Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2024, 09:53

General

  • Target

    6000c6e6fe5ef925bfa0de6b606cf713_JaffaCakes118.exe

  • Size

    288KB

  • MD5

    6000c6e6fe5ef925bfa0de6b606cf713

  • SHA1

    272fd57adc08a4d1c6292fb597190574c3e17e4a

  • SHA256

    04f2ef25ea59fb29ee9c5e4febb7fde42070908e6682ca27ed154bf7fd8c0b2a

  • SHA512

    c878eb1d3da48ca1272cdca6e178f1c0987aad07ada3c3d741a7fa5314af9f5b0da46f3d13ae622d6ee4510f9ab77fdd058e1369dd5dddb93fffcb66258c6e3c

  • SSDEEP

    6144:pgXJUOAgjCbFak5GRuZzDkKn3RbxgT7VMa9YocgEBHBQZUNMhwMMbbWg3jtAD6OV:pyUOPevlB9sZsuEBHBSWbkcn

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 53 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6000c6e6fe5ef925bfa0de6b606cf713_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6000c6e6fe5ef925bfa0de6b606cf713_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\yonat.exe
      "C:\Users\Admin\yonat.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\yonat.exe

    Filesize

    288KB

    MD5

    ac559719d2986fbe3079235c322c6218

    SHA1

    6850ad41fc912c76ba6b7bbe157bb047918b058b

    SHA256

    586c5a2aff9f028c0d45c167325e4020d4df9b6caa0a81f623ebf10c051f92c0

    SHA512

    e66f63a9d51620f2a184d953b2f7e4db0104668c514301c892147faedc2910a2dc597ac606462fabba76bf7781c303b7fb6341626842ab3671b5a2a317143cb7

  • memory/1988-35-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1988-38-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/4900-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/4900-37-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB