Analysis

  • max time kernel
    149s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/08/2024, 08:53

General

  • Target

    b2d597e090ca0cb921a2148fe7f746ab_JaffaCakes118.exe

  • Size

    312KB

  • MD5

    b2d597e090ca0cb921a2148fe7f746ab

  • SHA1

    1eadeee9fffdb5483db8b3b1d2d8e78ad3d0f1ac

  • SHA256

    5636ea8ba3dc2b5778fb9582a7bac8d15402243476cedad2be814272fcbde418

  • SHA512

    920bf3fdaf9c4a6ab15036d6d1d021dac2bbafa3f040d7acbeee69f485a3579725f115039b5af6fe2d8f5e41d967e90222484d69c80de57f87ff9cacbf500b05

  • SSDEEP

    6144:kk7tvTlIpr1f+XqO5aOmSGFDbeOjLPmUSgF:r1TlIB1f+55SpNPmUHF

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2d597e090ca0cb921a2148fe7f746ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b2d597e090ca0cb921a2148fe7f746ab_JaffaCakes118.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\letil.exe
      "C:\Users\Admin\letil.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\letil.exe

    Filesize

    312KB

    MD5

    1824f0f9044520912d04f83d21c0e50a

    SHA1

    455e7aad419810f4b00290efb000c10d9cdd8288

    SHA256

    35f10825afccb3ea3207eecedd3e136e011dbc0d98733d1154f55093ab541071

    SHA512

    a1f7341139e080fa8288b94331d7cf8131677f18aff7ce36b46b9ca9857ea35f866fcd5aefec1de14426b7a66409255951f8f9c876e0b1e3122b990d7a3e4e00