Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
  max time kernel:  148s
  max time network: 150s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240802-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        25/09/2024, 06:09
Tasks
  static1 (static task)
  behavioral1: sample f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe, resource win7-20240708-en
  behavioral2: sample f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe, resource win10v2004-20240802-en
  The results below are from behavioral2 (resource win10v2004-20240802-en, matching the Analysis block above).
General
  Target: f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe
  Size:   1.9MB
  MD5:    f55d1346e07506bad44761ae8bbcb070
  SHA1:   b37240dd8b332f5b66480500b21aef1c9f91b766
  SHA256: bf10723e69597a363a2e407bb5b6d1090558a67f6eff2f7d08f11382e6ea59ba
  SHA512: 494048ac6e011c983d29c15456e2ccc280ccf782fb9cf55f3b6dca0a97aa935203c3a591d3188bcc76745434b33d8c52e462ce0977344c6f3b1266776a67d3bd
  SSDEEP: 49152:8E4VssMhkdGUJmoFgIQnOBgMF5pmyIMbTdlyyiCy:v4VsLhkdGUJmoFgIoOBgMF5pmylTdky+
Malware Config
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Program crash (8 IoCs)
    pid   pid_target  Process       procid_target
    2176  4724        WerFault.exe  81
    4624  4724        WerFault.exe  81
    4512  4724        WerFault.exe  81
    2292  4724        WerFault.exe  81
    772   4724        WerFault.exe  81
    2064  4724        WerFault.exe  81
    5096  4724        WerFault.exe  81
    4992  4724        WerFault.exe  81
    All eight WerFault.exe instances report on the same target, pid 4724 (the sample itself); procid_target 81 is the report's internal index for that process, not a Windows pid.

  System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe

  Suspicious use of SetWindowsHookEx (1 IoCs)
    pid   Process
    4724  f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe
Processes
  [1] f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe  PID 4724
      Path:         C:\Users\Admin\AppData\Local\Temp\f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe"
      Signatures:   System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      [2] WerFault.exe  PID 2176  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 864
      [2] WerFault.exe  PID 4624  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 880
      [2] WerFault.exe  PID 4512  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 924
      [2] WerFault.exe  PID 2292  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 976
      [2] WerFault.exe  PID 772   (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1040
      [2] WerFault.exe  PID 2064  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1232
      [2] WerFault.exe  PID 5096  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1796
      [2] WerFault.exe  PID 4992  (Program crash)
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1804
  [1] WerFault.exe  PID 2752
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
  [1] WerFault.exe  PID 3048
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4724 -ip 4724
  [1] WerFault.exe  PID 2084
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4724 -ip 4724
  [1] WerFault.exe  PID 1308
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4724 -ip 4724
  [1] WerFault.exe  PID 2976
      C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4724 -ip 4724
  [1] WerFault.exe  PID 1236
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4724 -ip 4724
  [1] WerFault.exe  PID 1392
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4724 -ip 4724
  [1] WerFault.exe  PID 3832
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4724 -ip 4724

  Notes: WerFault.exe is launched from SysWOW64, so the crashing process (pid 4724) is a 32-bit image, consistent with the arch:x86 tag. The eight "-u -p 4724" instances are children of the sample and are the ones counted under "Program crash"; the eight "-pss ... -p 4724 -ip 4724" instances are top-level entries (not children of 4724) and carry no signature. In both cases "-p" names the faulting process, so every WerFault instance in this run points back at the sample.
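The process list above is a good test case for a small triage helper: given (pid, parent pid, command line) records such as an EDR or Sysmon process-creation feed produces, parse each WerFault.exe command line, recover the faulting pid from "-p", separate the "-u" report instances from the "-pss" snapshot helpers, and flag any process that crashed repeatedly in one run. The following is an added example written for this page, not part of the tria.ge report or its tooling; the input is constructed from the Processes section, with the parent of the top-level WerFault entries recorded as None because the report does not show it, and the crash-loop threshold of three is an arbitrary choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the process list from the report, as (pid, parent_pid, command line).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f55d1346e07506bad44761ae8bbcb070_JaffaCakes118.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

PROCESSES = [
    (4724, None, f'"{SAMPLE}"'),
] + [
    (pid, 4724, f"{WERFAULT} -u -p 4724 -s {s}")
    for pid, s in [(2176, 864), (4624, 880), (4512, 924), (2292, 976),
                   (772, 1040), (2064, 1232), (5096, 1796), (4992, 1804)]
] + [
    # Snapshot helpers: parent not shown in the report, so None here (assumption).
    (pid, None, f"{WERFAULT} -pss -s {s} -p 4724 -ip 4724")
    for pid, s in [(2752, 408), (3048, 496), (2084, 524), (1308, 472),
                   (2976, 500), (1236, 516), (1392, 472), (3832, 552)]
]

# Matches the image token of a WerFault.exe invocation regardless of directory or case.
WER_IMAGE = re.compile(r"(?i)(?:^|\\)werfault\.exe$")


@dataclass
class WerEvent:
    pid: int          # pid of the WerFault.exe instance
    target_pid: int   # faulting process, from -p
    mode: str         # "report" for -u style, "snapshot" when -pss is present
    is_wow64: bool    # launched from SysWOW64, i.e. the faulting process is 32-bit


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_werfault(pid, cmd):
    """Return a WerEvent if cmd is WerFault.exe with a -p target, else None."""
    toks = tokenize(cmd)
    if not toks or not WER_IMAGE.search(toks[0]):
        return None
    flags = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("-"):
            # A flag followed by a non-flag token takes that token as its value.
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                flags[tok.lower()] = toks[i + 1]
                i += 2
                continue
            flags[tok.lower()] = True
        i += 1
    if "-p" not in flags or not str(flags["-p"]).isdigit():
        return None
    mode = "snapshot" if "-pss" in flags else "report"
    return WerEvent(pid, int(flags["-p"]), mode, "syswow64" in toks[0].lower())


def summarize(processes):
    """Group WerFault invocations by faulting pid: counts per mode plus bitness hint."""
    summary = defaultdict(lambda: {"report": 0, "snapshot": 0, "wow64": False})
    for pid, _parent, cmd in processes:
        ev = parse_werfault(pid, cmd)
        if ev is None:
            continue
        summary[ev.target_pid][ev.mode] += 1
        summary[ev.target_pid]["wow64"] |= ev.is_wow64
    return dict(summary)


def crash_loops(processes, threshold=3):
    """Pids that produced at least `threshold` WER reports in a single run."""
    return sorted(pid for pid, s in summarize(processes).items() if s["report"] >= threshold)


if __name__ == "__main__":
    for target, s in summarize(PROCESSES).items():
        print(f"pid {target}: {s['report']} reports, {s['snapshot']} snapshots, wow64={s['wow64']}")
    print("crash loops:", crash_loops(PROCESSES))
```

Run on the constructed input this attributes all sixteen WerFault instances to pid 4724 (eight reports, eight snapshots, 32-bit), and flags 4724 as a crash loop. Only the "-u -p" instances count toward the loop threshold, mirroring the report, which tags only those eight as "Program crash".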