Analysis

  • max time kernel
    140s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/09/2024, 10:36

General

  • Target

    fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe

  • Size

    171KB

  • MD5

    fa3fb045e0e65395f4b710b2e7dd5ec0

  • SHA1

    110141089687f1f751d1f721ae4839f8298ccb59

  • SHA256

    670c6a1acf459f744e8fad284c89ed36f0da2797a7f4a53956200a38cd37c343

  • SHA512

    7f5eb5b40a5aaf2b9d84351af73a06d7d7146421bbae099838d09da28db807a00870112a0841b94a26f4c2bc1614051b4db2416db94235faa36973cdc2e6d16c

  • SSDEEP

    3072:SwjmK0lZmJEs4aBXMvkK7eyKIMZu7DMnx1pqCSozKn1WJWmowqV3k7FS:SbN5s4ameyrMZufAjJSozK1WvowqL

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa3fb045e0e65395f4b710b2e7dd5ec0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\keygen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4840
    • C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\tish.exe
      "C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\tish.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\keygen.exe

    Filesize

    136KB

    MD5

    279829ae83560628c0c9f58ac87541b6

    SHA1

    2eb1ad73b7480c92f3fefde5fb229cd0b86409c1

    SHA256

    83c21cf3199544f9e88a2180af134e7315dec7d6aa8227c0c08ea1c727807411

    SHA512

    9293d4e3691ead3fa3b1bccf0d816ae8a437c306c1e8ee6eaf9d41da7ad6bb2968340490ab2d7b9517dfc4ec7543ee1b14bdcf7ee6f843e13f0e3686a9608ba6

  • C:\Users\Admin\AppData\Local\Temp\nsv1347.tmp\tish.exe

    Filesize

    7KB

    MD5

    28ac32071d72f7dd657adbee25b04b97

    SHA1

    5c23720df5939c366f34e08c56f00c5e7728261d

    SHA256

    f620d4d30c06611822e3cff1ecc87bb3a5cacfc008f135c99a45a36806dde3fe

    SHA512

    02fe1364027b92e750b8d3b8b65c3ae09f907ea86761030b9036d4a8a6d2b785077342dd98373860ce84a89545002bbeb3a797bd01be0b8af775a675df11173d

  • memory/2860-23-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/4840-8-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

  • memory/4840-10-0x00000000004C0000-0x00000000004C2000-memory.dmp

    Filesize

    8KB

  • memory/4840-11-0x00000000020D0000-0x00000000020D1000-memory.dmp

    Filesize

    4KB

  • memory/4840-24-0x0000000000400000-0x0000000000461000-memory.dmp

    Filesize

    388KB

  • memory/4840-26-0x00000000020D0000-0x00000000020D1000-memory.dmp

    Filesize

    4KB