
Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/10/2024, 06:33

General

  • Target

    0e61494eae62d4bf1da27a0ae9566ac9_JaffaCakes118.exe

  • Size

    111KB

  • MD5

    0e61494eae62d4bf1da27a0ae9566ac9

  • SHA1

    36b97b00d47923760b30bf0027ca6154d3b3c943

  • SHA256

    806f940cb5eb48df89e011d47888378af7466fe61743d5d01ceda32f0b8f9238

  • SHA512

    5ade2c5656c36470d5eff992214655e25eda4494ae87c0212a08dda732242e91c43514cfb3dd95c2bab90ccb90f962dca093cd6849c38612c79a3e6e83091692

  • SSDEEP

    1536:5P1ak2c8CgDwTvD+bFWU+L1i4QmOexXxBxmxZx44D4dMz4n4N4t4R4R7ILiJIIIQ:91akL8Mp4D4dMz4n4N4t4R4aEIIIIzH

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e61494eae62d4bf1da27a0ae9566ac9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0e61494eae62d4bf1da27a0ae9566ac9_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\heoadip.exe
      "C:\Users\Admin\heoadip.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2956

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\heoadip.exe

    Filesize

    111KB

    MD5

    49b9a2b5bea1449c430c22e0e26d18cd

    SHA1

    120475e9f247d4c1355c0d9519b129afb04a9d0b

    SHA256

    e56eaf518ade7bcf8c849e2507f1ebda128af366891497733e64f928f6924126

    SHA512

    b6e5a6690ea0908f3f1b4130a820ed34dd31e6488568e67850bd7b3b000c5fa5057700f0cd7b436d4df8c0133da5ebd88caf805e0562949b35047dd03bfeb8ec