Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

15c874c0f9...18.exe

windows7-x64

10

15c874c0f9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/10/2024, 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15c874c0f92c845193085ef131f71350_JaffaCakes118.exe

  • Size

    48KB

  • MD5

    15c874c0f92c845193085ef131f71350

  • SHA1

    a7d58c5c52250c63e9a36bcd219c6b7f59eb5cd5

  • SHA256

    09afceb9b2008c2fdb38c8d15f8673e73a6b3ab0099774de00b3fe5eb4a18436

  • SHA512

    d306f26158c8d7b607266fa18e68b8577baefcb445c7337cbe87b2a9ea29a42b300028ed666d4755be5fe78abfa179002c62ece917c4602f189eef29c08e11b6

  • SSDEEP

    768:jYEJbd6heGI5eubtgTVH7NHaurxmWXOQfwoObuPb77e0:jYE9J5pbml5lXAoO+H79

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15c874c0f92c845193085ef131f71350_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\15c874c0f92c845193085ef131f71350_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Users\Admin\riuom.exe
      "C:\Users\Admin\riuom.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2244
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
    1⤵
      PID:3304

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\riuom.exe
      Filesize

      48KB

      MD5

      59413fb42f8afdd53eb838bd5f88ee5d

      SHA1

      49d9ec29dfac310460db368340ae96acaaef2e5d

      SHA256

      89775a3993bb81feb744013b2853458023604be5de46b28203b9281677214d1a

      SHA512

      279602f79c58df9f771a69d556ed7aa12912e1a80e1d1e7fa4f80c0baa614d63f2757fc24f61f47d1aaf180a11d3d2f98dacdf560fd090295fe66b7104c72fb4

      Download Submit