Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 01:53

General

  • Target

    28bf706967b2f4074f84eb5b78e9e1fe_JaffaCakes118.exe

  • Size

    216KB

  • MD5

    28bf706967b2f4074f84eb5b78e9e1fe

  • SHA1

    abba9e16edb6480ce73a8ad2d03fcc1d45c6c9e5

  • SHA256

    b94feaa2edb82dd3ac85052e32bdff889db6164624b779c2ff93fbecbfca35e7

  • SHA512

    75987a41dc7b5d25b74df21e9f6be84aff89b2684a7715756128e60c8e877db02b7f216181609c1cc675f902c011dc59cbe04a18addc1fe5aafd8d335c16d881

  • SSDEEP

    3072:3YSaMKxz6cBewR7sEVSdJplM2IlNGzBkl9s1Y:o1JBe2pV2M2CWs9l

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28bf706967b2f4074f84eb5b78e9e1fe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\28bf706967b2f4074f84eb5b78e9e1fe_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\deooyuc.exe
      "C:\Users\Admin\deooyuc.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2944

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\deooyuc.exe

    Filesize

    216KB

    MD5

    7a84f78da4741adca7c0af30f06aaa5c

    SHA1

    7c9f7993edab7465dff3cde3e37ddd496f83e06b

    SHA256

    a8bb3be03fa82f974610c75486bfa4c433356113a921f6b458807aeede0da5ce

    SHA512

    b3afcd102f1bcc9446d744552a56ea9320ac5908141c1c37ecef636578d86cfbe481c6e18e9bad9d30a41fed56ff76a285f93cffa99fec391f6b378b68f2eb4f