Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/12/2024, 02:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
- Resource: win7-20240903-en
General
- Target: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
- Size: 383KB
- MD5: 4c1c1353d9ba6ccbb2c14f31b77c7a78
- SHA1: 6bdfd8cdebd9455c4e8dec17d992764865b52c56
- SHA256: c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee
- SHA512: fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177
- SSDEEP: 6144:++E1M63eDwShxpZWqipaOkBI2KbQBL3XjpuzbgwuO0RikwVfT:1Ei63eDwQX7ipaJB1GcL3tunnwR
Malware Config
Extracted
- Family: amadey
- Version: 3.08
- Botnet: d00855
- C2: http://179.43.154.147
- install_dir: 9d5cca72fb
- install_file: ftewk.exe
- strings_key: 9defde16baecb416084964a9b667f06e
- url_paths: /d2VxjasuwS/index.php
Signatures
- Amadey family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (Process: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (Process: ftewk.exe)
- Executes dropped EXE (3 IoCs)
  PID 2184: ftewk.exe
  PID 4116: ftewk.exe
  PID 3280: ftewk.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (3 IoCs)
  PID 3480, target PID 4980: WerFault.exe (procid_target 81)
  PID 2744, target PID 4116: WerFault.exe (procid_target 100)
  PID 4928, target PID 3280: WerFault.exe (procid_target 103)
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: schtasks.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ftewk.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ftewk.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: ftewk.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: reg.exe)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5036: schtasks.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4980 wrote to memory of 2184 (Process: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe, procid_target 82)
  PID 4980 wrote to memory of 2184 (Process: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe, procid_target 82)
  PID 4980 wrote to memory of 2184 (Process: JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe, procid_target 82)
  PID 2184 wrote to memory of 4312 (Process: ftewk.exe, procid_target 90)
  PID 2184 wrote to memory of 4312 (Process: ftewk.exe, procid_target 90)
  PID 2184 wrote to memory of 4312 (Process: ftewk.exe, procid_target 90)
  PID 2184 wrote to memory of 5036 (Process: ftewk.exe, procid_target 92)
  PID 2184 wrote to memory of 5036 (Process: ftewk.exe, procid_target 92)
  PID 2184 wrote to memory of 5036 (Process: ftewk.exe, procid_target 92)
  PID 4312 wrote to memory of 4148 (Process: cmd.exe, procid_target 94)
  PID 4312 wrote to memory of 4148 (Process: cmd.exe, procid_target 94)
  PID 4312 wrote to memory of 4148 (Process: cmd.exe, procid_target 94)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee.exe"
  PID: 4980
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
    PID: 2184
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
      PID: 4312
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
        PID: 4148
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
      PID: 5036
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1100
    PID: 3480
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4980 -ip 4980
  PID: 1040
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  PID: 4116
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 500
    PID: 2744
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4116 -ip 4116
  PID: 2280
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  PID: 3280
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 500
    PID: 4928
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3280 -ip 3280
  PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 83KB
  MD5: 01854b6a0c8106277820fcc7ed06ede8
  SHA1: 556b1b1cb44020d54049f74a1b6bb333a797d430
  SHA256: 4bc64c85c8e384d7bfd8b79e838369a818588a6d6c8c58ee01307690327437b5
  SHA512: da14fc26df0c20cb80ca99c06df2a33954ec9aae38ad84058337c3dd72ce89481ed08a9bd36d6c4450cab5289ce7aa0e667019525f642a0057101d27ac455aa1
- Filesize: 383KB
  MD5: 4c1c1353d9ba6ccbb2c14f31b77c7a78
  SHA1: 6bdfd8cdebd9455c4e8dec17d992764865b52c56
  SHA256: c9409dcdd35f34531c3a7e692b46be9ec74efc25d0cb8c322a099adfb95055ee
  SHA512: fef17d2dd8e96cf7abff922e8be0ddcc7ca2cb736aed76325b8e03b71eb22fd3f53551dca4cb83e272fbc4b85fb12796e118aa206a6ae36c3d49846f63844177