Analysis

  • max time kernel
    95s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/01/2025, 22:06

General

  • Target

    JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe

  • Size

    176KB

  • MD5

    60eb23fca4d131d362b8e39c0325bb00

  • SHA1

    ef3519f410b08480d2f8be81717a973cbf2826af

  • SHA256

    d1ec457eab6fdee6069a68b7254d285da85b58aac62202900daf8f9622be09f4

  • SHA512

    8f0e4d46385035921c19a55b07b0d987fd268a0f2ce0b5a8ab7584dd3bf82d5ba961d38a21ed2dd562ef0a4ccab938ba3be0c40bef0651563568a6b444012854

  • SSDEEP

    3072:5APazUfD8iJDZnxrYudpi78EfkE10q/pMIi9x:5+D8ivxpg7V110MWhz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 264
        3⤵
        • Program crash
        PID:3592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 5068
    1⤵
      PID:2732

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60eb23fca4d131d362b8e39c0325bb00mgr.exe

      Filesize

      153KB

      MD5

      63caaedd9675796966020d2fd7ac9f3a

      SHA1

      2966ab246e9c8d926f61c91a7e5dd80e7798d7e6

      SHA256

      a5a5d6ead6799377d947f0d77be21b1d79ca54fda2aa0ed2e1eccb14bd4d465b

      SHA512

      4e811df6f0b890e462e203c07597486728f2342d9f5230509be681231844a59db0ab1411e5e8b382da60eeee16c9dddc7a1199e2d37335f86891db4549cc247d

    • memory/2416-0-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2416-7-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/5068-4-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/5068-6-0x00000000005B0000-0x00000000005B1000-memory.dmp

      Filesize

      4KB

    • memory/5068-9-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB