Analysis
max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
03/01/2025, 19:46
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Resource
win10v2004-20241007-en
General
Target
JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Size
73KB
MD5
6f1d008c6d0499aa29a2e2942d362960
SHA1
853c07f3cd4823ce6c3e782ca5fa0c3fddeb28c8
SHA256
773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59
SHA512
dd6a01faf5f6a8e72041ea6b90c1dce38ec996627a77a8f8576431d9e3dbb6db235794e71518903f2e34416f64caf8670306ca2b2ab978b310f4e3211d13b344
SSDEEP
1536:gLxnAv2aSRpdNAZNBGa5TsFPChwbaJgX5DHu+/Ou9O39:6+v2TAAa5TEMw+Kzr9O39
Malware Config
Extracted
tofsee
94.242.250.149
91.218.38.245
188.165.132.183
rgtryhbgddtyh.biz
wertdghbyrukl.ch
Signatures
Tofsee family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Executes dropped EXE 1 IoCs
pid | Process
4152 | hiayyskx.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "\"C:\\Users\\Admin\\hiayyskx.exe\"" | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4152 set thread context of 2840 | 4152 | hiayyskx.exe | 83
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1880 | 2840 | WerFault.exe | 83
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hiayyskx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4300 wrote to memory of 4152 | 4300 | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe | 82
PID 4300 wrote to memory of 4152 | 4300 | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe | 82
PID 4300 wrote to memory of 4152 | 4300 | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe | 82
PID 4152 wrote to memory of 2840 | 4152 | hiayyskx.exe | 83
PID 4152 wrote to memory of 2840 | 4152 | hiayyskx.exe | 83
PID 4152 wrote to memory of 2840 | 4152 | hiayyskx.exe | 83
PID 4152 wrote to memory of 2840 | 4152 | hiayyskx.exe | 83
PID 4152 wrote to memory of 2840 | 4152 | hiayyskx.exe | 83
PID 4300 wrote to memory of 4728 | 4300 | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe | 87
PID 4300 wrote to memory of 4728 | 4300 | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe | 87
PID 4300 wrote to memory of 4728 | 4300 | JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f1d008c6d0499aa29a2e2942d362960.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4300
    C:\Users\Admin\hiayyskx.exe
      "C:\Users\Admin\hiayyskx.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:4152
        C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          - System Location Discovery: System Language Discovery
          PID:2840
            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 356
              - Program crash
              PID:1880
    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8515.bat" "
      - System Location Discovery: System Language Discovery
      PID:4728
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2840 -ip 2840
  PID:4368
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
266B
MD5
798258d07f74f761a5283bb3ec33b212
SHA1
c39119681e6c803ce8b5c807d5305660f8250def
SHA256
b20b4fa12b160966aca10628cebca3bef18e232fc4cefd4070321c12b5aa0b14
SHA512
c2e997777f38d88c7009bc249a0fc7a3413dedcbfea39b1ee66ba8e61e1b6b1c99c4acd773c2bc07e5b4aa189b835b88f59272ecd5adfaf156b278594390bbb7
Filesize
73KB
MD5
6f1d008c6d0499aa29a2e2942d362960
SHA1
853c07f3cd4823ce6c3e782ca5fa0c3fddeb28c8
SHA256
773ed267ba4f811688af03c9a4c9d8acf03be9fab275c40c69986d1658870f59
SHA512
dd6a01faf5f6a8e72041ea6b90c1dce38ec996627a77a8f8576431d9e3dbb6db235794e71518903f2e34416f64caf8670306ca2b2ab978b310f4e3211d13b344