Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/02/2025, 20:49

General

  • Target

    JaffaCakes118_981b953858e6068fc71394b208b751dc.exe

  • Size

    200KB

  • MD5

    981b953858e6068fc71394b208b751dc

  • SHA1

    31cbaa37b0f42959bb08eeebf5e1e22f507e3b3e

  • SHA256

    38b4737faebe3449fce04010d510239ad1c8c829f75e596f288f1224967583cc

  • SHA512

    e81994b42def790b7eca27cdae1b7caff7513b026eeb67373420d0ad324cde33d6b6019bcda9cea7254f61590c33647b1749f61dc4314c92c441a9ddc28ede38

  • SSDEEP

    3072:lC/To/0Yxr0tQ9nLHbB9WPliBs2HWWEakGJm9hi:lCmN4QxL7B9WPli+yWWEazH

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_981b953858e6068fc71394b208b751dc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_981b953858e6068fc71394b208b751dc.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Admin\hiaweuc.exe
      "C:\Users\Admin\hiaweuc.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2944
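The signatures and process tree above give a responder three things to check on a suspect host: a Run-key entry pointing at the dropped C:\Users\Admin\hiaweuc.exe, a change to Explorer's hidden/system-file visibility, and the habit of dropping directly into the profile root. The script below is an added example, not tria.ge code or anything from the sample. It parses a constructed `reg export` of the two relevant HKCU keys and flags those behaviours. The registry locations are assumptions the report does not state: Explorer visibility is assumed to be the Hidden and ShowSuperHidden values under Explorer\Advanced, persistence under CurrentVersion\Run, and the Run value name "hiaweuc" is made up for the sample export.

```python
"""Triage the registry side effects listed in the tria.ge report (added example).

Assumed locations (not stated in the report):
  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run               -> persistence
  HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced -> Hidden / ShowSuperHidden
"""
import re

DROPPED_EXE = r"C:\Users\Admin\hiaweuc.exe"  # path from the report's process tree
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed `reg export` output for illustration; the value name "hiaweuc" is invented.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"hiaweuc"="C:\\Users\\Admin\\hiaweuc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

# An EXE sitting directly in a profile root (C:\Users\<name>\x.exe), as hiaweuc.exe does here.
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)


def parse_reg_export(text):
    """Parse the subset of .reg syntax `reg export` emits: [key] headers, "name"=value lines.
    Handles REG_SZ (quoted, with \\ and \" escapes) and REG_DWORD (dword:hex)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            elif len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # unescape \\ and \"
            keys[current][name] = value
    return keys


def exe_path_from_command(cmd):
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def find_run_persistence(keys, target=DROPPED_EXE):
    """Run-key value names whose command references the dropped EXE from the report."""
    return [name for name, cmd in keys.get(RUN_KEY, {}).items()
            if isinstance(cmd, str) and target.lower() in cmd.lower()]


def suspicious_run_entries(keys):
    """Run-key entries whose executable lives directly in a user profile root."""
    return [name for name, cmd in keys.get(RUN_KEY, {}).items()
            if isinstance(cmd, str) and PROFILE_ROOT_EXE.match(exe_path_from_command(cmd))]


def explorer_hidden_files_tampered(keys):
    """True when Explorer is set to hide hidden items (Hidden=2) or protected OS files
    (ShowSuperHidden=0); the report only says the setting was modified, so check both."""
    adv = keys.get(ADVANCED_KEY, {})
    return adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0


def triage(text):
    """Summarise the report's registry IoCs against one .reg export."""
    keys = parse_reg_export(text)
    return {
        "run_persistence": find_run_persistence(keys),
        "profile_root_run_entries": suspicious_run_entries(keys),
        "explorer_hidden_files_tampered": explorer_hidden_files_tampered(keys),
    }


if __name__ == "__main__":
    for item, result in triage(REG_EXPORT).items():
        print(f"{item}: {result}")
```

On a live host, replace REG_EXPORT with the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the Explorer\Advanced key), then confirm any hit by hashing the referenced file against the SHA256 values listed for the sample and the dropped hiaweuc.exe.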

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\hiaweuc.exe

    Filesize

    200KB

    MD5

    45dfc6a8c9007610d0530e262c00756d

    SHA1

    89f4b70a4514e0ea73fe4dd356a7fd2654e88d6c

    SHA256

    d144a9c405d6b32b346e12124b8f68bff8f5ca1e95fc1f237638703f1d7a8dfc

    SHA512

    69d64a2084c7d1a31629fed9b8c5abefed0e914f5e86f6b825fd44452dd7c944192c7e5fcb13a2a0e6cd3e9575f65432ed37acb2c7a48cc09cf53fec4059047c