Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 09/04/2024, 00:36
Static task: static1
Behavioral task: behavioral1
  Sample: e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
Size: 78KB
MD5: e8cd94209fa88d7b99a6bbc21738b947
SHA1: 40a923b789cd455468e80123c1acac6a3681440e
SHA256: a78d29187a50431c5865c0e25979055dfb76737a12c2bfdee725013d056fe471
SHA512: 2c798e7f729986392e71eb0d50f476fc29629ef408d31e3e306a4fc9a01880929e05b4147b0d2cd662612ea1ba4bd8866bfac634e08c4454ac65745d65b62ca4
SSDEEP: 1536:aPWV58eLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6T9/m1RS:aPWV58gE2EwR4uY41HyvYr9/7
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been around since 2013.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid | Process
  3848 | tmp3671.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmp3671.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3848 | tmp3671.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1400 wrote to memory of 4300 | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | 86
  PID 1400 wrote to memory of 4300 | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | 86
  PID 1400 wrote to memory of 4300 | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | 86
  PID 4300 wrote to memory of 1832 | 4300 | vbc.exe | 89
  PID 4300 wrote to memory of 1832 | 4300 | vbc.exe | 89
  PID 4300 wrote to memory of 1832 | 4300 | vbc.exe | 89
  PID 1400 wrote to memory of 3848 | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | 90
  PID 1400 wrote to memory of 3848 | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | 90
  PID 1400 wrote to memory of 3848 | 1400 | e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe"
   PID: 1400
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g5vdoxwt.cmdline"
      PID: 4300
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37AA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BC49DA5BF824CB5B7D772CF717C2680.TMP"
         PID: 1832
   2. C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3671.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e8cd94209fa88d7b99a6bbc21738b947_JaffaCakes118.exe
      PID: 3848
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads