Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20/04/2024, 06:36
Static task: static1
Behavioral task: behavioral1
- Sample: fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
- Size: 78KB
- MD5: fc26984cf509bab2d3cb2b181746164b
- SHA1: 4afd7471d736b3aa5f5f56dfcc2051cdca654451
- SHA256: 748df5bb358f93dc0c92161ce8688f014f3037b5cea683a3fd46383039aed5fd
- SHA512: 46292e9d8b9a551f6afe8f033bf8feebbfbe19203d3c1da681e278ffd7e3b67af02ce21802fe99f9ba5bd69d6231591fd3eb225c67a6845d60f4e404b36eb31a
- SSDEEP: 1536:eHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtk9/s210A:eHFon3xSyRxvY3md+dWWZyk9/f
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Executes dropped EXE (1 IoCs)
  pid: 2612, process: tmp254C.tmp.exe
- Loads dropped DLL (2 IoCs)
  pid: 2012, process: fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
  pid: 2012, process: fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
  process: tmp254C.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege, pid: 2012, process: fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
  description: Token: SeDebugPrivilege, pid: 2612, process: tmp254C.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description, pid, process, procid_target:
  PID 2012 wrote to memory of 1248, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 28
  PID 2012 wrote to memory of 1248, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 28
  PID 2012 wrote to memory of 1248, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 28
  PID 2012 wrote to memory of 1248, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 28
  PID 1248 wrote to memory of 2524, 1248, vbc.exe, 30
  PID 1248 wrote to memory of 2524, 1248, vbc.exe, 30
  PID 1248 wrote to memory of 2524, 1248, vbc.exe, 30
  PID 1248 wrote to memory of 2524, 1248, vbc.exe, 30
  PID 2012 wrote to memory of 2612, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 31
  PID 2012 wrote to memory of 2612, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 31
  PID 2012 wrote to memory of 2612, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 31
  PID 2012 wrote to memory of 2612, 2012, fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe, 31
Processes
- C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe"
  PID: 2012
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n2pd3iey.cmdline"
    PID: 1248
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES25D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25D8.tmp"
      PID: 2524
  - C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp254C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc26984cf509bab2d3cb2b181746164b_JaffaCakes118.exe
    PID: 2612
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d9561765b7b26f7c6d29087d0913225e
  SHA1: b70d220d5a103ccdca65c11db27558e5af3d51d0
  SHA256: d64f3cdab74c3907500e56677756c84714f358dea12a659add11cdfa73fb2463
  SHA512: d5516789cdcd60e96507dadbe02c649ac74d9cf13db8faa0d9359b4eb1c9e55c088e23a95bc3009b16edf5c10fc3412848db510cbd6574f16eb1f1717c9c8bbb
- Filesize: 15KB
  MD5: 553aa445b239428cbf6b5811090859dc
  SHA1: 700203c77108a033e851bb6b21e60c2dcc1ae037
  SHA256: 2c33689bf61e1f7338533b64229e733e60df4cbb7b474a15c25ad4e7909c8962
  SHA512: 5ba2e3f2506885ed49b3b32535d9c3327c17f3c8fb8da60cc282570659cc6af01ff8d3a17db90a407d2e8ce91234649f3a040778b9e1da432cd77bde51d5a00e
- Filesize: 266B
  MD5: 0e5261753b4a31fd981b463b4d9c576b
  SHA1: 0942b2851a2174d0e0d83bbd16daa29d41392b63
  SHA256: c0f655b1b9fee1fb6028cf1dc6076636535fd9c0ecdbea5e69823a97d4900ef5
  SHA512: d9c74fd1bae10d89b84d5b0033725cdf331332bbd57a46d2d3494c1e925243cdb228061e591ab8acc4051dfd931f3b5443bdb1855b0e4a2e28077d15982fcd35
- Filesize: 78KB
  MD5: 39d38c5fd4f256dcaaae28fcf6e58385
  SHA1: 4d2f5963c8975c08a6d0e6dbe7423172a25a22e9
  SHA256: df90bbd2f86f463ce860208bd0f724b58fc9e9f8d474bd6748c26b7df968254f
  SHA512: 59aafa99bec692be00bfc1f555010130904aae7427d1acc6d81ff6f3ba54ce8f14035d05fb0ed7bc5259c98c488080fb7f71daeb0dd5094edcc21403b6684700
- Filesize: 660B
  MD5: 39aba9fa0983975ca634e217b543c1c4
  SHA1: 763931d853391b349bced38865e3c3635a7d5816
  SHA256: fdb40f0d3ad138218490eacc0c2951b5fab23f399cd5cd6fb1ce38e880f43796
  SHA512: a8317e31ab4ed4bd6c5cb9b25bedd90b643e0f91da381a083c77ea9daa67106a2508d293e45759cbeb6f012e3fb71ccb5f302254bc0b2b3e14bfa53cf3894ab8
- Filesize: 62KB
  MD5: 4f0e8cf79edb6cd381474b21cabfdf4a
  SHA1: 7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4
  SHA256: e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5
  SHA512: 2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107