Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/06/2024, 23:35
Static task
- static1
Behavioral task
- behavioral1: sample 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe, resource win7-20240508-en
- behavioral2: sample 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe, resource win10v2004-20240508-en
General
- Target: 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe
- Size: 1.7MB
- MD5: 8c2e3d87b590b8acdf3b0aa26a3a115b
- SHA1: ee96e21cfa70bb9082a08f1468bae6754778ee38
- SHA256: 1d82b1e76c9c79da1f563a3b990ad6ef521aa0685694b1e5e5acab2cb843d161
- SHA512: 99501f6c599f4267d0dc73590b807769ee6032b3d7cf22372a2370e0d6e54502a34e07d3405a599255411cc5f977dfaac2b0f9dbbe5782f139573a96081a376d
- SSDEEP: 49152:jEfKUv4KjEL7xOIpZ3RHDLfzS34XMXgSh:QRIBZHDLfG3qMX7
Malware Config
Extracted
- Family: azorult
- C2: http://siteverification.site/azo/gate.php
Signatures
- Azorult
  An information stealer first discovered in 2016 that targets browsing history and passwords.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  VirtualBox guests expose the hypervisor's ACPI tables under HKLM\HARDWARE\ACPI with the OEM ID VBOX__; the key does not exist on physical hardware, so opening it is a cheap VM check.
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS version strings are often read to detect sandboxing environments, since virtualised firmware identifies its vendor there.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Reads the GeoID (country code) configured for the user in the registry, likely to geofence execution by country.
  Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (process: 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer that runs Windows applications on other operating systems and is sometimes used as a sandboxing environment; the Software\Wine key under the user hive exists only when running under Wine.
  Key opened: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine (process: 8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe)
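The five registry accesses above are the whole of the sample's environment fingerprinting visible in this run. The following Python, added here as an example and not part of the Triage report or its signature engine, applies the same checks to a constructed list of registry events modelled on those IoCs and flags a process once it touches two or more distinct categories. The event field names (pid, image, op, key, value), the two benign control events, and the two-category threshold are assumptions of the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Registry locations the sample read, per the signature tables above, and
# what each reveals. Keys are matched on the path that remains after the
# hive prefix is stripped, so HKLM\..., \REGISTRY\MACHINE\... and
# HKU\<SID>\... spellings of the same key all compare equal.
RULES = [
    (r"\\hardware\\acpi\\dsdt\\vbox__$", None, "VirtualBox ACPI table (VBOX__ OEM id)"),
    (r"\\hardware\\description\\system$", "systembiosversion", "BIOS version string"),
    (r"\\hardware\\description\\system$", "videobiosversion", "video BIOS version string"),
    (r"\\software\\wine$", None, "Wine registry hive"),
    (r"\\control panel\\international\\geo\\nation$", None, "GeoID (possible geofence)"),
]

# Hive prefixes in native (\REGISTRY\...) and Win32 (HKLM, HKU\<SID>, ...) form.
HIVE_PREFIX = re.compile(
    r"^(?:\\registry\\machine|\\registry\\user\\s-1-5-[0-9-]+|"
    r"hkey_local_machine|hkey_current_user|hkey_users\\s-1-5-[0-9-]+|"
    r"hklm|hkcu|hku\\s-1-5-[0-9-]+)",
    re.IGNORECASE,
)


def normalise_key(key: str) -> str:
    r"""Lower-case the path and drop the hive prefix, e.g.
    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ -> \hardware\acpi\dsdt\vbox__"""
    return HIVE_PREFIX.sub("", key.lower())


def classify(event: dict) -> Optional[str]:
    """Return the anti-analysis category an event belongs to, or None."""
    key = normalise_key(event["key"])
    value = (event.get("value") or "").lower()
    for key_re, value_name, label in RULES:
        if re.search(key_re, key) and (value_name is None or value_name == value):
            return label
    return None


def anti_analysis_hits(events) -> dict:
    """Group matched categories by (pid, image)."""
    hits = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label is not None:
            hits[(ev["pid"], ev["image"])].add(label)
    return {proc: sorted(labels) for proc, labels in hits.items()}


def is_evasive(labels, threshold: int = 2) -> bool:
    """A lone GeoID read is routine for installers and locale-aware software;
    two or more distinct categories from one process is the signal worth an
    alert. The threshold is this example's choice, not a Triage scoring rule."""
    return len(labels) >= threshold


SAMPLE = "8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe"
SID = "S-1-5-21-3558294865-3673844354-2255444939-1000"


def user_key(subkey: str) -> str:
    return "\\REGISTRY\\USER\\" + SID + "\\" + subkey


# Constructed events: the five IoCs for PID 3632 from the report, plus two
# benign accesses by other processes (invented here) that must not match.
SAMPLE_EVENTS = [
    {"pid": 3632, "image": SAMPLE, "op": "open", "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "value": None},
    {"pid": 3632, "image": SAMPLE, "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"pid": 3632, "image": SAMPLE, "op": "query", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System", "value": "VideoBiosVersion"},
    {"pid": 3632, "image": SAMPLE, "op": "query", "key": user_key(r"Control Panel\International\Geo\Nation"), "value": None},
    {"pid": 3632, "image": SAMPLE, "op": "open", "key": user_key(r"Software\Wine"), "value": None},
    {"pid": 4120, "image": "setup.exe", "op": "query", "key": r"HKCU\Control Panel\International\Geo\Nation", "value": None},
    {"pid": 1304, "image": "explorer.exe", "op": "query", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "OneDrive"},
]

if __name__ == "__main__":
    for proc, labels in anti_analysis_hits(SAMPLE_EVENTS).items():
        print(proc, "EVASIVE" if is_evasive(labels) else "info", labels)
```

Run stand-alone it prints the sample process as EVASIVE with all five categories and setup.exe as informational with only the GeoID read; explorer.exe does not appear. Matching on the normalised key suffix rather than on the raw string is what lets one rule set cover both the native \REGISTRY\USER\<SID> spelling that Triage logs and the HKCU form that Sysmon or ETW consumers usually emit.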
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the kernel from delivering that thread's debug events to an attached debugger, a common anti-debugging step.
  PID 3632 (8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Used here as a one-second wait before deleting the sample's own executable (see the process tree below).
  PID 4268 (timeout.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3632 (8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe), twice
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3632 (8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe) wrote to memory of PID 2028 (cmd.exe), 3 times (target procid 85)
  PID 2028 (cmd.exe) wrote to memory of PID 4268 (timeout.exe), 3 times (target procid 87)
  Both sets of writes coincide with the parent creating the child and are consistent with ordinary process creation (the parent writes the child's startup parameters into it) rather than with code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe (PID 3632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2028)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 1 & del "C:\Users\Admin\AppData\Local\Temp\8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 4268)
      Command line: timeout 1
      Signatures: Delays execution with timeout.exe
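The tree shows the sample's cleanup: it spawns cmd.exe, which waits one second with timeout.exe and then deletes the original executable, so the file is gone from disk once the parent has exited and released its image. Note that the command line names C:\Windows\System32\cmd.exe while the image actually loaded is C:\Windows\SysWOW64\cmd.exe: the sample is 32-bit, so WoW64 file-system redirection resolves the path. The following Python, an added example rather than anything from the report or from Triage, flags that self-deletion pattern over a constructed set of process-creation events copied from the tree, plus an invented benign control; the event schema (pid, ppid, image, cmdline) and the placeholder ppid 0 for the root processes are assumptions of the example.

```python
import re
from typing import Optional

# cmd.exe /c timeout N & del "<path>"  (ping -n N is the other common delay).
# The target group captures the deleted path with surrounding quotes removed.
SELF_DELETE_RE = re.compile(
    r'\b(?:timeout|ping)\b[^&]*&+\s*(?:del|erase)\b\s*(?:/[a-z]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# timeout N  or  timeout /t N
DELAY_RE = re.compile(r"\btimeout\b(?:\s+/t)?\s+(\d+)", re.IGNORECASE)


def delay_seconds(cmdline: str) -> Optional[int]:
    """Seconds the timeout.exe delay sleeps for, or None if no timeout is used."""
    m = DELAY_RE.search(cmdline)
    return int(m.group(1)) if m else None


def find_self_deletion(events):
    """Return one finding per cmd.exe whose del target is its own parent's image.

    The cmd.exe check is made on the loaded image path, not on the first
    token of the command line: in the tree above the command line says
    C:\\Windows\\System32\\cmd.exe but the image is C:\\Windows\\SysWOW64\\cmd.exe
    because WoW64 redirects System32 for the 32-bit parent. The del target
    is compared with the parent's image so that ordinary temp-file cleanup
    by installers is not reported."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if m is None:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e["ppid"])
        if parent is None or target.lower() != parent["image"].lower():
            continue  # deleting some other file is routine cleanup
        findings.append({
            "deleter_pid": e["pid"],
            "victim_pid": parent["pid"],
            "victim_image": parent["image"],
            "delay_seconds": delay_seconds(e["cmdline"]),
        })
    return findings


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\8c2e3d87b590b8acdf3b0aa26a3a115b_JaffaCakes118.exe"

# Constructed events. The first three are the processes from the tree above
# (the parent of PID 3632 is not on the page; ppid 0 is a placeholder). The
# last two are an invented benign installer deleting a log file, not itself.
SAMPLE_EVENTS = [
    {"pid": 3632, "ppid": 0, "image": SAMPLE_EXE, "cmdline": '"' + SAMPLE_EXE + '"'},
    {"pid": 2028, "ppid": 3632, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c timeout 1 & del "' + SAMPLE_EXE + '"'},
    {"pid": 4268, "ppid": 2028, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 1"},
    {"pid": 5100, "ppid": 0, "image": r"C:\Users\Admin\Downloads\setup.exe",
     "cmdline": '"C:\\Users\\Admin\\Downloads\\setup.exe"'},
    {"pid": 5108, "ppid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c timeout 2 & del "C:\\Users\\Admin\\AppData\\Local\\Temp\\inst.log"'},
]

if __name__ == "__main__":
    for f in find_self_deletion(SAMPLE_EVENTS):
        print(f"PID {f['deleter_pid']} deletes the image of PID {f['victim_pid']} "
              f"after {f['delay_seconds']}s: {f['victim_image']}")
```

Only the report's cmd.exe (PID 2028) is reported; the installer's cleanup command is parsed but discarded because its del target is not the parent's image. The parent lookup by ppid is what makes the rule precise: a sandbox or EDR that only greps command lines for timeout-and-del will fire on every installer that tidies its own temp files.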