Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
12/06/2024, 23:48
General
-
Target
a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe
-
Size
455KB
-
MD5
a2ff9b452041a6ff6097db779da26d70
-
SHA1
d9fb90605868c19cdc91c556fb9abfcd09fcdff5
-
SHA256
c4d9db58c442972cbcb09632bd06b477c6a33f3827a00ac0ec2baeb6a0e6e9cc
-
SHA512
2c2012fb5821a26d3aa4f5bb645d087978b846ddecd87cc5c4ece039dbac011f44bcf263fbfc383f5546d906391c9c5d5af7e81d7aa92427832de107505c3867
-
SSDEEP
12288:bRVbfvJSlmOPufGjKH2KcDx/2aTxryFM0v+YXO:bfNonjKH2KcF/RM2
Malware Config
Signatures
-
Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\a2ff9b452041a6ff6097db779da26d70_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UwAqxT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDBE9.tmp"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c7b95e5f692958978a8d6a979d74f6c8
SHA1fed2d45865370bcafb126ca5ac997f7aeeb8834e
SHA25647a41d43257d9d323c83606aa2c49832f458624e018fcd29c67e452cd8c49029
SHA512227e9bfde31acabc6813e822af62bc5975f852d98f95be266e1f23257b4fb5440f9457cbf0d2e82baf2a32ad4559aee4812857a4235aabe7f112ece5619bfbd8
-
Filesize
1KB
MD51486c0434bb411c86087fa3f8249a966
SHA1f3da7dd2674610dc46c76b4eb7aa9f80ea81d3cd
SHA256f0fd04db6633f929948bfdb4d63b54043e76229ace4fb3ea9425e0b4fd103137
SHA5120ffcdb4aae72d6692dfdb03c82dd7c96cdd066680a843cc1d20f0a9a96682d7ba28a6f98a493faa6c3ad6279bcb855a6b09a1914da1b56cca9b84377ef2b128b
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
376KB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
480KB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
696KB
-
Filesize
408KB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
7.7MB