Analysis
- max time kernel: 142s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/06/2024, 06:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
- Size: 1.5MB
- MD5: b73c62ae01e5afb4e6f9295663d6e4d7
- SHA1: 4bc872c0d89e5790de2f8d531d1c940714a6749c
- SHA256: 83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa
- SHA512: 89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a
- SSDEEP: 24576:1IQwzFQMJFFSzlCqGv5pUDH+RMRQtPO5Xj9snGmUqf/yj2RCSGux9pYYwqF:uQ96IGBxRs22VSnGmUqCqnxrYm
Malware Config
Extracted
- Family: orcus
- C2: 88.150.189.98:9989
- 888d0d2baff647a0a0872845c71c5fc6
- autostart_method: Registry
- enable_keylogger: true
- install_path: %appdata%\AudioDriver\AudoDriver.exe
- reconnect_delay: 10000
- registry_keyname: AudioDriver
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Orcurs Rat Executable (1 IoC)
- resource: behavioral2/memory/1556-50-0x0000000000400000-0x00000000004E8000-memory.dmp, yara_rule: orcus
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
- PID 2388: AudoDriver.exe
- PID 1556: AudoDriver.exe
Drops desktop.ini file(s) (2 IoCs)
- File created: C:\Windows\assembly\Desktop.ini (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 1748 set thread context of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 2388 set thread context of 1556 (AudoDriver.exe, procid_target 89)
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\assembly (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe)
- File created: C:\Windows\assembly\Desktop.ini (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe)
- File opened for modification: C:\Windows\assembly\Desktop.ini (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 1556 (AudoDriver.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1556 (AudoDriver.exe)
Suspicious use of WriteProcessMemory (25 IoCs)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1748 wrote to memory of 1092 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 84)
- PID 1092 wrote to memory of 5048 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 85)
- PID 1092 wrote to memory of 5048 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 85)
- PID 1092 wrote to memory of 5048 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 85)
- PID 5048 wrote to memory of 1812 (csc.exe, procid_target 87)
- PID 5048 wrote to memory of 1812 (csc.exe, procid_target 87)
- PID 5048 wrote to memory of 1812 (csc.exe, procid_target 87)
- PID 1092 wrote to memory of 2388 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 88)
- PID 1092 wrote to memory of 2388 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 88)
- PID 1092 wrote to memory of 2388 (b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe, procid_target 88)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
- PID 2388 wrote to memory of 1556 (AudoDriver.exe, procid_target 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe (level 1, PID 1748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe (level 2, PID 1092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (level 3, PID 5048)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djtmpzlf.cmdline"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 4, PID 1812)
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E9D.tmp"
    - C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe (level 3, PID 2388)
      Command line: "C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe (level 4, PID 1556)
        Command line: "C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads