Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 09/07/2024, 12:53
Static task: static1
Behavioral task: behavioral1
Sample: 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
Size: 502KB
MD5: 307376c3bc70be7e27a4da7c51ee1121
SHA1: cae0674af06a6b623d1cc66d3fdd4e8aafd8e258
SHA256: e5a5ddfd3726e56e9dd8671cffeb415f29e3c81b5dda36a8483d81659fd44d39
SHA512: d6f7afecacb88b1d82d1c323bf6f97b8c71382aaf7d80c4c7f7a1142dcdf24a6f836c38b6f4b166c28558ff4c80f55ac0d0a93b1f35d590ae68457686321481c
SSDEEP: 12288:Pt4Rx/JDRFLswlO3J5R2PpIPavXF6CH6dm8xNr5GYto:Pt4j9R5JQXRWIPCHje9GYq
Malware Config
Extracted
cybergate
2.7 Final
0
spynet20.no-ip.info:83
***MUTEX***
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: install
install_file: svchost.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: 1231077r
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures

Adds policy Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 14874.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\14874.exe" | 14874.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 14874.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\14874.exe" | 14874.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0} | 14874.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}\StubPath = "C:\\Windows\\system32\\14874.exe Restart" | 14874.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{GAJS22C3-6VR3-1U73-7GLP-52LMT142M7R0}\StubPath = "C:\\Windows\\system32\\14874.exe" | explorer.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation | 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
pid | process
3508 | 14874.exe

resource | yara_rule
behavioral2/files/0x0009000000023289-13.dat | upx
behavioral2/memory/3508-17-0x0000000000400000-0x00000000004AD000-memory.dmp | upx
behavioral2/memory/3508-1368-0x0000000000400000-0x00000000004AD000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\14874.exe" | 14874.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\14874.exe" | 14874.exe

Drops file in System32 directory (6 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\14874.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\ | explorer.exe
File created | C:\Windows\system32\14874.exe | 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\14874.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\ | explorer.exe
File created | C:\Windows\SysWOW64\14874.exe | explorer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
3508 | 14874.exe
3508 | 14874.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3180 | explorer.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3180 | explorer.exe
Token: SeDebugPrivilege | 3180 | explorer.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | process
3508 | 14874.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | procid_target
PID 3068 wrote to memory of 3508 | 3068 | 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe | 85
PID 3068 wrote to memory of 3508 | 3068 | 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe | 85
PID 3068 wrote to memory of 3508 | 3068 | 307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe | 85
PID 3508 wrote to memory of 3440 | 3508 | 14874.exe | 56
(the last row is repeated identically for the remaining IoCs; 64 IoCs in total)
Processes
- PID 3440: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - PID 3068: C:\Users\Admin\AppData\Local\Temp\307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\307376c3bc70be7e27a4da7c51ee1121_JaffaCakes118.exe")
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - PID 3508: C:\Windows\system32\14874.exe (command line: "C:\Windows\system32\14874.exe")
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - PID 2040: C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe)
        - Boot or Logon Autostart Execution: Active Setup
        - Drops file in System32 directory
      - PID 3180: C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe)
        - Drops file in System32 directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 588KB
MD5: e54f4c6a7306cb5fecb2ab00b8ff4845
SHA1: 8e48cea7dd292ccce28e80bdae53de994717b01c
SHA256: 74f537652f21dccaef32d880208107e9d2e0579c8fb9e28314af364079184608
SHA512: 55745017322403147bd99a59c45f017543fd7ead638fddd16be431e11ef05c8945cf43c807e171b88d6652747f7e062f6c99d53a2efa5ab47de462c55003d3a9

Filesize: 8B
MD5: c515d956b160a9bdb1aa78f04cb78b59
SHA1: c16a4eca7726e80e55e8f41d77adb1d7f675fd47
SHA256: 1e021175ca33aaa7b35fa47edec6f37ca8bee9831245ebe675273900c399082b
SHA512: 78bd863b905ad3b7efc837a898322219aae70af1de208bc3089b85842e241312ddb885db61f62256d6340d161f7555543a1885672b3925d96502e061c563127b

Filesize: 8B
MD5: b24bff817567995292ab5aa614fa22bd
SHA1: ace8c5fe32a9d9012df628c369471fa800117680
SHA256: 417004625662482407325d4d954984a3b23972200e270cf8e58e2e025c9d8487
SHA512: e71399e91af80824c1b274cdb2a47f2b5227d68c2e4ddc4901c98dfe9ba97042eda6fc5ab30f10a3bdb9d5e1590b8454a8b13a7368b0daae8f2eb2ba07dfe0df

Filesize: 8B
MD5: 3aa2d712d7b5f90870acde3c47f0ea08
SHA1: 34a3fbbeeaa5300cb4508f60f9895463e6d53a6c
SHA256: 3c71bd173b8314086a589f7d26277f2ef92a348dad82e0124d2f81d3648343df
SHA512: 5419fcce0a8b4ec86499062f0f336230698dd3df729c98d636030cc0084b39f0f3a0b995f6a5b9d6977a13992daac4a0d150bd82b173ee74e23e6473482b7361

Filesize: 8B
MD5: f874dea4be94ac6a4d323b97ed63bd05
SHA1: 27102c585662457e01403cdc9379c18952e1d0a6
SHA256: 69094071473ab71968446c162096a484a28b0929f313314d94af3d0bde343a9b
SHA512: e3b4d03960aefae0d46b4ddf8f24f4d439c3defa77b7e663e619a30baf30ae103de993d5c1934c21e403e23fbc2329ed0f3044a9b75be9c230b55ae3f6978e81

Filesize: 8B
MD5: a68906155e3f2a3364de10b4cdbce781
SHA1: 3c40db2d8206e1a1325e4be68b808ab6f84df6ce
SHA256: 109bbad3268f15bded1532e3180febffdb2a7057e470ec58849949f3498de48d
SHA512: 10963e3927bcfe0e8313c1740081118ee9ef7503bab93b5e5d5357c4ad97a7c89fab6b7a9ce57c041a9287fc673e3fee4672919c116ed9f5a324912702e96c9c

Filesize: 15B
MD5: bf3dba41023802cf6d3f8c5fd683a0c7
SHA1: 466530987a347b68ef28faad238d7b50db8656a5
SHA256: 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512: fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Filesize: 472KB
MD5: fa810017376abe6ed9b0840f90e38fa7
SHA1: 9f5d6696fd8d00b62afef9f3015ac0e41a11cb1d
SHA256: 78c223eced9fb8fafb8c8f1267681096756c559b4a1f4bf051dc347dd50e4665
SHA512: 9010003eaeb385db49b052c03b1321493f5ecf39f4407fab5b7dc2ebc6f28838b6a9925d02c857b4468890532a64558cd6dd9a934c9843f5f458a0571dfbec72