Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
19/07/2024, 07:53
General
-
Target
5b0eec2cad9696c56031231cd3aadfe7_JaffaCakes118.exe
-
Size
220KB
-
MD5
5b0eec2cad9696c56031231cd3aadfe7
-
SHA1
f89faf0532fcef570a12dc14c9ecec5cded37d1b
-
SHA256
3f88c9843cb12cb83e1428bd4518a62f6e057904d065a1ff379f4173fc238d50
-
SHA512
eb368a9a030120e89be4881ee28defe381135b5e9be42dbdbe858d9b97c7f359e0d7a692c457375378f020fe8e18cad98c70e2bd8c0cdb3fdfef22b7a51a17ff
-
SSDEEP
3072:tVUmiLbThQWh4gSPqMcFr1TIVBbF/WmzoaVaBvWRHLQiydGKzrulc0POiwLw9YG:knLbNsg6EzTI7J/poa0BeRQi9YC/POyZ
Malware Config
Extracted
asyncrat
0.5.7B
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
mr7bashbab.ddns.net:6606
mr7bashbab.ddns.net:7707
mr7bashbab.ddns.net:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
OBS.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b0eec2cad9696c56031231cd3aadfe7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b0eec2cad9696c56031231cd3aadfe7_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "OBS" /tr '"C:\Users\Admin\AppData\Roaming\OBS.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "OBS" /tr '"C:\Users\Admin\AppData\Roaming\OBS.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC479.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\OBS.exe"C:\Users\Admin\AppData\Roaming\OBS.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147B
MD564ce6c7ca2e38324183af712a10d4691
SHA1f82af7065019f72670a1ea39cdf5164d9034ec5c
SHA256dd627fdc154744cd10ac7df53ddf65b1ec2625446c6023da47b28ae9416b5c0a
SHA512881dcdb11462671f1d90c5fb2b2abbeb5458a8d0780a8cf6a0e109beebf747a24ff0bab9f2575dfccaa233ff6cf5fe6c3061750569f7802bc9613424ed9ce0aa
-
Filesize
220KB
MD55b0eec2cad9696c56031231cd3aadfe7
SHA1f89faf0532fcef570a12dc14c9ecec5cded37d1b
SHA2563f88c9843cb12cb83e1428bd4518a62f6e057904d065a1ff379f4173fc238d50
SHA512eb368a9a030120e89be4881ee28defe381135b5e9be42dbdbe858d9b97c7f359e0d7a692c457375378f020fe8e18cad98c70e2bd8c0cdb3fdfef22b7a51a17ff
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
624KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB