Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22/08/2024, 11:26
Static task: static1
Behavioral task: behavioral1
- Sample: b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Size: 704KB
- MD5: b7740b80e7e55c51122870c5b9bcc743
- SHA1: 2047d1d0910dadfbc163f09192ffdb8bc8c1717e
- SHA256: 2c04ee4cb87e9e0997b7572c12d34281375947f56927b766bf4ac25775521aac
- SHA512: 98685f155e4ddf37bc49625b20fdc85a78f658b6ffd6300dc3ef3780e5171bde51e70ab2714e1b90972f2d4989661bf2af49a6b2e07fb13e1434bde6436c3414
- SSDEEP: 12288:6qEqoY9oQsxB5FAYxl4hskilwg84Qx5guzunXMKobsETrKjMU4xO7KjMU4xO:6ZqRPsvchskilwgiMnXMRsQKjYQKjY
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2804 | DeviceMetaus.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Qjc3NDBCODBFN0U1NUM1MT = "C:\\Users\\Admin\\DeviceMetaus.exe" | DeviceMetaus.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DeviceMetaus.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | DeviceMetaus.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | DeviceMetaus.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2804 | DeviceMetaus.exe (64 identical events from this one process)
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  3024 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3024 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2804 | DeviceMetaus.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3024 wrote to memory of 2804 | 3024 | b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe | 30
  (the same event is recorded four times)
Processes
- C:\Users\Admin\AppData\Local\Temp\b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe (PID: 3024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7740b80e7e55c51122870c5b9bcc743_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\DeviceMetaus.exe (PID: 2804, child of PID 3024)
    Command line: "C:\Users\Admin\DeviceMetaus.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 704KB
  MD5: b7740b80e7e55c51122870c5b9bcc743
  SHA1: 2047d1d0910dadfbc163f09192ffdb8bc8c1717e
  SHA256: 2c04ee4cb87e9e0997b7572c12d34281375947f56927b766bf4ac25775521aac
  SHA512: 98685f155e4ddf37bc49625b20fdc85a78f658b6ffd6300dc3ef3780e5171bde51e70ab2714e1b90972f2d4989661bf2af49a6b2e07fb13e1434bde6436c3414