Analysis
- max time kernel: 130s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/09/2024, 14:39
Static task
- static1
Behavioral task
- behavioral1
  - Sample: d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  - Resource: win7-20240903-en
Behavioral task
- behavioral2
  - Sample: d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
- Size: 410KB
- MD5: d49652f293d246529d2102c8e962d85e
- SHA1: 04e31d28408be9d2963d402f368a880987b3851c
- SHA256: 5d29602ace80728915a5dcbcf3fdb46bc8a82bc5dacbe0c339cd9b544fbc17fc
- SHA512: 1e1c43fc685549bafc8be9d29f7f97935874b215e7b435d652eedce9c9946bb4370f2e41e3e6476ed0fabd3deaceab02f4f715e5d3475285802b170afee003af
- SSDEEP: 6144:QsVn8Y/2+3x5spUN1yY0zyZcVFVmPE45Ono0n4ed9PcTJpCvQLF:t58WhWmNEYOypPE450n4ewTJk
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.petrotos.gr
- Port: 587
- Username: [email protected]
- Password: Tiger@456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/3980-407-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- System Binary Proxy Execution: InstallUtil (1 TTPs, 2 IoCs)
  Abuse InstallUtil to proxy execution of malicious code.
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\InstallUtil.exe | system32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
- Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3040 | system32.exe
  3980 | InstallUtil.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  4620 | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  3040 | system32.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system32 = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\system32.exe" | reg.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 3040 set thread context of 3980 | 3040 | system32.exe | 99
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid | Process
  4620 | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe (22 identical entries)
  3040 | system32.exe
  3980 | InstallUtil.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4620 | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  Token: SeDebugPrivilege | 3040 | system32.exe
  Token: SeDebugPrivilege | 3980 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4620 wrote to memory of 4516 | 4620 | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe | 93 (3 identical entries)
  PID 4516 wrote to memory of 4324 | 4516 | cmd.exe | 95 (3 identical entries)
  PID 4620 wrote to memory of 3040 | 4620 | d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe | 98 (3 identical entries)
  PID 3040 wrote to memory of 3980 | 3040 | system32.exe | 99 (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d49652f293d246529d2102c8e962d85e_JaffaCakes118.exe"
  PID: 4620
  Signatures:
  - System Binary Proxy Execution: InstallUtil
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system32 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"
    PID: 4516
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v system32 /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"
      PID: 4324
      Signatures:
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32.exe"
    PID: 3040
    Signatures:
    - System Binary Proxy Execution: InstallUtil
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      PID: 3980
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 94KB
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- Filesize: 41KB
  MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
  SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
  SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
  SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
- Filesize: 410KB
  MD5: d49652f293d246529d2102c8e962d85e
  SHA1: 04e31d28408be9d2963d402f368a880987b3851c
  SHA256: 5d29602ace80728915a5dcbcf3fdb46bc8a82bc5dacbe0c339cd9b544fbc17fc
  SHA512: 1e1c43fc685549bafc8be9d29f7f97935874b215e7b435d652eedce9c9946bb4370f2e41e3e6476ed0fabd3deaceab02f4f715e5d3475285802b170afee003af