Analysis
max time kernel: 146s
max time network: 154s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/09/2024, 19:01
Behavioral task: behavioral1
Sample: dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
Size: 124KB
MD5: dcdd1f5ef6db6fce55ddef5949eca403
SHA1: 7ec48483ac912b1b58923d7412ed53985962c301
SHA256: eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679
SHA512: e53ef1a7711fda1945a6d59036fa52454722fa68bde9c6ae0f79ca341e715b3adc1fada67d352f1c8c7ce6c553d2e613fd9f32e4c4584a0254b9a5c45adb3c37
SSDEEP: 3072:lFNUcekHxRkuHxSWMDUajQJf/p/itxBCBpEzImXnr+vHI+zIcdQr12u1p:lHUcLxRkuRSWMDUaGf/p/sxWpEzImXqI
Malware Config
Extracted
family: remcos
version: 2.0.5 Pro
botnet: persomacro
C2 hosts:
- lenovoscanner.duckdns.org:2607
- lenovoscannerone.duckdns.org:2607
- lenovoscannertwo.duckdns.org:2607
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: UjgRsaW.exe
copy_folder: jFhktyE
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %Temp%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: poger
keylog_path: %AppData%
mouse_option: false
mutex: col12345-M4OQGH
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: InstallDiret
take_screenshot_option: false
take_screenshot_time: 5

With install_flag set, the bot copies itself to install_path\copy_folder\copy_file (%Temp%\jFhktyE\UjgRsaW.exe) and registers that copy under the Run value named by startup_value (InstallDiret); the Run-key IoCs below show exactly this path. keylog_flag and screenshot_flag are both false in this build, so the keylog_* and screenshot_* paths are configured but not expected to be populated. All three C2 hosts are DuckDNS dynamic-DNS names on port 2607.
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | UjgRsaW.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe

Executes dropped EXE (1 IoC)
  pid | process
  2104 | UjgRsaW.exe

Loads dropped DLL (2 IoCs)
  pid | process
  2924 | cmd.exe
  2924 | cmd.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\"" | UjgRsaW.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\"" | UjgRsaW.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\"" | dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\"" | dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
  Both the user hive (HKU\<SID>\...\Run) and the machine hive are written. The machine-hive value lands under Wow6432Node because the writer is a 32-bit process on a 64-bit host, so a hunt for the InstallDiret value has to cover HKLM\SOFTWARE\Wow6432Node\...\Run as well as the native Run key.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UjgRsaW.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2104 | UjgRsaW.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  pid | process | target pid (procid_target) | events
  2992 | dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe | 2612 (30) | 4
  2612 | WScript.exe | 2924 (31) | 4
  2924 | cmd.exe | 2104 (33) | 4
  The three edges form one chain: sample -> WScript.exe -> cmd.exe -> UjgRsaW.exe, matching the process tree below.
Processes
- C:\Users\Admin\AppData\Local\Temp\dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe (PID 2992, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (PID 2612, depth 2)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    (the command line names System32 but the image runs from SysWOW64: the 32-bit parent's path is redirected by WOW64)
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2924, depth 3)
      command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe"
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe (PID 2104, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\jFhktyE\UjgRsaW.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
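The config, the Run-key IoCs and the process tree above describe one install sequence. The script below is an added example, not part of the tria.ge report and not code from the sample: it derives the expected drop path from the extracted config, decodes the sandbox's escaped Run-value rows, confirms they point at that path in both hives, lists which processes probed the VirtualBox ACPI key, and rebuilds the launch chain from the WriteProcessMemory edges. Assumptions: %Temp% and %AppData% expand to the default folders of the sandbox user "Admin" (the %Temp% value agrees with the paths in the process list), and the event lines are constructed by copying the report's own IoC rows verbatim, so the regexes match that row layout rather than any real EDR's output.

```python
"""Added example, not part of the tria.ge report and not code from the
sample: check sandbox-style event rows against the extracted Remcos config.

Assumptions: %Temp% and %AppData% expand to the default folders of the
sandbox user "Admin"; the event lines are constructed by copying the
report's IoC rows verbatim, so the regexes match that row layout only.
"""
import json
import re

# Copied from the "Malware Config" section of the report.
REMCOS_CONFIG = {
    "install_path": "%Temp%",
    "copy_folder": "jFhktyE",
    "copy_file": "UjgRsaW.exe",
    "startup_value": "InstallDiret",
}

# Assumed expansion of the profile variables for user "Admin".
ENV = {
    "%Temp%": r"C:\Users\Admin\AppData\Local\Temp",
    "%AppData%": r"C:\Users\Admin\AppData\Roaming",
}

# Constructed input: IoC rows from the "Signatures" section, one per line.
EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ UjgRsaW.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\"" UjgRsaW.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InstallDiret = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jFhktyE\\UjgRsaW.exe\"" dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe',
    r"PID 2992 wrote to memory of 2612 2992 dcdd1f5ef6db6fce55ddef5949eca403_JaffaCakes118.exe 30",
    r"PID 2612 wrote to memory of 2924 2612 WScript.exe 31",
    r"PID 2924 wrote to memory of 2104 2924 cmd.exe 33",
]

# PID -> image name of the dropped binary, from the "Executes dropped EXE" row.
DROPPED_EXE = {"2104": "UjgRsaW.exe"}

RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+\\CurrentVersion\\Run\\(?P<name>\S+))'
    r' = "(?P<raw>.*)" (?P<proc>\S+)$'
)
ACPI_RE = re.compile(r"^Key opened (?P<key>\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\\S+) (?P<proc>\S+)$")
WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) \d+ (?P<proc>\S+) \d+$")


def expected_install_path(cfg=REMCOS_CONFIG, env=ENV):
    """Where the config says the bot copies itself: install_path, copy_folder, copy_file."""
    return "\\".join([env[cfg["install_path"]], cfg["copy_folder"], cfg["copy_file"]])


def find_run_persistence(events, cfg=REMCOS_CONFIG, env=ENV):
    """Run-value writes whose value name and target path match the config.

    Returns (hive, value name, decoded path, writing process) per hit. The
    sandbox escapes the data like a JSON string literal, so json.loads
    decodes it; the decoded data is itself a double-quoted path.
    """
    target = expected_install_path(cfg, env).lower()
    hits = []
    for line in events:
        m = RUN_RE.match(line)
        if not m:
            continue
        value = json.loads('"' + m["raw"] + '"').strip('"')
        hive = "HKLM" if m["key"].startswith(r"\REGISTRY\MACHINE") else "HKU"
        if m["name"] == cfg["startup_value"] and value.lower() == target:
            hits.append((hive, m["name"], value, m["proc"]))
    return hits


def find_acpi_vm_probes(events):
    """Processes that opened a VirtualBox ACPI table key (VBOX__), sorted by name."""
    procs = set()
    for line in events:
        m = ACPI_RE.match(line)
        if m and "VBOX__" in m["key"].upper():
            procs.add(m["proc"])
    return sorted(procs)


def process_chain(events, leaf_pid, names=DROPPED_EXE):
    """Walk WriteProcessMemory edges upward from leaf_pid; returns image names root-first."""
    name, parent = dict(names), {}
    for line in events:
        m = WPM_RE.match(line)
        if m:
            name[m["parent"]] = m["proc"]
            parent[m["child"]] = m["parent"]
    chain, pid = [], leaf_pid
    while pid is not None:
        chain.append(name.get(pid, pid))
        pid = parent.get(pid)
    return chain[::-1]


if __name__ == "__main__":
    print("expected drop path:", expected_install_path())
    for hit in find_run_persistence(EVENTS):
        print("Run-key persistence:", hit)
    print("VBOX__ ACPI probes by:", find_acpi_vm_probes(EVENTS))
    print("launch chain:", " -> ".join(process_chain(EVENTS, "2104")))
```

On a live host the same check translates to querying the InstallDiret value under both HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and comparing its data against the %Temp%\jFhktyE\UjgRsaW.exe path; the mutex name from the config (col12345-M4OQGH) is a second host-level indicator the script does not need but a responder would add.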
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 428B
  MD5: a1ee86fa851b7335c433024f2943b9c2
  SHA1: b6c60141b61e3cb1466a7740b5209a809fe1d785
  SHA256: 3523293ab79009cf895b6549e1414c2d4f64c46eb3629c454c63e3e97e50eca0
  SHA512: 7972ea2a5293e681c75b23d6e2f17fe76ce01ca5d113b234c2f1aa654975f54d2ac1a78ec9a38876fecef7a5293261c556bbfd2e5e6135fa06eccad7ecae9822
- Filesize: 79B
  MD5: 4593c17c126c5394ac6a6ac0b3f9bb5c
  SHA1: 6ec8766e7da2b4d9a6deff465e5b54f6d16ecea2
  SHA256: e164ac1088301f74105ba102f533b03657b83c7c2cd1a96b01cd277f9965af20
  SHA512: 9a7a402ba8286f5c6aafaad607638e49ec85003dcff9e7ddb59a2280863a8251d226fb052996f14b7aa73769e4a52b21b2b1f9d0756d83a6e42db77725a0b163
- Filesize: 124KB (same hashes as the submitted sample)
  MD5: dcdd1f5ef6db6fce55ddef5949eca403
  SHA1: 7ec48483ac912b1b58923d7412ed53985962c301
  SHA256: eb8ddb4030665a4bee35306bb1a44d2faeb6e44c451d6ab4c7a39d105e396679
  SHA512: e53ef1a7711fda1945a6d59036fa52454722fa68bde9c6ae0f79ca341e715b3adc1fada67d352f1c8c7ce6c553d2e613fd9f32e4c4584a0254b9a5c45adb3c37