Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/09/2024, 16:59
Behavioral task: behavioral1
Sample: fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Size: 249KB
MD5: fef89b11c40ba67c88e0b02fcb495c63
SHA1: 935db72361f09f21e75b20273b8186983d6cf611
SHA256: a2b18afee1bc8dceb3b39a3b55c7c0a2eb4bfaaf814968610cf709f4ebea3b59
SHA512: 36fa1c821d8b057cf6360f2b90916e0fab09cfc567c08083643df617577f38a225651ae0b8a9d40c116743efe355574026b8c22da3ddccaf931dcfab1dc9deab
SSDEEP: 6144:aKhoOpdqoHNN4fyciRsbZoF/3jFuf9POx12CXW3ei0C9o7:9pLtu6cWsbuF/91X+eih
Malware Config
Signatures
Detect Blackmoon payload (5 IoCs)
resource | yara_rule
behavioral2/files/0x00080000000234b1-6.dat | family_blackmoon
behavioral2/memory/3720-13-0x0000000000400000-0x00000000004D7000-memory.dmp | family_blackmoon
behavioral2/files/0x00070000000234b8-25.dat | family_blackmoon
behavioral2/files/0x00070000000234b2-22.dat | family_blackmoon
behavioral2/files/0x00070000000234b2-37.dat | family_blackmoon
Gh0st RAT payload (1 IoCs)
resource | yara_rule
behavioral2/memory/3720-13-0x0000000000400000-0x00000000004D7000-memory.dmp | family_gh0strat
Boot or Logon Autostart Execution: Port Monitors (1 TTPs, 2 IoCs)
Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe\Driver = "C:\\Windows\\Logs\\RunDllExe.dll" | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Executes dropped EXE (4 IoCs)
pid | Process
2140 | Process not Found
1340 | RunDllExe.exe
1792 | RunDllExe.exe
1096 | RunDllExe.exe
Unexpected DNS network traffic destination (1 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 114.114.114.114
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1096 set thread context of 4476 | 1096 | RunDllExe.exe | 89
resource | yara_rule
behavioral2/memory/3720-0-0x0000000000400000-0x00000000004D7000-memory.dmp | upx
behavioral2/memory/3720-13-0x0000000000400000-0x00000000004D7000-memory.dmp | upx
Drops file in Windows directory (17 IoCs)
description | ioc | Process
File created | C:\Windows\Logs\Ver.txt | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
File opened for modification | C:\Windows\Logs\RunDllExe.dll | RunDllExe.exe
File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
File created | C:\Windows\Logs\RunDllExe.dll | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
File created | C:\Windows\MpMgSvc.dll | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe.exe | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
File created | C:\Windows\Logs\RunDllExe_New.dll | RunDllExe.exe
File created | C:\Windows\Logs\RunDllExe_New | RunDllExe.exe
File opened for modification | C:\Windows\Logs\RunDllExe | RunDllExe.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RunDllExe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RunDllExe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RunDllExe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (28 IoCs)
The following four rows are recorded seven times in this order (28 IoCs in total):
description | pid | Process
Token: SeRestorePrivilege | 3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Token: SeBackupPrivilege | 3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Token: SeSecurityPrivilege | 3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
1340 | RunDllExe.exe
1792 | RunDllExe.exe
1096 | RunDllExe.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 3720 wrote to memory of 1288 | 3720 | fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe | 85 (recorded 3 times)
PID 1340 wrote to memory of 1356 | 1340 | RunDllExe.exe | 87 (recorded 3 times)
PID 1792 wrote to memory of 3536 | 1792 | RunDllExe.exe | 88 (recorded 3 times)
PID 1096 wrote to memory of 4476 | 1096 | RunDllExe.exe | 89 (recorded 9 times)
Processes
C:\Users\Admin\AppData\Local\Temp\fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe (level 1, PID:3720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe"
  - Boot or Logon Autostart Execution: Port Monitors
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cacls.exe (level 2, PID:1288)
    Command line: cacls C:\Windows\Fonts\*.exe /e /d system
    - System Location Discovery: System Language Discovery

C:\Windows\Logs\RunDllExe.exe (level 1, PID:1340)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (level 2, PID:1356)
    Command line: C:\Windows\system32\svchost.exe

C:\Windows\Logs\RunDllExe.exe (level 1, PID:1792)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (level 2, PID:3536)
    Command line: C:\Windows\system32\svchost.exe

C:\Windows\Logs\RunDllExe.exe (level 1, PID:1096)
  Command line: C:\Windows\Logs\RunDllExe.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (level 2, PID:4476)
    Command line: C:\Windows\system32\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Downloads