Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/10/2024, 02:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
  Resource: win7-20240729-en
Behavioral task
- behavioral2
  Sample: 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
- Target: 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
- Size: 78KB
- MD5: 1f368df6f51473d7ef0ef21c9475923c
- SHA1: 96e0a4fcae3b756700b6786f4372cfbb2d256958
- SHA256: 08f95054861648c4076c33d524cba402de0467762cf8f7e965ce26565afebb18
- SHA512: b2003c081888cfa4fb04cd67161859e1c272193aa020c4e51aeb20c8dac8dfc1ee8f786accc97220588297440b1749f10d3efd13ac2dd5db4a5aa1dde421f85c
- SSDEEP: 1536:ZRWV58bXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQti67I9/h1FE:ZRWV58bSyRxvHF5vCbxwpI6WjI9/e
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
- Deletes itself (1 IoC)
  pid | Process
  4388 | tmpB4C9.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4388 | tmpB4C9.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  The compiler involved is vbc.exe, the Visual Basic .NET command-line compiler shipped with the .NET Framework, invoked here with a response file from the user's Temp directory (see the process tree below).
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "C:\Users\Admin\AppData\Local\Temp\mscordbi.exe" | tmpB4C9.tmp.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpB4C9.tmp.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4388 | tmpB4C9.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2456 wrote to memory of 3336 | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe | 85
  PID 2456 wrote to memory of 3336 | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe | 85
  PID 2456 wrote to memory of 3336 | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe | 85
  PID 3336 wrote to memory of 3092 | 3336 | vbc.exe | 88
  PID 3336 wrote to memory of 3092 | 3336 | vbc.exe | 88
  PID 3336 wrote to memory of 3092 | 3336 | vbc.exe | 88
  PID 2456 wrote to memory of 4388 | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe | 89
  PID 2456 wrote to memory of 4388 | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe | 89
  PID 2456 wrote to memory of 4388 | 2456 | 1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe | 89
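Two of the registry signatures above, the Geo\Nation lookup and the Run value pointing at mscordbi.exe in the user's Temp directory, are the kind of IoC rows a triage script should pick out of bulk sandbox output. The following is an added example written for this page, not code from tria.ge or from the sample's author. The input records are constructed in the shape of the report's own IoC columns (description / key / data / process); the third record is a constructed benign control, and the set of .NET Framework component names is an assumption drawn from what ships under %WINDIR%\Microsoft.NET (mscordbi.dll, aspnet_perf.dll and so on).

```python
import ntpath
import re

# Constructed records in the shape of the report's registry IoC rows
# (description / key / data / process). Not captured logs; the third row is a
# benign control that a sound rule must leave alone.
EVENTS = [
    {"op": "Key value queried",
     "key": r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation",
     "data": None,
     "process": "1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe"},
    {"op": "Set value (str)",
     "key": r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\mscordbi.exe"',
     "process": "tmpB4C9.tmp.exe"},
    {"op": "Set value (str)",
     "key": r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "data": r'"C:\Program Files\Example\updater.exe" /background',
     "process": "updater.exe"},
]

# Keys whose read is the locale/geofence probe seen in the report.
LOCALE_KEYS = (r"\control panel\international\geo\nation", r"\control\nls\language")
RUN_VALUE_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\([^\\]+)$", re.I)
EXE_PATH_RE = re.compile(r'^\s*"?([a-z]:\\[^"]+?\.exe)"?', re.I)
# Directories any user can write to: an autostart entry pointing here needs a reason.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Assumed list of base names of genuine .NET Framework components (mscordbi.dll,
# aspnet_perf.dll, ...); an autostart using one of them outside
# %WINDIR%\Microsoft.NET is borrowing the name.
DOTNET_NAMES = {"mscordbi", "aspnet_perf", "mscorsvw", "mscoree", "csc", "vbc", "cvtres"}


def _stem(name):
    """'aspnet_perf2' -> 'aspnet_perf', 'mscordbi.exe' -> 'mscordbi'."""
    return re.sub(r"\d+$", "", ntpath.splitext(name)[0].lower())


def triage(events):
    """Return one finding per record that matches the locale probe or the
    Run-key persistence pattern; benign autostarts produce nothing."""
    findings = []
    for ev in events:
        key_l = ev["key"].lower()
        if ev["op"].lower().startswith("key value queried") and key_l.endswith(LOCALE_KEYS):
            findings.append({"rule": "locale_probe", "process": ev["process"],
                             "key": ev["key"], "target": None,
                             "reasons": ["geofence/locale lookup"]})
            continue
        m = RUN_VALUE_RE.search(ev["key"])
        if not (m and ev["op"].lower().startswith("set value")):
            continue
        value_name = m.group(1)
        pm = EXE_PATH_RE.match(ev["data"] or "")
        target = pm.group(1) if pm else None
        reasons = []
        if target and any(d in target.lower() for d in USER_WRITABLE):
            reasons.append("autostart target in a user-writable directory")
        names = {_stem(value_name)} | ({_stem(ntpath.basename(target))} if target else set())
        if names & DOTNET_NAMES and not (target and "\\windows\\microsoft.net\\" in target.lower()):
            reasons.append("name borrowed from a .NET Framework component")
        if reasons:
            findings.append({"rule": "run_key_persistence", "process": ev["process"],
                             "key": ev["key"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["rule"], f["process"], f["target"], "; ".join(f["reasons"]))
```

The value-name check strips trailing digits before comparing, so "aspnet_perf2" is matched to aspnet_perf; the path check deliberately keys on the directory rather than the file name, because the mscordbi.exe name is the disposable part of this persistence and the Temp location is not.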
Processes
- C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe (depth 1, PID 2456)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 2, PID 3336)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w9tea_d8.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (depth 3, PID 3092)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28E4DAA868064B58B2B9DD49B06EC9E1.TMP"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe (depth 2, PID 4388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
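The process tree is the most reusable part of this report: a user-mode executable in Temp launches vbc.exe with a .cmdline response file from the same directory, vbc.exe runs cvtres.exe as a normal compile step, and the freshly compiled tmpB4C9.tmp.exe is then started with the original sample's path as its only argument. The following is an added example for this page, not tria.ge code, showing how to score that shape from process-creation records. The records are constructed from the tree above (pid, ppid, image, command line); the ppid 1000 for the root and the devenv.exe build used as a benign control are assumptions, as is the short allowlist of parents that legitimately drive the framework compilers.

```python
import ntpath
import re

# Constructed process-creation records rebuilt from the report's process tree
# (pid/ppid/image/command line), plus a benign Visual Studio build as a control.
# ppid 1000 stands in for the launching shell, which the report does not show.
PROCS = [
    {"pid": 2456, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe"'},
    {"pid": 3336, "ppid": 2456,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w9tea_d8.cmdline"'},
    {"pid": 3092, "ppid": 3336,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc28E4DAA868064B58B2B9DD49B06EC9E1.TMP"'},
    {"pid": 4388, "ppid": 2456,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpB4C9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f368df6f51473d7ef0ef21c9475923c_JaffaCakes118.exe'},
    # Constructed control: an IDE-driven compile with the response file in a project directory.
    {"pid": 100, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'},
    {"pid": 101, "ppid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /noconfig @"C:\Users\Admin\source\repos\App\obj\Debug\App.cmdline"'},
]

COMPILERS = {"vbc.exe", "csc.exe"}
# Assumed allowlist of parents that legitimately drive the framework compilers.
DEV_HOSTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# "@path" or "@\"path with spaces\"" response-file argument.
RESPONSE_FILE_RE = re.compile(r'@(?:"([^"]+)"|(\S+))')


def base(path):
    return ntpath.basename(path).lower()


def lineage(procs, pid):
    """Image names from pid up to the first ancestor not in the record set."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def in_temp(path):
    return any(d in path.lower() for d in TEMP_DIRS)


def analyse(procs):
    """Flag runtime compilation outside a dev host and a Temp-born child that
    is handed its parent's own image path (the tmpB4C9.tmp.exe launch shape)."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        parent_name = base(parent["image"]) if parent else "<unknown>"
        img = base(p["image"])
        if img in COMPILERS and parent_name not in DEV_HOSTS:
            reasons = [f"{img} spawned by non-development parent {parent_name}"]
            m = RESPONSE_FILE_RE.search(p["cmdline"])
            resp = (m.group(1) or m.group(2)) if m else None
            if resp and in_temp(resp):
                reasons.append("response file lives in a temp directory")
            findings.append({"rule": "runtime_compile", "pid": p["pid"],
                             "chain": lineage(procs, p["pid"]), "reasons": reasons})
        if (parent and in_temp(p["image"]) and p["image"].lower() != parent["image"].lower()
                and parent["image"].lower() in p["cmdline"].lower()):
            findings.append({"rule": "dropper_handoff", "pid": p["pid"],
                             "chain": lineage(procs, p["pid"]),
                             "reasons": [f"{img} received parent image {parent_name} as argument"]})
    return findings


if __name__ == "__main__":
    for f in analyse(PROCS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]), "; ".join(f["reasons"]))
```

cvtres.exe is deliberately not a signal on its own: it appears under every vbc.exe/csc.exe compile, so it only adds context to the chain. The parent allowlist is where false positives are tuned; a build agent or scripting host that compiles on the fly belongs in DEV_HOSTS for that estate, not in the rule.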
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 2f7a245b0c825631e0b2c3e449522f4a
  SHA1: 3f24a166dc1b2bb2e9f7770b514373ed67d93203
  SHA256: 362589aea6e822105a3d4d27e8a49ca5b960cd83a8f650634e212582d73fdc4e
  SHA512: 84978a0c1dd18a661fb9c440457eb156d71fd4af88703d7d8a368902015220469209939f2e83c0f0a59f2c5caa39a337cbdbb58aebc5342553a4bac8fd3b2315
- Filesize: 78KB
  MD5: 47f8785b2f09e166c986e902d753f954
  SHA1: 5b5e2b5d88667d38511aa9ac7c0bc58e538b3e18
  SHA256: bfd7d482b707d13dfe14a283d783b482d8dc643b056d92bf2eaacbadf2a9fd51
  SHA512: 0fefbb1cd11bf3e5791b3e4927b293fc65ec17a8ef9f96a155ae6e787e5700b252bc3004263af9f2a5dfc08575ec6a29d96809d7cf7f437c96d5a47dd8b86e66
- Filesize: 660B
  MD5: d0d953b0e257531819a1293526d40e34
  SHA1: 2e0eee39e6f253db843970305d142199ee1a02d6
  SHA256: 0704e9f6ac118ea51994e2ce195ce45456fe0c00a2bf459cabc699e4dabf735b
  SHA512: 70ce17c54d424eb4477415762c7b1848f4dfef5986e7a84f849b3437ea1d2006718edd49cc5c515c3300310de2e679008657fbd05dc7d1e22919b12d5f222a7b
- Filesize: 14KB
  MD5: 1e514cc47d98ef17098ee7860b2dcc8b
  SHA1: f8f4d9b1715c7fb2cd3d0bdc62ec5b8e1fdfce5d
  SHA256: 9f8899745c9fa0951472940bec858d0f77f01b783e6cfb16cd10539ee5dbcada
  SHA512: 41027a1e15a8e10c114bf72a18448c22e89f2653f071eb33aaf435413a204faf69f5bce054496125b78d41fe6451f4b6eca71c435e4294255b10a2101650e91c
- Filesize: 266B
  MD5: c0558357f055d8e1e88a47883850ee7f
  SHA1: 07bdd991e671056f41d61964eb351e9114ead6b5
  SHA256: 7d193c866c6df14f5c10c9c88ede24d331f84325a7649495fc5ca17eeaf5993d
  SHA512: e84f8958a324aedf69674ea063ffd4ca0da75e8b776f4afec09082f1c862c6c42cd0d3106769bf8321cf83dfa78e68ae1d5d67ecc123ae32447a1371ea164c1e
- Filesize: 62KB
  MD5: 097dd7d3902f824a3960ad33401b539f
  SHA1: 4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f
  SHA256: e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f
  SHA512: bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4