Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16/10/2024, 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
- Size: 69KB
- MD5: 4f423fbb6d7c31fd3cac2c3729e39762
- SHA1: 547daf4dc1fec5c0f81b6f63987f945b68e1f40a
- SHA256: c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c
- SHA512: 0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9
- SSDEEP: 1536:3OtU5/9U/H52Bw+RqX82e7thSxUzKU4dHy7JH14qwqMWchkx:eta/uou+Re5cnKU4dkt6WchI
Malware Config
Signatures
- RevengeRAT: Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  resource | yara_rule
  behavioral1/memory/1964-3-0x0000000000310000-0x0000000000328000-memory.dmp | revengerat
- Executes dropped EXE (1 IoC)
  pid | Process
  876 | Micosoft.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2640 | RegSvcs.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Micosoft.exe | RegSvcs.exe
  File opened for modification | C:\Windows\SysWOW64\Micosoft.exe | RegSvcs.exe
  File opened for modification | C:\Windows\SysWOW64\Micosoft.exe | RegSvcs.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 1964 set thread context of 2640 | 1964 | 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | 30
  PID 2640 set thread context of 2916 | 2640 | RegSvcs.exe | 31
  PID 876 set thread context of 2332 | 876 | Micosoft.exe | 35
  PID 2332 set thread context of 2380 | 2332 | RegSvcs.exe | 36
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Micosoft.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | RegSvcs.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1964 | 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2640 | RegSvcs.exe
  Token: SeDebugPrivilege | 876 | Micosoft.exe
  Token: SeDebugPrivilege | 2332 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (52 IoCs; identical events collapsed, occurrence count in the last column)
  description | pid | Process | procid_target | count
  PID 1964 wrote to memory of 2640 | 1964 | 4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe | 30 | 12
  PID 2640 wrote to memory of 2916 | 2640 | RegSvcs.exe | 31 | 12
  PID 2640 wrote to memory of 876 | 2640 | RegSvcs.exe | 34 | 4
  PID 876 wrote to memory of 2332 | 876 | Micosoft.exe | 35 | 12
  PID 2332 wrote to memory of 2380 | 2332 | RegSvcs.exe | 36 | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe"
  PID: 1964
  signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2640
    signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2916
      signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\Micosoft.exe (depth 3)
      command line: "C:\Windows\system32\Micosoft.exe"
      PID: 876
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        PID: 2332
        signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 5)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 2380
          signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 84B
  MD5: 97b5144a6507e68b558ef2c85c5ef23d
  SHA1: 3b3a5db27bdfea8a463df14e92301e57e194f492
  SHA256: 7b2d574fa976abf4814d889601a7a8fc84575a97d0a7d715e257b890c931bc42
  SHA512: 96a0125b415a34efef6b33915bd6fd0e2a144d853560ca7235d1135fab7d8e7d6a814f86534c366cdacdcca0e3e1349102a39cbf3d790f7107efdd34354aefcc
- Filesize: 32B
  MD5: 4a63c2de6de95f20781563620320bdfd
  SHA1: 6d1da625342dafb630e365914a09fac09a0c7fcb
  SHA256: 8a0ec55c9f5ecf4e81c9bed8b0be26c1e123614c40b9f281aeaaf6bcf0869634
  SHA512: 31e56e6f02338529887707aff9cb965e899be45ef806bbb4ab09695511b12e422f2dabd17c181170d38ff569592f21060ffa5ea059149b0fb51b80b0139becbf
- Filesize: 69KB
  MD5: 4f423fbb6d7c31fd3cac2c3729e39762
  SHA1: 547daf4dc1fec5c0f81b6f63987f945b68e1f40a
  SHA256: c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c
  SHA512: 0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9