Analysis
- max time kernel: 141s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/10/2024, 17:58

Static task: static1
Behavioral task: behavioral1
Sample: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
- Size: 684KB
- MD5: 5de9dcc57b578bf915e553ae272269dc
- SHA1: 162ef6514901b7783261eb12f68f8798dc0e8f3d
- SHA256: 5b14d9674cbd536403423c9822182497469034a86ad12ced50ab02bdc9166cce
- SHA512: 98f2d30c39ef4706ed95579dfccf6e6637b5643c06c41dcc0dd4f61f6628f1d9691684b92699045b80486313fbb9d076e734419d83e31a036c36a1e30cd7dff5
- SSDEEP: 6144:XkKRDBCU++To9SLXGvRitOcpuAtk42a85SZvmSj/IHhiohh0RZHy4Y4uGtBzcVT:PgSLGI4AgJ5SZ9QHhhCXqGPz
Malware Config

Extracted
blacknet
v3.7.0 Public
D7tJ7v
http://officialcomerce1.xyz/lee
BN[f9a1b17a]
- antivm: false
- elevate_uac: false
- install_name: WindowsUpdate.exe
- splitter: |BN|
- start_name: e162b1333458a713bc6916cc8ac4110c
- startup: false
- usb_spread: false
Signatures

BlackNET payload (1 IoC)
- resource (yara_rule): behavioral2/memory/1756-16-0x0000000000400000-0x000000000041E000-memory.dmp, rule family_blacknet

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- resource (yara_rule): behavioral2/memory/1756-16-0x0000000000400000-0x000000000041E000-memory.dmp, rule disable_win_def

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 2464 set thread context of 1756 (pid 2464, process 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe, procid_target 99)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegSvcs.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: PING.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- pid 1280, process cmd.exe
- pid 536, process PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
- pid 536, process PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 2064, process schtasks.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
- pid 2464, process 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe (2 of the 24 entries)
- pid 1756, process RegSvcs.exe (22 of the 24 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege (pid 2464, process 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 1756, process RegSvcs.exe)

Suspicious use of SetWindowsHookEx (3 IoCs)
- pid 1756, process RegSvcs.exe (all 3 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 2464 wrote to memory of 2064 (pid 2464, process 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe, procid_target 96), 3 entries
- PID 2464 wrote to memory of 1296 (pid 2464, process 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe, procid_target 98), 3 entries
- PID 2464 wrote to memory of 1756 (pid 2464, process 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe, procid_target 99), 8 entries
- PID 1756 wrote to memory of 1280 (pid 1756, process RegSvcs.exe, procid_target 101), 3 entries
- PID 1280 wrote to memory of 536 (pid 1280, process cmd.exe, procid_target 103), 3 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe"
  PID: 2464
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TiqvqaWbL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46C8.tmp"
    PID: 2064
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    PID: 1296

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    PID: 1756
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1280
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 5 -w 5000
        PID: 536
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
Network

MITRE ATT&CK Enterprise v15

Discovery
- Peripheral Device Discovery (1)
- Query Registry (5)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
- System Language Discovery (1)
- System Network Configuration Discovery (1)
- Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 1KB
- MD5: fa991282c015d583800c4d01e8af5b3a
- SHA1: 6c61731d6bd848dbc51734b58e646e904bfe7080
- SHA256: 421f03c3ac9880cd07c37f877e11bcb882d5edd5cc8ba39269dec63040b6231c
- SHA512: 3244c75c397e28f031e7b83a99050393e4bd7eb146612094686e1ab16f1923697c898119a26eea88c886d3fd700bb82792841659becca929867b0a21c1a5dd6b