Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20/10/2024, 21:07
Behavioral task: behavioral1
- Sample: 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
- Resource: win7-20240903-en
General
- Target: 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
- Size: 329KB
- MD5: 4ab5a7a21ee8943b1e78513e20dc25f0
- SHA1: b80f2bfcd47e38d520f88263907080282ec64dd5
- SHA256: 4c1497ab75a29dc8fbbffa6d4cefe6629f43bdbec9f6cdb08c450a6e89d0871c
- SHA512: c520d80b17352b582418b35a0e3efd4b35a835b771517ae3e3c91a5b2c332bf5b21af8ae7b9ce665692b15f47b6476a1c1a0318e95ac987c1543ea9ee77a32e7
- SSDEEP: 3072:NdXi+V5Kgxpdxj8gbib20xTyst542t8ZHWBow8+zoB91wDQgJl0x2AEMenKbZisB:Nd7rpL43btmQ58Z27zw39gY2FeZhp
Malware Config
Extracted
- urelas
  - 218.54.31.165
  - 218.54.31.226
Signatures
- YARA rule match
  resource | yara_rule
  behavioral1/files/0x0009000000016409-38.dat | aspack_v212_v242
- Deletes itself (1 IoCs)
  pid | Process
  2316 | cmd.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  1156 | rybel.exe
  2764 | zoujqo.exe
  1848 | qemuz.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  1796 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
  1796 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
  1156 | rybel.exe
  1156 | rybel.exe
  2764 | zoujqo.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rybel.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zoujqo.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qemuz.exe
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid | Process
  1848 | qemuz.exe (the same entry is repeated for all 62 IoCs)
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1796 wrote to memory of 1156 | 1796 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 31 (4 entries)
  PID 1796 wrote to memory of 2316 | 1796 | 4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe | 32 (4 entries)
  PID 1156 wrote to memory of 2764 | 1156 | rybel.exe | 34 (4 entries)
  PID 2764 wrote to memory of 1848 | 2764 | zoujqo.exe | 35 (4 entries)
  PID 2764 wrote to memory of 1800 | 2764 | zoujqo.exe | 36 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ab5a7a21ee8943b1e78513e20dc25f0_JaffaCakes118.exe"
  PID: 1796
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\rybel.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\rybel.exe"
    PID: 1156
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zoujqo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\zoujqo.exe" OK
      PID: 2764
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\qemuz.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\qemuz.exe"
        PID: 1848
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 1800
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    PID: 2316
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304B
  MD5: e65262878a5b9eef64d14cfdedda0f5c
  SHA1: b8d0f837306f25fd401065434a8b8d874eec66dc
  SHA256: 518ac386ba6b3e18737d5301e2c3ab7683ced914ebeca1e89d5e603706851af9
  SHA512: 4292f01eed8cc90f8d12a7b0b712cc0d77d5114e726ec6cca359766f3838325c9c54e5498c132e19fe9ddf3fe1fc061a3162df82edc44b4f7c6be1fd3b118fda
- Filesize: 224B
  MD5: 518834379078ce0fe7331b793ac1842f
  SHA1: 8998a5586c4684d27315031b35d54891e40503ea
  SHA256: 4220506cc156e3e4d3fb98c067376139400b74aa771e011cb2af99620325bcfd
  SHA512: d701ebfbe760cb8edc09ba30766f7608c09cffd9912393f538d56d51c9d4ae060ab7045c7a3f10b7fa22fb49640363c4d4daa62c76d0edc2d41181b74c074047
- Filesize: 512B
  MD5: 991e03aa6cc5fe14b87625c68b587a11
  SHA1: 13eab63ff994e15f936a707ae861d663440bd7bb
  SHA256: f2bc590eb42bd872d20bfd5f28238f2b6504732f9a4828ca6e554441926de83b
  SHA512: 955fec493129a9a471a6be898bedc79fed03379506ca71932b4c9e851144879570a0c4465a2e934ccef46292784aba9aa29fc00cf70e089d47c802069c3b0582
- Filesize: 136KB
  MD5: 7f24d9645cdca42aa20360d62be5655d
  SHA1: 118e7dbba251a4e5da8395d1255e44c745286cd9
  SHA256: 69ea031887dfe783d7dd9e947c60076f8d559c06a0101a4ec303235cd301fa65
  SHA512: 34aed3b3a3aab96eb26e5c93b105cb27b081c82316125db919b1c928fe453849a19400f9324b7ac8c0a34823769ae91142299a540591eed7d77469464597e6aa
- Filesize: 329KB
  MD5: 6492888d30442b43e728725b09616f06
  SHA1: 0da8777b35245dd3eab04ad07d6cd989ec02408a
  SHA256: 9fb1247e305f7e01ef56b1a1950cedf249b6e2bc918e7bde879101cf044afe5b
  SHA512: c33a6c47b6d9a73c53ecb7b4038db76f8b08d96b56ef0890ff54642825895eaa69a59631f42cb0350fa9747ad4a612439e6c2ff82f3addac3b52ed1d1c25c956