Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2024, 22:41
Static task: static1
Behavioral task: behavioral1
  Sample: 7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
Size: 78KB
MD5: 7cfcae244ac6874f2b32461bc5951211
SHA1: 87cf097cd28d5ac97686d19a74553c22fc681e38
SHA256: c190c36ae18f007b7bb7d75ce40184beeae22f8943a35ca6bc010f6398828c74
SHA512: d54f70e2c23393729dc493f52465b73e2dbf9aa52ae28b9f6bfd3032d8a1140eabc5a116cd0f4cf91ad40069a80992b12741e77d8b0dc89e5b4208fc1612189b
SSDEEP: 1536:6WtHHrdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLl9/n1yS:6WtHLdSE2EwR4uY41HyvYLl9/n
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a remote access tool (RAT) that has been in circulation since 2013.

MetamorpherRAT family

Executes dropped EXE (1 IoC)
  PID 2432: tmp9FD8.tmp.exe

Loads dropped DLL (2 IoCs)
  PID 2400: 7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
  PID 2400: 7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "C:\Users\Admin\AppData\Local\Temp\sortkey.exe"
  Process: tmp9FD8.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: vbc.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cvtres.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: tmp9FD8.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2400  7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 2432  tmp9FD8.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs; each write is logged four times)
  Source PID  Source process                                       Target PID  procid_target  Count
  2400        7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe   2236        28             4
  2236        vbc.exe                                              2956        30             4
  2400        7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe   2432        31             4
Processes
1. C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe (PID 2400)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2236, child of 2400)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\15mwis7t.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 2956, child of 2236)
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1DB.tmp"
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmp9FD8.tmp.exe (PID 2432, child of 2400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9FD8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
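The chain above (a sample running from the user's Temp directory launches vbc.exe with a Temp response file, vbc.exe spawns cvtres.exe, the sample then runs the dropped tmp9FD8.tmp.exe, which writes a Run value pointing back into Temp and enables SeDebugPrivilege) is the kind of behaviour an endpoint rule can key on without any hash. The script below is an added example and is not part of the tria.ge report or of tria.ge's tooling: it runs four such rules over constructed events modelled on this report's process tree, registry IoC and privilege IoCs. PIDs, image paths, command lines and the registry value are copied from the page; the event dict layout and field names, the csc.exe entry and the benign MSBuild control case (PIDs 1500/1501) are assumptions.

```python
"""Added example: behaviour rules over constructed endpoint events modelled on
the tria.ge report's process tree and IoCs (event format is an assumption)."""
import ntpath
import re

# Path fragments the rules key on. In this report the sample, the dropped
# tmp9FD8.tmp.exe and the Run-key target all live under the user's Temp dir.
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}  # csc.exe added by assumption (same TTP, C# flavour)

# Constructed sample events. PIDs 2400/2236/2956/2432, their images, command
# lines and the registry value are taken from the report; PIDs 1500/1501 are a
# constructed benign control (a build tool compiling outside Temp) that must
# NOT be flagged. Dict layout and field names are assumptions.
EVENTS = [
    {"type": "process", "pid": 2400, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe"'},
    {"type": "process", "pid": 2236, "ppid": 2400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\15mwis7t.cmdline"'},
    {"type": "process", "pid": 2956, "ppid": 2236,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1DB.tmp"'},
    {"type": "process", "pid": 2432, "ppid": 2400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp9FD8.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp9FD8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7cfcae244ac6874f2b32461bc5951211_JaffaCakes118.exe'},
    {"type": "registry_set", "pid": 2432,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\sortkey.exe"'},
    {"type": "privilege", "pid": 2400, "token": "SeDebugPrivilege"},
    {"type": "privilege", "pid": 2432, "token": "SeDebugPrivilege"},
    {"type": "process", "pid": 1500, "ppid": 1,
     "image": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe",
     "cmdline": r'"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe" app.vbproj'},
    {"type": "process", "pid": 1501, "ppid": 1500,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Projects\app\obj\Debug\app.cmdline"'},
]


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def process_map(events):
    """pid -> process-creation event, so rules can look up a parent's image."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def detect_runtime_compile(events):
    """Rule 1: a .NET command-line compiler spawned by a process running from
    Temp, with /noconfig and a response file in Temp (the vbc.exe step above)."""
    procs, hits = process_map(events), []
    for e in procs.values():
        if _basename(e["image"]) not in DOTNET_COMPILERS:
            continue
        parent = procs.get(e["ppid"])
        if (parent and USER_TEMP_RE.search(parent["image"])
                and "/noconfig" in e["cmdline"].lower() and USER_TEMP_RE.search(e["cmdline"])):
            hits.append(("runtime_compile", e["pid"]))
    return hits


def detect_temp_run_key(events):
    """Rule 2: a Run value (HKLM or HKCU, including Wow6432Node) whose target
    lives in the user's Temp directory (the mscorsvc -> sortkey.exe value above)."""
    return [("run_key_to_temp", e["pid"]) for e in events
            if e["type"] == "registry_set"
            and RUN_KEY_RE.search(e["key"]) and USER_TEMP_RE.search(e["value"])]


def detect_temp_spawns_temp(events):
    """Rule 3: an executable in Temp launched by another executable in Temp
    (dropper running its dropped payload, 2400 -> 2432 above)."""
    procs, hits = process_map(events), []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and USER_TEMP_RE.search(e["image"]) and USER_TEMP_RE.search(parent["image"]):
            hits.append(("temp_spawns_temp", e["pid"]))
    return hits


def detect_sedebug_from_temp(events):
    """Rule 4: SeDebugPrivilege enabled by a process running from Temp."""
    procs = process_map(events)
    return [("sedebug_from_temp", e["pid"]) for e in events
            if e["type"] == "privilege" and e["token"] == "SeDebugPrivilege"
            and e["pid"] in procs and USER_TEMP_RE.search(procs[e["pid"]]["image"])]


def analyze(events):
    """All rules, de-duplicated and sorted for stable output."""
    hits = (detect_runtime_compile(events) + detect_temp_run_key(events)
            + detect_temp_spawns_temp(events) + detect_sedebug_from_temp(events))
    return sorted(set(hits))


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:20s} pid={pid}")
```

Rule 1 deliberately requires both a Temp-resident parent and a Temp response file; a developer box compiling a project with MSBuild (the 1500/1501 control) satisfies neither, so it stays quiet. Rule 2 matches the key by its `\CurrentVersion\Run\` suffix rather than by hive prefix, so it catches the `Wow6432Node` path seen here as well as the native 64-bit and HKCU variants.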
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 15KB
   MD5: bfd48b578787d245f0acb9e91ae89b46
   SHA1: 1e9f055e28e01a87723e2e65faab72d2aee45267
   SHA256: 28a305fa704fdc2707daefd45c362334bb89eb8f67950c792fe44bda1b0086ac
   SHA512: bf8f8195da59592330bee7b1eb7d7652e66017c47eeaf944baf356564e5b25ca4b05f98a7a0ed8707b22e3aff7b4cb0d8f4dfd5614f5a9ab34abdf2d9021ec27
2. Filesize: 266B
   MD5: d3f95975818fed6af51c292c4323a50c
   SHA1: f384537195fd7076dc16ab37f266e30ea3a2c91c
   SHA256: 5f74fbfa9d8db9f6569ddfd11c45409fb0f773c01208e613f613ab34d1e6bf78
   SHA512: 03c8adbd143590531eab0762eb237722be0357851fbbae4f14b503a1089f016cbc4e6229f78fac094df1651afcb4d8f453c2327b2a0cc038779aa0342db9990e
3. Filesize: 1KB
   MD5: 64dcac81b7eadaec3dfd41dbdbe7c6bc
   SHA1: bcf608d1b97bdd9f3c2008a99b6d67ded974683f
   SHA256: e7ac043453e6f8a7cf262e0b181d923cb7e435e7db6bf10fd5701a4c2e559919
   SHA512: 756c0d602575f70e0d8da90038abb05a784fe57b0cdb1d7430084898411bf36d7bd9ba69da853451b15b4812bf1531575670367b70eebafde6bf78ba763de16b
4. Filesize: 78KB
   MD5: 504e222856b386eb7f083ed7c096e703
   SHA1: 01522a05e61975b6c041bf14a5786cd4a851ab4b
   SHA256: e83882251988e9ece9b18ac42d9a43cb7af3a0848ec46ff116579fb4ce12e615
   SHA512: 16bac59050193c9d74c4a4db436f8734664d52fbedf7726ca7b926f6c3c8fb5abefbb57fe10f31fe0bcff8d35d55a08cdd1ca3d074fa26de8fd5736e13349a47
5. Filesize: 660B
   MD5: c324e500242e186ca28551be060879fa
   SHA1: a6784231cb6315cb479127d29538cc78c8d742fd
   SHA256: c33c9d5334a332ef97306f7fafdace8e28fad96bed55f2753425b00f1c9d6262
   SHA512: 285c38736ce3d6a2bebd00456ca24ea3a899ba51fbc7e4b627e7902ee75519e962f2fd52141e81e7b92f3017bdeed640377c407c9ce03275d6398f5355c51acc
6. Filesize: 62KB
   MD5: 6870a276e0bed6dd5394d178156ebad0
   SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
   SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
   SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809