Analysis

- max time kernel: 107s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 30/10/2024, 22:59
Static task: static1

Behavioral task: behavioral1
- Sample: 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
- Resource: win7-20241010-en

Behavioral task: behavioral2
- Sample: 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General

- Target: 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
- Size: 818KB
- MD5: 807f0f985e9e4f3e8f0bcd4f55edfe33
- SHA1: cda44708c3c8efe8d980250e791ee8cde1f7afc7
- SHA256: 18557447ecf0465479dbc151e8b1370550f10211373cd738e3a67e9112927bc8
- SHA512: 2f44a8ee43d7df95a4252d0223246f05de2e2909b0d2315c0b91d6e5ba234f6de29fe281a1ada596eb1eccf600e9b95a69837a8296382441dc11463beb17fee2
- SSDEEP: 12288:ErF379ZC7EbHCegVz9UPRdZ9fyWmqbA3:KhZDbfgVz9UPR9f9bA
Malware Config

Extracted
- Family: warzonerat
- C2: googleservers.org:5740
Signatures

- WarzoneRat, AveMaria
  WarzoneRAT (also tracked as AveMaria) is a native C++ RAT with multiple plugins, sold as malware-as-a-service (MaaS).
- Warzonerat family
- Warzone RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2908-23-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2908-18-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2908-16-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2908-15-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2908-14-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  behavioral1/memory/2908-21-0x0000000000400000-0x0000000000554000-memory.dmp | warzonerat
  All six hits are dumps of the same 0x154000-byte region (0x400000-0x554000) in PID 2908, the second vbc.exe, so the RAT body lives in the hollowed compiler process rather than in the dropper.
- Uses the VBS compiler for execution (1 TTP)
  The "VBS compiler" is vbc.exe, the Visual Basic .NET command-line compiler; here it is spawned only as a host for the injected payload.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2116 set thread context of 2908 | 2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe | 34
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1832 | 2908 | WerFault.exe | 34
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1248 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
  2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (24 IoCs, grouped by target)
  description | pid | Process | procid_target | count
  PID 2116 wrote to memory of 1248 | 2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe | 31 | 4
  PID 2116 wrote to memory of 3056 | 2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe | 33 | 4
  PID 2116 wrote to memory of 2908 | 2116 | 807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe | 34 | 12
  PID 2908 wrote to memory of 1832 | 2908 | vbc.exe | 35 | 4
  Only the 2908 target also received a SetThreadContext call; the writes into schtasks.exe, the first vbc.exe and WerFault.exe have no matching context change, which is why the combination rather than WriteProcessMemory alone is the injection signal.
Processes

- C:\Users\Admin\AppData\Local\Temp\807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe (PID 2116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\807f0f985e9e4f3e8f0bcd4f55edfe33_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1248)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnyYSA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E51.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3056)
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2908)
    Command line: "{path}"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1832)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 200
      - Program crash

The dropper is a 32-bit process: the command lines name System32, but the images actually loaded resolve to SysWOW64 through WOW64 file-system redirection, and vbc.exe comes from the 32-bit Framework directory. PID 2908 is the vbc.exe whose memory matched the Warzone RAT YARA rule and whose thread context PID 2116 replaced; its crash is what WerFault.exe (PID 1832, -p 2908) was started to report. The scheduled task is defined from an XML file written to the user's Temp directory (tmp2E51.tmp) and registered under the task folder "Updates", both common traits of commodity-RAT persistence.
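The two behaviours the tree above records, process hollowing (the dropper writes a child's memory and then calls SetThreadContext on it) and schtasks persistence from a Temp-resident XML definition, can be recovered from plain process events without any of Triage's rules. The following is an added example, not Triage's own code: the EVENTS list is constructed from the PIDs, image paths, command lines and WriteProcessMemory counts in this report, and the two detectors show why WriteProcessMemory on its own is too noisy (three of the four written targets here are benign side effects of process creation) while the write-plus-SetThreadContext pair singles out PID 2908.

```python
"""Correlate sandbox process events into the two findings this report surfaces:
process hollowing (parent writes a child's memory, then replaces its thread
context) and schtasks persistence fed from an XML file in the user's Temp dir.
Added example, not Triage's code; EVENTS is constructed from the report above."""
import re
from collections import defaultdict

VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"


def created(src, tgt, image, cmdline):
    return {"kind": "create", "src": src, "tgt": tgt, "image": image, "cmdline": cmdline}


def writes(src, tgt, n):
    """n WriteProcessMemory events from src into tgt, one record per event."""
    return [{"kind": "write", "src": src, "tgt": tgt} for _ in range(n)]


# Constructed from the Signatures and Processes sections of this report.
EVENTS = [
    created(2116, 1248, r"C:\Windows\SysWOW64\schtasks.exe",
            r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LnyYSA" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2E51.tmp"'),
    created(2116, 3056, VBC, '"{path}"'),
    created(2116, 2908, VBC, '"{path}"'),
    created(2908, 1832, r"C:\Windows\SysWOW64\WerFault.exe",
            r"C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 200"),
    {"kind": "setctx", "src": 2116, "tgt": 2908},
]
# 4 + 4 + 12 + 4 = the 24 WriteProcessMemory IoCs listed in the report.
EVENTS += writes(2116, 1248, 4) + writes(2116, 3056, 4)
EVENTS += writes(2116, 2908, 12) + writes(2908, 1832, 4)


def find_hollowing(events):
    """Children whose memory the parent wrote and whose thread context the parent
    then replaced. WriteProcessMemory alone is noisy (2116 also wrote into
    schtasks.exe and the first vbc.exe; vbc.exe wrote into WerFault.exe);
    SetThreadContext on a self-created child is the discriminating step."""
    children = {e["tgt"]: e for e in events if e["kind"] == "create"}
    write_count = defaultdict(int)
    setctx = set()
    for e in events:
        if e["kind"] == "write":
            write_count[(e["src"], e["tgt"])] += 1
        elif e["kind"] == "setctx":
            setctx.add((e["src"], e["tgt"]))
    findings = {}
    for src, tgt in setctx:
        child = children.get(tgt)
        if child is None or child["src"] != src or write_count[(src, tgt)] == 0:
            continue
        findings[tgt] = {
            "parent": src,
            "image": child["image"],
            "writes": write_count[(src, tgt)],
            # The report records the literal command line "{path}": the child got
            # no real argument, a further hint it only hosts injected code
            # (heuristic, not a hard rule).
            "placeholder_cmdline": child["cmdline"].strip('"') == "{path}",
        }
    return findings


_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Windows has no backslash escaping, so shlex would mangle the paths."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Map each /Switch (upper-cased) to its value, or None for bare flags."""
    tokens = tokenize_cmdline(cmdline)[1:]  # drop argv[0]
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i].upper()] = tokens[i + 1] if has_value else None
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def find_suspicious_schtasks(events):
    """schtasks /Create whose /XML task definition lives in a user's Temp dir."""
    findings = []
    for e in events:
        if e["kind"] != "create" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks(e["cmdline"])
        xml = opts.get("/XML")
        if "/CREATE" in opts and xml and _USER_TEMP.search(xml):
            findings.append({"pid": e["tgt"], "parent": e["src"],
                             "task": opts.get("/TN"), "xml": xml})
    return findings


if __name__ == "__main__":
    for pid, f in find_hollowing(EVENTS).items():
        print(f"hollowing: {f['parent']} -> {pid} ({f['image']}), {f['writes']} writes")
    for f in find_suspicious_schtasks(EVENTS):
        print(f"persistence: pid {f['pid']} created task {f['task']} from {f['xml']}")
```

Run stand-alone it reports one hollowing finding (2116 into 2908, 12 writes, placeholder command line) and one persistence finding (task Updates\LnyYSA from tmp2E51.tmp); feeding it a real EDR export only requires mapping that telemetry onto the same three event kinds.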
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
- MD5: 7a6de921d658f2df27b2a5e4e56b2101
- SHA1: c62233abf3983a24eb38deba17bf01cf28430d75
- SHA256: 8f955754b1c7cf4679f4842550a1a3738e6fb710de8ca351adcc4dcb610397f2
- SHA512: 4892d761511242d40dc86f70c923ee530851570d2003f79ff236743c58f99119555684446c3e9b038f58e67b5fc48e8611692b3ed68be88bf3fc9eec38fa9235