Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

JaffaCakes...e1.ps1

windows7-x64

10

JaffaCakes...e1.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2024, 10:05 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1.ps1

  • Size

    734KB

  • MD5

    ad0871c1aa964d2617379e8424091e83

  • SHA1

    0da34d9fc8f474dcc0c871c7626fa6ffa350250a

  • SHA256

    b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1

  • SHA512

    b6a44495ff96ac032a48a497c6d63d69f2393eef666751f3ac0ec8024d37155ff4f0f1ede906a5c3299d2d7f369a25912606e7c3a4019f70727944689fe85a77

  • SSDEEP

    12288:1/wxxwwHubxxwxx8xxwWxIwwwwwwwLxxewxwxxwSwAxxxwwwwwwwwwwwwwbxtwwI:fFWGyBpLepNnnWJ

Score
10/10
metasploitbackdoorexecutiontrojan

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://157.230.184.142:443/ST/TWGRYKf0/d/du92w/RUk/Z2l.htm

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b6c806fccfeb1bae95a4f02a14b5d1676df10166d7fda4e6a053d4e4bf931fe1.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dz-ec4u4.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEF4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCED3.tmp"
        3⤵
          PID:3012
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        dw20.exe -x -s 808
        2⤵
          PID:1452

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESCEF4.tmp
        Filesize

        1KB

        MD5

        87bd67065b5a6ef55731c29e31b3fb36

        SHA1

        9932743d3e46aa656b18bb233575b5f90a3e0098

        SHA256

        5b3af98d3420f94f4f76c5c954cce3fec66cf902faef73cff9a6796230c45231

        SHA512

        577e4005d45ef9a4764643e46a4c685ad2cb5ac912c9afd5bea599f29be42f0733ba79bd745c5c92eb27fd03a507df297b627ec4914831ca97fca4507b5304d5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\dz-ec4u4.dll
        Filesize

        3KB

        MD5

        6aaa576d4de3dbcd804918d5491172ed

        SHA1

        0abbcb67bad3436ba964c520ddef6e5d7a098377

        SHA256

        8bddb26ef06d3f7c7832b319b2da425ba39c3ed3ceb53711f8e0a7acd73c38da

        SHA512

        e9cf91ed0d2461a93334812b76f5a55d831f107cadde7cabdc9ff2a86ee9ed04775fc8ca68a444aacdbc558945b16f9ee715e3e29e0711d2b4dd3caa9af774e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\dz-ec4u4.pdb
        Filesize

        7KB

        MD5

        83a626004c7b8dc4249eb76d1c803d70

        SHA1

        4f2148c5afcb3f3711997690383cb615528e5c18

        SHA256

        4aec0e8dfa1210bbb3e28d003d9b01c91c8a2102593ed4822e278df437d776e9

        SHA512

        7f4e9458e3bf38cb45f2ec345afc572428ea7cc4d9bbece4fd77c994bfe3d1a7428122679a54623f370b851feaccd99ac4db5f73e38ff5c774c4719c14588fa3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSCCED3.tmp
        Filesize

        652B

        MD5

        aa06975e7f43764863c1e422d5906954

        SHA1

        f2ae0922ac6f471a5da00b54686b5190b0842908

        SHA256

        9ff50b501b6141019621efe5b243473a9e9a3dd049dac4fb577d3f9c0904450f

        SHA512

        d5ed1009e3d898a285d7ee02631f515e0b027c11f37c2f3d72274f24d266f26fc3b5580d036afff4132a9a56b616b1893d3868ae748d9cc52af27c52d255a07b

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\dz-ec4u4.0.cs
        Filesize

        766B

        MD5

        55849ed53c1f40026d13055936ebf200

        SHA1

        c1f3dc4dde4619f6aa72ec1f4ab9e4595c2e7b57

        SHA256

        37f921e7eb12a6f30ddf45670e5edfd06e9796d57d6566bddbfc0b328f9a86c9

        SHA512

        b689e2f07eb8695f41bd1411218087c1e2e4a00484c981df99da1148d95b14fc24c831a7c06e107a0b5c7a4d35cd52c670e495d08eee4b9864e2e2686b819bc3

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\dz-ec4u4.cmdline
        Filesize

        309B

        MD5

        bb7d996ecd6a60441bd59ccaa310a863

        SHA1

        52ef10b54197e45dc530b5239f9f05336eeadb67

        SHA256

        0df4304a39600238cc27aef8f9e19f3ee7dc976a9a59daac7fb768f55bdb34b4

        SHA512

        3ded972eb93343c1311ce9e23884a509b1a2db827ac61bb689d3368df78c24efbfa1a9b7be9a42b7eb0cf5fb39a08d45b20015625523ce3031017d24a63f8781

        Download Submit

      • memory/2076-8-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2076-10-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2076-9-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2076-4-0x000007FEF4ACE000-0x000007FEF4ACF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2076-7-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2076-6-0x00000000022A0000-0x00000000022A8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2076-5-0x000000001B2B0000-0x000000001B592000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2076-26-0x0000000002950000-0x0000000002958000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2076-29-0x0000000002980000-0x0000000002981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2076-30-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2076-31-0x000007FEF4ACE000-0x000007FEF4ACF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2644-16-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2644-24-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

        Filesize

        9.6MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.