Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2024, 17:26
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_a8e591ecd1aafcfa6e1a870be72987776f6fbce07e9e32d2a49a86b15d737b56.ps1
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_a8e591ecd1aafcfa6e1a870be72987776f6fbce07e9e32d2a49a86b15d737b56.ps1
-
Size
119KB
-
MD5
a93b0ec43734f077d5d853fc60501180
-
SHA1
2941fe0a75d42197faa8187bd349ef00a2f1fe11
-
SHA256
a8e591ecd1aafcfa6e1a870be72987776f6fbce07e9e32d2a49a86b15d737b56
-
SHA512
1ee7d11d6ea065ac944d9bd291d4398e04b5b36aacacbf890ad90323fcb753b650b95055744e7a6a06cd3c0a5be1634a259a536cae2b228c068b28961c4be492
-
SSDEEP
1536:ae9x1r3st/0i/FXT676pe+wqota8YOnOQHuy+P3fkLG8VYk8Qk6fK:/r3stS0Lwqua8YJQd+P3fkdYkBK
Malware Config
Extracted
asyncrat
1.0.7
Default
daveblack.publicvm.com:3861
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLogin.vbs powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1488 set thread context of 376 1488 powershell.exe 85 -
pid Process 1488 powershell.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1488 powershell.exe 1488 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1488 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1488 wrote to memory of 3292 1488 powershell.exe 83 PID 1488 wrote to memory of 3292 1488 powershell.exe 83 PID 3292 wrote to memory of 2772 3292 csc.exe 84 PID 3292 wrote to memory of 2772 3292 csc.exe 84 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85 PID 1488 wrote to memory of 376 1488 powershell.exe 85
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a8e591ecd1aafcfa6e1a870be72987776f6fbce07e9e32d2a49a86b15d737b56.ps11⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4cpsri0\d4cpsri0.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6B0.tmp" "c:\Users\Admin\AppData\Local\Temp\d4cpsri0\CSC8962EB54E85C43B59B6AF3E9119EED5.TMP"3⤵PID:2772
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
PID:376
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58e80fe18a2540ed5f13fba86a73e427e
SHA14aa859b0eb8daece38e8b67c7e9b1a8ed8763405
SHA2560b9ff607d698240374ceeaf0bcbf58ecb1175db82a726b1b83224417a1082412
SHA5123b989152e96155d842b51816cf1e25a4dbcb4a161b2157e60b07325f805ed93e5b6c76ecbe614297bcd726b51b8c42a1117a3bb4136d5fd38b59c633f5bca845
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11KB
MD5285f937a02cac2879c4254bbecd25ecd
SHA11675177d6796ebd9ad9a3c186a1fc8a49f448b1f
SHA256b5d3b06e0b55190701021f6964f2314538338843be4f4ff5c7abcd1015915488
SHA51220a493eb4a33a62451b25b7037940a688294a3cda87c21fc95d1cd31497cb4d974427c535bc5a30f9ecfe9f00884ce0747d3aaf3b8872aacb2f419f4e27b7dd2
-
Filesize
652B
MD59ef49c6ef01bc03d159303ea53d92487
SHA168e61bb9088f934692ff248f61978879844833c3
SHA2568439b2d4163f9a75b8abd936e8165ecd16109f49d8e6ceb2f859a15e9223b1de
SHA512b95d03c7b72012b2dff9456e2f12a72e600ab207e38b70f87c39dadfa46b8df09350e3cef1157c3791a4dee599e3882b8381be1ffead7472e852d00c7f9aab7f
-
Filesize
14KB
MD55b28648a4e188b0ebdf2d5edcda61624
SHA1faf0ba6c2ef8d8184881eda8a276796449969e1c
SHA256e92acafc5a9dd128b120809aaf76178275c3d22b13fb7cc2f0d9c624befed1b1
SHA512972fca6205f8927363b751ff51c6cf07c3b42f7cbd8fbe12c1098df539118ecf3d3ce1af3b5d376c8710ed183786fc911279ff81941aba4202a11ca5670b9937
-
Filesize
327B
MD52a6c5f27aa85f1bb610dd1f8fa8b90ec
SHA1eacd16be85122703c4337f007677f0e9ded9555a
SHA2565095d18cac297322bc6804f173fa904666feafb81a96f10ae5e114a6235f4c2a
SHA5122d3bb3f001b5c459c089de34e87c23826828e636790d7f8d405d0268e1def850f025e32352961a3d34d9390e8ff3b4375dc1bc3af64a154c46a01c08e5248c31