Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2024, 22:13
Behavioral task behavioral1
- Sample: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe
- Size: 124KB
- MD5: 8b62975c6ddaa41bae24ce12cede46c5
- SHA1: fb182a7d0975fe1509ff69caa0f21a2574bb6258
- SHA256: 88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12
- SHA512: e980d7784fac9a5d16ee84930cbc12aa524d774c2bbcd11e2ede8fa5a52232cc98652df842e770c585bc225401c52512e34c1482a8437357e6e224391db5d1ac
- SSDEEP: 3072:mlh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUra:Ch1qn3IF9Obbj/a1cpcQjeHOzqhUr
Malware Config
Extracted: remcos 2.5.0 Pro
- RemoteHost: 91.193.75.145:1604
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: firefox1.exe
- copy_folder: firefox
- delete_file: true
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs9.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-IVNP1E
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: firefox
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\firefox\\firefox1.exe\"" (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\firefox\\firefox1.exe\"" (process: firefox1.exe)
Remcos family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
Deletes itself (1 IoCs)
- PID 2332: WScript.exe
Executes dropped EXE (1 IoCs)
- PID 1592: firefox1.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox\\firefox1.exe\"" (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox\\firefox1.exe\"" (process: firefox1.exe)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (process: firefox1.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WScript.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: firefox1.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe)
Suspicious use of SetWindowsHookEx (1 IoCs)
- PID 1592: firefox1.exe
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3532 wrote to memory of 2332 (process: JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe, procid_target: 83), 3 events
- PID 2332 wrote to memory of 3804 (process: WScript.exe, procid_target: 84), 3 events
- PID 3804 wrote to memory of 1592 (process: cmd.exe, procid_target: 86), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88b5e8bf2561c9e5843c182357079e8f65a51f0de66f11e2e8f489789f822d12.exe"
  PID: 3532
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies WinLogon
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    PID: 2332
    - Checks computer location settings
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe"
      PID: 3804
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe
        Command line: C:\Users\Admin\AppData\Roaming\firefox\firefox1.exe
        PID: 1592
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies WinLogon
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)