Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26/12/2024, 23:46
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_da09dcb834819e8acd123a7fb06e38c8dd584522753003cfa9d501df0a2b3a83.tar
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_da09dcb834819e8acd123a7fb06e38c8dd584522753003cfa9d501df0a2b3a83.tar
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
456-Invoice.js
Resource
win7-20240903-en
General
-
Target
456-Invoice.js
-
Size
166KB
-
MD5
c000b245272ad81b74958689e4b3352e
-
SHA1
ce74042c88b852c6a5b00186096f0ce42afc38b6
-
SHA256
f19462db16c63e8c26095f8ee024340649e0b2cb26a9ba9d08691b6d01e4f2be
-
SHA512
f9b3f811a4be2bee356d9265d15a20a00d41b4a5933d8ab5adcf683ce23cab0ac0b6a7cbdbc97abb509385082aa038d11f1b4f8e502f61e6a42535bbd4df155c
-
SSDEEP
3072:Z6EsOoG2OGyjn37WIMnhHXmhRZkIQQZ9ophBCvD9hsbVhjv5:PsOotKeIMnimk+EIb5
Malware Config
Signatures
-
Vjw0rm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgrKtkfSUZ.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YgrKtkfSUZ.js wscript.exe -
Executes dropped EXE 3 IoCs
pid Process 2432 New Client.exe 836 New Client.exe 3468 New Client.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\YgrKtkfSUZ.js\"" wscript.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1480 schtasks.exe 4564 schtasks.exe 3456 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe Token: 33 2432 New Client.exe Token: SeIncBasePriorityPrivilege 2432 New Client.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 5020 wrote to memory of 756 5020 wscript.exe 82 PID 5020 wrote to memory of 756 5020 wscript.exe 82 PID 5020 wrote to memory of 2432 5020 wscript.exe 83 PID 5020 wrote to memory of 2432 5020 wscript.exe 83 PID 5020 wrote to memory of 2432 5020 wscript.exe 83 PID 2432 wrote to memory of 1104 2432 New Client.exe 85 PID 2432 wrote to memory of 1104 2432 New Client.exe 85 PID 2432 wrote to memory of 1104 2432 New Client.exe 85 PID 2432 wrote to memory of 1480 2432 New Client.exe 87 PID 2432 wrote to memory of 1480 2432 New Client.exe 87 PID 2432 wrote to memory of 1480 2432 New Client.exe 87 PID 836 wrote to memory of 3924 836 New Client.exe 98 PID 836 wrote to memory of 3924 836 New Client.exe 98 PID 836 wrote to memory of 3924 836 New Client.exe 98 PID 836 wrote to memory of 4564 836 New Client.exe 100 PID 836 wrote to memory of 4564 836 New Client.exe 100 PID 836 wrote to memory of 4564 836 New Client.exe 100 PID 3468 wrote to memory of 656 3468 New Client.exe 103 PID 3468 wrote to memory of 656 3468 New Client.exe 103 PID 3468 wrote to memory of 656 3468 New Client.exe 103 PID 3468 wrote to memory of 3456 3468 New Client.exe 105 PID 3468 wrote to memory of 3456 3468 New Client.exe 105 PID 3468 wrote to memory of 3456 3468 New Client.exe 105
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"2⤵
- Drops startup file
- Adds Run key to start application
PID:756
-
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F3⤵
- System Location Discovery: System Language Discovery
PID:1104
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 13⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1480
-
-
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F2⤵
- System Location Discovery: System Language Discovery
PID:3924
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 12⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4564
-
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe"C:\Users\Admin\AppData\Local\Temp\New Client.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /tn NYAN /F2⤵
- System Location Discovery: System Language Discovery
PID:656
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 12⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3456
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1JavaScript
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
588B
MD580be65da858b28232bbb0f926fafcbcc
SHA1f7647b8969e6642939b0d0b249db50a191bead49
SHA256f147961fcb74f2cc8d8d1528bc77db6671ade4cd61b7a71b01c58c184364c6fc
SHA5127795a9aa9f5702ca35dcf4900e2dac0994bd1a5a14cd0c8a25388110f47b1ce8f8032099067668146e8af56bf5966a3c854ccc1ddf586fe9ae22e9836880549c
-
Filesize
78KB
MD54c1c9fdf28215ae2f0f681349b66bbff
SHA18ab23d0ee7a361c8f29622fa9ba05f6644e24e9a
SHA25650842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a
SHA512f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5
-
Filesize
10KB
MD54e1188211bc0a1f728e5a97cf47a7105
SHA1740914054d0824fbacf494855eb9121355a49740
SHA256ada3ac15b6fd893f1f8b1a4ad1f6d4cbc86c566c0d5a639c4dda15f4727f2cee
SHA512b37d9c26c44b45e89a4732439480bf6d09e292fb85ef054a4a591cb7228eeef0f8595aeaf12824771c033297ea218996d6e4c9006972c15a58d02b89365b2a14