Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2024, 06:04
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe
Size: 300.0MB
MD5: 3bfc4f5d058aac39f3cd1cc7771fb376
SHA1: 4f400860ad6e90f17b6abe3f925de5fe47dac4ba
SHA256: 05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6
SHA512: 263be832f00990f423febb1be6f7871841c695c876f051a6f0906dfa9cb577f00b5a6a610fdf36a8c5d3323d2e8b5e171d78fe2e42b4bf6114d6c76476fa236e
SSDEEP: 6144:duoCmQdnCJGib1C5mb67X3UIAPaQxgm5LqGZAoyT24sc+n9fiibGd2HzZ:duL8JGib05b7XE2Q4+4Y
Malware Config
Extracted
Family: asyncrat
Version: 5.0.5
Botnet: Venom Clients
C2: venom12345.duckdns.org:4449, venomunverified.duckdns.org:4449
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Signatures

- Asyncrat family

- Executes dropped EXE (2 IoCs)
    pid   Process
    3820  msdtc.exe
    4684  msdtc.exe

- Suspicious use of SetThreadContext (3 IoCs)
    description                           pid   Process                                                                                   procid_target
    PID 3832 set thread context of 3120   3832  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe  82
    PID 3820 set thread context of 3112   3820  msdtc.exe                                                                                 100
    PID 4684 set thread context of 1380   4684  msdtc.exe                                                                                 109

- System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                        Process (count)
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (9)
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe (3)
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe (3)
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msdtc.exe (2)
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe (1)

- Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid   Process
    4304  schtasks.exe
    1372  schtasks.exe
    804   schtasks.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  3832  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe
    Token: SeDebugPrivilege  3120  RegAsm.exe
    Token: SeDebugPrivilege  3820  msdtc.exe
    Token: SeDebugPrivilege  3112  RegAsm.exe
    Token: SeDebugPrivilege  4684  msdtc.exe
    Token: SeDebugPrivilege  1380  RegAsm.exe

- Suspicious use of WriteProcessMemory (60 IoCs; identical rows collapsed, count in last column)
    description                        pid   Process                                                                                   procid_target  entries
    PID 3832 wrote to memory of 3120   3832  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe  82             8
    PID 3832 wrote to memory of 4948   3832  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe  83             3
    PID 3832 wrote to memory of 2904   3832  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe  85             3
    PID 3832 wrote to memory of 3376   3832  JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe  86             3
    PID 2904 wrote to memory of 4304   2904  cmd.exe                                                                                   89             3
    PID 3820 wrote to memory of 3112   3820  msdtc.exe                                                                                 100            8
    PID 3820 wrote to memory of 316    3820  msdtc.exe                                                                                 101            3
    PID 3820 wrote to memory of 4388   3820  msdtc.exe                                                                                 102            3
    PID 3820 wrote to memory of 2828   3820  msdtc.exe                                                                                 105            3
    PID 4388 wrote to memory of 1372   4388  cmd.exe                                                                                   107            3
    PID 4684 wrote to memory of 1380   4684  msdtc.exe                                                                                 109            8
    PID 4684 wrote to memory of 384    4684  msdtc.exe                                                                                 110            3
    PID 4684 wrote to memory of 2232   4684  msdtc.exe                                                                                 111            3
    PID 4684 wrote to memory of 2736   4684  msdtc.exe                                                                                 113            3
    PID 2232 wrote to memory of 804    2232  cmd.exe                                                                                   116            3
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe (PID 3832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3120)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4948)
        Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2904)
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 4304)
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\SysWOW64\cmd.exe (PID 3376)
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
        - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe (PID 3820)
    Command line: C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3112)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 316)
        Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4388)
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 1372)
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2828)
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
        - System Location Discovery: System Language Discovery

[1] C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe (PID 4684)
    Command line: C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1380)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 384)
        Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
        - System Location Discovery: System Language Discovery

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2232)
        Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 804)
            Command line: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2736)
        Command line: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

- Filesize: 517B
  MD5: 4d737622dcf53d4cf89810ec284fdf89
  SHA1: a71b0c3ac6b940047ca7730465c1f97342c8ca08
  SHA256: 7d5529c9d51a138cea4ae46faa32497ccf1e55d6bd5aa43f746d413ce80fa1cb
  SHA512: acf53d9d2ffe5e3dd34760e3c8e138229ee9805387ddf0765266ee882268cf64f84fb4a1b79aee3f90b88b50f1a1bbf10c9ba7a1013496059b46f3abe9c859c6