Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/01/2025, 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
Size: 512KB
MD5: 7986dfc5ba3a34272aad6b1128d04462
SHA1: 1f26a98dafa6d33c09b57cc719df618eabe8d830
SHA256: cf0a727b7407810bf9200e55c35569c2816e5f9213dcbc18c778955b5d69dfe8
SHA512: 4582fd8c31f977faf3c815723f77b95406e67de9d5405b20cb8e35586b3cf9deb0de1299779160a88274cc711a82d88dfe235d2e3ef9ea496a336ee6fc4dea80
SSDEEP: 12288:Ih1Lk70TnvjcM5ez2rZEo2J1nPIs9iQLsRZYqhipVgtPp:Uk70TrcUTrV2J1nWQOce
Malware Config
Signatures
MetamorpherRAT
MetamorpherRAT is a hacking tool that has been in circulation since 2013.
Metamorpherrat family
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
Executes dropped EXE (1 IoC)
pid | Process
988 | tmp972F.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Despite the signature name, vbc.exe is the .NET Visual Basic command-line compiler, not the VBScript host: the sample compiles source on the victim at run time (vbc.exe, then cvtres.exe for the resource section, as the process tree below shows) rather than executing a script.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Vsa = "C:\Users\Admin\AppData\Local\Temp\aspnet_filter.exe" (path stored quoted) | tmp972F.tmp.exe
Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
File created | C:\Windows\assembly\Desktop.ini | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp972F.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2140 | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
Token: SeDebugPrivilege | 988 | tmp972F.tmp.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2140 wrote to memory of 4796 (3 events) | 2140 | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe | 84
PID 4796 wrote to memory of 3824 (3 events) | 4796 | vbc.exe | 86
PID 2140 wrote to memory of 988 (3 events) | 2140 | JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe | 87
Each of these is a short burst of writes into a process the writer has just created, which is consistent with CreateProcess copying the child's startup parameters rather than with code injection; the parent/child pairings (sample -> vbc.exe, sample -> dropped EXE) carry the signal here, not the writes themselves.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe (PID 2140)
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 4796)
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c6b8sg3p.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3824)
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F1EEF07F1F4640B3DBAE8487C79E5.TMP"
      - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe (PID 988)
    "C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
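The three behaviours worth hunting for across a fleet are the ones this report pairs together: a binary running from a user-writable path launching the .NET compiler (vbc.exe) at run time, a Run key whose value points back into AppData\Local\Temp, and the Geo\Nation / NLS\Language lookups that precede a geofence decision. The following is an added example written for this page, not code from the Triage report or from the sample. It evaluates those three rules over Sysmon-style events and scores each process tree by how many distinct rule families fire. The events are constructed to mirror the report (PIDs, image paths, registry keys, the SID shown above) plus one constructed benign control; the dict schema is a simplified form of Sysmon event IDs 1, 12 and 13, and the rule names, regexes and the two-family threshold are the author's choices.

```python
"""Hunt for this report's behaviours in Sysmon-style process and registry telemetry.

Added example for this page, not part of the Triage report or the sample.
EVENTS is constructed to mirror the report (PIDs, paths, registry keys) plus one
constructed benign control. Field names are a simplified form of Sysmon event IDs
1 (process create), 12 (registry key opened) and 13 (registry value set).
"""
import re
from collections import defaultdict

SID = "S-1-5-21-493223053-2004649691-1575712786-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\JaffaCakes118_7986dfc5ba3a34272aad6b1128d04462.exe"
FX2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed events, in report order. The last two are a benign control:
# a build tool under Program Files (hypothetical path) invoking the same compiler.
EVENTS = [
    {"id": 1, "pid": 2140, "ppid": 1000, "image": SAMPLE},
    {"id": 12, "pid": 2140, "target": "HKU\\" + SID + r"\Control Panel\International\Geo\Nation"},
    {"id": 12, "pid": 2140, "target": r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"id": 1, "pid": 4796, "ppid": 2140, "image": FX2 + r"\vbc.exe",
     "cmdline": '"' + FX2 + r'\vbc.exe" /noconfig @"' + TEMP + r'\c6b8sg3p.cmdline"'},
    {"id": 1, "pid": 3824, "ppid": 4796, "image": FX2 + r"\cvtres.exe"},
    {"id": 1, "pid": 988, "ppid": 2140, "image": TEMP + r"\tmp972F.tmp.exe"},
    {"id": 13, "pid": 988,
     "target": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft.Vsa",
     "details": '"' + TEMP + r'\aspnet_filter.exe"'},
    {"id": 1, "pid": 5000, "ppid": 400, "image": r"C:\Program Files\BuildTool\build.exe"},
    {"id": 1, "pid": 5001, "ppid": 5000, "image": FX2 + r"\vbc.exe"},
]

# Rule building blocks (author's choices, not Triage's signatures).
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
GEO_KEYS = re.compile(
    r"\\(Control Panel\\International\\Geo\\Nation|Control\\NLS\\Language)$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return {root_pid: [(rule, detail), ...]} for every process tree that trips a rule."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = defaultdict(list)

    def root_of(pid):
        # Walk up through parents we hold a create event for; the topmost one is the tree root.
        while pid in procs and procs[pid]["ppid"] in procs:
            pid = procs[pid]["ppid"]
        return pid

    def image_of(pid):
        return procs.get(pid, {}).get("image", "")

    for e in events:
        if e["id"] == 1 and basename(e["image"]) in COMPILERS:
            # Rule 1: compiler launched by something living in a user-writable directory.
            parent = image_of(e["ppid"])
            if USER_WRITABLE.match(parent):
                findings[root_of(e["pid"])].append(
                    ("runtime-compile", f"{basename(e['image'])} pid {e['pid']} spawned by {parent}"))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            # Rule 2: Run value whose (possibly quoted) command points into AppData.
            value = e.get("details", "").strip('"')
            if USER_WRITABLE.match(value):
                findings[root_of(e["pid"])].append(("run-key-to-temp", f"{e['target']} -> {value}"))
        elif e["id"] == 12 and GEO_KEYS.search(e["target"]):
            # Rule 3: geo/language lookup by a process running from AppData.
            if USER_WRITABLE.match(image_of(e["pid"])):
                findings[root_of(e["pid"])].append(("geo-language-lookup", e["target"]))
    return dict(findings)


def verdict(hits):
    """'suspicious' once two distinct rule families fire on one tree; a lone geo lookup
    or a lone compiler launch is too common on developer and installer hosts."""
    return "suspicious" if len({rule for rule, _ in hits}) >= 2 else "low"


if __name__ == "__main__":
    for root, hits in hunt(EVENTS).items():
        print(f"root pid {root}: {verdict(hits)}")
        for rule, detail in hits:
            print(f"  [{rule}] {detail}")
```

Run against the constructed events, only the tree rooted at PID 2140 is reported (all three families fire: compiler launch from Temp, Run key into Temp, two geo/language lookups); the Program Files build tool that also calls vbc.exe produces nothing, which is the point of keying the compiler rule on the parent's location rather than on vbc.exe itself.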
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 38154e3451b3a2f983a2aef0d97e4648
SHA1: e78c424d5c9a507876cb36bbcf00001da30498e0
SHA256: ee69654fc9f7ad7a88050f994fd2fb3195586bb7a9e1b19cd9f71ae3c947cc76
SHA512: e8a951a670daf5c3739805272b2450ae607cb802c67b78c179fe146a11f10de22f9fc65ac0fbfbebeb566d21ec399b72a720a1329657e74a392a34b6a0aa73ac

Filesize: 107KB
MD5: 6e004fb2c3a38bb03d6d71ae57b95d8e
SHA1: 2fc95003f0aaf510380541a029f71d62be772e85
SHA256: 95f82f8e9cb638a88d1e3052b3653cd68475906230cf69dc01dbaa9561d4794f
SHA512: 6f258dace35499cf7e6695680b12d14d579a6db9cbcb1c06b33d873715d3c8db26ea17efaa41eb80222a07b34789d29b7a1132a3f20d7495f03bb2dce918f303

Filesize: 266B
MD5: 891138ea4e34b4347f3b7cdeb3989829
SHA1: ae07a0696bd5325f43c150a1f14f109dcee47cf6
SHA256: f19b523e0fefd235f517c47fcb294092e783da3615df764edb7972cdbc3af79a
SHA512: a9d218f3bc12088abe22d163b0080362abe39d68d1eb17f977ce9400840c48fddccf96804b565d482f035d601910fade85a5054e13430f4fc23a9d0e473ed6c7

Filesize: 113KB
MD5: a4e6ac0cdc592e7e2a966a62cdf05b07
SHA1: 47c88f512e6fc7f90fb263f87424ba26a28f7b7a
SHA256: eb72c838228b8b40fc5378ff189459b76d09281279774533bd234d6f8b90650a
SHA512: f15c7242321bd66c8d39af75909fb941f6173e20b5bd59dab0295e14fb1c8db05fde34281156ebefff54e9d1f04bfd90909cae37dc40ccb6995b6a500c8beb7f

Filesize: 660B
MD5: 1b8c7204e80963e406509412cd8b4079
SHA1: fe1290ef321bd83cbd3b051eea33edd4b6ba22aa
SHA256: ba3524b7e84e1580728464ab476956af2cd8d3b3674fd12ea5c0f21a683ab282
SHA512: 3107d4a27286f26d64401fd9bea39f8c6c4a95769cd4896e649e1992e76ad8cfea5663abdd018c3840a9b7c981c63671a4aaae7e2a37f53a802162f484686b34

Filesize: 62KB
MD5: b8fb7009403489ea2ceda4e5abb969aa
SHA1: caeeda2b652f02370501de51b599dc82b89a996b
SHA256: 340012732dc6952273a5892d09869d171235b6221d0f6773b31c0df5a2b9e8d4
SHA512: 9595f829f9354c9851fc4f280ecb642bb47881e0b920a031409f58e3cbbe0e6e881dc10a98a8d48b7459130f005ee1d00917f6a826ae9ae0bbe08ba9dafeb407