Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2025, 10:27
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
Size: 80KB
MD5: 5da3837530dd6b1a9666ea002aef5238
SHA1: 41893ba57e61f8b177775c4d8ff982a8ec73e94e
SHA256: 81e6145cbc93443083f2398466f3a7d39c52dcac816b92b4619576ce531c0624
SHA512: 666fd1978741d8b4d6360bf46d93e957af5931f1777021e75ed403a125d5d9d0123410b41c88329d4595c587b125a2e85e09ec5e0f5498651d690ff344f64cd4
SSDEEP: 1536:9HFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLg39/CF1b:9HFo8dSE2EwR4uY41HyvYLg39/Cz
Malware Config
Signatures
- MetamorpherRAT
  MetamorpherRAT is a hacking tool that has been around since 2013.
- Metamorpherrat family
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  432 | tmpF397.tmp.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\"" | tmpF397.tmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpF397.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
  Token: SeDebugPrivilege | 432 | tmpF397.tmp.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3916 wrote to memory of 400 | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe | 83
  PID 3916 wrote to memory of 400 | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe | 83
  PID 3916 wrote to memory of 400 | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe | 83
  PID 400 wrote to memory of 544 | 400 | vbc.exe | 85
  PID 400 wrote to memory of 544 | 400 | vbc.exe | 85
  PID 400 wrote to memory of 544 | 400 | vbc.exe | 85
  PID 3916 wrote to memory of 432 | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe | 86
  PID 3916 wrote to memory of 432 | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe | 86
  PID 3916 wrote to memory of 432 | 3916 | JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3916
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oump31uz.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 400
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0B5F4C2ED4C43549BA0A98CFEEFEA.TMP"
      - System Location Discovery: System Language Discovery
      PID: 544
  - C:\Users\Admin\AppData\Local\Temp\tmpF397.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF397.tmp.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5da3837530dd6b1a9666ea002aef5238.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 432
Network
MITRE ATT&CK Enterprise v15
Downloads