Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2024, 20:54 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: 0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: 0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 0fba87d3b94e1f90df22213f00d5ea7e
- SHA1: 15c7efa94dd69adcf53d54b743549ddb5193f129
- SHA256: 0f9b427738584fc7f7614e83d4b4bd3ba20c51302b5f8ed8f3615e92de1cdf8e
- SHA512: dcfbdd6eacd9fe2490e237a62f9dbb1fada7d1418b711f30f8a1c42b116e634d6ca7e563d6cc213c02a3a04595b0d11d622008fd30d828a0ddb52035d41699b2
- SSDEEP: 24576:8uPmLDUMihIXCE59yc2Ag2JMH70vvAHzfw4Up6:8u+LIIX7+cFg2JMH70vvA84Up6
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   Process
  2828  Isass.exe
  2532  Isass.exe
  2720  Isass.exe
  2748  Isass.exe
- Loads dropped DLL (8 IoCs)
  pid   Process
  2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"                          0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Isass.exe = "C:\\Users\\Public\\Microsoft Build\\Isass.exe"  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   Process
  2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2828  Isass.exe
  2532  Isass.exe
  2532  Isass.exe
  2532  Isass.exe
  2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2720  Isass.exe
  2720  Isass.exe
  2720  Isass.exe
  2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  2748  Isass.exe
  2748  Isass.exe
  2748  Isass.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                              procid_target
  PID 2196 wrote to memory of 2828   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2828   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2828   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2828   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  28
  PID 2196 wrote to memory of 2532   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  29
  PID 2196 wrote to memory of 2532   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  29
  PID 2196 wrote to memory of 2532   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  29
  PID 2196 wrote to memory of 2532   2196  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  29
  PID 2532 wrote to memory of 2640   2532  Isass.exe                                            30
  PID 2532 wrote to memory of 2640   2532  Isass.exe                                            30
  PID 2532 wrote to memory of 2640   2532  Isass.exe                                            30
  PID 2532 wrote to memory of 2640   2532  Isass.exe                                            30
  PID 2640 wrote to memory of 2720   2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  31
  PID 2640 wrote to memory of 2720   2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  31
  PID 2640 wrote to memory of 2720   2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  31
  PID 2640 wrote to memory of 2720   2640  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  31
  PID 2720 wrote to memory of 2724   2720  Isass.exe                                            32
  PID 2720 wrote to memory of 2724   2720  Isass.exe                                            32
  PID 2720 wrote to memory of 2724   2720  Isass.exe                                            32
  PID 2720 wrote to memory of 2724   2720  Isass.exe                                            32
  PID 2724 wrote to memory of 2748   2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  33
  PID 2724 wrote to memory of 2748   2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  33
  PID 2724 wrote to memory of 2748   2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  33
  PID 2724 wrote to memory of 2748   2724  0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe  33
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2196
  - C:\Users\Public\Microsoft Build\Isass.exe
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2828
  - C:\Users\Public\Microsoft Build\Isass.exe
    Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2532
    - C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2640
      - C:\Users\Public\Microsoft Build\Isass.exe
        Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2720
        - C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe"
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 2724
          - C:\Users\Public\Microsoft Build\Isass.exe
            Command line: "C:\Users\Public\Microsoft Build\Isass.exe" Tablet C:\Users\Admin\AppData\Local\Temp\0fba87d3b94e1f90df22213f00d5ea7e_JaffaCakes118.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 2748
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 523KB
  MD5: 0e59026a169fbebd4a88ff793c706b99
  SHA1: b8334fc382ee174fe0b0f32f0bfbc5975e21e3c8
  SHA256: 7902034a4a3bf6a71063168b16f1b1a274b9c055a0304cd112581bab4e6cf4d7
  SHA512: eb886659c48ec8cb8cb2ac5bccf9c2a7dc10530e8939282276bdd955d2756cc5fddcc155307d1487c571fd7aba79fc81e82c05dd206e097861aec51fedb7f9ae
- Filesize: 624KB
  MD5: dae4bbef37deb0c26ec121430f81ee25
  SHA1: df3be42781e6b3ccfdb2987114003076fc675a87
  SHA256: 8a5e9f6d5820622955ed70e5b88ab82ce3919cbf22d2178ac9232482c435e896
  SHA512: b54cdf0814312609b5d7f6e69e3b2ddd7a7e4fddef1dd73a36e3d8a4ae3b3bfb6436699b2cc0b8f7efecfe2ea4295d548911f384402c65721e117828e8bc3c96