Analysis
max time kernel: 92s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/04/2024, 03:38
Behavioral task: behavioral1
Sample: e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
Size: 496KB
MD5: e92102456f8f5f07bcd03712b09fd0dd
SHA1: fcadd9925a226bc0ace92195275f06eef28cf322
SHA256: 1ca711c55045efac2a5259b1c3f22df939f6cc18dd14fcf1c1cf28cbb8bab75b
SHA512: d4dcc803972917b988bc4f1967b7af0a5473c0a787330a88ad837406807fc0f911a4562c9e47ce68a1a7671a531995293056b7b848b21be332a3b353031f4d3a
SSDEEP: 12288:Af4zdi3VemHZziQaGTf8B6/sdrsM66fyl:cVRlf8B68rHy
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- YARA rule hit
  resource | yara_rule
  behavioral2/memory/3040-0-0x0000000000850000-0x000000000093A000-memory.dmp | vmprotect

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | freegeoip.app
  4 | freegeoip.app

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  3040 | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
  3040 | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
  3040 | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
  3040 | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3040 | e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
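The signature tables above list three per-process indicators that are individually noisy (plenty of legitimate software reads the CPU identifier key or enables SeDebugPrivilege) but telling in combination: the CentralProcessor\0 registry reads, the freegeoip.app lookup, and the SeDebugPrivilege token adjustment, all from pid 3040. The following is an added Python example, not code from tria.ge or from the sample's analysis, that turns those rows into a simple per-pid correlation over host events. The event records, their field names (kind/pid/image/key/query/privilege) and the benign pids 512 and 777 are assumptions constructed for the illustration; only pid 3040, the registry key, the domain and the privilege name come from the report.

```python
"""Correlate the report's per-process indicators across host events.

Added example, not part of the tria.ge report. The event records are
constructed for illustration and use invented field names; they are not
real sandbox or EDR telemetry.
"""
import re
from collections import defaultdict

# Indicators copied from the report's signature tables.
CPU_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"
    r"(\\Identifier)?$",
    re.IGNORECASE,  # the report shows both DESCRIPTION and Description
)
IP_LOOKUP_DOMAINS = {"freegeoip.app"}
SENSITIVE_PRIVS = {"SeDebugPrivilege"}

# Signature names as the report labels them.
SIG_CPU = "Checks processor information in registry"
SIG_IP = "Looks up external IP address via web service"
SIG_PRIV = "Suspicious use of AdjustPrivilegeToken"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe"

# Constructed events (assumption: a flat list of dicts, one per observation).
SAMPLE_EVENTS = [
    {"kind": "registry", "pid": 3040, "image": SAMPLE, "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0"},
    {"kind": "registry", "pid": 3040, "image": SAMPLE, "op": "Key value queried",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"kind": "dns", "pid": 3040, "image": SAMPLE, "query": "freegeoip.app"},
    {"kind": "token", "pid": 3040, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
    # Benign noise (constructed): a service reading the same CPU key, and a
    # browser resolving an unrelated host. Neither should be flagged.
    {"kind": "registry", "pid": 512, "image": r"C:\Windows\System32\svchost.exe",
     "op": "Key opened",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"kind": "dns", "pid": 777, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "example.org"},
]


def classify(event):
    """Return the report signature a single event matches, or None."""
    kind = event["kind"]
    if kind == "registry" and CPU_KEY_RE.match(event["key"]):
        return SIG_CPU
    if kind == "dns" and event["query"].lower() in IP_LOOKUP_DOMAINS:
        return SIG_IP
    if kind == "token" and event["privilege"] in SENSITIVE_PRIVS:
        return SIG_PRIV
    return None


def correlate(events):
    """Map each pid to the set of distinct signatures its events triggered."""
    hits = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig is not None:
            hits[ev["pid"]].add(sig)
    return dict(hits)


def suspicious_pids(events, min_sigs=2):
    """Pids that trigger at least min_sigs distinct signatures.

    A single hit (the CPU key read alone, say) is too common on a normal
    host to act on; the report's value is that all three land on one pid.
    """
    return sorted(pid for pid, sigs in correlate(events).items()
                  if len(sigs) >= min_sigs)


if __name__ == "__main__":
    for pid, sigs in sorted(correlate(SAMPLE_EVENTS).items()):
        print(pid, sorted(sigs))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

On the constructed input only pid 3040 crosses the threshold; pid 512 matches the CPU key read alone and is ignored, which is the point of requiring more than one signature before escalating.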
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe"
  PID: 3040
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7415ce1faca3b4ef2e88aeba6679ee47
  SHA1: beab2803cf47b65efc260386fea01a83285cfab3
  SHA256: 5df452f7a228dc906dbeea9e76f2608e3b4189f66de9a98f2d7f5058c9d88bcc
  SHA512: 75b527bfa2a9a29d2cd040b3a01eed440e391e272ccada04794a8da3c66c49351165066b7a6ec9db6d1e68fb5f5fa05c0e80f84638c53f281a5a9c45231787cb

- Filesize: 604B
  MD5: 185384803164bdb1c910658e38a7695f
  SHA1: b9f490b771c63628bbf81da79c3bf67aa6f10eb1
  SHA256: 89dc84db69a6433a9debf7dd42fc693e5c33b08accbc01e0fe5697a69209503e
  SHA512: 8d2b9190db56c004c7a65227e223c463260df2cc0844bd23dc1399ec324fb3c0c29511c848da19f5ad953d3a58eb1dab2fe0338ad33509af035e3648335a41bd

- Filesize: 1KB
  MD5: 72838adfca99c8685d45ca9a1b5d9f88
  SHA1: e1949f190d9420c2530079d937e7f693f91eaeea
  SHA256: 8349449b2c031a0f0ca5b26217af2545bdc5357e57ef62e9e32f76d1d0c679ef
  SHA512: bd5c8dc92620d478b6b53eb8eed06965d655ab4494dc78c0de085b245b9beb5ad672b23076bcf4552d933a7df2e119a6946c77a809e12f166e3511d3ac00990a