Analysis

  • max time kernel
    92s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/04/2024, 03:38

General

  • Target

    e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    e92102456f8f5f07bcd03712b09fd0dd

  • SHA1

    fcadd9925a226bc0ace92195275f06eef28cf322

  • SHA256

    1ca711c55045efac2a5259b1c3f22df939f6cc18dd14fcf1c1cf28cbb8bab75b

  • SHA512

    d4dcc803972917b988bc4f1967b7af0a5473c0a787330a88ad837406807fc0f911a4562c9e47ce68a1a7671a531995293056b7b848b21be332a3b353031f4d3a

  • SSDEEP

    12288:Af4zdi3VemHZziQaGTf8B6/sdrsM66fyl:cVRlf8B68rHy

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e92102456f8f5f07bcd03712b09fd0dd_JaffaCakes118.exe"
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\44\Process.txt

    Filesize

    1KB

    MD5

    7415ce1faca3b4ef2e88aeba6679ee47

    SHA1

    beab2803cf47b65efc260386fea01a83285cfab3

    SHA256

    5df452f7a228dc906dbeea9e76f2608e3b4189f66de9a98f2d7f5058c9d88bcc

    SHA512

    75b527bfa2a9a29d2cd040b3a01eed440e391e272ccada04794a8da3c66c49351165066b7a6ec9db6d1e68fb5f5fa05c0e80f84638c53f281a5a9c45231787cb

  • C:\ProgramData\44\Process.txt

    Filesize

    604B

    MD5

    185384803164bdb1c910658e38a7695f

    SHA1

    b9f490b771c63628bbf81da79c3bf67aa6f10eb1

    SHA256

    89dc84db69a6433a9debf7dd42fc693e5c33b08accbc01e0fe5697a69209503e

    SHA512

    8d2b9190db56c004c7a65227e223c463260df2cc0844bd23dc1399ec324fb3c0c29511c848da19f5ad953d3a58eb1dab2fe0338ad33509af035e3648335a41bd

  • C:\ProgramData\44\Process.txt

    Filesize

    1KB

    MD5

    72838adfca99c8685d45ca9a1b5d9f88

    SHA1

    e1949f190d9420c2530079d937e7f693f91eaeea

    SHA256

    8349449b2c031a0f0ca5b26217af2545bdc5357e57ef62e9e32f76d1d0c679ef

    SHA512

    bd5c8dc92620d478b6b53eb8eed06965d655ab4494dc78c0de085b245b9beb5ad672b23076bcf4552d933a7df2e119a6946c77a809e12f166e3511d3ac00990a

  • memory/3040-0-0x0000000000850000-0x000000000093A000-memory.dmp

    Filesize

    936KB

  • memory/3040-1-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp

    Filesize

    10.8MB

  • memory/3040-2-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp

    Filesize

    10.8MB

  • memory/3040-25-0x00000000010D0000-0x00000000010D1000-memory.dmp

    Filesize

    4KB

  • memory/3040-34-0x000000001B900000-0x000000001B910000-memory.dmp

    Filesize

    64KB

  • memory/3040-121-0x00007FFFD7B70000-0x00007FFFD8631000-memory.dmp

    Filesize

    10.8MB