Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10/04/2024, 11:57
Behavioral task: behavioral1
- Sample: eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
- Size: 12.9MB
- MD5: eb045f6f1699993a09871b1b184c78f1
- SHA1: 7466f95d1bbcb5aec42de0cd214fc0604fe2e01e
- SHA256: 3faedcc22bc895edc7233f536334f3279ba5a37981a785161aeab0475ef663d9
- SHA512: 223bf649bfd7519b9be57d26c6b8dae1153b95eae2afaa479c967e9a23bc94d31444673ce1fde4503c8f7f68761298ef129ef301e8b49984d9df3a3185194ca1
- SSDEEP: 393216:hJBaDSaO5n2q/aRvO7HGnBeoCurvpkiO8k9f:SIARW7qB1kibkJ
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/900043826423529532/EWbFb5juNPSPjtMYmjttPuTpP5_GU9kfOyaD_5kSpHjK12-mwDRIjTIcxPRYwSjJ0QE8
Signatures
- Executes dropped EXE (2 IoCs)
    pid   Process
    2540  ExLoader_Installer.exe
    2516  Insidious.exe
- Loads dropped DLL (5 IoCs)
    pid   Process
    1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
    2540  ExLoader_Installer.exe
    2540  ExLoader_Installer.exe
    2540  ExLoader_Installer.exe
    2540  ExLoader_Installer.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- yara_rule matches
    resource                                                                    yara_rule
    behavioral1/memory/1912-3-0x0000000000400000-0x0000000001C16000-memory.dmp   vmprotect
    behavioral1/memory/1912-12-0x0000000000400000-0x0000000001C16000-memory.dmp  vmprotect
    behavioral1/memory/1912-24-0x0000000000400000-0x0000000001C16000-memory.dmp  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow  ioc
    4     freegeoip.app
    5     freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
    pid   Process
    1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                          Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Insidious.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Insidious.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
    pid   Process
    1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
    2516  Insidious.exe
    2516  Insidious.exe
    2516  Insidious.exe
    2516  Insidious.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2516  Insidious.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
    description                       pid   Process                                              procid_target
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 1912 wrote to memory of 2540  1912  eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe  28
    PID 2540 wrote to memory of 2516  2540  ExLoader_Installer.exe                               29
    PID 2540 wrote to memory of 2516  2540  ExLoader_Installer.exe                               29
    PID 2540 wrote to memory of 2516  2540  ExLoader_Installer.exe                               29
    PID 2540 wrote to memory of 2516  2540  ExLoader_Installer.exe                               29
Processes
1. C:\Users\Admin\AppData\Local\Temp\eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe"
   PID: 1912
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
      PID: 2540
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Insidious.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
         PID: 2516
         - Executes dropped EXE
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 374B
  MD5: ed18a5203df8d6990635eb5da8e0effc
  SHA1: 3c7004710c6fa04c7c33223e01ef4d050fa91f3f
  SHA256: 78f9d4cb0ae0f5b6a81dd98625b9845867d6e6b8fa5f0ccc8ecfa4e73b4e7663
  SHA512: 24b08dcd9f86d8bd4bc559ea7add99920a8222bd528d089457c360e331019f633b49f00df328ebd7ae952f768b2b27eee3e7b8ddf174b145eb75b560cae70f66
- Filesize: 274KB
  MD5: 1f84bfa9402647277bcff75f9ba54831
  SHA1: 03711684abf8667d385f8a1d3e2d7a0e5e4bdedc
  SHA256: a7c0cab5dafe40fcffc114b6baac7ab9978bf5885a035d01d6f326cf095a87df
  SHA512: c6584b81c55c221c3662b0c9a9ee54cfcd63ad935e4eb659aaa206ac47d584d9e51910934ab153e6bf9963134dc550fa6613cf8b4dde1d9c1bc6de0796687eef
- Filesize: 8.4MB
  MD5: a7460df7a66f891e21f4ba5739f495fc
  SHA1: cf0211a12e8e930d21d28c467b1724aea5f26fbd
  SHA256: 866414d88f9d620b0258c3cbf389d505b4e5a0a189bda76d3d08acd108cf7809
  SHA512: 9da71a404ad145982a24dd1160d7132b1a842892ade437106be377ecad4df7621208d9685ba0797efa638afcacbb31158d5497b3263b0394c52bb7670408d7f8