Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/04/2024, 11:57

General

  • Target

    eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe

  • Size

    12.9MB

  • MD5

    eb045f6f1699993a09871b1b184c78f1

  • SHA1

    7466f95d1bbcb5aec42de0cd214fc0604fe2e01e

  • SHA256

    3faedcc22bc895edc7233f536334f3279ba5a37981a785161aeab0475ef663d9

  • SHA512

    223bf649bfd7519b9be57d26c6b8dae1153b95eae2afaa479c967e9a23bc94d31444673ce1fde4503c8f7f68761298ef129ef301e8b49984d9df3a3185194ca1

  • SSDEEP

    393216:hJBaDSaO5n2q/aRvO7HGnBeoCurvpkiO8k9f:SIARW7qB1kibkJ

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/900043826423529532/EWbFb5juNPSPjtMYmjttPuTpP5_GU9kfOyaD_5kSpHjK12-mwDRIjTIcxPRYwSjJ0QE8

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb045f6f1699993a09871b1b184c78f1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
        "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Process.txt

    Filesize

    374B

    MD5

    ed18a5203df8d6990635eb5da8e0effc

    SHA1

    3c7004710c6fa04c7c33223e01ef4d050fa91f3f

    SHA256

    78f9d4cb0ae0f5b6a81dd98625b9845867d6e6b8fa5f0ccc8ecfa4e73b4e7663

    SHA512

    24b08dcd9f86d8bd4bc559ea7add99920a8222bd528d089457c360e331019f633b49f00df328ebd7ae952f768b2b27eee3e7b8ddf174b145eb75b560cae70f66

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe

    Filesize

    274KB

    MD5

    1f84bfa9402647277bcff75f9ba54831

    SHA1

    03711684abf8667d385f8a1d3e2d7a0e5e4bdedc

    SHA256

    a7c0cab5dafe40fcffc114b6baac7ab9978bf5885a035d01d6f326cf095a87df

    SHA512

    c6584b81c55c221c3662b0c9a9ee54cfcd63ad935e4eb659aaa206ac47d584d9e51910934ab153e6bf9963134dc550fa6613cf8b4dde1d9c1bc6de0796687eef

  • \Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

    Filesize

    8.4MB

    MD5

    a7460df7a66f891e21f4ba5739f495fc

    SHA1

    cf0211a12e8e930d21d28c467b1724aea5f26fbd

    SHA256

    866414d88f9d620b0258c3cbf389d505b4e5a0a189bda76d3d08acd108cf7809

    SHA512

    9da71a404ad145982a24dd1160d7132b1a842892ade437106be377ecad4df7621208d9685ba0797efa638afcacbb31158d5497b3263b0394c52bb7670408d7f8

  • memory/1912-5-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1912-24-0x0000000000400000-0x0000000001C16000-memory.dmp

    Filesize

    24.1MB

  • memory/1912-7-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1912-11-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1912-9-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1912-12-0x0000000000400000-0x0000000001C16000-memory.dmp

    Filesize

    24.1MB

  • memory/1912-6-0x0000000077900000-0x0000000077901000-memory.dmp

    Filesize

    4KB

  • memory/1912-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1912-3-0x0000000000400000-0x0000000001C16000-memory.dmp

    Filesize

    24.1MB

  • memory/1912-2-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2516-31-0x0000000000CC0000-0x0000000000D0A000-memory.dmp

    Filesize

    296KB

  • memory/2516-32-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

    Filesize

    9.9MB

  • memory/2516-33-0x000000001AB00000-0x000000001AB80000-memory.dmp

    Filesize

    512KB

  • memory/2516-80-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

    Filesize

    9.9MB

  • memory/2540-30-0x0000000000400000-0x0000000000C6E000-memory.dmp

    Filesize

    8.4MB