Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
11/04/2024, 05:46
Static task
static1
Behavioral task
behavioral1
Sample
ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
ecc999e05862b544b2da323ddedbe218
-
SHA1
9855eb218928032b80a7d02b9e42b00eb6aadbf8
-
SHA256
45936fcde0e3407612d91f8c7902a4bf45ee265cc43e05b541dfd52df8b15ad7
-
SHA512
c9b56f1ebc57cf823dbad3aeae0638ea10cd9cf19cc97b6ee71e5d9de2ab814f1b26264b4ff76adece5371bada05ba3d7bf4f22e0097160f1ebfd086c6de2e56
-
SSDEEP
12288:JcwnLysBDa7gQH1AePJQG6PjWTn1r79bmSDlP/weulcojuiya7yrU9srT8bnFM1v:iwRsEQH1AGE7WTnxzbuJZq
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 freegeoip.app 5 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 380 ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe 380 ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe 380 ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe 380 ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 380 ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ecc999e05862b544b2da323ddedbe218_JaffaCakes118.exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD583160e63676371b50c1eb67540d4dd91
SHA1df061b68bbe33a4492f1094fdad303c647440dee
SHA2563f34b6915dfbd4c9ae0368eb34c105e8e378221d4c52f813a7f2a1f71933ae75
SHA512a03d359be3c9eda89a11abc30664e277aa940bf8e39da88c64cc447310bf4bd49d03ff0203532bfdaccf8823fc9ac2d3090fcf026453f5a88a0330933bd3dd5e