Analysis
max time kernel: 121s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/04/2024, 07:57
Behavioral task: behavioral1
Sample: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
Size: 389KB
MD5: f309f13b086438be0a979bfba51097b6
SHA1: ee8b446af0f73adb726cb7ab72725441cac270c7
SHA256: 72a9cb716529660a0026e61b0b4ad8a61d6be594d06e3ade9cf57186e62f6c3b
SHA512: a3b426214fa4794e694b28ec7453775b0968f5146fb4f8b6917ebe28ec47e189e110f0a2a7bb43e800af3d5f72e168c406d7015354cf992470a08ab64ae2360d
SSDEEP: 6144:o1vG8GgGTe1GbgaxDgXtIClMiRAqXKlUBYRA9G5EGl0uvn7A+z6:YTaaRAqqviVYvT6
Malware Config
Signatures

Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2748-0-0x0000000000F00000-0x0000000000F66000-memory.dmp
  yara_rule: family_zgrat_v1

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4, ioc: freegeoip.app
  flow 5, ioc: freegeoip.app

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
    Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
  description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
    Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2748, Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
  pid 2748, Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
  pid 2748, Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
  pid 2748, Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
    pid: 2748
    Process: f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f309f13b086438be0a979bfba51097b6_JaffaCakes118.exe"
  PID: 2748
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 309B
MD5: a23a60e6e5b66c619bacd5109714c4cd
SHA1: 9db479408c13cfbe6643e41a0ac6bf14b0eea58e
SHA256: e0de67fa76b6bc63e04e39aade9e80ea7aae75e207b0be4f3fa59bc60f7a50ee
SHA512: 4396d70629ffb4148a91d6134ec4e27ceb5f72d5c1bbcf438d9cc36dfd375cfdd6d3179613bb2fd3cf566a1d278689cb09d03991bcbf15a25fadc47cf8e32236

Filesize: 324B
MD5: e28f55b8d8a9e1238c5ef67edb1cba53
SHA1: 37ed72a6b26053e06f0d9d1c8c68fb7ed279c0c5
SHA256: 8e857463c627b2e8525d17e7d86bd926ffd065f2d01211b8b05811f586141a9b
SHA512: e241a84c752bae402df9bd42a446af7268953ad91d4bdd97fd469f6adaa5656a310eedd5785197c7b4a22a6f4a7029e3e9f0b3b7ddee1562e19330c23ca0f013