Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/05/2024, 18:14

General

  • Target

    b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe

  • Size

    3.0MB

  • MD5

    b7c4fc6aa5efa0afb92bdad4e8a3348f

  • SHA1

    045b58c4401a3b74c98c926e8ac2f12e67412a8f

  • SHA256

    b7ee14ffe7b41ac80a21d276c17baaeaa688b8b31a18a459df31898359740b62

  • SHA512

    6551ab923c7b12f038dc76a1ac88dd6c7fb54fd24befff5f9006499b9d47bfa18878379898c49f259508eb9845bf88bac640df976350c3e70cf461cc4da5d79a

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBbB/bSqz8b6LNX:sxX7QnxrloE5dpUpUbVz8eLF

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b7c4fc6aa5efa0afb92bdad4e8a3348f.jaffacakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2984
    • C:\UserDotJP\adobsys.exe
      C:\UserDotJP\adobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\UserDotJP\adobsys.exe

    Filesize

    3.0MB

    MD5

    3931d42908151642b3fd06c6ab40137a

    SHA1

    733e92af9a3e2c4e936c5c995a51e14794d735d8

    SHA256

    80cf86ca7b7816b9b6c3c248db29552787b57b33409263c1754e7841cb128c08

    SHA512

    8d3929f529344941f84323e1d1d7e916d5699fe0168acfb053d33070c6738ce7f701530f4456bd3bbc790467c3319e0505561fb6122c70e94b51b24e21e0c83e

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    9ef81326d65223c917a90ae619495495

    SHA1

    554d5035935d43d1505c092b7ea4658363ff1555

    SHA256

    e02e6d6ff8165351baefb12d102ba2433286f019f0439a038af733849d9864ac

    SHA512

    910aa40f34b3ed41ae1d6f0df4be4533cd1bf7b860ed0a126372eef1a241905902a118d10c4561b8eaf94501799eef89549e3862531fc47be55d2231e7c6e7c5

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    78530850aa0c1c1649287352bc01aa47

    SHA1

    7542035ad74eef8bdcece6814c62a0fb42c545df

    SHA256

    4f96f7020617f55d910dbeac777230f1f56196f806703bd4f8244e1294633fbc

    SHA512

    6ec8b4a4cfd9bd459b0ff240c5f61b19ae0c5ecdc3d0b15108cdefed42eaa652e94a6904fda133b00d194bd656c0520d242ca04ab34b78458687a3f971a53738

  • C:\Vid5N\optixloc.exe

    Filesize

    3.0MB

    MD5

    70ef0b3f9fda05c1a1fc0f7ba89e1b02

    SHA1

    2be9e7565a2effd0f7eda0a957ef9e73c6a1dc2e

    SHA256

    c0f6f341e4c6cde54f909a8770cc576c6d46b17176e7b61fead9ff8064adab41

    SHA512

    c604ebc1b106bff057f7b7b43d5c8698d6840666dd290279522ab78db007354da18aef3a10d3fdd9ac47464987f3d0e16819ac2519039b1840a2eea1d4b6630b

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe

    Filesize

    3.0MB

    MD5

    f81b27b1b46b6391074846172287bb0e

    SHA1

    4d2eea543587bfbd034395e1a31c37dbee6640ed

    SHA256

    36b322b8e864e7ea2a89398bd39f4e0e9eda881cb5a54c846c14f10e45ad1417

    SHA512

    7157de93be90e230fa2443c65cf0602f961464d883348c40f49bf5398e10d29148c4d643673684709e2d70ed1686eafb181561d5a5cba94465972ea6d1ae1045