Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/05/2024, 09:10

General

  • Target

    33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe

  • Size

    5.6MB

  • MD5

    33d509d70645f62cd3dee6ff59d52a91

  • SHA1

    162276e5905f99d2c31268c67b9b06b578203cdf

  • SHA256

    eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab

  • SHA512

    60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c

  • SSDEEP

    98304:09yZmgcCNvuTZLIEIKwLGiVIhIy9vFcdm7M6gBjc5DfdYSP/b0bVuIcPHUdKGIpm:ntuTZ8EIKwLTeKy9XEjcVfdYSHAbVEPm

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
        C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
          C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          PID:1216
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
          4⤵
          PID:1096
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
          4⤵
          PID:1608
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
          4⤵
          PID:1952
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
          4⤵
          PID:900
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
          4⤵
          PID:2368
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
          4⤵
          PID:2060
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
          4⤵
          PID:1488
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
          4⤵
          PID:1992
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
          4⤵
          PID:3040
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
          4⤵
          PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
          4⤵
          PID:2212
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
          4⤵
          PID:2112
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
          4⤵
          PID:1504
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
          4⤵
          PID:2688
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
          4⤵
          PID:536
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT 3
            5⤵
            • Delays execution with timeout.exe
            PID:1732
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"
            5⤵
            • Views/modifies file attributes
            PID:1728
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\attrib.exe
        attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
        3⤵
        • Views/modifies file attributes
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B
    MD5 847e8b2becaa66eb72cacabd458fa552
    SHA1 1403d136d21bd3c8d04dcf2af472c9b0fa69fb50
    SHA256 692dc2f395753805710130b0c9e5c40770c7533281db259e68070cfed186d117
    SHA512 89fd33cf18d93be213356c6f50eaeb12a4c257aaa60b6366f35c311450f92d51ec4c2c980b94f0feeb210aaf5d479999a990ade887a2568def273b4b0a6a955f

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login1
    Filesize 46KB
    MD5 02d2c46697e3714e49f46b680b9a6b83
    SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
    SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
    SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

  • C:\Users\Admin\AppData\Local\Temp\Browser\Log\Browsers\Passwords.txt
    Filesize 33B
    MD5 82b688a7b1ec263bbaa6cf1453c61ccd
    SHA1 cbaf77f4d302ef5952df9ea056f103a8397d38cd
    SHA256 7ff88f3df4a401ac9c57f3e1418d4225f933e107e5d19f4a8cca9cc3200244f2
    SHA512 f7502830709cf1afdf41b08f433199dbacb15dd8eb60a127476993bb050762820058e80d334269c8ba7993f6663d452532c7f31fa6b1c17180e62d0d2deef412

  • C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3.dll
    Filesize 13KB
    MD5 c80f07348f1dad1044b18069d516b9b8
    SHA1 ba6cff5f84219b0a64bfe8d25f7709708a881271
    SHA256 62cab66de46e429c833a2fbeb8e3b97b4dcfb912a0e0d67f3c04c1bfd5a7146c
    SHA512 f3151d15add4bc887c721366f178b3ee05dbdb612eb5be581ad4393389332cdcf6c58e5aa2dd530b7658946faf63f6a0c1ac94825e88c3b57e487e088073afc0

  • C:\Users\Admin\AppData\Local\Temp\Cab2C40.tmp
    Filesize 68KB
    MD5 29f65ba8e88c063813cc50a4ea544e93
    SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat
    Filesize 473B
    MD5 a2994a53852aade4eab4692c48c0dc8b
    SHA1 22dc78669238e064967fc843866c9797c41d5be1
    SHA256 d0dc12322b5f629a3b17dc79102beb57aa67c0a414f537a01b53da0dc9efdd5f
    SHA512 b976cae09f0d287557f87c5eec3f69671551b64d3bf2c52c46a7c0ad4d41d0a3cd5440c4300943647979280cd14827c3d1c263c0d5399d59c7916298de934fb5

  • C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat
    Filesize 363B
    MD5 f87c56e8469034c3fdbac19e4828ef8f
    SHA1 956d17bca9d30b60c852f4b52b2054457fa94403
    SHA256 20acbf4d96b5fc518ebb265aca79254a7c0685d5efc4ef3ccacb595620bfb368
    SHA512 f00f56a4ddd250f08284304f5d0aa8c57eb5d88ab3d1ce4611d4bf83b9721209f274d5aa4ce8d8e54a38b5dff1f29d6105231acb9d9138848bc77c8ee523e927

  • C:\Users\Admin\AppData\Local\Temp\Tar2C53.tmp
    Filesize 177KB
    MD5 435a9ac180383f9fa094131b173a2f7b
    SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\Temp\archive77.zip
    Filesize 22B
    MD5 76cdb2bad9582d23c1f6f4d868218d6c
    SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
    SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
    SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

  • C:\Users\Admin\AppData\Local\Temp\archive77.zip
    Filesize 1.6MB
    MD5 23e746ed80c005ce32987bbcaadf6e0e
    SHA1 2ca61e8244a9c30a321012c8ae1d6f32071dc46e
    SHA256 9fd3924c19447444c11388df8665c58b9846223a81dd9df8e22b7bdd67fc1a37
    SHA512 937c2c15552e5cdc6bfda9e9b24949437a4ac58f0087044e249207bb49db551450d742707140b9bc0d25acb04404ffdf508845256b8ed4b59cf4061bc4d4c1ea

  • \Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
    Filesize 5.6MB
    MD5 33d509d70645f62cd3dee6ff59d52a91
    SHA1 162276e5905f99d2c31268c67b9b06b578203cdf
    SHA256 eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
    SHA512 60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c

  • \Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
    Filesize 276KB
    MD5 21670cc3ebd12408f4e28eb15e238eec
    SHA1 cef1b5bb121fd851d1711b7fe68a7822d9d1c5d4
    SHA256 10c5422be39fe19e7d5d5ccade4280236b26aef63247223a50ab5f3b34e01799
    SHA512 80e60c5e62b57c4823e4a775c85ac67804306a7e67c8c79c8986822d04ae660f94a0816f5c9204f7b1a992dc6d9107452bacd9e72c7508a451fe24e36a19700a

  • \Users\Admin\AppData\Local\Temp\Browser\mozglue.dll
    Filesize 694KB
    MD5 f5e0950aff26d65cf9e1789b7a013a94
    SHA1 6d305e3da92afa3a188e9b63a55ff99b2a82e425
    SHA256 55ab9f9667e5bdee16613fcb972cc89516b85ceaa4184a65da54deaf51b42de9
    SHA512 7d752921900ca41b1ecc0e199f905d145d90a3068485b05f2fad351f457fc7b20957bfff738d082c64f92c276a55fad2863d1c2f365ca3307e7e1d7f01c70cec

  • memory/1676-3-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize 4KB

  • memory/1676-6-0x0000000000100000-0x0000000000101000-memory.dmp
    Filesize 4KB

  • memory/1676-11-0x0000000000230000-0x0000000000BAA000-memory.dmp
    Filesize 9.5MB

  • memory/1676-10-0x0000000000100000-0x0000000000101000-memory.dmp
    Filesize 4KB

  • memory/1676-8-0x0000000000100000-0x0000000000101000-memory.dmp
    Filesize 4KB

  • memory/1676-14-0x0000000000230000-0x0000000000BAA000-memory.dmp
    Filesize 9.5MB

  • memory/1676-27-0x0000000000230000-0x0000000000BAA000-memory.dmp
    Filesize 9.5MB

  • memory/1676-1-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize 4KB

  • memory/1676-0-0x0000000000230000-0x0000000000BAA000-memory.dmp
    Filesize 9.5MB

  • memory/1676-5-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize 4KB

  • memory/2548-36-0x0000000000090000-0x0000000000091000-memory.dmp
    Filesize 4KB

  • memory/2548-39-0x0000000001350000-0x0000000001CCA000-memory.dmp
    Filesize 9.5MB

  • memory/2548-38-0x0000000000090000-0x0000000000091000-memory.dmp
    Filesize 4KB

  • memory/2548-31-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize 4KB

  • memory/2548-33-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize 4KB