Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 12/05/2024, 11:01
Static task
- static1
Behavioral task
- behavioral1
  Sample: 39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: 39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
- Size: 3.3MB
- MD5: 39c368074a4380b85e3291d787f7562f
- SHA1: 82c8e32c6f3e8ab032d28c893495254562a7c8fd
- SHA256: c4d194e400f2ea4c7df3b8d392c8b4fcb2868e1bddf2445e83c6baa2fe6524c6
- SHA512: 9ac0fa86cffec8afaa93ba65c467cb32043a75a2a8c36fc6a24f28a5db000caa143efd418924ffa6670ed16533b5fd9766002f765dd485b8d85050088f6256f5
- SSDEEP: 98304:1AI+RTAf+MzQSioq96WMb3O6pLve2WX69t6S9I+H:mtbMZq9666pLvejX06SOM
Malware Config
- Extracted: azorult
  http://92.63.192.72/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  pid   Process
  2476  busshost.exe
  2596  YTLoader.exe
- Loads dropped DLL (8 IoCs)
  pid   Process
  2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  2752  WerFault.exe
  2752  WerFault.exe
  2752  WerFault.exe
  2752  WerFault.exe
  2752  WerFault.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (4 IoCs)
  description                   ioc                                              Process
  File opened for modification  C:\Program Files (x86)\LetsSee!\YTLoader.exe     39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\busshost.exe     39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\Uninstall.exe    39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  File created                  C:\Program Files (x86)\LetsSee!\Uninstall.ini    39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2752  2596        WerFault.exe  29
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  YTLoader.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                            Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   YTLoader.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2596  YTLoader.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process                                              procid_target
  PID 2896 wrote to memory of 2476    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   28
  PID 2896 wrote to memory of 2476    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   28
  PID 2896 wrote to memory of 2476    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   28
  PID 2896 wrote to memory of 2476    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   28
  PID 2896 wrote to memory of 2596    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   29
  PID 2896 wrote to memory of 2596    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   29
  PID 2896 wrote to memory of 2596    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   29
  PID 2896 wrote to memory of 2596    2896  39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe   29
  PID 2596 wrote to memory of 2752    2596  YTLoader.exe                                         31
  PID 2596 wrote to memory of 2752    2596  YTLoader.exe                                         31
  PID 2596 wrote to memory of 2752    2596  YTLoader.exe                                         31
  PID 2596 wrote to memory of 2752    2596  YTLoader.exe                                         31
Processes
- C:\Users\Admin\AppData\Local\Temp\39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39c368074a4380b85e3291d787f7562f_JaffaCakes118.exe"
  Depth: 1, PID: 2896
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\LetsSee!\busshost.exe
    Command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
    Depth: 2, PID: 2476
    - Executes dropped EXE
  - C:\Program Files (x86)\LetsSee!\YTLoader.exe
    Command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
    Depth: 2, PID: 2596
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1184
      Depth: 3, PID: 2752
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.0MB
  MD5: c53d2de8becdaf58caba89a297455c65
  SHA1: c60da079393025e63475683375e0a045cefa3473
  SHA256: 7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272
  SHA512: a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878
- Filesize: 318KB
  MD5: ff562e999268780e4e2127df81b5d59f
  SHA1: 508d5281c4086da69edb1cac1abc74fd628e7527
  SHA256: 226b143545f3c952d99a200c18cd06f90eb98e64b477f9ab2aa5838cd0e72cd0
  SHA512: d35d23a04a4f420ea8b2aae4f42979c3b9e2bc43ff1bfa240946789149996dd6880601ef9b02393be3201eaba9be7bd7198b14cd954bdba48e6a0ae29c4f7a01