Analysis
- max time kernel: 135s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15/05/2024, 17:16
Static task: static1
Behavioral task: behavioral1
- Sample: 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Size: 2.0MB
- MD5: 4733a823253e50d03fac643b86bfc988
- SHA1: f665d1e999f428ff6c737eed26e83790dbee024d
- SHA256: 9d1c7694e5d77b85d7b408ce5c7b2b4c83fe75458ec3d3cd320ea5eed7de2cba
- SHA512: 17c8e90f316004f38dc92e5102ee78903f7d7bf62c40231b868e8182740b9f659cc95bb9d5e19b2830671e43855f3a90d0b380cef2236213227f99fe538b1984
- SSDEEP: 49152:hnJMKPdHuS8MaScLZuQVAUT1G2KygVRb1VAaoSjBqH3L:hn1PduU3cAp4nG1qxv
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  35 | checkip.amazonaws.com
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  4268 | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  3848 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4268 | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe (listed 4 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4268 | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4268 wrote to memory of 4756 | 4268 | 4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe | 97 (listed 3 times)
  PID 4756 wrote to memory of 3848 | 4756 | cmd.exe | 99 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"
  PID: 4268
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /C ping 127.0.0.1 -n 3 > nul &del "C:\Users\Admin\AppData\Local\Temp\4733a823253e50d03fac643b86bfc988_JaffaCakes118.exe"
    PID: 4756
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 3
      PID: 3848
      Signatures:
      - Runs ping.exe
Downloads