Analysis (this block describes the win10v2004 run, i.e. behavioral2)
max time kernel: 153s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/05/2024, 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe
Size: 965KB
MD5: 4c6d077efc220f1f2b940a55c22055d3
SHA1: e37cfad0a8e328d2d60b2fbaf19db91a73966849
SHA256: bda2ca03c7cc1a1176e210747275d8f05cf1ad5eadb608859ff90db1a591071e
SHA512: 1054748a878896eb330545b1eaf80ab016091d77ed0a37e6aea8046985858199a97a41d983bb251d3d518d0394c321182b7c2d5e805c305a3e87a23ea6d20429
SSDEEP: 12288:qh995HQnOWZ9r2VMrmgOkCiXn9fsKMt54P9YE4BDIfrpnzTvoX5u2xOcF1QTn0wI:qhHMDfrOgWq9UznzDIfNzTaPfu7w5XN
Malware Config
Extracted
Family: azorult
C2: http://fxcoin.in/fxcoin/4/index.php
Signatures

Azorult
An information stealer first observed in 2016 that targets browsing history and saved passwords.

Executes dropped EXE (3 IoCs)
pid   Process
3272  StikyNot.exe
3720  StikyNot.exe
4176  StikyNot.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                             Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"  4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"  StikyNot.exe
Note the masquerade: the Run value is named "Microsoft OneDrive" but launches dropped binaries from a bare AppData\Local\Chrome folder, a location neither OneDrive nor Chrome uses.
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process                                              procid_target
PID 3604 set thread context of 4800  3604  4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe  100
PID 3604 set thread context of 4644  3604  4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe  101
PID 3272 set thread context of 3720  3272  StikyNot.exe                                         103

NTFS ADS (2 IoCs)
description   ioc                                                                                            Process
File created  C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe  diskperf.exe
File created  C:\Users\Admin\AppData\Local\Chrome\C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe  diskperf.exe

Suspicious behavior: EnumeratesProcesses (34 IoCs)
pid   Process       events
4644  diskperf.exe  34 (identical entries collapsed)

Suspicious use of WriteProcessMemory (32 IoCs; identical entries collapsed, count in last column)
description                     pid   Process                                              procid_target  count
PID 3604 wrote to memory of 4800  3604  4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe  100            9
PID 3604 wrote to memory of 4644  3604  4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe  101            5
PID 4644 wrote to memory of 3272  4644  diskperf.exe                                         102            3
PID 3272 wrote to memory of 3720  3272  StikyNot.exe                                         103            9
PID 3272 wrote to memory of 1320  3272  StikyNot.exe                                         104            3
PID 4644 wrote to memory of 4176  4644  diskperf.exe                                         105            3
Processes
Indentation shows parent/child depth; the quoted string under each image is the captured command line.

C:\Users\Admin\AppData\Local\Temp\4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe  PID 3604
  "C:\Users\Admin\AppData\Local\Temp\4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe  PID 4800
      "C:\Users\Admin\AppData\Local\Temp\4c6d077efc220f1f2b940a55c22055d3_JaffaCakes118.exe"
    C:\Windows\SysWOW64\diskperf.exe  PID 4644
      "C:\Windows\SysWOW64\diskperf.exe"
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe  PID 3272
          "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe  PID 3720
              "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"
              - Executes dropped EXE
            C:\Windows\SysWOW64\diskperf.exe  PID 1320
              "C:\Windows\SysWOW64\diskperf.exe"
        C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe  PID 4176
          "C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"
          - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 216  (separate top-level process, not a child of the sample)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
Submitted sample, 965KB
MD5: 4c6d077efc220f1f2b940a55c22055d3
SHA1: e37cfad0a8e328d2d60b2fbaf19db91a73966849
SHA256: bda2ca03c7cc1a1176e210747275d8f05cf1ad5eadb608859ff90db1a591071e
SHA512: 1054748a878896eb330545b1eaf80ab016091d77ed0a37e6aea8046985858199a97a41d983bb251d3d518d0394c321182b7c2d5e805c305a3e87a23ea6d20429