Analysis
max time kernel: 143s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 03/07/2024, 12:21
Static task: static1
Behavioral task: behavioral1
Sample: 22616cd11e8369815965211071778a31_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 22616cd11e8369815965211071778a31_JaffaCakes118.exe
Size: 186KB
MD5: 22616cd11e8369815965211071778a31
SHA1: dcd4aa5174031c97ad5a16aea0f3ca201412d295
SHA256: 84b1532207c2c125388f8f576708b96bacc3dd31de9c41f64edf0a083cf9f1a3
SHA512: f10832b8701e2ee5355a5b641f5a0cc96b2d9dd7986c4082f9008df32631084c82acca2bf46af02b3b6505ce41948e02dea1d8024ab06a0800f07cf53d1924f4
SSDEEP: 3072:6IJ08+joCgu6ODtWgpwX11JXKHgGNfhKeG/4IlEVDnx7M9FPaQS8UpyZPS3ekq24:6IS8wR6rJpKAGNfMRCLmnaV8Iyp63q2
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA matches
  resource | yara_rule
  behavioral2/memory/740-1-0x0000000000400000-0x0000000000471000-memory.dmp | upx
  behavioral2/memory/5012-12-0x0000000000400000-0x0000000000471000-memory.dmp | upx
  behavioral2/memory/1676-116-0x0000000000400000-0x0000000000471000-memory.dmp | upx
  behavioral2/memory/740-114-0x0000000000400000-0x0000000000471000-memory.dmp | upx
  behavioral2/memory/740-195-0x0000000000400000-0x0000000000471000-memory.dmp | upx
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 740 wrote to memory of 5012 | 740 | 22616cd11e8369815965211071778a31_JaffaCakes118.exe | 90
  PID 740 wrote to memory of 5012 | 740 | 22616cd11e8369815965211071778a31_JaffaCakes118.exe | 90
  PID 740 wrote to memory of 5012 | 740 | 22616cd11e8369815965211071778a31_JaffaCakes118.exe | 90
  PID 740 wrote to memory of 1676 | 740 | 22616cd11e8369815965211071778a31_JaffaCakes118.exe | 103
  PID 740 wrote to memory of 1676 | 740 | 22616cd11e8369815965211071778a31_JaffaCakes118.exe | 103
  PID 740 wrote to memory of 1676 | 740 | 22616cd11e8369815965211071778a31_JaffaCakes118.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe"
  PID: 740
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 5012
  - C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\22616cd11e8369815965211071778a31_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8
  PID: 4932
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 996B
  MD5: 74aa342edfc755075a45cae55d0f3192
  SHA1: cfe94986ec04023249a1e0ed4349cd9ea661dd8b
  SHA256: 988784882e4e6c7ace9388bf69a797968ca643618170be0da0e3d140282556f4
  SHA512: 3aa42bbd982f5e5a9006023db8ecab773948df417b39558bc5b49d19bdffdf2283e2abff99e49585c6f62dc3d902b6280a4c29271e265c99704054656739d730
- Filesize: 600B
  MD5: dbcfedf9eb9c24da71fdef57e1e9225d
  SHA1: 8acc23a169fec3c85d6949eff5d866f9ef7278df
  SHA256: ac3625bc0c4d54f9bcc1ac322955d12f333eb8057d4adb5d80133e29b2c459fc
  SHA512: cd5f957650b29976cb1cf5bf73a60caab3aeff3df47e95800ffe1ffc4e07236062c74bcbc4936de0d0ba0e32bc6b6e7e638678a6d3090953740c024346bac0e4