Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 116s
max time network: 129s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19/07/2024, 03:47
Static task
static1: 1 signature
Behavioral task
behavioral1: sample 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe, resource win7-20240704-en, 5 signatures, 150 seconds
General
Target: 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe
Size: 238KB
MD5: 5a58e00038c4b03e057852bef98b4e29
SHA1: 3c7ba15d6ec5e2af3ac1c27f10ff735ee039067f
SHA256: 1048521d6892c81660dc051ecb247a61d25bd4d59111f21190efe95af0f2d063
SHA512: f76a3c2678ab7804407a4f5b43b9233be02172fdee3bfaf0b871f1f7aef3a3e11dedd8b0507c8cd16434b3856206dbd041472986cb2015941a50503e11c78258
SSDEEP: 6144:WmM0jBltDQdaRCgFvwA2dXlZ43Pk9FA+kOaB4YXdpb:bM0jBltDwa4pfVlef92alX3
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

Drops file in Windows directory (1 IoC)
description  | ioc                        | Process
File created | C:\Windows\winexec32.txt   | 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe
Creating a file directly under C:\Windows needs administrative rights, so the sample ran with a token that could write there (it was launched from C:\Users\Admin\..., see the process tree below).

Program crash (1 IoC)
pid  | pid_target | Process      | procid_target
2936 | 2432       | WerFault.exe | 28
The crashing process is the sample itself (PID 2432); the WerFault.exe command line in the process tree (-p 2432) confirms this. The sample therefore did not run to completion in this analysis, and any behaviour after the crash is not captured.

Runs net.exe
The sample executes "net stop SharedAccess"; net.exe hands the command to net1.exe, which is why both appear in the tree. SharedAccess is the service name of "Windows Firewall/Internet Connection Sharing (ICS)" on Windows XP. On Windows 7, the platform used here, SharedAccess is only Internet Connection Sharing and the firewall itself runs as MpsSvc, so on this OS the command does not disable the host firewall; it is an XP-era firewall-disabling technique.

Suspicious use of WriteProcessMemory (8 IoCs)
description                       | pid  | Process                                              | procid_target
PID 2432 wrote to memory of 2784  | 2432 | 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe   | 29
PID 2432 wrote to memory of 2784  | 2432 | 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe   | 29
PID 2432 wrote to memory of 2784  | 2432 | 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe   | 29
PID 2432 wrote to memory of 2784  | 2432 | 5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe   | 29
PID 2784 wrote to memory of 2844  | 2784 | net.exe                                              | 31
PID 2784 wrote to memory of 2844  | 2784 | net.exe                                              | 31
PID 2784 wrote to memory of 2844  | 2784 | net.exe                                              | 31
PID 2784 wrote to memory of 2844  | 2784 | net.exe                                              | 31
All eight writes go from a parent into the child it has just created (the sample into net.exe, net.exe into net1.exe), matching the process tree exactly. Writes of that shape are produced by ordinary process creation; on their own they are not evidence of injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe"
  PID: 2432
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      command line: net stop SharedAccess
      PID: 2784
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop SharedAccess
          PID: 2844

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 432
      PID: 2936
      - Program crash
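The two behaviours worth alerting on in this tree are a firewall-related service being stopped through net.exe/net1.exe by a process whose ancestry leads back to a binary in a user profile directory, and a file created under C:\Windows by a process that does not itself live there. The following is an added example of that detection logic, not tria.ge's code and not its export format: the ProcEvent/FileEvent records are constructed by hand from the process tree and file IoC shown in this report, and the field names, the MpsSvc/SharedAccess service list and the AppData path pattern are the example's own assumptions.

```python
"""Detection logic for the two behaviours in this report: a firewall-service
stop via net.exe/net1.exe descending from a user-profile binary, and a file
created under the Windows directory by a process not located there.

Added example, not tria.ge's own code. Events are constructed from the
report's process tree and file IoC; no real tria.ge export format is assumed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 when the parent is outside the captured tree
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int        # creating process
    path: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5a58e00038c4b03e057852bef98b4e29_JaffaCakes118.exe"

# Constructed from the report's process tree (PIDs and command lines as shown there).
PROCS = [
    ProcEvent(2432, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2784, 2432, r"C:\Windows\SysWOW64\net.exe", "net stop SharedAccess"),
    ProcEvent(2844, 2784, r"C:\Windows\SysWOW64\net1.exe",
              r"C:\Windows\system32\net1 stop SharedAccess"),
    ProcEvent(2936, 2432, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 432"),
]
# Constructed from the "Drops file in Windows directory" IoC.
FILES = [FileEvent(2432, r"C:\Windows\winexec32.txt")]

# SharedAccess: Windows Firewall/ICS on XP, ICS only on Vista and later.
# MpsSvc: the Windows Firewall service on Vista and later.
FIREWALL_SERVICES = {"sharedaccess", "mpssvc"}
STOP_RE = re.compile(r"\bstop\s+(\S+)", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def _index(procs):
    return {p.pid: p for p in procs}


def user_profile_ancestor(pid, index, max_depth=16):
    """Walk the parent chain from pid (inclusive) and return the first process
    whose image lives under a user's AppData tree, or None if there is none."""
    for _ in range(max_depth):
        p = index.get(pid)
        if p is None:
            return None
        if USER_PROFILE_RE.match(p.image):
            return p
        pid = p.ppid
    return None


def find_firewall_service_stops(procs):
    """Return (pid, service, origin_pid) for each net.exe/net1.exe that stops a
    firewall-related service and descends from a user-profile binary."""
    index = _index(procs)
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() not in ("net.exe", "net1.exe"):
            continue
        m = STOP_RE.search(p.cmdline)
        if not m or m.group(1).lower() not in FIREWALL_SERVICES:
            continue
        origin = user_profile_ancestor(p.ppid, index)
        if origin is not None:
            hits.append((p.pid, m.group(1), origin.pid))
    return hits


def find_windows_dir_writes(files, procs):
    """Return (pid, path) for files created under the Windows directory by a
    process whose own image is not under it."""
    index = _index(procs)
    hits = []
    for f in files:
        p = index.get(f.pid)
        if p is None or not WINDOWS_DIR_RE.match(f.path):
            continue
        if not WINDOWS_DIR_RE.match(p.image):
            hits.append((f.pid, f.path))
    return hits


if __name__ == "__main__":
    for pid, svc, origin in find_firewall_service_stops(PROCS):
        print(f"pid {pid}: 'net stop {svc}' launched under user-profile binary pid {origin}")
    for pid, path in find_windows_dir_writes(FILES, PROCS):
        print(f"pid {pid}: created {path} from outside the Windows directory")
```

Both net.exe (2784) and net1.exe (2844) are reported because each descends from the Temp-resident sample; an administrator running the same command from a console under C:\Windows\System32 has no user-profile ancestor and is not flagged. The ancestry walk is bounded so a malformed or cyclic parent chain cannot hang the check.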