Analysis
  max time kernel:   139s
  max time network:  125s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240709-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         19/07/2024, 05:56
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe
  Resource:          win7-20240705-en
General
  Target:  5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe
  Size:    359KB
  MD5:     5ab98fa374fb3354a17b9f2ae40b2b32
  SHA1:    64cf30c5ed3aee9b1d29e296988aa93d9f3bcf3a
  SHA256:  1cf8af841511bc3a1210c9c02276627d87dd07d38bbb2baa44c20cf55c3a76f3
  SHA512:  c673116e62e79a128093f34dda0abb04e59a2bf2ac13e967cd1882551bf63f9e779a6f6e23933bed2d91440005bac3e7724eef31e722c6c243a43c821cfa0a52
  SSDEEP:  6144:0BFybY/7YsXUmrXgEXrMzp14WaumddWFlhdYBb+vDDTH0DcPGCa3DLb8NHiB:0Cm/XXgsdumdIlnYqDDTUwPbWLb8NCB
Malware Config
Signatures
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

  Suspicious use of WriteProcessMemory (9 IoCs)
    description                       pid   Process                                             procid_target
    PID 3448 wrote to memory of 744   3448  5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe  86
    PID 3448 wrote to memory of 744   3448  5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe  86
    PID 3448 wrote to memory of 744   3448  5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe  86
    PID 744 wrote to memory of 3748   744   cmd.exe                                             88
    PID 744 wrote to memory of 3748   744   cmd.exe                                             88
    PID 744 wrote to memory of 3748   744   cmd.exe                                             88
    PID 744 wrote to memory of 2276   744   cmd.exe                                             90
    PID 744 wrote to memory of 2276   744   cmd.exe                                             90
    PID 744 wrote to memory of 2276   744   cmd.exe                                             90

  Views/modifies file attributes (1 TTPs, 2 IoCs)
    pid   Process
    2276  attrib.exe
    3748  attrib.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe"
      Signatures:   Suspicious use of WriteProcessMemory
      PID:          3448

      [2] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\7B1BTM~1.BAT
          Signatures:   Suspicious use of WriteProcessMemory
          PID:          744

          [3] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\5ab98fa374fb3354a17b9f2ae40b2b32_JaffaCakes118.exe"
              Signatures:   Views/modifies file attributes
              PID:          3748

          [3] C:\Windows\SysWOW64\attrib.exe
              Command line: attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\7B1B.tmp.bat"
              Signatures:   Views/modifies file attributes
              PID:          2276
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  474B
  MD5:       eb091c39c901bae627af5d9fe6514a6e
  SHA1:      c0adad347bf1f4832ebf4e1b6448b55bc39a90e9
  SHA256:    67cfc8f02717140f4d0e31290e2e0b006810343b6d5a4ad3a1d0ab4454bbd17f
  SHA512:    575171b2b3165ee608c67cbfc8560c484c1bb59c80f9b396c056c7fa75a97343924b7587a734e217049dbebfbd172a7688c8f204e5770c201114251fe4485467