Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 26/07/2024, 01:56
Static task: static1
Behavioral task: behavioral1
  Sample: 72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
  Resource: win10v2004-20240704-en
General
Target: 72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
Size: 141KB
MD5: 72286a2f8319db8606fb34892e88750a
SHA1: feb65e6daf7a5386c059ba171a32c39d109375f8
SHA256: d9522844d78148890f42f4b6747fea772dfd2af8c22118e082880866f37feebb
SHA512: b5a2673d8bbb59661d29a3228492eb8f865ed0a97eb91dfd0e82700095312ae3a7b434af7c0a771fbb34ef75cb37ed13bb2be8b97294c535f0a48bf8d52d10ee
SSDEEP: 3072:Y8MT8d+KIcHzuj0kAuQT0c1vj6dJRUJChjmDhCPWu7B1C0LcV0kSX:YN8dJIf7OV7JChjmDQgVT
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid   Process
2252  Recycle.Bin.exe
5036  Recycle.Bin.exe
3848  Hpe7BA8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource                                                                   yara_rule
behavioral2/memory/2496-7-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral2/memory/2496-14-0x0000000000400000-0x0000000000460000-memory.dmp  upx
behavioral2/memory/2496-12-0x0000000000400000-0x0000000000460000-memory.dmp  upx
behavioral2/memory/2496-11-0x0000000000400000-0x0000000000460000-memory.dmp  upx
behavioral2/memory/2496-9-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral2/memory/2496-8-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral2/memory/2496-5-0x0000000000400000-0x0000000000460000-memory.dmp   upx
behavioral2/memory/2496-20-0x0000000000400000-0x0000000000460000-memory.dmp  upx
behavioral2/memory/5036-34-0x0000000000400000-0x0000000000460000-memory.dmp  upx
behavioral2/memory/5036-35-0x0000000000400000-0x0000000000460000-memory.dmp  upx
behavioral2/memory/5036-41-0x0000000000400000-0x0000000000460000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AUYVV4Y9GCYBOPHFEUNNFBI = "C:\\Recycle.Bin\\Recycle.Bin.exe /q"  Hpe7BA8.exe
Suspicious use of SetThreadContext 2 IoCs
description                           pid   Process                                             procid_target
PID 4256 set thread context of 2496   4256  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe  86
PID 2252 set thread context of 5036   2252  Recycle.Bin.exe                                     89
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Recycle.Bin.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Recycle.Bin.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Hpe7BA8.exe
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
description      ioc                                                                                                                                     Process
Key created      \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\PhishingFilter                          Hpe7BA8.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0"              Hpe7BA8.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0"  Hpe7BA8.exe
Modifies Internet Explorer settings
description      ioc                                                                                                                                     Process
Key created      \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\Recovery                                Hpe7BA8.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0"  Hpe7BA8.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process
2496  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe  (4 rows)
5036  Recycle.Bin.exe                                     (2 rows)
3848  Hpe7BA8.exe                                         (remaining 58 of the 64 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description              pid   Process
Token: SeDebugPrivilege  2496  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe  (4 rows)
Token: SeDebugPrivilege  5036  Recycle.Bin.exe                                     (2 rows)
Token: SeDebugPrivilege  3848  Hpe7BA8.exe                                         (remaining 58 of the 64 rows)
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
4256  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
2252  Recycle.Bin.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                        pid   Process                                             procid_target
PID 4256 wrote to memory of 2496   4256  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe  86  (8 rows)
PID 2496 wrote to memory of 2252   2496  72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe  87  (3 rows)
PID 2252 wrote to memory of 5036   2252  Recycle.Bin.exe                                     89  (8 rows)
PID 5036 wrote to memory of 3848   5036  Recycle.Bin.exe                                     90  (5 rows)
PID 3848 wrote to memory of 2496   3848  Hpe7BA8.exe                                         86  (4 rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe"
   PID: 4256
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\72286a2f8319db8606fb34892e88750a_JaffaCakes118.exe"
      PID: 2496
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Recycle.Bin\Recycle.Bin.exe
         Command line: "C:\Recycle.Bin\Recycle.Bin.exe"
         PID: 2252
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Recycle.Bin\Recycle.Bin.exe
            Command line: "C:\Recycle.Bin\Recycle.Bin.exe"
            PID: 5036
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\Hpe7BA8.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\Hpe7BA8.exe"
               PID: 3848
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Modifies Internet Explorer Phishing Filter
               - Modifies Internet Explorer settings
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 141KB
MD5: 72286a2f8319db8606fb34892e88750a
SHA1: feb65e6daf7a5386c059ba171a32c39d109375f8
SHA256: d9522844d78148890f42f4b6747fea772dfd2af8c22118e082880866f37feebb
SHA512: b5a2673d8bbb59661d29a3228492eb8f865ed0a97eb91dfd0e82700095312ae3a7b434af7c0a771fbb34ef75cb37ed13bb2be8b97294c535f0a48bf8d52d10ee

Filesize: 5KB
MD5: 66c58bd5b39a6581f4fb593f9164db51
SHA1: 0a28091e3bffa65fa507158e611bb8a7abc7e207
SHA256: 3b9d78109a59e5b1544bca9fefc85d1f47260d5037e0ca4927ebcbf7279b3391
SHA512: 2d5370dfa6e8f607c0e8c1b8c5d33357831fd044da6760410b5088a650f995299062c4ad3ecdeaa4ea97548afcad3100d87d020b097ceaca5d8ca64b68f95ee5

Filesize: 3KB
MD5: 29090b6b4d6605a97ac760d06436ac2d
SHA1: d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256: 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
SHA512: 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be