Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 23s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
Size: 165KB
MD5: af985d4008865ceb92b99b79e9d2a1ec
SHA1: 943913af93434f6eddbb3c57b1ddfccce3c70169
SHA256: c8f9b766c190d78e8f8676e16b45ced909605ae3ce27fd17f6bdd53cc92cb328
SHA512: b33d1b77ce9f91f0c0d17ae22f07c1ef53b2069f227813f8a8efe647b7e9181432c799cb6680f18424ffa44d6d58a70719f66e2a5866451f8b6928d74655126f
SSDEEP: 3072:4iY/vHi2r8KhmF6CVjwSkLga+tpznaM8JoGD2Kv839yjzK7kuZRpVRNmddPSi:UHFIQCRkLEaZoGD2G839yzq9RBNKdqi
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

UPX packed file (YARA rule 'upx' matched on memory dumps)
The rule hits on dumps of the sample's own image range (0x0000000000400000-0x000000000043C000) in all three process instances (PIDs 712, 2428 and 2160).
resource                                                        yara_rule
behavioral1/memory/712-2-0x0000000000400000-0x000000000043C000-memory.dmp     upx
behavioral1/memory/2428-5-0x0000000000400000-0x000000000043C000-memory.dmp    upx
behavioral1/memory/712-8-0x0000000000400000-0x000000000043C000-memory.dmp     upx
behavioral1/memory/712-68-0x0000000000400000-0x000000000043C000-memory.dmp    upx
behavioral1/memory/2160-70-0x0000000000400000-0x000000000043C000-memory.dmp   upx
behavioral1/memory/2160-71-0x0000000000400000-0x000000000043C000-memory.dmp   upx
behavioral1/memory/712-131-0x0000000000400000-0x000000000043C000-memory.dmp   upx
behavioral1/memory/712-134-0x0000000000400000-0x000000000043C000-memory.dmp   upx

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"
process: af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
(The key sits under Wow6432Node, i.e. the 32-bit registry view on the x64 VM, which fits the arch:x86 resource tag. The value name and the target file name "conhost" imitate the legitimate console host, which lives in System32, not under AppData\Roaming.)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   process                                              procid_target
PID 712 wrote to memory of 2428    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   30
PID 712 wrote to memory of 2428    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   30
PID 712 wrote to memory of 2428    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   30
PID 712 wrote to memory of 2428    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   30
PID 712 wrote to memory of 2160    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   32
PID 712 wrote to memory of 2160    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   32
PID 712 wrote to memory of 2160    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   32
PID 712 wrote to memory of 2160    712   af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe   32
(All writes come from the parent, PID 712, into the two child instances of the same executable it spawned; see the process tree below.)
Processes

C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe  (PID 712)
  command line: "C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe  (PID 2428, child of 712)
    command line: C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe  (PID 2160, child of 712)
    command line: C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
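The signatures and process tree above give three things a detection engineer can turn into checks: a Run key whose value and target file borrow a Windows system binary name, two child command lines carrying paths of further system-named files under the user profile, and eight WriteProcessMemory IoCs that collapse to two parent-to-child edges. The script below is an added example, not part of the Triage report or its tooling; it parses IoC lines transcribed from this report (constructed input), normalises them, and flags file names that legitimately exist only in System32 but here appear under AppData. The helper names, the SYSTEM_ONLY_NAMES list and the regexes are this example's own assumptions about the report's text layout.

```python
"""Added example: normalise Triage IoC lines from this report and flag
system-binary-name masquerading. Not part of the report or of Triage."""
import re
from collections import Counter

# Windows binaries that only legitimately run from %SystemRoot%\System32.
# A file with one of these names under a user profile is masquerading.
# (Assumed list for this example; extend to taste.)
SYSTEM_ONLY_NAMES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# IoC lines transcribed from the report above (constructed input).
RUN_KEY_IOC = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
               r'\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"')
WPM_IOCS = """\
PID 712 wrote to memory of 2428 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 30
PID 712 wrote to memory of 2428 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 30
PID 712 wrote to memory of 2428 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 30
PID 712 wrote to memory of 2428 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 30
PID 712 wrote to memory of 2160 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 32
PID 712 wrote to memory of 2160 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 32
PID 712 wrote to memory of 2160 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 32
PID 712 wrote to memory of 2160 712 af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe 32
"""
CHILD_CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe "
    r"startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming",
    r"C:\Users\Admin\AppData\Local\Temp\af985d4008865ceb92b99b79e9d2a1ec_JaffaCakes118.exe "
    r"startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp",
]

RUN_KEY_RE = re.compile(r'\\Run\\(?P<name>\S+) = "(?P<path>[^"]+)"')
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)")
# The report shows 'start' fused to the path; \s* tolerates either form.
START_ARG_RE = re.compile(r"start\s*(?P<path>[A-Za-z]:\\[^%]+)%(?P<dir>[A-Za-z]:\\\S*)")


def parse_run_key(line):
    """Return (value_name, target_path) from a Triage 'Set value' Run-key IoC."""
    m = RUN_KEY_RE.search(line)
    if not m:
        return None
    # Triage doubles backslashes inside the quoted value; normalise to single.
    return m.group("name"), m.group("path").replace("\\\\", "\\")


def is_masquerading(path):
    """True if the basename is a System32-only binary name but the path is elsewhere."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_ONLY_NAMES and not p.startswith(SYSTEM32)


def parse_wpm(text):
    """Collapse repeated WriteProcessMemory IoCs into (src_pid, dst_pid, image) -> count."""
    edges = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges[(int(m.group("src")), int(m.group("dst")), m.group("image"))] += 1
    return edges


def dropped_paths(cmdlines):
    """Extract the '<path>%<dir>' argument the child instances are started with."""
    return [m.group("path") for cmd in cmdlines if (m := START_ARG_RE.search(cmd))]


def analyse():
    """Run every check over the constructed report lines and return the findings."""
    name, target = parse_run_key(RUN_KEY_IOC)
    dropped = dropped_paths(CHILD_CMDLINES)
    return {
        "run_key_value": name,
        "run_key_target": target,
        "run_key_masquerade": is_masquerading(target),
        "wpm_edges": dict(parse_wpm(WPM_IOCS)),
        "dropped": dropped,
        "dropped_masquerade": [p for p in dropped if is_masquerading(p)],
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints one line per finding; in a hunting pipeline the same functions would take lines exported from a Triage report or an EDR registry/process-access feed. The masquerade check deliberately keys on the basename plus location rather than on the full path, because the location (Roaming\Microsoft, Roaming, Temp) varies per sample while the borrowed names do not.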
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 300B
MD5: d678054ba7343317463e596f823f195d
SHA1: 02d01e62aa28ccb6dc9f4f956ffbc1d072e5b8fc
SHA256: de1f9310384e02543c7294f9f3a2f6dfc080f0049d98d0d378c49348f06b9001
SHA512: 539fbdb65e79b12a07d6b96dbb1644fa628472967c6966d02e16a63a27c5ca54b09c34e5a0ad5b9916f5029b35445aa89dde23779ee54da20a91a218989d04a2

Filesize: 1KB
MD5: 9a956e1a6a00b8d875b3034aa121c495
SHA1: 32c8cce92aefc6ec70f641fc232d54ea9a282231
SHA256: 6301194cd97cf13fbb819ab7dfe73666643b52cd36ad53e31c8b0a278bed0c72
SHA512: aad6d4b2864051c56094e1f4fc68ef121fbb79df2f1deec25368cedeebfec2177c709eedd0f01fe15f99ed21e28db822a68bc1e85f35348a0f22028c431d26bd

Filesize: 696B
MD5: 5b4f76687cfbfad71ee4103d04a305a0
SHA1: ab0df1624d342ae47f8d1c65e9c8274da2b4b9bc
SHA256: eeed86373c0600c136e8ba624978f939ad76ccbeb212d6249b7cd5ccf10fe81a
SHA512: 71d13f89077967282d1b0a6e7f5b2ae74bf50b773bcd72d88fc692351fc31690e82346a8df8d6c2dd68bf8dd0d0c994d0b57532893ea3ead0bed8675b31c4bdd