Analysis
- max time kernel: 125s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 01:44
Static task: static1
Behavioral task: behavioral1
- Sample: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
- Size: 106KB
- MD5: b1ac4188ff7db6a842881b51614ffd9d
- SHA1: 014adc2629a32bc0554235320ee5e18066a49bb4
- SHA256: 95609aab540ea2f816056310e876a2b1e7d69260eedee72eff3aa347f3962d73
- SHA512: b18426488f2ff5c901bb6f5589e640a04e779d777900776ba1d3b75273c47604fcee1f95841def9a75dca8d3a0cf91c22f78d09ee727e397f10d1ed714c750b5
- SSDEEP: 768:3LPXgEVU3PqRAGCmQRbUHj0tUlBlBlBlBlBlBlBlBlBllAb07AI:bPXHS/GCmQpUQtc
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious Access or copy of Web Browser Credential store.
- Drops startup file (5 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_files\NO_PWDS_report_21-08-2024_01-44-21-GFDG.bin (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_files\NO_PWDS_report_21-08-2024_01-44-21-GFDG.bin (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_files (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
- Executes dropped EXE (1 IoCs)
  PID 2720: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
- Loads dropped DLL (2 IoCs)
  PID 2656: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (2 entries)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Indicator Removal: File Deletion (1 TTPs)
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3: whatismyip.akamai.com
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
- Modifies system certificate store (2 IoCs)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value elided] (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 2656: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (4 entries)
  PID 2720: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (5 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2656 wrote to memory of 2720 (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe, procid_target 30) (4 entries)
  PID 2720 wrote to memory of 2192 (Process: b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe, procid_target 33) (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (PID 2656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe"
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe (PID 2720)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe"
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2192)
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe" >> NUL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Indicator Removal (1): File Deletion (1)
- Modify Registry (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (4): Credentials In Files (4)
Downloads
- Filesize: 1KB
  MD5: 44064d021b7092e4bc5d9bca2d974c17
  SHA1: 2570af5b35e20983feba6ae8046e17e1ef83165d
  SHA256: 3e021e31b47a0d367917dc15ae99bab17447563f9f4351825a5abdff1da8c6d9
  SHA512: 2dd9ec3d65bdf859f2bafff3a6a466e6b0620d202d49f2379bbea3c2adc964063d6713802a8c8f6a863f15d52506a588c95130f06f8e7a9b325eacf8bf25f1ab
- Filesize: 16KB
  MD5: 28b69e6ad544d1dc930ccc850c371e9e
  SHA1: e4ab884a674dcc02b24d3dc6fc6fb87f6e0220bf
  SHA256: ee191adad5d025600c6e63907ecebb239f553c0d24893ec596665b49c209fdaa
  SHA512: fadbcbbb40a53871a81b8fe9a7b2ea33864536a6a9b3bd1ca77473b1af4f15aa826c73ca10dc6718bddb6f4164b9be442c61f1171fe48106057017e53fdacdc2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
  Filesize: 106KB
  MD5: b1ac4188ff7db6a842881b51614ffd9d
  SHA1: 014adc2629a32bc0554235320ee5e18066a49bb4
  SHA256: 95609aab540ea2f816056310e876a2b1e7d69260eedee72eff3aa347f3962d73
  SHA512: b18426488f2ff5c901bb6f5589e640a04e779d777900776ba1d3b75273c47604fcee1f95841def9a75dca8d3a0cf91c22f78d09ee727e397f10d1ed714c750b5