Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 01:44

General

  • Target

    b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe

  • Size

    106KB

  • MD5

    b1ac4188ff7db6a842881b51614ffd9d

  • SHA1

    014adc2629a32bc0554235320ee5e18066a49bb4

  • SHA256

    95609aab540ea2f816056310e876a2b1e7d69260eedee72eff3aa347f3962d73

  • SHA512

    b18426488f2ff5c901bb6f5589e640a04e779d777900776ba1d3b75273c47604fcee1f95841def9a75dca8d3a0cf91c22f78d09ee727e397f10d1ed714c750b5

  • SSDEEP

    768:3LPXgEVU3PqRAGCmQRbUHj0tUlBlBlBlBlBlBlBlBlBllAb07AI:bPXHS/GCmQpUQtc

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe" >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_21-08-2024_01-44-21-GFDG.bin

    Filesize

    1KB

    MD5

    44064d021b7092e4bc5d9bca2d974c17

    SHA1

    2570af5b35e20983feba6ae8046e17e1ef83165d

    SHA256

    3e021e31b47a0d367917dc15ae99bab17447563f9f4351825a5abdff1da8c6d9

    SHA512

    2dd9ec3d65bdf859f2bafff3a6a466e6b0620d202d49f2379bbea3c2adc964063d6713802a8c8f6a863f15d52506a588c95130f06f8e7a9b325eacf8bf25f1ab

  • C:\Users\Admin\AppData\Local\Temp\OAJDHPPP.exePGMJCFKF.exe

    Filesize

    16KB

    MD5

    28b69e6ad544d1dc930ccc850c371e9e

    SHA1

    e4ab884a674dcc02b24d3dc6fc6fb87f6e0220bf

    SHA256

    ee191adad5d025600c6e63907ecebb239f553c0d24893ec596665b49c209fdaa

    SHA512

    fadbcbbb40a53871a81b8fe9a7b2ea33864536a6a9b3bd1ca77473b1af4f15aa826c73ca10dc6718bddb6f4164b9be442c61f1171fe48106057017e53fdacdc2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b1ac4188ff7db6a842881b51614ffd9d_JaffaCakes118.exe

    Filesize

    106KB

    MD5

    b1ac4188ff7db6a842881b51614ffd9d

    SHA1

    014adc2629a32bc0554235320ee5e18066a49bb4

    SHA256

    95609aab540ea2f816056310e876a2b1e7d69260eedee72eff3aa347f3962d73

    SHA512

    b18426488f2ff5c901bb6f5589e640a04e779d777900776ba1d3b75273c47604fcee1f95841def9a75dca8d3a0cf91c22f78d09ee727e397f10d1ed714c750b5

  • memory/2656-0-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2656-10-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2720-12-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2720-13-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2720-23-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2720-31-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB

  • memory/2720-58-0x0000000000400000-0x0000000000477000-memory.dmp

    Filesize

    476KB