Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/08/2024, 09:13 UTC

General

  • Target

    bb22b7cd181856e19f41db0463c2a6da_JaffaCakes118.exe

  • Size

    263KB

  • MD5

    bb22b7cd181856e19f41db0463c2a6da

  • SHA1

    19eabacb8fcb30d8695e09b7a30ead73c61367bc

  • SHA256

    921da0a7b383822beed81fae81762b525bced3706af6d791ebfcd1c546ab6810

  • SHA512

    7a737a68e227f6ecf9f724d09aa069d2275a89336edbad7bb75131b6b687b108519f9fda572f64d9f6f349fa3df1dfee091e90986ffc88f164985d433e7d9819

  • SSDEEP

    3072:T4d5Eow66VJaolwYG0/SSOIYyPrOeYysgUFuku8dD3/R9cIROdwJEax0byj164S4:kdv6KY4uRh+Zx/RuINx0+w/bD6KL

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookAW 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb22b7cd181856e19f41db0463c2a6da_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb22b7cd181856e19f41db0463c2a6da_JaffaCakes118.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookAW
    PID:2028
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    1⤵
    • Drops file in Windows directory
    PID:2724
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2756
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
      2⤵
      PID:2156
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
      2⤵
      PID:836

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

    Filesize

    1024KB

    MD5

    d10c27f59dfdc972c4de635687df4614

    SHA1

    3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

    SHA256

    71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

    SHA512

    4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

  • memory/2028-0-0x0000000001000000-0x000000000106B000-memory.dmp

    Filesize

    428KB

  • memory/2028-87-0x0000000001000000-0x000000000106B000-memory.dmp

    Filesize

    428KB

  • memory/2888-18-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

  • memory/2888-34-0x0000000002CF0000-0x0000000002D00000-memory.dmp

    Filesize

    64KB

  • memory/2888-57-0x0000000002370000-0x0000000002378000-memory.dmp

    Filesize

    32KB

  • memory/2888-63-0x0000000002490000-0x0000000002491000-memory.dmp

    Filesize

    4KB

  • memory/2888-69-0x0000000002370000-0x0000000002378000-memory.dmp

    Filesize

    32KB

  • memory/2888-71-0x00000000022A0000-0x00000000022A1000-memory.dmp

    Filesize

    4KB

  • memory/2888-80-0x00000000023D0000-0x00000000023D8000-memory.dmp

    Filesize

    32KB