Analysis
max time kernel: 136s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/08/2024, 15:13
Behavioral task behavioral1
Sample: beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task behavioral2
Sample: beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Size: 368KB
MD5: beddbb481807de962d2c9cb030d405f5
SHA1: f864aea216bc513edb1a88660aa111b5a9176d8f
SHA256: 52fae1ba28593ce0478042ee499f02333c1b671971c619bf7528a50ac051625a
SHA512: 8590086ea1e8951b6262d04f5e54a54fe846b996109fd9a8c02a0c4d5369d939d23f008434f2162739fc913b0c3c3a5061957822ce42a77ce2298a42bbd9927e
SSDEEP: 6144:7jUs3SXfURPGwaP3aDJ0jmvv3F45jL2/EgAGrMRA+83PB7WP+nZyLPo7uo:7pRPGJaDnFwH2/Eg5ruT8/tWPNg/
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
resource | yara_rule
behavioral2/memory/1904-1-0x0000000000D60000-0x0000000000DC0000-memory.dmp | family_stormkitty
behavioral2/memory/1904-2-0x000000001BA60000-0x000000001BAE4000-memory.dmp | family_stormkitty
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file 2 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023378-14.dat | vmprotect
behavioral2/memory/1904-269-0x000000001CE30000-0x000000001CEB4000-memory.dmp | vmprotect
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
24 | raw.githubusercontent.com
25 | raw.githubusercontent.com
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
36 | icanhazip.com
39 | ip-api.com
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid | Process
4952 | cmd.exe
668 | netsh.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
-
Delays execution with timeout.exe 1 IoCs
pid | Process
2664 | timeout.exe
-
Kills process with taskkill 1 IoCs
pid | Process
1684 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid | Process
1904 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe (this row is recorded 28 times)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1904 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Token: SeSecurityPrivilege | 4424 | msiexec.exe
Token: SeDebugPrivilege | 1684 | taskkill.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target (each row is recorded twice)
PID 1904 wrote to memory of 4952 | 1904 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe | 94
PID 4952 wrote to memory of 1508 | 4952 | cmd.exe | 97
PID 4952 wrote to memory of 668 | 4952 | cmd.exe | 98
PID 4952 wrote to memory of 552 | 4952 | cmd.exe | 99
PID 1904 wrote to memory of 1784 | 1904 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe | 102
PID 1784 wrote to memory of 2784 | 1784 | cmd.exe | 104
PID 1784 wrote to memory of 912 | 1784 | cmd.exe | 105
PID 1904 wrote to memory of 864 | 1904 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe | 106
PID 864 wrote to memory of 4460 | 864 | cmd.exe | 108
PID 864 wrote to memory of 1684 | 864 | cmd.exe | 109
PID 864 wrote to memory of 2664 | 864 | cmd.exe | 110
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe"
    PID: 1904
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        PID: 4952
        - System Network Configuration Discovery: Wi-Fi Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 1508
        C:\Windows\system32\netsh.exe
            command line: netsh wlan show profile
            PID: 668
            - Event Triggered Execution: Netsh Helper DLL
            - System Network Configuration Discovery: Wi-Fi Discovery
        C:\Windows\system32\findstr.exe
            command line: findstr All
            PID: 552
    C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        PID: 1784
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 2784
        C:\Windows\system32\netsh.exe
            command line: netsh wlan show networks mode=bssid
            PID: 912
            - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCCE2.tmp.bat
        PID: 864
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 4460
        C:\Windows\system32\taskkill.exe
            command line: TaskKill /F /IM 1904
            PID: 1684
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\timeout.exe
            command line: Timeout /T 2 /Nobreak
            PID: 2664
            - Delays execution with timeout.exe
C:\Windows\system32\msiexec.exe
    command line: C:\Windows\system32\msiexec.exe /V
    PID: 4424
    - Suspicious use of AdjustPrivilegeToken
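Three behaviours in the signatures and the process tree above are worth turning into detection logic, with one caveat each. The "Netsh Helper DLL" signature fires on netsh.exe's own reads of HKLM\SOFTWARE\Microsoft\NetSh; netsh reads that key on every launch to load its helper DLLs, so the six IoCs listed are a side effect of `netsh wlan show profile`, while the persistence technique is a write to that key. The Wi-Fi discovery is `netsh wlan show profile | findstr All` and `netsh wlan show networks mode=bssid`. The cleanup batch tmpCCE2.tmp.bat runs `TaskKill /F /IM 1904` followed by `Timeout /T 2 /Nobreak`; taskkill's /IM switch takes an image name and /PID takes a process ID, so `/IM 1904` names an image called "1904" rather than the sample's PID 1904. The following is an added example, not code from the report or from StormKitty: a triage pass over a constructed event stream whose schema (event, pid, ppid, image, cmd, op, key, value, data) is this example's own. The events mirror the tree above; the last two (a `key=clear` profile dump and a SetValue on the NetSh key) are hypothetical and go beyond what the report shows, to demonstrate what the real techniques look like against the same rules.

```python
"""Added example (not part of the tria.ge report or StormKitty): triage of
sandbox/EDR-style events against the behaviours shown in the report.
The event schema and every event below are constructed for this example."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\beddbb481807de962d2c9cb030d405f5_JaffaCakes118.exe"

# Constructed to mirror the report's process tree and netsh.exe registry IoCs.
# The two events marked hypothetical are not in the report.
EVENTS = [
    {"event": "process", "pid": 1904, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"event": "process", "pid": 4952, "ppid": 1904, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmd": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"event": "process", "pid": 668, "ppid": 4952, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh wlan show profile"},
    {"event": "registry", "pid": 668, "image": r"C:\Windows\system32\netsh.exe",
     "op": "QueryValue", "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh"},
    {"event": "process", "pid": 1784, "ppid": 1904, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmd": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"event": "process", "pid": 864, "ppid": 1904, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCCE2.tmp.bat'},
    {"event": "process", "pid": 1684, "ppid": 864, "image": r"C:\Windows\system32\taskkill.exe",
     "cmd": "TaskKill /F /IM 1904"},
    {"event": "process", "pid": 2664, "ppid": 864, "image": r"C:\Windows\system32\timeout.exe",
     "cmd": "Timeout /T 2 /Nobreak"},
    # Hypothetical: a PSK dump, which the report does not show.
    {"event": "process", "pid": 7001, "ppid": 7000, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": 'netsh wlan show profile name="Home" key=clear'},
    # Hypothetical: an actual helper-DLL registration (the persistence technique).
    {"event": "registry", "pid": 7000, "image": r"C:\Users\Admin\evil.exe",
     "op": "SetValue", "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh",
     "value": "helper", "data": r"C:\Users\Admin\helper.dll"},
]

NETSH_KEY = re.compile(r"\\Microsoft\\NetSh$", re.IGNORECASE)
WLAN_CMD = re.compile(r"netsh\s+wlan\s+show\s+(profiles?|networks)\b(.*)", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\Temp\\[^\s\"]+\.bat\b", re.IGNORECASE)
TASKKILL_IM = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, pid, detail) findings for an event stream."""
    findings = []
    children = defaultdict(list)  # ppid -> child process events
    for ev in events:
        if ev["event"] == "process":
            children[ev["ppid"]].append(ev)

    for ev in events:
        if ev["event"] == "process":
            m = WLAN_CMD.search(ev["cmd"])
            if m:
                # Profile/network enumeration is medium; key=clear exposes the PSK.
                sev = "high" if "key=clear" in m.group(2).lower() else "medium"
                findings.append(("wifi_discovery", ev["pid"], f"{sev}: {m.group(0).strip()}"))
            bat = TEMP_BAT.search(ev["cmd"])
            if basename(ev["image"]) == "cmd.exe" and bat:
                # cmd /C <Temp>\*.bat whose children are taskkill + timeout: cleanup batch.
                kids = {basename(c["image"]) for c in children[ev["pid"]]}
                if {"taskkill.exe", "timeout.exe"} <= kids:
                    findings.append(("self_delete_batch", ev["pid"], bat.group(0)))
            if basename(ev["image"]) == "taskkill.exe":
                im = TASKKILL_IM.search(ev["cmd"])
                if im and im.group(1).isdigit():
                    findings.append(("taskkill_pid_as_image", ev["pid"],
                                     f"/IM {im.group(1)} names an image, not a PID"))
        elif ev["event"] == "registry" and NETSH_KEY.search(ev["key"]):
            # Writes register a helper DLL. Reads (Open/Query/Enumerate) by netsh.exe
            # are how helpers are loaded on every launch and are not flagged.
            if ev["op"] in ("SetValue", "CreateKey", "DeleteValue"):
                findings.append(("netsh_helper_registration", ev["pid"],
                                 f"{ev['op']} {ev.get('value')} = {ev.get('data')}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run against the constructed stream this yields four wifi_discovery findings (the two cmd.exe wrappers, netsh.exe PID 668, and the hypothetical key=clear dump rated high), one self_delete_batch for PID 864, one taskkill_pid_as_image for PID 1684, and one netsh_helper_registration for the hypothetical SetValue; netsh.exe's QueryValue on the same key produces nothing.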
Network
MITRE ATT&CK Enterprise v15
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\Browsers\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\Directories\OneDrive.txt
    Filesize: 25B
    MD5: 966247eb3ee749e21597d73c4176bd52
    SHA1: 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
    SHA256: 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
    SHA512: bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\Directories\Startup.txt
    Filesize: 24B
    MD5: 68c93da4981d591704cea7b71cebfb97
    SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
    SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
    SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\Directories\Videos.txt
    Filesize: 23B
    MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
    Filesize: 6KB
    MD5: fbb04a5363a8700a687df7174f365a3b
    SHA1: 8c900bd2910ab076b123b44aa8aa700d42d40454
    SHA256: 9fe902f25310da36e921c890830bead6b9b3ed255ebc2aec1e109c753a9af223
    SHA512: be89bacab2eaa068a25b9bdd2f45266561878ce321991237cb0f8e0334e09b765ab0fbb7a03c4eec0f24805da0d31ef39e564b3b1b56222e88b539e00eea9008
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\System\Process.txt
    Filesize: 2KB
    MD5: a8efa13f54dd9945bcf7a8881035d8f6
    SHA1: 7d1bf8b5f57a99adddf4877315dac7760139edca
    SHA256: 92526d0cce29e16865f0a2aa327d5131443b27954e6ce28a5d3fa56344c1d44c
    SHA512: 1f29dd69d1f4cafea6740dee603a444210fa210294320954ec2442df3f9a5ff61ce85f79bebc1c282e06be933b1396f86842ceb62db1c05dcaa1a38ec59de647
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\System\Process.txt
    Filesize: 3KB
    MD5: 821b1b35758aaa27ab0052116ef54f87
    SHA1: c9d452a89fa937829acf4d7d89e033448440b9ef
    SHA256: a73df27a56ce9a62289885c9fd99fc2e3c78188026a27432bdc985b69a854307
    SHA512: 3a94441e946034efc63947dd536525a533c4f6597f407824cf2aa8a7c2768e83bcb5545aca851189ae5e9332a1289d932eadfcd0b188737a1ec266ad59fab38f
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\System\Process.txt
    Filesize: 4KB
    MD5: 92a54895f848792c061c5dc407da3a8f
    SHA1: 801eefd3fe1ab28e4f1b100a8026c3edad3843ab
    SHA256: 0367657f4680d29d2b8b21cb8891bc209aa28149c5ddb8f0d44ac044ac9f2d37
    SHA512: 52c1d5d2a12a2f6dba5b7f9c9b579a7e78935ccf10c01480d56a9bde6e4b4a50b6e46629ce7e375c8b3a922c62bc4c581ae6d2039fc95ae6768694d3c838a7a2
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\System\Process.txt
    Filesize: 572B
    MD5: 8b970cc2bfab7289f149b2df714a1cc7
    SHA1: ed5f27af38e85bb1e19e68ce82b1c36ae6f89548
    SHA256: c5d5478ac85209d799166608e2d3d1f242367cca19526e1edf9f537f41d9cf16
    SHA512: 80e972de056015bbdb3a9ed1d746f597f6fd71013fb0edb119a5402b7e4f50f38722e965d28a91a033447bfecdadfd150e11d182b13142a3072668008453d4f7
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\System\Process.txt
    Filesize: 1KB
    MD5: c01710a929f39a78db8fa9690a0184d1
    SHA1: 3b18185bee29b4827485e973054230eceb150f68
    SHA256: 97dd93b5079c18aeb836147642a83931ac9f235298749ac979f149bbdeefd403
    SHA512: 73f59165e525f4c3fba922c307b376845c06dfc326448bb21af97a6588172eebb38fd1f58a46e0f142e5fd41eda164bfc01b2bf93b58485218a4d52edcbd85b7
-
C:\Users\Admin\AppData\Local\658660f852ab1ab1e9f02a012c4008bc\Admin@PVMNUDVD_en-US\System\ProductKey.txt
    Filesize: 29B
    MD5: 71eb5479298c7afc6d126fa04d2a9bde
    SHA1: a9b3d5505cf9f84bb6c2be2acece53cb40075113
    SHA256: f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
    SHA512: 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
    Filesize: 5B
    MD5: 5490e7d6b0202e0f649d6fba5bf770ec
    SHA1: 5edeab5a7e37aa2172d3a36f6f2c2a25df161a00
    SHA256: 57d2cd7249eba078c190be21dc59f410a1fb8dc7abf3474f5ebd5f1fe54acfe4
    SHA512: a244ad505c8dec998666b194ed52566c4214e8e02b2a20dd102e13c7890c0313c751e2452ae00817d439216284329e62fea57adf88353540db433edab3f5d3a6
-
    Filesize: 293KB
    MD5: 7a2d5deab61f043394a510f4e2c0866f
    SHA1: ca16110c9cf6522cd7bea32895fd0f697442849b
    SHA256: 75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
    SHA512: b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
    Filesize: 448KB
    MD5: 6d1c62ec1c2ef722f49b2d8dd4a4df16
    SHA1: 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
    SHA256: 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
    SHA512: c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
    Filesize: 275B
    MD5: 103ca6ddb75a7bc8570a152aca70b161
    SHA1: b678b71bb2ffaec8653272793854a681bd0d12a2
    SHA256: 13d0e86254d8c34d10d7823802af47b2df2348ba5c5cd10907429da6d5046804
    SHA512: af66c2e2dad7ea860982bfbcd2755853f998d34407ce2b9f077c11d97b854ec71b05a13e6e13ed13060bac2841a6c844b6273670ae10bbfdfc715c79b43b5d33
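The dropped files above share one staging layout: a folder named with 32 hex characters directly under the user's Local AppData (658660f852ab1ab1e9f02a012c4008bc here), containing a folder that reads as user@host_locale (Admin@PVMNUDVD_en-US), under which the collected data is sorted into Browsers, Directories and System. That layout is the artifact to look for on a host when triaging a suspected infection, since the files themselves are plain text with no fixed hashes. The following is an added example, not code from the report or from StormKitty: it builds a constructed Local AppData tree with one such staging folder and two decoys (a 32-hex folder without a user@host child, and a user@host folder without the expected subfolders), then hunts for the layout. The regexes, the "at least two of the three subfolders" threshold and the decoy names are this example's assumptions, derived from the paths listed above rather than from StormKitty's source.

```python
"""Added example (not part of the tria.ge report or StormKitty): hunt a Local
AppData tree for the staging layout seen in the report's dropped files."""
import os
import re
import tempfile

# Derived from the report's paths: <32 hex>\<user>@<host>_<ll-CC>\{Browsers,Directories,System}
HEX32_DIR = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
USER_HOST_DIR = re.compile(r"^[^@\\/]+@[^_\\/]+_[a-z]{2}-[A-Z]{2}$")
EXPECTED_SUBDIRS = {"Browsers", "Directories", "System"}


def find_staging_dirs(local_appdata):
    """Return (hex_dir, user_host_dir, sorted top-level entries) for each hit.

    Requires at least two of the three subfolders so a lone user@host folder
    (for example a legitimate profile export) does not fire on its own."""
    hits = []
    for name in sorted(os.listdir(local_appdata)):
        parent = os.path.join(local_appdata, name)
        if not (HEX32_DIR.match(name) and os.path.isdir(parent)):
            continue
        for child in sorted(os.listdir(parent)):
            path = os.path.join(parent, child)
            if not (USER_HOST_DIR.match(child) and os.path.isdir(path)):
                continue
            entries = set(os.listdir(path))
            if len(EXPECTED_SUBDIRS & entries) >= 2:
                hits.append((name, child, sorted(entries)))
    return hits


def build_sample_tree(root):
    """Constructed fixture: a Local AppData tree with one staging dir and two decoys.

    Returns the path of the Local AppData folder."""
    local = os.path.join(root, "AppData", "Local")
    staging = os.path.join(local, "658660f852ab1ab1e9f02a012c4008bc", "Admin@PVMNUDVD_en-US")
    for rel in ("Browsers/Firefox", "Directories", "System"):
        os.makedirs(os.path.join(staging, *rel.split("/")), exist_ok=True)
    for rel in ("Browsers/Firefox/Bookmarks.txt", "Directories/Startup.txt",
                "System/Process.txt", "System/ProductKey.txt"):
        with open(os.path.join(staging, *rel.split("/")), "w") as fh:
            fh.write("constructed placeholder content\n")
    # Decoy 1: 32-hex folder with no user@host child (an installer cache, say).
    os.makedirs(os.path.join(local, "0123456789abcdef0123456789abcdef", "cache"))
    # Decoy 2: user@host folder that lacks the expected subfolders.
    os.makedirs(os.path.join(local, "f" * 32, "Bob@HOST_en-US", "Misc"))
    return local


def run_demo():
    """Build the constructed tree in a temporary directory and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_staging_dirs(build_sample_tree(tmp))


if __name__ == "__main__":
    for hex_dir, user_host, entries in run_demo():
        print(f"staging dir: {hex_dir}\\{user_host} -> {entries}")
```

On a live host, point find_staging_dirs at each user's AppData\Local; the hit reports which of the three subfolders are present so the analyst can collect them before the cleanup batch seen in the process tree removes them.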