Analysis
- max time kernel: 132s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/08/2024, 07:01
Static task: static1
Behavioral task: behavioral1
- Sample: c28072106a3941932130c8db2a135555_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: c28072106a3941932130c8db2a135555_JaffaCakes118.exe
- Size: 1.4MB
- MD5: c28072106a3941932130c8db2a135555
- SHA1: cc2aaeafa62ea06e5b07808f15a5263e04906e53
- SHA256: 06ad6118b7be37ff6f2ec22381098bbb11ec2eddfb7c6e0f8c24449a3b1b98fc
- SHA512: 0c3083f190c8a0d82340f6a3d0f64f76eb938e93d3070cf7ccd75aa501b58040b5b26ba57e1e5a5bd5d69bff07558733f68dfc00c50473842bdda9f9f7281b56
- SSDEEP: 12288:6Zzp1NI5x7k3+rcAT8U6x+3JYU82+/IvIh/QnviN9VzdvYhvb:6Zzp1YdkoUU82+Qwh/Qn89Vx
Malware Config
Signatures
- Taurus Stealer payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/1304-4-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral2/memory/1304-6-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral2/memory/1304-5-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral2/memory/1304-8-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
  behavioral2/memory/1304-10-0x0000000000400000-0x0000000000437000-memory.dmp | family_taurus_stealer
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2164 set thread context of 1304 | 2164 | c28072106a3941932130c8db2a135555_JaffaCakes118.exe | 87
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c28072106a3941932130c8db2a135555_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  2124 | timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2164 | c28072106a3941932130c8db2a135555_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 2164 wrote to memory of 1304 | 2164 | c28072106a3941932130c8db2a135555_JaffaCakes118.exe | 87 (logged 9 times)
  PID 1304 wrote to memory of 4364 | 1304 | AddInProcess32.exe | 88 (logged 3 times)
  PID 4364 wrote to memory of 2124 | 4364 | cmd.exe | 90 (logged 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c28072106a3941932130c8db2a135555_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c28072106a3941932130c8db2a135555_JaffaCakes118.exe"
  PID: 2164
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    PID: 1304
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 4364
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 3
        PID: 2124
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe
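The signature tables above record the two cross-process actions that together make up process hollowing (the dropper writes into a freshly created AddInProcess32.exe and then resets a thread context in it), a SeDebugPrivilege adjustment by the dropper, and a cmd.exe line that sleeps three seconds and deletes an image from the tree. The following is an added example, not Triage's own detection logic: it transcribes the report's process tree and event rows into Python and runs three rules over them. The rule names, the severity scheme and the HOLLOW_HOSTS list (only AddInProcess32.exe comes from this report; the other entries are my additions) are assumptions for illustration.

```python
"""Detection logic over the behaviour this report records (added example).

The process tree and cross-process events below are transcribed from the report's
signature tables; the rule names, the HOLLOW_HOSTS list and the severity scheme
are assumptions for illustration, not Triage's scoring.
"""
import re
from collections import defaultdict

# Process tree as recorded on the page: (pid, parent pid, image path, command line).
PROCESSES = [
    (2164, None,
     r"C:\Users\Admin\AppData\Local\Temp\c28072106a3941932130c8db2a135555_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\c28072106a3941932130c8db2a135555_JaffaCakes118.exe"'),
    (1304, 2164,
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"),
    (4364, 1304,
     r"C:\Windows\SysWOW64\cmd.exe",
     r"/c timeout /t 3 & del /f /q C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"),
    (2124, 4364, r"C:\Windows\SysWOW64\timeout.exe", r"timeout /t 3"),
]

# Cross-process events from the signature tables: (action, source pid, target pid).
EVENTS = ([("set thread context", 2164, 1304)]
          + [("wrote to memory", 2164, 1304)] * 9
          + [("wrote to memory", 1304, 4364)] * 3
          + [("wrote to memory", 4364, 2124)] * 3)

# Token adjustments from the signature tables: (privilege, pid).
TOKEN_EVENTS = [("SeDebugPrivilege", 2164)]

# Signed .NET framework binaries commonly chosen as hollowing hosts (assumed list:
# AddInProcess32.exe is the one this report shows, the rest are additions).
HOLLOW_HOSTS = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe",
                "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def image_name(path):
    """Basename of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_hollowing(processes, events):
    """Return (severity, parent pid, child pid, host image) for every parent that
    both wrote into a child's memory and reset a thread context in it, i.e. the
    WriteProcessMemory + SetThreadContext pair characteristic of process hollowing.
    WriteProcessMemory alone is not enough: the report also shows cmd.exe writing
    into timeout.exe, which is ordinary child-process setup."""
    by_pid = {p[0]: p for p in processes}
    actions = defaultdict(set)
    for action, src, dst in events:
        actions[(src, dst)].add(action)
    findings = []
    for (src, dst), acts in actions.items():
        if ({"wrote to memory", "set thread context"} <= acts
                and dst in by_pid and by_pid[dst][1] == src):
            host = image_name(by_pid[dst][2])
            severity = "high" if host in HOLLOW_HOSTS else "medium"
            findings.append((severity, src, dst, host))
    return findings


# 'timeout /t N ... & del [/switches] <path>': the delayed-delete idiom in the tree.
DELAYED_DELETE = re.compile(r"timeout\s+/t\s+(\d+).*?&\s*del\s+(?:/\S+\s+)*(\S+)", re.I)


def detect_delayed_delete(processes):
    """Return (cmd pid, parent pid, delay seconds, pid of the process whose image is
    deleted) for cmd.exe lines that sleep and then delete an image present in the
    tree. In this report the target is the hollowed host, AddInProcess32.exe."""
    images = {p[2].lower(): p[0] for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        if image_name(image) != "cmd.exe":
            continue
        m = DELAYED_DELETE.search(cmdline)
        if not m:
            continue
        target = m.group(2).strip('"').lower()
        if target in images:
            findings.append((pid, ppid, int(m.group(1)), images[target]))
    return findings


def verdict(processes, events, token_events):
    """Combine the rules (assumed scheme): hollowing into a known host together with
    SeDebugPrivilege or a delayed delete is 'high'; any single indicator is 'medium'."""
    hollow = detect_hollowing(processes, events)
    delete = detect_delayed_delete(processes)
    debug = any(priv == "SeDebugPrivilege" for priv, _ in token_events)
    if any(sev == "high" for sev, *_ in hollow) and (delete or debug):
        return "high"
    if hollow or delete or debug:
        return "medium"
    return "low"


if __name__ == "__main__":
    print(detect_hollowing(PROCESSES, EVENTS))
    print(detect_delayed_delete(PROCESSES))
    print(verdict(PROCESSES, EVENTS, TOKEN_EVENTS))
```

Two caveats the tables above make visible: the NLS\Language key is opened by all four processes in the chain, cmd.exe and timeout.exe included, so that read on its own says nothing about the dropper and is deliberately not scored here; and the nine identical WriteProcessMemory rows from 2164 into 1304 are what makes the pair rule fire, while the three writes from cmd.exe into timeout.exe are the same API used for normal process creation and are ignored because no SetThreadContext accompanies them.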