Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 07/09/2024, 01:46
Static task
- static1

Behavioral tasks
task         sample                                              resource
behavioral1  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  win7-20240903-en
behavioral2  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  win10v2004-20240802-en
behavioral3  $PLUGINSDIR/Sibuia.dll                              win7-20240708-en
behavioral4  $PLUGINSDIR/Sibuia.dll                              win10v2004-20240802-en
General
- Target: d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
- Size: 4.2MB
- MD5: d0d341d2d2f0f61a4c403b88085e3576
- SHA1: bf8c04ebd83d850cfafce00c49b0ea2646acedee
- SHA256: cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994
- SHA512: b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c
- SSDEEP: 49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ
Malware Config
Extracted
- Family: cryptbot
- Hosts:
  - bibinene03.top
  - moraass05.top
Signatures

CryptBot payload (15 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2284-255-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-256-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-258-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-260-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-263-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-265-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-267-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-269-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-272-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-274-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-276-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-279-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-281-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-283-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot
behavioral1/memory/2284-285-0x0000000001290000-0x00000000017D2000-memory.dmp  family_cryptbot

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, the web browser credential store.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description  ioc                                          Process
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  5.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                               Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   5.exe

Executes dropped EXE (1 IoCs)
pid   Process
2284  5.exe

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine  5.exe

Loads dropped DLL (7 IoCs)
pid   Process
2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
2284  5.exe
2284  5.exe
2284  5.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid   Process
2284  5.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   5.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  5.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid   Process
2284  5.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
2284  5.exe
2284  5.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                                             procid_target
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
PID 2696 wrote to memory of 2284  2696  d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe"
  PID: 2696
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sib9BF3.tmp\0\5.exe (child of PID 2696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sib9BF3.tmp\0\5.exe" /s
    PID: 2284
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)