Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08/09/2024, 17:17
Static task: static1
Behavioral task behavioral1: sample d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe, resource win10v2004-20240802-en
General
Target: d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
Size: 165KB
MD5: d4df64204d626ac2b93c95809b6a6812
SHA1: 110b0bcb0ee9d19dcef8527ebc79ee1a86a356cd
SHA256: c95d187058c220ca764ccaacfe5519bc8e52b52f67a49735cb5f9df88473dbe9
SHA512: e03a9afbfa3933006cc9c5cff77571550f5d4c0d0c9bd3f7c5fe4472c5817dee5b82aacc86d5907e7d69071a90d82a62c86e31b64b4ef049448f2becdd0de5f1
SSDEEP: 3072:W0UIFat2RYIKlYeOvW/FPgxt69odYzMBRjQgnzYYXN6oT1AkZBuBLh:ausWKlWO/FYldYz8jQo6oT1xah
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, such as saved credentials.
-
YARA rule hits (resource: yara_rule); the same 0x400000-0x445000 image region matches in all three processes:
behavioral1/memory/2668-2-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2664-8-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2664-12-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2668-14-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2004-71-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2004-72-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2668-73-0x0000000000400000-0x0000000000445000-memory.dmp: upx
behavioral1/memory/2668-178-0x0000000000400000-0x0000000000445000-memory.dmp: upx
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"
Process: d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe
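The Run value above is named after a Windows system binary (conhost) but points into the user's roaming profile, which is where no conhost.exe belongs. The following is an added detection example, not part of the Triage report: it evaluates registry set-value events in a Sysmon Event ID 13 style (the TargetObject/Details field names are Sysmon's; the sample events are constructed here, the first modelled on the report's IoC) and flags Run/RunOnce values that launch a system-binary name from a user-writable path.

```python
"""Flag Run-key persistence whose target masquerades as a Windows system binary.

Added example, not part of the Triage report. The records below are constructed
in a Sysmon Event ID 13 (RegistryEvent, SetValue) style; the field names
TargetObject and Details are Sysmon's, the values are modelled on the report.
"""
import ntpath
import re

# Binaries that legitimately live only under %SystemRoot%\System32. A Run value
# named after one of them, or pointing at a file with that name, from a
# user-writable directory is the masquerading pattern seen in the report
# (Run\conhost -> %AppData%\Microsoft\conhost.exe).
SYSTEM_BINARIES = {
    "conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "smss.exe", "wininit.exe",
}

# Match only the Run/RunOnce keys and capture the value name as the last component.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)

# Locations a standard user can write to without elevation.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)


def extract_exe(details: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", details, re.IGNORECASE)
    return m.group(1) if m else details


def is_masqueraded_run_key(event: dict) -> bool:
    """True when a Run/RunOnce value launches a system-binary name from user-writable space."""
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return False
    value_name = target.rsplit("\\", 1)[-1].lower()
    exe = extract_exe(event.get("Details", ""))
    exe_name = ntpath.basename(exe).lower()
    names_system_binary = (value_name + ".exe") in SYSTEM_BINARIES or exe_name in SYSTEM_BINARIES
    return names_system_binary and bool(USER_WRITABLE_RE.match(exe))


def scan(events) -> list:
    """Return the TargetObject of every event that matches."""
    return [e["TargetObject"] for e in events if is_masqueraded_run_key(e)]


# Constructed sample events. The first reproduces the report's IoC (HKLM written
# as Sysmon renders it); the others are benign look-alikes the rule must not flag.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost",
     "Details": r"C:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("masqueraded Run key:", hit)
```

The rule deliberately keys on two independent signals (a system-binary name and a user-writable path) so that ordinary per-user autostarts such as OneDrive under AppData\Local are not flagged; extend SYSTEM_BINARIES from a local inventory of System32 rather than hard-coding it in production.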
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe (3 identical events, one from each of the three process instances)
Suspicious use of WriteProcessMemory 8 IoCs
description: PID 2668 wrote to memory of 2664 | pid: 2668 | Process: d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe | procid_target: 30 (4 events)
description: PID 2668 wrote to memory of 2004 | pid: 2668 | Process: d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe | procid_target: 32 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe (PID 2668, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe (PID 2664, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe (PID 2004, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    - System Location Discovery: System Language Discovery
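The tree shows the sample relaunching its own image twice, passing each child an argument of the form start<drop path>%<drop directory> where the drop path borrows a system-process name (dwm.exe, csrss.exe) under the user profile, and the WriteProcessMemory table shows the parent writing into both children. The following is an added detection example, not part of the Triage report: it rebuilds the tree from process-create and memory-write records (the pid/ppid/image/cmdline and source/target layout is assumed, not Triage's export format; PIDs, images and command lines are taken from the report, the launcher PID and the benign cmd.exe sibling are constructed) and reports every child that shares its parent's image and received writes from it, noting when the relaunch argument names a system binary in user space.

```python
"""Reconstruct the process tree and flag a process writing into copies of itself.

Added example, not part of the Triage report. PIDs, image paths and command
lines are taken from the report; the record layout (pid/ppid/image/cmdline and
source/target for memory writes) is an assumption, not Triage's export format.
ASSUMED_LAUNCHER_PID is invented: the report does not show the parent of 2668.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d4df64204d626ac2b93c95809b6a6812_JaffaCakes118.exe"
ASSUMED_LAUNCHER_PID = 1000

PROCESS_CREATE = [
    {"pid": 2668, "ppid": ASSUMED_LAUNCHER_PID, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 2664, "ppid": 2668, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming"},
    {"pid": 2004, "ppid": 2668, "image": SAMPLE,
     "cmdline": SAMPLE + r" startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp"},
    # Constructed benign sibling: a different image that is never written to.
    {"pid": 3012, "ppid": 2668, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

# The report logs each write four times; duplicates are collapsed in the detector.
WRITE_PROCESS_MEMORY = [{"source": 2668, "target": 2664}] * 4 + [{"source": 2668, "target": 2004}] * 4

SYSTEM_BINARIES = {"conhost.exe", "csrss.exe", "dwm.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "services.exe"}
# "start<drop path>%<drop dir>" is the argument shape the child processes receive.
RELAUNCH_ARG_RE = re.compile(r"\bstart([A-Z]:\\[^%]+?\.exe)%([A-Z]:\\\S+)", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def build_tree(creates):
    """Index processes by pid and group child pids under their parent pid."""
    by_pid = {e["pid"]: e for e in creates}
    children = defaultdict(list)
    for e in creates:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def find_self_injection(creates, writes):
    """One finding per child that shares its parent's image and was written to by that parent."""
    by_pid, children = build_tree(creates)
    writers = defaultdict(set)          # target pid -> set of pids that wrote into it
    for w in writes:
        writers[w["target"]].add(w["source"])
    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None:              # root of the tree; its parent is not in the data
            continue
        for pid in kids:
            child = by_pid[pid]
            same_image = ntpath.normcase(child["image"]) == ntpath.normcase(parent["image"])
            if not (same_image and ppid in writers[pid]):
                continue
            finding = {"parent": ppid, "child": pid, "drop_target": None, "masquerade": False}
            m = RELAUNCH_ARG_RE.search(child["cmdline"])
            if m:
                drop = m.group(1)
                finding["drop_target"] = drop
                finding["masquerade"] = (ntpath.basename(drop).lower() in SYSTEM_BINARIES
                                         and bool(USER_PROFILE_RE.match(drop)))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_self_injection(PROCESS_CREATE, WRITE_PROCESS_MEMORY):
        print(f)
```

The same-image plus parent-writes-into-child condition is what separates this from ordinary process creation: a legitimate parent rarely has a reason to write into a freshly spawned copy of itself, whereas the relaunch argument alone is family-specific and should be treated as a secondary enrichment rather than the trigger.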
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b0114303c6937542afc3d8f26310cc56
  SHA1: 771e3158195e9773789f3f240efc1a89410efea9
  SHA256: 1d29cfc646348bbd31ceca11dd9ffb7a381e14a9e0c80076a89829678fd546e7
  SHA512: 4acf3953ec1ec600bfbd0c708476a1b6e1001ed66f7f4f62897abf4399412fc0de52b60e7e9c1bf2a931bed80d3ccfc63963d12fe81a090e98fcd57b17323d60
- Filesize: 600B
  MD5: f3efba84e8b8d6ee13ef056d308c4efd
  SHA1: 09b582e75fc137197abf092a388311584f984ca3
  SHA256: 5c166267e21ec8b364d52eeb8cccc5e26a14a2446016e8e5461eb66e5ec8fc39
  SHA512: 07bfc19372e8fdfff853b46b230e8912b0316a26d5df428f7738926d9ade3cfccb9a1b432efe0901575426188623625dbbfac7a0066613e9541d9a027ecf769f
- Filesize: 996B
  MD5: 27881061bae17471c268d81f265728ad
  SHA1: 91fe891bb5c4b7206cef01f35a3ffd6b8e1fb4f1
  SHA256: 64be00daeb257ddedfdae39a0988c798164e79b5eeddb5eddc1ac0e943c17310
  SHA512: 900c7d34049756461f15d97b9b993075f5810764fec9b3f8bb6de5f8305eb4dfeeedf7af87f55c599d88873e240bf48192228fd1afb22d04ed364df2df2fd487