Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 15:59

General

  • Target

    de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe

  • Size

    842KB

  • MD5

    de7711ff0df1b36bd31f32f15843905b

  • SHA1

    abd7c78b184f42525f0d7b53ba829e8f81bd2134

  • SHA256

    25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42

  • SHA512

    fa154ea9e1bad8e71434dc4ccef5182fd5eb93880e7fb10ca95da8399edcfcccc52d47cb78c17a0514bf15ca667865030519cf7c3be85b0494e6f9b83bc95428

  • SSDEEP

    12288:JuC9eHN8vWHXsYIugb+94LlvTyFLPkZqVQV3309b+Z2x2G4Q4UFfHak3sD8H7:QCQH2TYqtBTfZqVQBY2Gv4UFfHH328b

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:2624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Drops startup file
        • Accesses Microsoft Outlook profiles
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2500
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2536
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2972
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FO TABLE
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
      • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2392
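
The process tree above is the most reusable part of this report: a Temp-resident executable starts MSBuild.exe twice with no arguments (the second instance is the one that reads Outlook profiles and spawns the discovery commands, consistent with the SetThreadContext/WriteProcessMemory signatures), `cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All` enumerates saved Wi-Fi profiles with UTF-8 output, `tasklist /FO TABLE` is written to a file under %TEMP%, and a dropped `ctfmom.exe` (one letter away from the genuine `ctfmon.exe`) runs from AppData\Roaming. Note also that the "Event Triggered Execution: Netsh Helper DLL" tag is raised on the netsh.exe invocation, while the visible command line is plain `netsh wlan show profile`, i.e. Wi-Fi discovery rather than a helper-DLL registration. The following is an added example, not tria.ge's or the malware's code: it encodes those patterns as detection rules over Sysmon-style process-creation events. The event list is constructed from the tree above, the system-binary allow-list and the user-writable directory list are assumptions, and the rule names are mine.

```python
import ntpath
import re

# Constructed process-creation events (pid, ppid, image, command line) modelled on
# the sandbox process tree above. Sample data for this example, not sandbox output.
EVENTS = [
    (2724, 1000, r"C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe"'),
    (2624, 2724, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    (2500, 2724, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    (2512, 2500, r"C:\Windows\SysWOW64\cmd.exe",
     r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (2972, 2512, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    (2964, 2500, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt"'),
    (2476, 2964, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist /FO TABLE"),
    (2392, 2724, r"C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"'),
]

# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Assumed allow-list of genuine Windows binary names for the lookalike check
# (ctfmon.exe is the real input-method host; the sample drops "ctfmom.exe").
SYSTEM_BINARIES = ("ctfmon.exe", "svchost.exe", "explorer.exe", "dllhost.exe", "csrss.exe")


def args_of(cmdline):
    """Return the command line with the (possibly quoted) image token removed."""
    m = re.match(r'^"[^"]*"\s*(.*)$', cmdline)
    if m:
        return m.group(1).strip()
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def in_user_dir(image):
    return any(d in image.lower() for d in USER_WRITABLE)


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect(events):
    """Return (pid, rule) findings for the process-tree patterns seen in this report."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = ntpath.basename(image).lower()
        args = args_of(cmdline)
        parent = by_pid.get(ppid)
        # 1. MSBuild.exe started with no project or arguments by a process living in a
        #    user-writable directory: a common injection host for .NET stealers.
        if name == "msbuild.exe" and args == "" and parent and in_user_dir(parent[2]):
            findings.append((pid, "msbuild_no_args_from_user_dir"))
        # 2. Saved Wi-Fi profile enumeration (ATT&CK T1016.002).
        if name == "netsh.exe" and re.search(r"\bwlan\s+show\s+profile", args, re.I):
            findings.append((pid, "wifi_profile_discovery"))
        # 3. tasklist output redirected into a file under %TEMP% (process discovery staged to disk).
        if name == "cmd.exe" and re.search(r'tasklist\b.*>\s*"?[^"]*\\appdata\\local\\temp\\', args, re.I):
            findings.append((pid, "tasklist_to_temp_file"))
        # 4. An executable in a user-writable directory whose name is one edit away from a
        #    real Windows binary (ctfmom.exe vs ctfmon.exe).
        if in_user_dir(image) and name.endswith(".exe"):
            if any(s != name and levenshtein(name, s) == 1 for s in SYSTEM_BINARIES):
                findings.append((pid, "lookalike_system_binary"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rule 1 deliberately requires both an empty argument list and a parent in a user-writable path; MSBuild.exe legitimately runs with a project file from build tooling, so either condition alone is too noisy. Rule 3 keys on the redirect target rather than on `tasklist` itself, which administrators run interactively all the time.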

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

      Filesize

      582KB

      MD5

      a4733f5a4b05315b159f6b05d8c3af43

      SHA1

      f3607f55ec7bdce89345f03142de78df59f2b020

      SHA256

      dc8680421e17b13adbfc409ac15df55971d45d13e01cfe8719eb2776df0658ec

      SHA512

      d6a521e976adfc02e7ea4c199f781fc144491974f42b09a5a0ab19159166e62fb756807f3378559ac43a4122b79e25dff130f3787c4e24a17da3f98b529c2be4

    • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

      Filesize

      153B

      MD5

      f2db28fe29c24c06bbfb5892d85636dd

      SHA1

      9e3441dcd2dd187f9c62d60148e4d5d7b00262ee

      SHA256

      5e556fa7a5c99be5ba57178d041d39a61932cef928805f6cad0481005dc2970f

      SHA512

      7d9d8ae649559d50f19bed02efbd669b571faa07b1dcd6b6551563f2dd22bb8a1f6d66f7926f3f3c2134c50051c4e92345f9c3a3f2d33310df6ebaecf457cede

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      12KB

      MD5

      f59f14f6f2b7a84a9006686179c1477b

      SHA1

      3abae0dc0dc0cd6eae5e679b92ac7941f91eaa32

      SHA256

      4984709791505724c57985a0339df119d51dea1828c7021b2b0c90a2bd56d614

      SHA512

      7c2deb782bdd113f063447bd1886bb60b1efb5c2dd473b3e5425f1e8c62b53f92ffb6c69898f531f8ae04d1f3c553575665e490955bc5d5b3837f66c9d72dfd7

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      8KB

      MD5

      a1af9bc1f76d9dbf67738a9171ee5550

      SHA1

      2c5f1c957735e09efeaf3248682a97fd0ea1a938

      SHA256

      2c90ca9f3960bf7933a3707cb36780e3021cd27e82ed2b0c0fa0f788e0c4992f

      SHA512

      1b7b2fcd11a5406e0d67cdc4c00e274cd4484dd3581b5f8c71621c019a9038779c9e5d4db065df2accc76c100d8ecb672b10f5cd4df54ced60e92adbba0d8873

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      a1212aef370fea988b29ced6086b84df

      SHA1

      9b677ba39cae901253f0a22be3fec6a43c42904e

      SHA256

      5131298c0f515e7fe7ef85d962af77545eb30183031f2f48018e3f5c6fa2a183

      SHA512

      17f3ceea9bc9d281fde662571552fa72f57a91707c5bd88c0c833b6827901089e580b3f05a8a9b6094a82eeeee753b9afbb81ec5cdaa8054a7cd320c70319973

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      66514031f376ecb8fedae94d526ddb29

      SHA1

      42a939eebda32c583e22e37bf3ef76dd84ff8cba

      SHA256

      3060604eef9eaae0c14582eed2c804fa61680449336aa62c30cdb52c89d18d72

      SHA512

      1fbfe9fd8c98d6657516a55b91ae654c2e80cc5924822d54d5666cef8f3416f83039549bd449f6082d7afcd32acd0ebfbeb112bacd29a139a670feb317006317

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      172KB

      MD5

      22fb889e74bc0343a9ecb3bfbfc67ed7

      SHA1

      d260885894e9bf3a273690a1934dbd962a6f10ab

      SHA256

      2294f8bc023211ea11ea17b0d92068dcc7e704a4ae054c6a14c7b71d4908bcbd

      SHA512

      f2b3791c76a5811b24d7c19855d6ac7d0c243df0f98c2b144a05c3af85890d026d4d54aaaf57c4c91d0827695bb9b6bb5987d3d9b3e3d9aba503693f12966622

    • C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt

      Filesize

      3KB

      MD5

      b1748c26fe54046b0751ea660b2f83cb

      SHA1

      82f0eda5b637ae42e712d65cf06fe95efd1292f2

      SHA256

      a2881ebe4562fab6c8f80700a611c47528fc2286f6af8a8523e9ef9f5875bc77

      SHA512

      e173da1b886657d4d5aa029015f912761886d33738bbb07687cb3361c489ddd6694fbbcc2b3c7ed45a33bf7f95f084ece21a76d265184a3c85bcf4799b25c293

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

      Filesize

      48KB

      MD5

      1f3e951a60e7fd09c8aeb02bd519fc62

      SHA1

      8bdaf1ada75122938406a7e94b8c80b368042359

      SHA256

      b8f9ca821d9f544f6beb7c24bb3dd96b0a40c20657578f451db850c320bcc975

      SHA512

      b11fdaeaa8b82b03690b17b31a3b7b401a59c4f6f1e8659f54ad3dd4e7628ce3d40d66dcc9ceb774b6732907ca0356cca34a778c539cfea526e9e3971c74a046

    • C:\Users\Admin\Desktop\RECOVERY INSTRUCTIONS 4 .txt

      Filesize

      250B

      MD5

      c3dc5952b6f46d997f8c6c29a01fe227

      SHA1

      d4ae6d0be31788744c456ab07253ca316c28e92c

      SHA256

      77fb1bb1ab4a441cc3fedbb015e64b84a136a380119b0687ed8de0bdb9548173

      SHA512

      1b43248fe03488a70e4aed8cd0334eba26874ff0b9dcdb50fc6fba32b830eb6bf53f8ba5548350af806980748b6da12a85f59a1e0cac399173e10870c2b5927e

    • \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\chrome updaters.exe

      Filesize

      842KB

      MD5

      fd66a4c8ccd02ce1ae5540b52ff16da9

      SHA1

      5aed2a82aeb1d2d8067ed9d9002e334052af603b

      SHA256

      c8800fea1cde3085df76be37a6ac312b64fc25dcd9ea5b4d2c4b1a176baa1fa8

      SHA512

      544d084c75a37d5623a5736d3e0a17027836441f9e5ea77fe21397f65df44755e0ea54097b850014562948029fa1a885aeac7fdff79ff8e6901ff298843fe6f2

    • \Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe

      Filesize

      238KB

      MD5

      21f6685dd6b90f73bf9586acbc41f408

      SHA1

      33fcfb9cb7c7e698c1c7da27174ded1e00cfdf0a

      SHA256

      6b50dffc03fa2eb27a7cfb43c0e9fc31c95411e2193a564eb6b6578e28155839

      SHA512

      2f39b9ed3a9a5d55d4172ad6681e9506d38d06b6e04bb80861c41cdc07c3ce692c533adf820f3a2024bcbdb8ded7f7db4e99c92e3ebd125468dfa6ccc2eb23f1

    • memory/2500-28-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-43-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-41-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-40-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-38-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-45-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2500-35-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-12-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-26-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-25-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-24-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-22-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-17-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-15-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-7-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2500-71-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2500-30-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-9-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-218-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2500-44-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-65-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-54-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-52-0x000000007481E000-0x000000007481F000-memory.dmp

      Filesize

      4KB

    • memory/2724-0-0x000000007481E000-0x000000007481F000-memory.dmp

      Filesize

      4KB

    • memory/2724-4-0x0000000004C50000-0x0000000004D3C000-memory.dmp

      Filesize

      944KB

    • memory/2724-3-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-2-0x00000000004B0000-0x00000000004C4000-memory.dmp

      Filesize

      80KB

    • memory/2724-1-0x00000000012C0000-0x0000000001398000-memory.dmp

      Filesize

      864KB
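
The file list above mixes a handful of artefacts worth pivoting on (a copy named "chrome updaters.exe" in the user's Startup folder, `ctfmom.exe` in AppData\Roaming\Microsoft, the staged `processes.txt`, a Firefox profile database) with dozens of writes under Program Files (Java and Office license files) that carry no investigative value. One detail worth noticing: the Startup copy has the same reported size as the submitted sample (842KB) but a different MD5, so a blocklist built on the submitted hash alone would miss the persisted copy. The block below is an added example of mine, not tria.ge's tooling: it normalizes the report's path forms (the `\??\` NT-namespace prefix and drive-less `\Users\...` paths), categorizes each file, and flags size-matched executables whose hash differs from the sample. The records are constructed from the list above with the rounded sizes the report shows; the category names and the assumption that drive-less paths live on C: are mine.

```python
import re

# Constructed (path, size string, md5) records taken from the report's file list.
SAMPLE_SIZE, SAMPLE_MD5 = "842KB", "de7711ff0df1b36bd31f32f15843905b"
FILES = [
    (r"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML",
     "582KB", "a4733f5a4b05315b159f6b05d8c3af43"),
    (r"C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt", "172KB", "22fb889e74bc0343a9ecb3bfbfc67ed7"),
    (r"C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt",
     "3KB", "b1748c26fe54046b0751ea660b2f83cb"),
    (r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite",
     "48KB", "1f3e951a60e7fd09c8aeb02bd519fc62"),
    (r"C:\Users\Admin\Desktop\RECOVERY INSTRUCTIONS 4 .txt", "250B", "c3dc5952b6f46d997f8c6c29a01fe227"),
    (r"\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\chrome updaters.exe",
     "842KB", "fd66a4c8ccd02ce1ae5540b52ff16da9"),
    (r"\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe", "238KB", "21f6685dd6b90f73bf9586acbc41f408"),
]


def size_to_bytes(s):
    """Parse the report's rounded size strings ('250B', '842KB', '6.9MB') into bytes."""
    units = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB)", s.strip().upper())
    if not m:
        raise ValueError("unrecognized size: %r" % s)
    return int(float(m.group(1)) * units[m.group(2)])


def normalize(path):
    """Lower-case, drop the NT-namespace prefix, and assume C: for drive-less paths."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\"):
        p = "c:" + p  # assumption: drive-less report paths are on the system drive
    return p


def classify(path):
    """Map a dropped-file path to a triage category (names are this example's own)."""
    p = normalize(path)
    if "\\start menu\\programs\\startup\\" in p:
        return "autostart"
    if p.endswith(".exe") and "\\appdata\\roaming\\" in p:
        return "exe_in_roaming_profile"
    if "\\mozilla\\firefox\\profiles\\" in p or "\\google\\chrome\\user data\\" in p:
        return "browser_profile"
    if "\\appdata\\local\\temp\\" in p:
        return "temp_staging"
    if p.startswith("c:\\program files"):
        return "program_files_write"
    return "other"


def triage(files, sample_size, sample_md5):
    """Split the file list into pivotable artefacts, Program Files noise, and self-copies."""
    out = {"artifacts": [], "program_files_writes": 0, "possible_self_copies": []}
    target = size_to_bytes(sample_size)
    for path, size, md5 in files:
        cat = classify(path)
        if cat == "program_files_write":
            out["program_files_writes"] += 1
        elif cat != "other":
            out["artifacts"].append((cat, path))
        # Same rounded size as the sample is only a weak match, so record the hash verdict too.
        if normalize(path).endswith(".exe") and size_to_bytes(size) == target:
            verdict = "identical" if md5 == sample_md5 else "same size, different hash"
            out["possible_self_copies"].append((path, verdict))
    return out


if __name__ == "__main__":
    result = triage(FILES, SAMPLE_SIZE, SAMPLE_MD5)
    for cat, path in result["artifacts"]:
        print(cat, path)
    print("program files writes:", result["program_files_writes"])
    print("self copies:", result["possible_self_copies"])
```

When hunting on endpoints, pivot on the categories rather than on the hashes: the Startup path and the Roaming\Microsoft executable are stable across builds of the stealer, whereas both hashes here already differ from the submitted sample.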