Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/09/2024, 15:59 UTC

General

  • Target

    de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe

  • Size

    842KB

  • MD5

    de7711ff0df1b36bd31f32f15843905b

  • SHA1

    abd7c78b184f42525f0d7b53ba829e8f81bd2134

  • SHA256

    25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42

  • SHA512

    fa154ea9e1bad8e71434dc4ccef5182fd5eb93880e7fb10ca95da8399edcfcccc52d47cb78c17a0514bf15ca667865030519cf7c3be85b0494e6f9b83bc95428

  • SSDEEP

    12288:JuC9eHN8vWHXsYIugb+94LlvTyFLPkZqVQV3309b+Z2x2G4Q4UFfHak3sD8H7:QCQH2TYqtBTfZqVQBY2Gv4UFfHH328b

Malware Config

Signatures

  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:2624
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Drops startup file
        • Accesses Microsoft Outlook profiles
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2500
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2536
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:2972
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist /FO TABLE
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
      • C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2392

    Network

    • DNS: ip-api.com (MSBuild.exe)
      Remote address: 8.8.8.8:53
      Request: ip-api.com IN A
      Response: ip-api.com IN A 208.95.112.1
    • GET http://ip-api.com/xml/ (MSBuild.exe)
      Remote address: 208.95.112.1:80
      Request:
        GET /xml/ HTTP/1.1
        Host: ip-api.com
        Connection: Keep-Alive
      Response:
        HTTP/1.1 200 OK
        Date: Fri, 13 Sep 2024 15:59:54 GMT
        Content-Type: application/xml; charset=utf-8
        Content-Length: 471
        Access-Control-Allow-Origin: *
        X-Ttl: 60
        X-Rl: 44
    • 208.95.112.1:80 http://ip-api.com/xml/ (http, MSBuild.exe)
      Bytes: 340 B / 819 B; packets: 6 / 4
      HTTP Request: GET http://ip-api.com/xml/
      HTTP Response: 200
    • 8.8.8.8:53 ip-api.com (dns, MSBuild.exe)
      Bytes: 56 B / 72 B; packets: 1 / 1
      DNS Request: ip-api.com
      DNS Response: 208.95.112.1

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML

      Filesize

      582KB

      MD5

      a4733f5a4b05315b159f6b05d8c3af43

      SHA1

      f3607f55ec7bdce89345f03142de78df59f2b020

      SHA256

      dc8680421e17b13adbfc409ac15df55971d45d13e01cfe8719eb2776df0658ec

      SHA512

      d6a521e976adfc02e7ea4c199f781fc144491974f42b09a5a0ab19159166e62fb756807f3378559ac43a4122b79e25dff130f3787c4e24a17da3f98b529c2be4

    • C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

      Filesize

      153B

      MD5

      f2db28fe29c24c06bbfb5892d85636dd

      SHA1

      9e3441dcd2dd187f9c62d60148e4d5d7b00262ee

      SHA256

      5e556fa7a5c99be5ba57178d041d39a61932cef928805f6cad0481005dc2970f

      SHA512

      7d9d8ae649559d50f19bed02efbd669b571faa07b1dcd6b6551563f2dd22bb8a1f6d66f7926f3f3c2134c50051c4e92345f9c3a3f2d33310df6ebaecf457cede

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      12KB

      MD5

      f59f14f6f2b7a84a9006686179c1477b

      SHA1

      3abae0dc0dc0cd6eae5e679b92ac7941f91eaa32

      SHA256

      4984709791505724c57985a0339df119d51dea1828c7021b2b0c90a2bd56d614

      SHA512

      7c2deb782bdd113f063447bd1886bb60b1efb5c2dd473b3e5425f1e8c62b53f92ffb6c69898f531f8ae04d1f3c553575665e490955bc5d5b3837f66c9d72dfd7

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      8KB

      MD5

      a1af9bc1f76d9dbf67738a9171ee5550

      SHA1

      2c5f1c957735e09efeaf3248682a97fd0ea1a938

      SHA256

      2c90ca9f3960bf7933a3707cb36780e3021cd27e82ed2b0c0fa0f788e0c4992f

      SHA512

      1b7b2fcd11a5406e0d67cdc4c00e274cd4484dd3581b5f8c71621c019a9038779c9e5d4db065df2accc76c100d8ecb672b10f5cd4df54ced60e92adbba0d8873

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      11KB

      MD5

      a1212aef370fea988b29ced6086b84df

      SHA1

      9b677ba39cae901253f0a22be3fec6a43c42904e

      SHA256

      5131298c0f515e7fe7ef85d962af77545eb30183031f2f48018e3f5c6fa2a183

      SHA512

      17f3ceea9bc9d281fde662571552fa72f57a91707c5bd88c0c833b6827901089e580b3f05a8a9b6094a82eeeee753b9afbb81ec5cdaa8054a7cd320c70319973

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

      Filesize

      109KB

      MD5

      66514031f376ecb8fedae94d526ddb29

      SHA1

      42a939eebda32c583e22e37bf3ef76dd84ff8cba

      SHA256

      3060604eef9eaae0c14582eed2c804fa61680449336aa62c30cdb52c89d18d72

      SHA512

      1fbfe9fd8c98d6657516a55b91ae654c2e80cc5924822d54d5666cef8f3416f83039549bd449f6082d7afcd32acd0ebfbeb112bacd29a139a670feb317006317

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

      Filesize

      172KB

      MD5

      22fb889e74bc0343a9ecb3bfbfc67ed7

      SHA1

      d260885894e9bf3a273690a1934dbd962a6f10ab

      SHA256

      2294f8bc023211ea11ea17b0d92068dcc7e704a4ae054c6a14c7b71d4908bcbd

      SHA512

      f2b3791c76a5811b24d7c19855d6ac7d0c243df0f98c2b144a05c3af85890d026d4d54aaaf57c4c91d0827695bb9b6bb5987d3d9b3e3d9aba503693f12966622

    • C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\43165e9e92447b3045fdbdffe549ec75\processes.txt

      Filesize

      3KB

      MD5

      b1748c26fe54046b0751ea660b2f83cb

      SHA1

      82f0eda5b637ae42e712d65cf06fe95efd1292f2

      SHA256

      a2881ebe4562fab6c8f80700a611c47528fc2286f6af8a8523e9ef9f5875bc77

      SHA512

      e173da1b886657d4d5aa029015f912761886d33738bbb07687cb3361c489ddd6694fbbcc2b3c7ed45a33bf7f95f084ece21a76d265184a3c85bcf4799b25c293

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dt6wk0rq.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

      Filesize

      48KB

      MD5

      1f3e951a60e7fd09c8aeb02bd519fc62

      SHA1

      8bdaf1ada75122938406a7e94b8c80b368042359

      SHA256

      b8f9ca821d9f544f6beb7c24bb3dd96b0a40c20657578f451db850c320bcc975

      SHA512

      b11fdaeaa8b82b03690b17b31a3b7b401a59c4f6f1e8659f54ad3dd4e7628ce3d40d66dcc9ceb774b6732907ca0356cca34a778c539cfea526e9e3971c74a046

    • C:\Users\Admin\Desktop\RECOVERY INSTRUCTIONS 4 .txt

      Filesize

      250B

      MD5

      c3dc5952b6f46d997f8c6c29a01fe227

      SHA1

      d4ae6d0be31788744c456ab07253ca316c28e92c

      SHA256

      77fb1bb1ab4a441cc3fedbb015e64b84a136a380119b0687ed8de0bdb9548173

      SHA512

      1b43248fe03488a70e4aed8cd0334eba26874ff0b9dcdb50fc6fba32b830eb6bf53f8ba5548350af806980748b6da12a85f59a1e0cac399173e10870c2b5927e

    • \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\chrome updaters.exe

      Filesize

      842KB

      MD5

      fd66a4c8ccd02ce1ae5540b52ff16da9

      SHA1

      5aed2a82aeb1d2d8067ed9d9002e334052af603b

      SHA256

      c8800fea1cde3085df76be37a6ac312b64fc25dcd9ea5b4d2c4b1a176baa1fa8

      SHA512

      544d084c75a37d5623a5736d3e0a17027836441f9e5ea77fe21397f65df44755e0ea54097b850014562948029fa1a885aeac7fdff79ff8e6901ff298843fe6f2

    • \Users\Admin\AppData\Roaming\Microsoft\ctfmom.exe

      Filesize

      238KB

      MD5

      21f6685dd6b90f73bf9586acbc41f408

      SHA1

      33fcfb9cb7c7e698c1c7da27174ded1e00cfdf0a

      SHA256

      6b50dffc03fa2eb27a7cfb43c0e9fc31c95411e2193a564eb6b6578e28155839

      SHA512

      2f39b9ed3a9a5d55d4172ad6681e9506d38d06b6e04bb80861c41cdc07c3ce692c533adf820f3a2024bcbdb8ded7f7db4e99c92e3ebd125468dfa6ccc2eb23f1

    • memory/2500-28-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-11-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-43-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-41-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-40-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-38-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-45-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2500-35-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-34-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-32-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-12-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-27-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-26-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-25-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-24-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-22-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-17-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-15-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-7-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-29-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2500-71-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2500-30-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-9-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/2500-218-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2500-44-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-65-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-54-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-52-0x000000007481E000-0x000000007481F000-memory.dmp

      Filesize

      4KB

    • memory/2724-0-0x000000007481E000-0x000000007481F000-memory.dmp

      Filesize

      4KB

    • memory/2724-4-0x0000000004C50000-0x0000000004D3C000-memory.dmp

      Filesize

      944KB

    • memory/2724-3-0x0000000074810000-0x0000000074EFE000-memory.dmp

      Filesize

      6.9MB

    • memory/2724-2-0x00000000004B0000-0x00000000004C4000-memory.dmp

      Filesize

      80KB

    • memory/2724-1-0x00000000012C0000-0x0000000001398000-memory.dmp

      Filesize

      864KB
