Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
13/09/2024, 15:59
General
-
Target
de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe
-
Size
842KB
-
MD5
de7711ff0df1b36bd31f32f15843905b
-
SHA1
abd7c78b184f42525f0d7b53ba829e8f81bd2134
-
SHA256
25d0c4ef21f49c4794220886919feebccbe942bffc1c36b8430b9b005693ce42
-
SHA512
fa154ea9e1bad8e71434dc4ccef5182fd5eb93880e7fb10ca95da8399edcfcccc52d47cb78c17a0514bf15ca667865030519cf7c3be85b0494e6f9b83bc95428
-
SSDEEP
12288:JuC9eHN8vWHXsYIugb+94LlvTyFLPkZqVQV3309b+Z2x2G4Q4UFfHak3sD8H7:QCQH2TYqtBTfZqVQBY2Gv4UFfHH328b
Malware Config
Signatures
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file 3 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\de7711ff0df1b36bd31f32f15843905b_JaffaCakes118.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Drops startup file
- Accesses Microsoft Outlook profiles
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\396d02e5e395f0e65d014577dd84a371\607a05a845764c72acf3b85209205c7f\processes.txt"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /FO TABLE4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5f2db28fe29c24c06bbfb5892d85636dd
SHA19e3441dcd2dd187f9c62d60148e4d5d7b00262ee
SHA2565e556fa7a5c99be5ba57178d041d39a61932cef928805f6cad0481005dc2970f
SHA5127d9d8ae649559d50f19bed02efbd669b571faa07b1dcd6b6551563f2dd22bb8a1f6d66f7926f3f3c2134c50051c4e92345f9c3a3f2d33310df6ebaecf457cede
-
Filesize
190B
MD5edef65b330a458a84411762fb6dc8f42
SHA10afecf65f5452f960248dec454281f53d7338901
SHA256da4763c1fc49420cb2a33f23db102d88ead05d2a02589d64df55fc207613cf30
SHA512dfb858c3e908bdf876cda2d297e2c065cea8d0e9f4c72da981f361624765a16c6d84618a94eeff39a2fad00acbb549cfe15745d17dbb4c57fee4e8918aad424c
-
Filesize
190B
MD53f1d2324b4d8891c803573d4aab8b7b7
SHA179f9562ba2a7ce7b78f201df1ce013cad8abeacd
SHA256adbb784627a1a4f9c712b18d02110e2dfbea2d238fcf67e0b9017bbeea18c4f9
SHA5125e9aa29fda20b5a65eac0fe31ada05abb9e47f54fb90eb2dc66a0db5b2148a5bb1638fea14ba41805754c361db37b2b0c01c8d1eeb19fb280ee95e7d2213e3c3
-
Filesize
4.1MB
MD55f8fe92079d880aa92f3da290fd723cd
SHA18d01b0403bf4e4dc74987358067cccb59c059ba8
SHA2568ec23211bd91223d269f75a293f8681223f74d0d6e60990781e2046b6995607e
SHA512b9325e1e9b52200d33056ff1fc4f34f5d418bf678a2518838290be6d31c546cbc8811480333491b436dceea85efd7ccf14e22bf72f505bb981c5004d8c48cae4
-
Filesize
42B
MD58dadca70b0a578cfd42838100c8abea3
SHA19a521838687cc02a94d8cf4cc0a2c9c851270dd7
SHA256312d315e2cd7d353d46d270e912e9aefc2ecb29adc862e3e7bcea8790b975598
SHA51257d46fcf426db33802ba53497b51a65215a8bdb103696b712cffe505631fde7aab55fc0305dfa70290746d4a45195a4ab81064776e1db1d303bdc79d3a5c42f6
-
Filesize
1014KB
MD5684718dc90c600666ede5797c56146c9
SHA11139082e0e03daaef681337b218ad2b71530fc91
SHA256c3b5ddc01201e352976af0a9c0a774e65e69a9eb3c5379d6518263cd83f545d6
SHA512a9fd38b9a9b8446cef292ad5cc730eddd2ae1d1d630bc39faf658e997f3bbe03bd32fd5a096a3a9141ab3c46931e86d6c7652475370ff50f0d724d86f727f553
-
Filesize
7KB
MD5863d29eed17bce5eb5ea8c674770066f
SHA1dc0d471d9296a83b820854a1619bab5caa3dbc9a
SHA256add2d8ddc5c716206692f722eeb4e872bed0082a1d3e1645d15d410a3b4ed138
SHA5123c5cbcbf1de18b460b72fa4de75e2bb490b4e15eab2fb6ef23f71e7bf7f93eef56cbbd77930829169bf37246d6a9b497ce6b097ffe033a2fde1c911ae044e2b8
-
Filesize
48KB
MD53dd2582ee188344052723e1cfcbbbe42
SHA1178006675f46c4abf29435da2582c6dc5490c5af
SHA256bc6797126d89ffc1addb70f2e740407706ff6cd9a520d29f4dd66f1dbf1a457b
SHA512242b38d5d9b57e4ff425a92ca43eb093a8ea1f9a2bd15ef20d2c61192bcd6686b986cb10c9ac43a8d1e6f23163ca8ee866e83ec9db4672d21201e9819705c45c
-
Filesize
250B
MD5c3dc5952b6f46d997f8c6c29a01fe227
SHA1d4ae6d0be31788744c456ab07253ca316c28e92c
SHA25677fb1bb1ab4a441cc3fedbb015e64b84a136a380119b0687ed8de0bdb9548173
SHA5121b43248fe03488a70e4aed8cd0334eba26874ff0b9dcdb50fc6fba32b830eb6bf53f8ba5548350af806980748b6da12a85f59a1e0cac399173e10870c2b5927e
-
Filesize
238KB
MD588ad8851be6a5f63447da085cfa7366d
SHA115a27d4af1aebbb1a0296fa75f968a788460ea30
SHA256131ebb3a563e1d875781ad6db475770aab1bf53467d23eb6c0bbca346e52a3c5
SHA512e61e35e4b1485be406e423aad63ba00f39088ec9bf3f60ee249ab1bc5cb9fedb003398d03433ca73144096c9f61b62b723313e57fee4cecd2888ba62b752ff05
-
Filesize
842KB
MD5fd66a4c8ccd02ce1ae5540b52ff16da9
SHA15aed2a82aeb1d2d8067ed9d9002e334052af603b
SHA256c8800fea1cde3085df76be37a6ac312b64fc25dcd9ea5b4d2c4b1a176baa1fa8
SHA512544d084c75a37d5623a5736d3e0a17027836441f9e5ea77fe21397f65df44755e0ea54097b850014562948029fa1a885aeac7fdff79ff8e6901ff298843fe6f2
-
Filesize
944KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
624KB
-
Filesize
864KB
-
Filesize
7.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
256KB
-
Filesize
7.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
