Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe
-
Size
813KB
-
MD5
e036c77caf37a299b59391c0f28ab589
-
SHA1
1ef2f99035fea6c0f271f516b3a415d2d042fd0e
-
SHA256
0fec4b706fa5f99290a0f9c2a1b7f0aebc379be13c26edd77c05075ca090d103
-
SHA512
c72332d29b30d9af077b2ea29633fff1251a8b4df7679a839bdf00cca63709a7238ab0288fd14d737703aff9278027d0a68b91cf8dc28a8f8e056e246e53de0d
-
SSDEEP
24576:IzI/6BAhRT5gYamQevvQrUvMlLthGkUyynuc4kNR:IzIdtBzPvJUNt7UySucT
Malware Config
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/276-3-0x0000000000400000-0x000000000063E000-memory.dmp upx behavioral1/memory/276-2-0x0000000000400000-0x000000000063E000-memory.dmp upx behavioral1/memory/276-5-0x0000000000400000-0x000000000063E000-memory.dmp upx behavioral1/memory/276-9-0x0000000000400000-0x000000000063E000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IntelAgent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe" e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e036c77caf37a299b59391c0f28ab589_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:276
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1