Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/09/2024, 05:57
Static task: static1
Behavioral task: behavioral1
- Sample: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
- Size: 172KB
- MD5: eab65ba8de394e35c208bdbe90a29a62
- SHA1: 52e3fa0399dcfab923f72d4118ce4899d2a07970
- SHA256: 1af1a2e1edca05e85ea78b693859a479e95dccda7048ae26804933f7f69796f3
- SHA512: 5be731fb649dcd719a1bb3eed6940c35d5a2821e46952507e9f573acd9bef1bec5cfd139088cdec36ee2997ad7379b73e06f5f1647b56017a7f58f3f977c8d73
- SSDEEP: 3072:oLjGkKWcuraMMD613oynbmJFQjioJc5UtG8zY5iAy7C5r63QIphzTk44rVnFB:gjXcwmbAoQxJfzK+iSphz8P
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule hits (resource / yara_rule)
  - behavioral1/memory/2572-2-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2960-6-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2960-8-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2572-15-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2600-83-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2600-84-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2572-85-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2572-176-0x0000000000400000-0x0000000000442000-memory.dmp: upx
  - behavioral1/memory/2572-207-0x0000000000400000-0x0000000000442000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"
    Process: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  - PID 2572 wrote to memory of 2960 / 2572 / eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe / 31 (4 entries)
  - PID 2572 wrote to memory of 2600 / 2572 / eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe / 33 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe"
  PID: 2572
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 2960
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe
    command line: C:\Users\Admin\AppData\Local\Temp\eab65ba8de394e35c208bdbe90a29a62_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
    PID: 2600
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 40134cdd57045b0e7b5a671c50bc4c99
  SHA1: e854dfd05a2544794531a1c414c116babd87128c
  SHA256: addf00bf3c3e0e9cc3c769d33235cbea27a16ca38096c939ed0ab42bcc627c57
  SHA512: 0caf22673ec9d19117e595f79318757ebc6e20081e7eb6752f16e7f9db6b45579003fd22d0b0afed0f040b5b93b69dedffee345fdec4085f1b4603cf22aa68f9
- Filesize: 600B
  MD5: d6686edc65d652624a56090447e72887
  SHA1: 5a513b2e7190244c58ab517284ef3790ffac1cfb
  SHA256: b594ef5a8001841c9d696cd0751738a25cac2964033de0322e4eef1f74d28786
  SHA512: 004bdc7995de72dd29a126bd19edca1790902ac347faa243460bba1932af8125d37d89bc753232944209de2f0589e2740242a11b4a3e7c95ecd1810f452b872e
- Filesize: 996B
  MD5: 048b8de6e8b733b06f00ba760ad18e8b
  SHA1: fc2b1711a6d44b711b78b62e80342020b04d7a8b
  SHA256: e197fdb86030b7792c7715c375cf92009aa37b4c8ca610a4dd73eeade2404117
  SHA512: ace1913974537cf40409fc546dc9faa727bdb94bca026c5692368b1f2c44cbdcdcc799de040f6ef5e19e2b2b627398d6b223c8747744fb99e2280399dce50a8a