Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

eeac2ca0c2...18.exe

windows7-x64

10

eeac2ca0c2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/09/2024, 23:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    eeac2ca0c2d43b8d369bfb99ebbdcb1f

  • SHA1

    38660626a70591184c933608d43bfd748ac4572b

  • SHA256

    096faaf0379fc7d817c6e731c3842e54f041d0e6ce3c459d7ca74ddc3d5473a9

  • SHA512

    a0e3814030d33e1a5955b699a1a591d1551be85b481c6be7bc62270c6dc0cda02231bad196864a0356941096e31e9110f1b5a7c9bcd9e25987d5198e7cd533b2

  • SSDEEP

    3072:T1dlKwgj23+Oz05YoNozt8zShYL2ZU5KrXN0peAer4:T1dlZro5ytSdI2e54

Score
10/10
isrstealerdiscoveryspywarestealertrojan

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    trojanstealerisrstealer
  • ISR Stealer payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Extracted\prueba.exe
      "C:\Extracted\prueba.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Extracted\prueba.exe
        C:\Extracted\prueba.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2760
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2716

Network

  • flag-us
    DNS
    smtp.gmail.com
    prueba.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.gmail.com
    IN A
    Response
    smtp.gmail.com
    IN A
    74.125.71.108
  • 74.125.71.108:465
    smtp.gmail.com
    tls, smtp
    prueba.exe
    1.0kB
     5.3kB
     12
    12
  • 8.8.8.8:53
    smtp.gmail.com
    dns
    prueba.exe
    60 B
     76 B
     1
    1

    DNS Request

    smtp.gmail.com

    DNS Response

    74.125.71.108

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Extracted\w1b6ex.jpg
    Filesize

    39KB

    MD5

    570587dda5ac693576038ebcfc9fe445

    SHA1

    54d71574ebbf94b627ce8f062aef69ee6182af48

    SHA256

    ab944d9d3f3679c707066a41d2ecef85566d633f013e5a20a75db0a5a04ff313

    SHA512

    d0373f82d9912c4aed3ee61d30d349cc3f3de177601465e74971ebce208562c375f9842bf285d1c4e34485bc49cb9ad9406bf9a5c8da6c51a3e36a7e1d689d7d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sfx.ini
    Filesize

    209B

    MD5

    a94416caf61e810fd075794b418a854e

    SHA1

    b09d6a0307319269872f6e782936991ba68cad4a

    SHA256

    d72bdd35d86a51729b3be8c3b93a69c5d8c4e946d3355ea0c969d69b7e8c4344

    SHA512

    9d00400d604b607af50a4997283a0ab5b188da0d3207e16c036a938ece0f0cceeba598a2fb6043fd08d2f3690486a410a955f4b115bb95f837dced6b6e7082f5

    Download Submit

  • \Extracted\prueba.exe
    Filesize

    112KB

    MD5

    c7a67b2ed74ba1c83fc52f1ed8e9a7b5

    SHA1

    9d541c22112432e1a4812a2fe4a98bdb40f134ce

    SHA256

    aa9417b882c3e1e2fdc4b8a5ffdca83a1f6f4aebf47143b0e411705db79f5084

    SHA512

    581eab981f5d526c1105a0c6d67c064bb5b512d207f66672c194703a29c97e905bb9ef792432aa2d96b1bc0517b64be4da93b149b4890b4dbefb480bbd308db7

    Download Submit

  • memory/1644-36-0x0000000003A50000-0x0000000003A52000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2716-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2760-30-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2760-39-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.