Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    20/09/2024, 23:47 UTC

General

  • Target

    eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe

  • Size

    172KB

  • MD5

    eeac2ca0c2d43b8d369bfb99ebbdcb1f

  • SHA1

    38660626a70591184c933608d43bfd748ac4572b

  • SHA256

    096faaf0379fc7d817c6e731c3842e54f041d0e6ce3c459d7ca74ddc3d5473a9

  • SHA512

    a0e3814030d33e1a5955b699a1a591d1551be85b481c6be7bc62270c6dc0cda02231bad196864a0356941096e31e9110f1b5a7c9bcd9e25987d5198e7cd533b2

  • SSDEEP

    3072:T1dlKwgj23+Oz05YoNozt8zShYL2ZU5KrXN0peAer4:T1dlZro5ytSdI2e54

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer, written in Visual Basic.

  • ISR Stealer payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
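
The "Reads data files stored by FTP clients" signature refers to the saved-site store that FileZilla keeps under %APPDATA%\FileZilla (sitemanager.xml, recentservers.xml), where passwords are stored base64-encoded rather than encrypted unless a master password is configured. The script below is an added example, not code from the report or from the tria.ge project: it parses a constructed sitemanager.xml in the layout FileZilla 3 writes and lists the credentials a stealer with file-read access to the profile would obtain, so a responder can tell which FTP accounts need rotation after an ISR Stealer infection. Hosts, users and passwords in the sample are placeholders; the protocol labels for values 0 and 1 are the FTP and SFTP codes as seen in FileZilla 3 files, and any other value is left numeric.

```python
import base64
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample modelled on the FileZilla 3 sitemanager.xml layout
# (the <Pass encoding="base64"> form used by current releases).  Hosts and
# credentials are placeholders for this example, not data from the analysis.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Prod web</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>backup</User>
      <Logontype>0</Logontype>
      <Name>Backups (anonymous)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Protocol codes observed in FileZilla 3 site files; anything else stays numeric.
PROTOCOL_NAMES = {0: "ftp", 1: "sftp"}


def default_sitemanager_path():
    """Where FileZilla keeps the site list on a Windows profile (path only, not read here)."""
    return Path(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")


def stored_credentials(xml_text):
    """Return one record per <Server> entry whose password is recoverable from the file.

    Entries without a <Pass> element (anonymous / ask-for-password logons) are skipped,
    because an attacker reading the file gains nothing from them.
    """
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue
        raw = pass_el.text.strip()
        # Older FileZilla versions wrote the password in clear; newer ones base64-encode it.
        if pass_el.get("encoding") == "base64":
            password = base64.b64decode(raw).decode("utf-8", "replace")
        else:
            password = raw
        proto = int(server.findtext("Protocol", "-1"))
        found.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "port": int(server.findtext("Port", "0")),
            "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
            "user": server.findtext("User", ""),
            "password": password,
        })
    return found


if __name__ == "__main__":
    for cred in stored_credentials(SAMPLE_SITEMANAGER):
        print(f"{cred['protocol']}://{cred['user']}@{cred['host']}:{cred['port']}  ({cred['name']})")
```

Run against a real profile by reading `default_sitemanager_path()` instead of the embedded sample; every account it prints should be treated as exposed once a stealer has executed on that host.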

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Extracted\prueba.exe
      "C:\Extracted\prueba.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Extracted\prueba.exe
        C:\Extracted\prueba.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2760
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2716

Network

  • DNS (US)
    Process: prueba.exe
    Remote address: 8.8.8.8:53
    Request: smtp.gmail.com IN A
    Response: smtp.gmail.com IN A 74.125.71.108
  • 74.125.71.108:465 (smtp.gmail.com)
    Protocols: tls, smtp
    Process: prueba.exe
    Sent: 1.0kB, received: 5.3kB
    Packets: 12 sent, 12 received
  • 8.8.8.8:53 (smtp.gmail.com)
    Protocol: dns
    Process: prueba.exe
    Sent: 60 B, received: 76 B
    Packets: 1 sent, 1 received

    DNS Request

    smtp.gmail.com

    DNS Response

    74.125.71.108
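
The process tree and the network section together describe the behaviours a detection engineer would want to catch on a live host: a dropper writing and executing prueba.exe, that process spawning a second copy of itself and using WriteProcessMemory and SetThreadContext against the child (the process-hollowing pattern the "Suspicious use of SetThreadContext" signature points at), and the payload resolving smtp.gmail.com and opening a TLS session to port 465 to send its harvest out over SMTP. The script below is an added example, not code from the report or from tria.ge: it runs three correlation rules over constructed telemetry records modelled on the PIDs, images and endpoints in this report. The record layout, the timestamps, the parent PID 900 and the OUTLOOK.EXE rows are assumptions made for the example; the report attributes the DNS and SMTP traffic to prueba.exe without naming a PID, and the sample assigns it to the hollowed child.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed telemetry modelled on the report's process tree and network
# section.  Field layout, timestamps, the parent PID 900 and the OUTLOOK.EXE
# rows (benign noise for contrast) are assumptions for this example.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\eeac2ca0c2d43b8d369bfb99ebbdcb1f_JaffaCakes118.exe"
PAYLOAD = r"C:\Extracted\prueba.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
EVENTS = [
    {"t": 1, "type": "process_create", "pid": 1644, "ppid": 900, "image": DROPPER},
    {"t": 2, "type": "file_write", "pid": 1644, "path": PAYLOAD},
    {"t": 3, "type": "process_create", "pid": 2928, "ppid": 1644, "image": PAYLOAD},
    {"t": 4, "type": "process_create", "pid": 2760, "ppid": 2928, "image": PAYLOAD},
    {"t": 5, "type": "api_call", "pid": 2928, "api": "WriteProcessMemory", "target_pid": 2760},
    {"t": 6, "type": "api_call", "pid": 2928, "api": "SetThreadContext", "target_pid": 2760},
    {"t": 7, "type": "dns_query", "pid": 2760, "query": "smtp.gmail.com", "answer": "74.125.71.108"},
    {"t": 8, "type": "net_connect", "pid": 2760, "dst": "74.125.71.108", "dport": 465},
    {"t": 9, "type": "process_create", "pid": 3100, "ppid": 900, "image": OUTLOOK},
    {"t": 10, "type": "net_connect", "pid": 3100, "dst": "203.0.113.10", "dport": 587},
]

MAIL_CLIENT_IMAGES = {"outlook.exe", "thunderbird.exe"}  # allowlist; tune per estate
SMTP_PORTS = {25, 465, 587}


def _process_index(events):
    """Map pid -> (image, ppid) from the process-creation records."""
    return {e["pid"]: (e["image"], e["ppid"]) for e in events if e["type"] == "process_create"}


def find_hollowed_children(events):
    """A parent writes into a child it spawned and then resets that child's thread context."""
    procs = _process_index(events)
    apis = defaultdict(set)
    for e in events:
        if e["type"] == "api_call":
            apis[(e["pid"], e["target_pid"])].add(e["api"])
    hits = []
    for (caller, target), seen in apis.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= seen:
            continue
        if target not in procs or procs[target][1] != caller:
            continue
        hits.append({
            "injector_pid": caller,
            "target_pid": target,
            "image": procs[target][0],
            # True when the child runs the same image as the injector, as in this report.
            "self_clone": procs.get(caller, (None, None))[0] == procs[target][0],
        })
    return hits


def find_dropped_exe_execution(events):
    """A process starts from an image that an earlier record shows being written to disk."""
    writers = {}
    hits = []
    for e in events:  # records are assumed to be in time order
        if e["type"] == "file_write" and e["path"].lower().endswith(".exe"):
            writers[e["path"].lower()] = e["pid"]
        elif e["type"] == "process_create" and e["image"].lower() in writers:
            hits.append({"dropper_pid": writers[e["image"].lower()],
                         "child_pid": e["pid"], "image": e["image"]})
    return hits


def find_unexpected_smtp(events):
    """SMTP-port connections from anything that is not an allowlisted mail client."""
    procs = _process_index(events)
    resolved = {}  # (pid, answer ip) -> queried name, so the hit can name the host
    hits = []
    for e in events:
        if e["type"] == "dns_query":
            resolved[(e["pid"], e["answer"])] = e["query"]
        elif e["type"] == "net_connect" and e["dport"] in SMTP_PORTS:
            image = procs.get(e["pid"], ("<unknown>", None))[0]
            if PureWindowsPath(image).name.lower() in MAIL_CLIENT_IMAGES:
                continue
            hits.append({"pid": e["pid"], "image": image, "dst": e["dst"],
                         "dport": e["dport"], "host": resolved.get((e["pid"], e["dst"]))})
    return hits


if __name__ == "__main__":
    for hit in find_hollowed_children(EVENTS) + find_dropped_exe_execution(EVENTS) + find_unexpected_smtp(EVENTS):
        print(hit)
```

The hollowing rule deliberately keys on the parent/child relationship plus the two API calls rather than on the image name, so it also fires when a loader hollows a legitimate host such as a system binary; the `self_clone` flag only records the variant seen here. The SMTP rule is the noisiest of the three on a real estate and is best used as a correlation signal alongside the other two rather than as a stand-alone alert.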

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Extracted\w1b6ex.jpg

    Filesize

    39KB

    MD5

    570587dda5ac693576038ebcfc9fe445

    SHA1

    54d71574ebbf94b627ce8f062aef69ee6182af48

    SHA256

    ab944d9d3f3679c707066a41d2ecef85566d633f013e5a20a75db0a5a04ff313

    SHA512

    d0373f82d9912c4aed3ee61d30d349cc3f3de177601465e74971ebce208562c375f9842bf285d1c4e34485bc49cb9ad9406bf9a5c8da6c51a3e36a7e1d689d7d

  • C:\Users\Admin\AppData\Local\Temp\sfx.ini

    Filesize

    209B

    MD5

    a94416caf61e810fd075794b418a854e

    SHA1

    b09d6a0307319269872f6e782936991ba68cad4a

    SHA256

    d72bdd35d86a51729b3be8c3b93a69c5d8c4e946d3355ea0c969d69b7e8c4344

    SHA512

    9d00400d604b607af50a4997283a0ab5b188da0d3207e16c036a938ece0f0cceeba598a2fb6043fd08d2f3690486a410a955f4b115bb95f837dced6b6e7082f5

  • \Extracted\prueba.exe

    Filesize

    112KB

    MD5

    c7a67b2ed74ba1c83fc52f1ed8e9a7b5

    SHA1

    9d541c22112432e1a4812a2fe4a98bdb40f134ce

    SHA256

    aa9417b882c3e1e2fdc4b8a5ffdca83a1f6f4aebf47143b0e411705db79f5084

    SHA512

    581eab981f5d526c1105a0c6d67c064bb5b512d207f66672c194703a29c97e905bb9ef792432aa2d96b1bc0517b64be4da93b149b4890b4dbefb480bbd308db7

  • memory/1644-36-0x0000000003A50000-0x0000000003A52000-memory.dmp

    Filesize

    8KB

  • memory/2716-37-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

  • memory/2760-30-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2760-39-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB
