Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 140s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 14:49
Static task
- static1
Behavioral task
- behavioral1: sample f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe, resource win7-20240903-en
- behavioral2: sample f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe, resource win10v2004-20240802-en
General
- Target: f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
- Size: 145KB
- MD5: f63f6b029aeace284d09a67b3a53a698
- SHA1: befed0a008ae0b3d8cd48a91520f6ff9a03c6aaf
- SHA256: d4db4d19b594aee5ea32d485fd85b8aedd2aef5732804308b32129a51e28f324
- SHA512: ec64e2c2617f9bff6e9d7968927b388d5b3b356d6966c7df1a11c3b70520f6780d5ec97c600911dcc6eb3ff74b87e31caea8c5affd60a0352e2783162849e5d1
- SSDEEP: 3072:3ViATZgSL5ZllFpe7ITbsQIJzabJbHTwEs6mT9qVDkEmjxtG6f2Siv77Kxgn:liSLvDyUvZRlbHM+mhEWjxtG22SivJ
Malware Config
Signatures
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Memory dumps matching the yara_rule "upx" (8 hits, all at the same 0x0000000000400000-0x000000000043E000 image range):
resource  yara_rule
behavioral1/memory/488-2-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2164-5-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2164-6-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2164-8-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/488-11-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2548-72-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/2548-73-0x0000000000400000-0x000000000043E000-memory.dmp  upx
behavioral1/memory/488-153-0x0000000000400000-0x000000000043E000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description  pid  Process  procid_target
PID 488 wrote to memory of 2164  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  29
PID 488 wrote to memory of 2164  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  29
PID 488 wrote to memory of 2164  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  29
PID 488 wrote to memory of 2164  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  29
PID 488 wrote to memory of 2548  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  31
PID 488 wrote to memory of 2548  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  31
PID 488 wrote to memory of 2548  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  31
PID 488 wrote to memory of 2548  488  f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe  31
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe"
  PID: 488
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
    PID: 2164
    - System Location Discovery: System Language Discovery
  Depth 2: C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
    PID: 2548
    - System Location Discovery: System Language Discovery
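The WriteProcessMemory IoCs, the process tree and the "upx" memory-dump hits above describe one pattern: PID 488 launches its own image twice, passes each child a path under AppData\Roaming, and then writes into both children, while all three processes carry the same image range. The following is an added analyst example, not part of the tria.ge report or of any tria.ge tooling, that correlates those three sections. The row text and paths are copied from the report; the row format parsed here, the PROCESSES table layout and every function name are assumptions made for this example.

```python
# Added example (not tria.ge code): correlate the report's WriteProcessMemory
# rows, process tree and upx-matching memory dumps into an injection summary.
# The parsed row format is an assumption about this page's flattened layout.
import re
from collections import Counter, defaultdict

IMAGE = "f63f6b029aeace284d09a67b3a53a698_JaffaCakes118.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + IMAGE
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# "Suspicious use of WriteProcessMemory" rows, as printed in the report.
WPM_ROWS = [f"PID 488 wrote to memory of 2164 488 {IMAGE} 29"] * 4 + \
           [f"PID 488 wrote to memory of 2548 488 {IMAGE} 31"] * 4

# Process tree from the report: pid -> (parent pid, image path, command line).
# The children's command lines are reproduced exactly as the page shows them.
PROCESSES = {
    488: (None, TEMP_EXE, '"' + TEMP_EXE + '"'),
    2164: (488, TEMP_EXE, TEMP_EXE + " start" + ROAMING + r"\Microsoft\conhost.exe%" + ROAMING + r"\Microsoft"),
    2548: (488, TEMP_EXE, TEMP_EXE + " start" + ROAMING + r"\dwm.exe%" + ROAMING),
}

# Memory dumps that matched the yara_rule "upx" (resource column of the report).
UPX_DUMPS = [
    "behavioral1/memory/488-2-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/2164-5-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/2164-6-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/2164-8-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/488-11-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/2548-72-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/2548-73-0x0000000000400000-0x000000000043E000-memory.dmp",
    "behavioral1/memory/488-153-0x0000000000400000-0x000000000043E000-memory.dmp",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(rows):
    """Turn 'PID A wrote to memory of B' rows into (writer, target, image) tuples."""
    events = []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target, pid, image, _procid_target = m.groups()
        if writer != pid:  # the description and the pid column must agree
            raise ValueError(f"writer/pid mismatch in {row!r}")
        events.append((int(writer), int(target), image))
    return events


def injection_graph(events):
    """Count WriteProcessMemory calls per (writer -> target) pair."""
    graph = defaultdict(Counter)
    for writer, target, _image in events:
        graph[writer][target] += 1
    return {w: dict(c) for w, c in graph.items()}


def self_injection_findings(graph, processes):
    """Flag writers whose target is their own child running the same image.

    A parent that re-launches its own executable and then writes into that
    child is the shape of self-injection; the argument after 'start' on the
    child's command line (a Roaming path here) is kept for the summary.
    """
    findings = []
    for writer, targets in graph.items():
        _, w_image, _ = processes[writer]
        for target, count in targets.items():
            t_parent, t_image, t_cmd = processes[target]
            if t_parent == writer and t_image == w_image:
                arg = t_cmd.split("start", 1)[1] if "start" in t_cmd else ""
                findings.append({"writer": writer, "target": target,
                                 "writes": count, "child_arg": arg})
    return findings


def upx_regions(dumps):
    """Group upx-matching dumps by pid; values are the (start, end) ranges hit."""
    per_pid = defaultdict(set)
    for d in dumps:
        m = DUMP_RE.search(d)
        if not m:
            raise ValueError(f"unrecognised dump name: {d!r}")
        per_pid[int(m.group(1))].add((int(m.group(2), 16), int(m.group(3), 16)))
    return dict(per_pid)


if __name__ == "__main__":
    graph = injection_graph(parse_wpm(WPM_ROWS))
    for f in self_injection_findings(graph, PROCESSES):
        print(f"PID {f['writer']} -> PID {f['target']} ({f['writes']} writes), "
              f"child argument: {f['child_arg']}")
    for pid, ranges in sorted(upx_regions(UPX_DUMPS).items()):
        for start, end in sorted(ranges):
            print(f"PID {pid}: upx hit at {start:#x}-{end:#x} ({end - start:#x} bytes)")
```

Run on the report's rows, this yields a single writer (488) with four writes into each of 2164 and 2548, both children flagged as same-image children whose command-line argument names a path under AppData\Roaming, and an identical 0x400000-0x43E000 (0x3E000-byte) upx-matching range in all three processes. The consistency check in parse_wpm (description PID equal to the pid column) is the kind of sanity test worth keeping when rows are scraped from a flattened page rather than read from a structured export.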
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 929474e376b43ab3c9f589d7ec9aebab
  SHA1: 47a2e388b96417ee80989b392f4d49a3fd99000c
  SHA256: ba9de66a0780627d7ec72be65c476a3e2c11397a1b4e2a648de9e477ff7f9fe8
  SHA512: 4d0e3288b3b8e6b941f3a5d4dcecb99c832424f763ba23f5ec651a075a48e5e8f4c3f6fed6083f3eacb32e275ccc42d262d3bb7fe7eca05c550739a207070e38
- Filesize: 300B
  MD5: 21240f6152110900314c05a690d537b6
  SHA1: 9c4677427d796a69df9d9cc85d2a56ac135462fc
  SHA256: e5f41164f8db653973869f1d972988343088f0a6d90d55d6f6da96e9b024d6da
  SHA512: 4df22dd988c00704ea17ca81cd1ff6bf8348a36d4867815fdfa37d2714df0f9d336741af8b9b7a2be258c9387729d4582eabbbbd96e96ebde6c0d8f795eeb38d
- Filesize: 696B
  MD5: f3aa41ed94471b08c51e202de284078a
  SHA1: ddcb5cca0a40b38fbd0c63cc4114a48a2a65b8a8
  SHA256: cb815cc7dcdeb4bea34bbb32b4d928c730745be883d2ef2cd226a878c79d44a7
  SHA512: 2bb42d4849e0e667e4db4db99b30694a264b36f7aa46dd85c20c60ed110cef68a08c12758e3450cec583bb659c6988ab040572ec2cdeda23ebb1652266f410cd