Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 140s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Size: 185KB
MD5: fbd6db946429019d7020557a9e0061a7
SHA1: c6b586d299c139fe1e8ae58bb4167aef79c72d2b
SHA256: a049ef15af81082d52427d53bfaf45cdad2959833954b06c437fdc2f3545f3c0
SHA512: 0035327a7736bf703098f3cfe8e6d7194f5d47464ba43aa9a6551a65c58c5fbdd3a43ad91ec38f5247d1eb8bf80fcb837ddf02e0462519b1620da4b9ff897025
SSDEEP: 3072:Xgbr6MsRktSjArkKoBrGLBMIjjKVBRV1FgxK8f1IpkMKy82/92V7B9KhLXQ7EgeO:Ax3ScjuGeIjjQRVToK8f1Ipk3y82/U7W
Malware Config
Signatures

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe

resource | yara_rule
behavioral1/memory/2768-2-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2820-5-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2820-7-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2768-15-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2108-84-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2768-141-0x0000000000400000-0x0000000000445000-memory.dmp | upx
behavioral1/memory/2768-176-0x0000000000400000-0x0000000000445000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2768 wrote to memory of 2820 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 30
PID 2768 wrote to memory of 2820 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 30
PID 2768 wrote to memory of 2820 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 30
PID 2768 wrote to memory of 2820 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 30
PID 2768 wrote to memory of 2108 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 32
PID 2768 wrote to memory of 2108 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 32
PID 2768 wrote to memory of 2108 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 32
PID 2768 wrote to memory of 2108 | 2768 | fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2768
    C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
      command line: C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
      - System Location Discovery: System Language Discovery
      PID: 2820
    C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe
      command line: C:\Users\Admin\AppData\Local\Temp\fbd6db946429019d7020557a9e0061a7_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
      - System Location Discovery: System Language Discovery
      PID: 2108
Network
MITRE ATT&CK Enterprise v15
Downloads