Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
144s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04/10/2024, 12:10
Static task
static1
Behavioral task
behavioral1
Sample
134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe
-
Size
945KB
-
MD5
134f2436ffdafc5060550130551ee6e3
-
SHA1
06470ee7c7ed198ff1303afddcb62fd87388a387
-
SHA256
866dcef893fc6286b9ddf923d71ed3a469cbed25e788d0e11a015019a19601c4
-
SHA512
1b90a95c95d728c0fb864a724a1375a3d1711cc51ce40fd47c18212cfd215f1721d63e693bfb69b323db80512fd2b88d4e409c7d016942e99ee67f7cf201ccbc
-
SSDEEP
24576:tzYXUlBNkEp0QHSJ0vN9QOw1tecWWf4y4:ykHNkESQHSJ6zzwqFWfx4
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 2452 h1deippla.exe 2424 Setup.exe 1176 hideippla.exe 2680 is-2FUKR.tmp -
Loads dropped DLL 15 IoCs
pid Process 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 2452 h1deippla.exe 2452 h1deippla.exe 2452 h1deippla.exe 2452 h1deippla.exe 2424 Setup.exe 2424 Setup.exe 2424 Setup.exe 2452 h1deippla.exe 1176 hideippla.exe 1176 hideippla.exe 1176 hideippla.exe 1176 hideippla.exe 2680 is-2FUKR.tmp 2680 is-2FUKR.tmp -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hideippla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is-2FUKR.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language h1deippla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2424 Setup.exe 2424 Setup.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe Token: SeBackupPrivilege 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe Token: SeDebugPrivilege 2424 Setup.exe Token: SeRestorePrivilege 2452 h1deippla.exe Token: SeBackupPrivilege 2452 h1deippla.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2324 wrote to memory of 2452 2324 134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe 31 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 2424 2452 h1deippla.exe 32 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 2452 wrote to memory of 1176 2452 h1deippla.exe 33 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34 PID 1176 wrote to memory of 2680 1176 hideippla.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\134f2436ffdafc5060550130551ee6e3_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\Temp\h1deippla.exe"C:\Windows\Temp\h1deippla.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\Temp\Setup.exe"C:\Windows\Temp\Setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\Temp\hideippla.exe"C:\Windows\Temp\hideippla.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Users\Admin\AppData\Local\Temp\is-AQ6PU.tmp\is-2FUKR.tmp"C:\Users\Admin\AppData\Local\Temp\is-AQ6PU.tmp\is-2FUKR.tmp" /SL4 $7014E "C:\Windows\Temp\hideippla.exe" 533110 522244⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2680
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31KB
MD53962b24c82cd7fd5d5ad08111bd7bf44
SHA1dd11858aca12b6ca6fadfe3c17a034a8a7f787a1
SHA2564087f1e8ba7f28e3d4ed533a6658f3a9869f4b8a12a0767ce46e078ecb89d0b5
SHA51263e70f979531e3256e6919b9a07807904f4688de8cdb8c302e832c5bdccf39fe5e4cdb7bc66af2afce06cb1a192ee56812aaf10b8c5dbd0dc20a0d0a4d36b1a7
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
647KB
MD5b683339ce008e97a0243a0f83bca1e09
SHA1a8a4c078225ec9d94912762bda3a745d83dbe8f4
SHA2565c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925
SHA512c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780
-
Filesize
893KB
MD5d677c2cb791d2c4f5d19a2a66f1b2779
SHA1abea4f8d80abca53c06eea001ee1f49f033fb3cf
SHA256fac3212ae04c7235d59d78ab25fe86cd18576da1c63deef755de11aed60ebab5
SHA512062647293867a627ba1a3a0eaf042d743615f00bf33a5553c2b383afbeceb6a9f141ae54bb321ec0c3761982965b89a11fb7620a0bd6d9b5676ecb76cbe3ae4e
-
Filesize
794KB
MD54f75f1c2be26ef5529b177ef126e9285
SHA16d8de01edb7d0a80038ac37ccbf48fd436c50584
SHA2562683919d50bf213910af6fa7b5ade24f7b66a166220822e37e42256155389f34
SHA5126e3691b48b001adf367563bb0725b3d650300abe0fbf2bfd1434203a4e7100d1d0591c4647d3e9aec20d33cec6b097a8c81bdbdefc0a4af355c56cc34bbb2eb6