Analysis

  • max time kernel: 150s
  • max time network: 119s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 09/10/2024, 03:57

General

  • Target: 2a6b79d2d8c78d9a6d5f63d203746153_JaffaCakes118.exe
  • Size: 218KB
  • MD5: 2a6b79d2d8c78d9a6d5f63d203746153
  • SHA1: 86ee77ac3d94e1a7808aa0aea553fa8ec81ae4e6
  • SHA256: 63362870ddc6f6f06a3f59415006ac48975cca308c4b285a63851dcbb8b295c4
  • SHA512: cd1ee1c432016c5070ce57d4264738617d9e2a43b606991434fa5b9ebf479a1031b26a452e14cdfbf05b4d15a9574164c42ea8cf88fc6717fef7f867b99dc246
  • SSDEEP: 6144:A/6zy3sq8j1/EKd4ReLZkouP5F6wUEzErL6xPh:0hsq8j9d4sOouRAVE0L

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a6b79d2d8c78d9a6d5f63d203746153_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2a6b79d2d8c78d9a6d5f63d203746153_JaffaCakes118.exe"
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\jf_cf_telepat (1)ñòèëëåð.exe
      "C:\Users\Admin\AppData\Local\Temp\jf_cf_telepat (1)ñòèëëåð.exe"
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.crazyfrost.com/
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2496
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:209927 /prefetch:2
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2588

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (9 entries, 342B each)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\main[1].css (7KB)
  • C:\Users\Admin\AppData\Local\Temp\Cab3E0B.tmp (70KB)
  • C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_09-10-2024_12-58-26-7F6C76BD-IAAB.bin (1KB)
  • C:\Users\Admin\AppData\Local\Temp\Tar3E6C.tmp (181KB)
  • C:\Users\Admin\AppData\Local\Temp\jf_cf_telepat (1)ñòèëëåð.exe (211KB)

  • memory/1868-19-0x0000000000400000-0x00000000004A9000-memory.dmp: 676KB
  • memory/1868-0-0x0000000000400000-0x00000000004A9000-memory.dmp: 676KB
  • memory/1868-6-0x0000000000400000-0x00000000004A9000-memory.dmp: 676KB
  • memory/1868-1-0x0000000000400000-0x00000000004A9000-memory.dmp: 676KB
  • memory/2924-34-0x0000000074370000-0x000000007491B000-memory.dmp: 5.7MB
  • memory/2924-24-0x0000000074370000-0x000000007491B000-memory.dmp: 5.7MB
  • memory/2924-23-0x0000000074370000-0x000000007491B000-memory.dmp: 5.7MB
  • memory/2924-22-0x0000000074371000-0x0000000074372000-memory.dmp: 4KB
  • memory/2924-43-0x0000000074370000-0x000000007491B000-memory.dmp: 5.7MB