Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10/10/2024, 17:25

General

  • Target

    3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    3113c057abc2bc8815ade3e4b58299c1

  • SHA1

    42cffb1729d57b6da72a97042105d1ae53d5fd7f

  • SHA256

    84e16e5329c9d815487aa7816343e8ce69a79f32cb5a9e91cf72be634445a4a3

  • SHA512

    ff7cd55707c8b25a886e1bb374d231a60fef58e670c5880a525bdba10fe6bfc0e492542048a5b64688d7095cae2e6b2adec7882a4512e1e0096e844568b9a19b

  • SSDEEP

    24576:frJKUK/juqkncxnfS//2oYP+ENxuIW/Rjl/lVlP64htKQtsVELVDiicYQRebMyHz:f1Kb/juqgcxfSE+HIuRjl/lVlP64htKB

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Users\Admin\AppData\Local\Temp\crpD470.exe
      /S /notray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:868
    • C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
      -home -home2 -hie -hff -hgc -spff -et -channel 162341
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

    Filesize

    331KB

    MD5

    a3e93460c26e27a69594dc44eb58e678

    SHA1

    a615a8a12aa4e01c2197f4f0d78605a75979a048

    SHA256

    3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

    SHA512

    39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

  • \Users\Admin\AppData\Local\Temp\crpD470.exe

    Filesize

    806KB

    MD5

    661cf9c90eb099fb7b6a394dd8cde2e4

    SHA1

    3704e119ea16a3c336f63dc808176a22fbb8582a

    SHA256

    1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07

    SHA512

    13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761