Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

3daf9e6ae8...18.exe

windows7-x64

7

3daf9e6ae8...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/10/2024, 04:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe

  • Size

    41KB

  • MD5

    3daf9e6ae81363247c5f955329c41d5b

  • SHA1

    7d0d61155a59d3122f191eba20eeff836424523d

  • SHA256

    38e5fd8f4bb3ed7d8ff33f91d9c467670083b5f03c12293f2c5f46a04d0127e2

  • SHA512

    1751a07f32581c85c5bcefa61198a41cb8d9138282403ab87606b936efe27430038a0f2039d7b3f2a41e4eb9ab9f113e9d3c0e679e0dae225cb60b3b11381556

  • SSDEEP

    768:4QGiv2CKlMTFlhJDIVwqXlyOraLmMhJ3iR5Np9KtwkS7Cm94COfsziPg:3VvlKlCFWVnXlyOGD3i/L9OpS79vYsz9

Score
7/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3daf9e6ae81363247c5f955329c41d5b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\Stell.exe
      "C:\Users\Admin\AppData\Local\Temp\Stell.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:2364
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\prohy.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_13-10-2024_04-06-09-6E6B75BA-HHON.bin
    Filesize

    1KB

    MD5

    c4873fa9b5f1f5c2c39ecefdb76224bb

    SHA1

    41e7b9954c8b440322cdc13961900a0f75ea602d

    SHA256

    7a40733f6eff475c0bd4a69dcef89abc376452f4b59184aed51269a5025b96e1

    SHA512

    dcfa2abda48019e596030134f279d649d450ee6199aa7eb18071be30d28daab1849e3f4d4dcb0cf9d65cf36fb22eaef493ea2b25df7359df1d03b03fdff5cc9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\prohy.txt
    Filesize

    18KB

    MD5

    9b184272fa8eecb5c99fc1805ac7529e

    SHA1

    f9a21718765f6f842049513a8779dc738917f8af

    SHA256

    796db843fcb613b8a6307307ad3456e451de984cd64c14f038eb0552a3342cc1

    SHA512

    77fb8972d85dfd8d96793086f6405426834901853cd0d934f890b3e9473c30d2057fdfa94703e289b35ef83097081b73308676ae419fd517aacac2c36fee53c5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Stell.exe
    Filesize

    22KB

    MD5

    ae0f7196eb6ca11f59fdf63c6bcfd488

    SHA1

    8308a06843f003d65ad608767f0278e8b4019d41

    SHA256

    01255c3a07b62f23832c1635d1f6e822d7b85ba34f32fbaa0e0c90c06b25fd12

    SHA512

    c27f8ec49eb252097394164e6469e96030c87f4d41a3233f19704d85ac60253cbdbd3e2ae4afd317de76d30163f9f65503d65c0adb431c540397961d54dc3e05

    Download Submit

  • memory/2364-10-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2364-16-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2364-23-0x0000000000400000-0x0000000000455000-memory.dmp

    Filesize

    340KB

    Download

  • memory/2872-5-0x0000000002400000-0x0000000002455000-memory.dmp

    Filesize

    340KB

    Download