Analysis
max time kernel: 135s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/10/2024, 22:19
Static task: static1
Behavioral task: behavioral1
Sample: 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Size: 1.3MB
MD5: 7639eda1dbb366bc84e290cc589e1fb3
SHA1: 25316e15b4be6b24ffc937f1af97a064014d9363
SHA256: 6abf303ed71a7d1117ffc94e34ebbef57ab296584c1a801b8023a9e3bf0f91d4
SHA512: 80622e4cd378c343a80bd21a647b2ffd60486b0207e62a6669a8b35ca102121646b63bcc0736356f12645d44dda05ec8e7b2924de3174f8f3f1e0d28b7cd660c
SSDEEP: 24576:0WsOo+uTPMNjfN4bhDKN8Zvyuda7Shpm44zdD:0WsHrIhfNmgmh8Sho44zB
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: t052
Decoy domains:
droogskateboards.com
royalspowersolution.com
lifebestmoves.com
rimpasac.com
crndhwv.icu
younggunrecords.com
rtdentalstaffing.com
2ktea.com
aiheim.com
cyberledger360.com
chrgo.com
1-alnafrica.com
reignbowssparkle.com
theexecutivestudio.com
stevebana.xyz
adenisikmerkezi.com
ralfboehm.com
chiyuedianzi.com
mjgqw.com
isiswilkinson.com
bolsasytapers.com
oanchun.club
xn--vcsr9nd2hesf.com
sebastian-linares.info
themiddlemore.com
youllsucceedonline.com
rustomjee.institute
7923599.com
msnbcrise.com
negotiablekite.com
qamishlo.net
heatwavesolutions.com
codebend.com
3muxue.com
clicklike.asia
digitalitalynews.com
cheapfreeruntrainers.com
goldexreturns.com
jqyba.com
banffjaspernow.com
cuttingedgegimmick.com
leswamp.com
uvaube.com
ourvideoindalastexas.com
wellcare-gs.com
nh96520.com
leviathanusa.com
weihnachtsmann-cux-umgebung.com
defenseinvestigation.com
ozgeerdoganyilmaz.com
ocd-diesel.com
munchui.com
finanteo.net
aimuseums.com
anneikaellc.com
yebhi.xyz
ohmygoood.xyz
vz329.com
zkitu.online
tlczj.com
ankikrit.com
catscratchco.com
citestaccnt1597752059.com
rapurp.club
liracosmeticsau.com
Signatures
Formbook family
Formbook payload (1 IoC)
resource | yara_rule
behavioral2/memory/3452-14-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2044 set thread context of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
3452 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
3452 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2044 wrote to memory of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
PID 2044 wrote to memory of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
PID 2044 wrote to memory of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
PID 2044 wrote to memory of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
PID 2044 wrote to memory of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
PID 2044 wrote to memory of 3452 | 2044 | 7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe | 102
Processes
1. C:\Users\Admin\AppData\Local\Temp\7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe"
PID: 2044
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
2. (child of process 1) C:\Users\Admin\AppData\Local\Temp\7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7639eda1dbb366bc84e290cc589e1fb3_JaffaCakes118.exe"
PID: 3452
- Suspicious behavior: EnumeratesProcesses