Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

73267c2a41...18.exe

windows10-ltsc 2021-x64

10

73267c2a41...18.exe

windows11-21h2-x64

10

Resubmissions

01/11/2024, 16:44

241101-t8wqqatrdr 10

24/10/2024, 09:38

241024-lmj6ss1fra 10

Analysis

  • max time kernel
    60s
  • max time network
    65s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01/11/2024, 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe

  • Size

    691KB

  • MD5

    73267c2a412170b3f3df33616b1e1e8e

  • SHA1

    bcc8e0537ea776cf75ea83aec75130fc5ba36b43

  • SHA256

    4756e7ee03184fc1b29807d6e77c4bb85d0eaaadd064c67b0b4b3a90175229a3

  • SHA512

    3354d9f68f4e4ba5a1d88d9d1c9e8cb8f2067f7a03bf1b60d7658b9a036d642f64d35a98ae13115795e2078dff1fbf94dfed4e71c5134b6f24600366d7d6e13e

  • SSDEEP

    12288:4KmX4064w0jAQrjnY8/V1Ng6U+VAqEr4viIrvLZo4P84ldlBGPMmLbAEWBvB7:4KCR3Pzg6U+Qk97G4P84dX0Mmv5WVB

Score
10/10
44caliberdiscoveryevasionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • 44Caliber family
    44caliber
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:704
    • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\RuntimeBroker.exe
        "C:\Windows\RuntimeBroker.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          • System Time Discovery
          PID:4300
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\73267c2a412170b3f3df33616b1e1e8e_JaffaCakes118.exe"
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 100
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3140
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 900
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    1KB

    MD5

    0582f1acd034d047bda6388f658d5655

    SHA1

    39dca7089f53f6f6b2d8fe6b88c1197b1bdf53e7

    SHA256

    3f3ac63cd701f25e97e9fd61a7080bc3cf911520bd769fca45ab0247bcd47651

    SHA512

    b0ec56c4db34a4af0f843831e52fa94ae5e618a8ca9bc9d4254172433e139689ceab1e738f1b00397bf1550278126901e44b7947bbfafe02c87ecb3267d904c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RuntimeBroker.exe.log
    Filesize

    319B

    MD5

    2a0834560ed3770fc33d7a42f8229722

    SHA1

    c8c85f989e7a216211cf9e4ce90b0cc95354aa53

    SHA256

    8aa2d836004258f1a1195dc4a96215b685aed0c46a261a2860625d424e9402b6

    SHA512

    c5b64d84e57eb8cc387b5feedf7719f1f7ae21f6197169f5f73bc86deddb538b9af3c9952c94c4f69ae956e1656d11ab7441c292d2d850a4d2aaa9ec678f8e82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    328KB

    MD5

    f6639aa0f7e43cf09431850b3f473238

    SHA1

    3c7740ceacf062f8d71095bb440e280fdd3372ec

    SHA256

    870859b15395ba5c50bffd2e90b230d4ebc890c9ba8f674f87862b22254ec25e

    SHA512

    1e3fb39565e8d8f7c20e750735d79b06a97d49dbdae541f0e8e4fc97cff190d12e6bca77cef7d0018fe23f8c656d024766a05655ad6d18cdadaee2ded2b75d94

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    Filesize

    260KB

    MD5

    1acabd72a026449937fc1cd16d0b5423

    SHA1

    809ea7e21d0e3d80a6445c245daa2e018a417126

    SHA256

    81634c88831adcb3e44d92ecd2e2a4534b50cf2d7bf001a02d68faa5d9a92bc2

    SHA512

    40fcccd3b7aac5c5ff1bbfb2e491c4f8106e44f6e5c373b590ef2474469c8c25f44725c7d6310a242be7bec9aede4e02fa5196358d45ee620e4228866cbebb1d

    Download Submit

  • memory/704-67-0x0000000002670000-0x00000000026DE000-memory.dmp

    Filesize

    440KB

    Download

  • memory/704-193-0x00007FF86FE00000-0x00007FF8708C2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/704-65-0x0000000000530000-0x0000000000588000-memory.dmp

    Filesize

    352KB

    Download

  • memory/704-66-0x00007FF86FE00000-0x00007FF8708C2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-3-0x00007FF86FE00000-0x00007FF8708C2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-79-0x00007FF86FE00000-0x00007FF8708C2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1176-0-0x00007FF86FE03000-0x00007FF86FE05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1176-2-0x0000000000DB0000-0x0000000000E4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1176-1-0x00000000004E0000-0x0000000000594000-memory.dmp

    Filesize

    720KB

    Download