Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
15/12/2024, 08:05
Static task
static1
Behavioral task
behavioral1
Sample
f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
f311ed4e14e3fd2e6b7a654021e9fc46
-
SHA1
4f38463f0a2719701c5351df1c9e7e205764f39f
-
SHA256
f6210a60289f284600428b1cb4975eab8a326f49644667ef98d83377128615f2
-
SHA512
9c22995ada407d940d257f4d72461b40415989708fd5678c5aacdb1cef3237fac75e410971f6bc7caab6a4d9e039bddffb7e3db42302647d3fa6ea29df6b59fd
-
SSDEEP
24576:aSyLtIBYWFkfV0hfPnZBdWGktI7ie8ydTF4EWCX:WKBlNfPjd1ktOie8y1FzX
Malware Config
Signatures
-
Troldesh family
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
resource yara_rule behavioral1/memory/2968-1-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-2-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-3-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-5-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-4-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-8-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-7-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-12-0x0000000000400000-0x0000000000607000-memory.dmp upx behavioral1/memory/2968-13-0x0000000000400000-0x0000000000607000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2968 f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe 2968 f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2968 f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f311ed4e14e3fd2e6b7a654021e9fc46_JaffaCakes118.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2968
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1