Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    01/01/2025, 12:23

General

  • Target

    JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe

  • Size

    457KB

  • MD5

    54ef2f2acdf62dfb40fc32aab1f46307

  • SHA1

    3f3640685b7af5b52a13d49cfd1cf5364114e317

  • SHA256

    f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d

  • SHA512

    3ee12f2d99ce1ce272f99b7e190694f52aaf68bb2267f53efb6073d79100a3d127ad841bd9324d675af527e06bb9c56218ff1e91dfb644af1d21042cf049ff03

  • SSDEEP

    6144:MqTi59VJdaD70ylbBTpVg8DPmgQhSdj/4KngWIq6jRk+j:MGin670yTTpVg8CgcSKKngWIjX

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h37

Decoy

Formbook interleaves beacons to these decoy domains with traffic to its real C2 in order to mask it; the list below is pulled from the sample's extracted config and does not identify the live C2, so on their own these domains are weak indicators.

misfitsbarandgrill.com

pijpsletjes.com

practiman.com

trailersgeek.online

greathappiness.faith

solderisland.com

kk5299.com

nani21.com

sharpactinvest.com

meteocockpit.com

provisionswpgroup.com

theplaze.net

westaustralian.ninja

freetrafficupgradingall.win

paraisocalafate.com

nelps.com

buywatch.win

sgfmim.site

mexicotradicional.com

moving411.biz

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it injects into a legitimate process and harvests credentials, keystrokes, clipboard contents and web-form data from browsers and other applications, exfiltrating them over HTTP to its C2 while also beaconing to decoy domains.

  • Formbook family
  • Formbook payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2784
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2588
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1312
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3040
    • C:\Windows\SysWOW64\NAPSTAT.EXE
      "C:\Windows\SysWOW64\NAPSTAT.EXE"
      2⤵
        PID:1248
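The tree above is a textbook Formbook install chain: cmd.exe copies the dropper to the Libraries path as app.exe; explorer.exe is used as a launch proxy ("/c," followed by the path) so the dropped copy's parent becomes explorer.exe rather than the dropper; app.exe re-spawns itself and uses SetThreadContext to hollow the child; a 32-bit system utility (help.exe) launched bare under Explorer receives the injected code and then removes the dropped file with cmd /c del. The following Python is an added example (not tria.ge output and not Formbook's own code) that runs over process-creation events constructed from this page's tree and tags each stage. The event shape (pid, image, cmdline, parent_image) is an assumption modelled loosely on Sysmon Event ID 1; the benign cmd.exe event is also constructed, as a control.

```python
import re

# Constructed events modelled on the process tree on this page (PIDs and command
# lines as reported there). Field names follow Sysmon Event ID 1 loosely and are
# an assumption, not tria.ge's export format.
def ev(pid, image, cmdline, parent_image):
    return {"pid": pid, "image": image, "cmdline": cmdline, "parent_image": parent_image}

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54ef2f2acdf62dfb40fc32aab1f46307.exe"
APP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
HELP = r"C:\Windows\SysWOW64\help.exe"
NAPSTAT = r"C:\Windows\SysWOW64\NAPSTAT.EXE"

EVENTS = [
    ev(2248, TEMP_EXE, f'"{TEMP_EXE}"', r"C:\Windows\Explorer.EXE"),
    ev(2784, CMD, f'"C:\\Windows\\System32\\cmd.exe" /c copy "{TEMP_EXE}" "{APP_EXE}"', TEMP_EXE),
    ev(2588, r"C:\Windows\SysWOW64\explorer.exe",
       f'"C:\\Windows\\System32\\explorer.exe" /c, "{APP_EXE}"', TEMP_EXE),
    ev(1864, HELP, f'"{HELP}"', r"C:\Windows\Explorer.EXE"),
    ev(1312, CMD, f'/c del "{APP_EXE}"', HELP),
    ev(2580, APP_EXE, f'"{APP_EXE}"', r"C:\Windows\explorer.exe"),
    ev(3040, APP_EXE, f'"{APP_EXE}"', APP_EXE),
    ev(1248, NAPSTAT, f'"{NAPSTAT}"', r"C:\Windows\explorer.exe"),
    # Constructed benign control: an ordinary cmd.exe invocation must not be tagged.
    ev(4000, CMD, '"C:\\Windows\\System32\\cmd.exe" /c dir', r"C:\Windows\Explorer.EXE"),
]

# The drop location seen in this report. Formbook's dropper path varies between
# samples; widen this to the whole Roaming profile if you deploy the logic.
LIBRARIES_EXE = re.compile(r'\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\[^\\"]+\.exe', re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def tags_for(e):
    """Return the sorted list of Formbook-chain stages this single event matches."""
    image, cmd, parent = e["image"], e["cmdline"], e["parent_image"]
    base = _base(image)
    tags = set()

    if base == "cmd.exe":
        # Stage 1: the dropper copies *itself* (source == parent image) into the drop dir.
        m = re.search(r'/c\s+copy\s+"([^"]+)"\s+"([^"]+)"', cmd, re.I)
        if m and m.group(1).lower() == parent.lower() and LIBRARIES_EXE.search(m.group(2)):
            tags.add("self_copy_to_libraries")
        # Stage 5: the hollowed utility removes the dropped copy once it is resident in memory.
        m = re.search(r'/c\s+del\s+"?([^"]+\.exe)"?', cmd, re.I)
        if m and LIBRARIES_EXE.search(m.group(1)):
            tags.add("self_delete")

    # Stage 2: explorer.exe used as a launch proxy with the unusual "/c," argument.
    if base == "explorer.exe" and re.search(r'/c,\s*"[^"]+\.exe"', cmd, re.I):
        tags.add("explorer_proxy_launch")

    # Stage 3: the dropped binary runs, and re-spawns itself as the hollowing host.
    if LIBRARIES_EXE.search(image):
        tags.add("exec_from_libraries")
        if parent.lower() == image.lower():
            tags.add("self_reexec")

    # Stage 4: a 32-bit system utility started by Explorer with no arguments at all.
    # This is the noisiest rule (a user double-clicking a utility looks identical);
    # use it to corroborate the other stages rather than to alert on its own.
    if ("\\syswow64\\" in image.lower()
            and base not in {"cmd.exe", "explorer.exe"}
            and cmd.strip().strip('"').lower() == image.lower()
            and _base(parent) == "explorer.exe"):
        tags.add("bare_syswow64_utility")

    return sorted(tags)


def detect(events):
    """Map pid -> matched stages, omitting events that matched nothing."""
    hits = {}
    for e in events:
        tags = tags_for(e)
        if tags:
            hits[e["pid"]] = tags
    return hits


if __name__ == "__main__":
    for pid, tags in detect(EVENTS).items():
        print(pid, ", ".join(tags))
```

Run against the constructed events, every process in the report's chain except the initial dropper is tagged with its stage, and the control cmd.exe is not. The per-stage tags are deliberately kept separate so a hunting query can require two or more of them within one process tree before raising an alert; the bare-utility rule alone will fire on legitimate use.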

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\app.exe

      Filesize

      457KB

      MD5

      54ef2f2acdf62dfb40fc32aab1f46307

      SHA1

      3f3640685b7af5b52a13d49cfd1cf5364114e317

      SHA256

      f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d

      SHA512

      3ee12f2d99ce1ce272f99b7e190694f52aaf68bb2267f53efb6073d79100a3d127ad841bd9324d675af527e06bb9c56218ff1e91dfb644af1d21042cf049ff03

    • memory/1212-18-0x0000000004610000-0x00000000046DB000-memory.dmp

      Filesize

      812KB

    • memory/1212-15-0x0000000003180000-0x0000000003280000-memory.dmp

      Filesize

      1024KB

    • memory/1864-19-0x00000000005D0000-0x00000000005D6000-memory.dmp

      Filesize

      24KB

    • memory/2248-8-0x00000000744F0000-0x0000000074BDE000-memory.dmp

      Filesize

      6.9MB

    • memory/2248-5-0x00000000744F0000-0x0000000074BDE000-memory.dmp

      Filesize

      6.9MB

    • memory/2248-0-0x00000000744FE000-0x00000000744FF000-memory.dmp

      Filesize

      4KB

    • memory/2248-4-0x00000000744FE000-0x00000000744FF000-memory.dmp

      Filesize

      4KB

    • memory/2248-3-0x0000000000930000-0x0000000000950000-memory.dmp

      Filesize

      128KB

    • memory/2248-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp

      Filesize

      6.9MB

    • memory/2248-1-0x0000000000310000-0x0000000000388000-memory.dmp

      Filesize

      480KB

    • memory/2580-11-0x0000000001270000-0x00000000012E8000-memory.dmp

      Filesize

      480KB

    • memory/3040-12-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/3040-16-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/3040-17-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB