Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02/01/2025, 07:36

General

  • Target

    JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe

  • Size

    1.2MB

  • MD5

    638f0a2333f81bb929cfc47b16e4057d

  • SHA1

    5f8d13e6d5647c6380a6e9670d3279cca8de5eae

  • SHA256

    ae042d2e4e5d411e544f4bf00a5c8499f7c224f442f854feb4e61f705b562b02

  • SHA512

    fafbd9aa10c2f26ffabce7fedb70f6f4929d9d017233b015cf9df9ef472cf752f42bda0cf7aebf22291cffafc9315ad6fcf730f6760b1d3c55b6cce9e080f8e5

  • SSDEEP

    24576:1qXdDeWY6yHlb05btx6O4W0uAp7UGpV83NfmNbP2:1QdCJ0M5nTDj2

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

  • ISR Stealer payload 2 IoCs
  • Isrstealer family
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Local\Temp\3YX11.exe
      C:\Users\Admin\AppData\Local\Temp\3YX11.exe
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\3YX11e.exe
      C:\Users\Admin\AppData\Local\Temp\3YX11e.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3YX11.exe

    Filesize

    171KB

    MD5

    b639641d48989d0f655c5331d3bbd6ab

    SHA1

    23c814de11091b34304e3982efc5d0e5a9ab00c8

    SHA256

    09c027f0eb268ece684d416c2ac715f96502400fb003ddecec86f11718862a06

    SHA512

    05ffbe523ac54f48471ff0131a2cf11be67a11bc4b6c201b7b52f2fac1b19ed75ee12626d53a28e20f364f7003d0ee95586aed60a8a0a1d6f16951ec422f27f9

  • C:\Users\Admin\AppData\Local\Temp\3YX11e.exe

    Filesize

    544KB

    MD5

    047eb567d1450e7c0dc4225280062f92

    SHA1

    1d91f788269eb3560efe85e923720c5b150f89e5

    SHA256

    b0367f47cf1177e8122dabc5fc85adc4cb03268f7f29176bd15747211ef31b5c

    SHA512

    0da335c4d3402da4e61cfbf6d009fd55179a8b2bb473ce862ffc53080069a5a193557e098cdb22ab0c8292a57f92b7fba57cc6f8f47eb491c4b322229765fbbf

  • memory/2544-25-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-26-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-32-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-23-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-24-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2672-11-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-12-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-10-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-9-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2672-28-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2788-1-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2788-3-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2788-0-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp

    Filesize

    4KB

  • memory/2788-27-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2788-2-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp

    Filesize

    9.6MB

  • memory/3036-19-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/3036-33-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB