Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02/01/2025, 07:36
Static task: static1
Behavioral task: behavioral1
    Sample: JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
    Resource: win7-20240903-en
Behavioral task: behavioral2
    Sample: JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
    Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe
Size: 1.2MB
MD5: 638f0a2333f81bb929cfc47b16e4057d
SHA1: 5f8d13e6d5647c6380a6e9670d3279cca8de5eae
SHA256: ae042d2e4e5d411e544f4bf00a5c8499f7c224f442f854feb4e61f705b562b02
SHA512: fafbd9aa10c2f26ffabce7fedb70f6f4929d9d017233b015cf9df9ef472cf752f42bda0cf7aebf22291cffafc9315ad6fcf730f6760b1d3c55b6cce9e080f8e5
SSDEEP: 24576:1qXdDeWY6yHlb05btx6O4W0uAp7UGpV83NfmNbP2:1QdCJ0M5nTDj2
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/memory/3036-19-0x0000000000400000-0x0000000000432000-memory.dmp   family_isrstealer
behavioral1/memory/3036-33-0x0000000000400000-0x0000000000432000-memory.dmp   family_isrstealer
Both matches are in the memory of pid 3036 (the first vbc.exe) at image base 0x400000, i.e. the stealer body lives in the hollowed compiler process, not in any file on disk.

Isrstealer family
Executes dropped EXE (2 IoCs)
pid    Process
2672   3YX11.exe
2708   3YX11e.exe
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (2 IoCs)
description                            pid    Process      procid_target
PID 2708 set thread context of 3036    2708   3YX11e.exe   32
PID 3036 set thread context of 2544    3036   vbc.exe      33
yara_rule upx (5 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2544-26-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2544-25-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2544-24-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2544-23-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2544-32-0x0000000000400000-0x0000000000453000-memory.dmp   upx
All five matches are in pid 2544 (the second vbc.exe), so the image that 3036 injected into it is UPX-packed; unpack the 0x400000-0x453000 dump before static analysis.
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    3YX11e.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    vbc.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    vbc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
3036   vbc.exe
Suspicious use of WriteProcessMemory (25 IoCs; identical rows collapsed, count of calls in the last column)
description                        pid    Process                                                procid_target   calls
PID 2788 wrote to memory of 2672   2788   JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe    30              3
PID 2788 wrote to memory of 2708   2788   JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe    31              4
PID 2708 wrote to memory of 3036   2708   3YX11e.exe                                             32              9
PID 3036 wrote to memory of 2544   3036   vbc.exe                                                33              9
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe  (PID 2788, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3YX11.exe  (PID 2672, depth 2, child of 2788)
        command line: C:\Users\Admin\AppData\Local\Temp\3YX11.exe
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\3YX11e.exe  (PID 2708, depth 2, child of 2788)
        command line: C:\Users\Admin\AppData\Local\Temp\3YX11e.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 3036, depth 3, child of 2708)
            command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2544, depth 4, child of 3036)
                command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini"
                - System Location Discovery: System Language Discovery

Chain summary: the sample drops and runs 3YX11.exe and 3YX11e.exe. 3YX11e.exe starts the signed .NET compiler vbc.exe (pid 3036), writes into it and redirects its thread with SetThreadContext; that process carries the ISR Stealer YARA hits. Pid 3036 then does the same to a second vbc.exe (pid 2544), whose image is UPX-packed, and passes it /scomma "...\tmp.ini". /scomma is the comma-delimited export switch of the NirSoft recovery utilities and has no meaning to vbc.exe itself, so tmp.ini is where the harvested data is written. The WriteProcessMemory calls from 2788 into its two children are not hollowing on their own (process creation alone produces them); the discriminator is the parent that both writes to the child and calls SetThreadContext on it.
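The detection logic that the chain above suggests, as an added example that is not part of the tria.ge report or of any sandbox code. It rebuilds the process tree from constructed sandbox-style events (pids, images and API call pairs copied from the Processes, WriteProcessMemory and SetThreadContext tables; the event field names and the EXPECTED_COMPILER_PARENTS allow-list are this example's own assumptions) and raises three findings: a .NET compiler started by something other than a build tool, a parent that both writes into a child it created and calls SetThreadContext on it, and the /scomma export switch on a compiler's command line.

```python
"""Added example (not tria.ge code): flag the two-stage vbc.exe hollowing
and the /scomma switch from sandbox-style process and API events.
Event shape and the parent allow-list are assumptions of this example."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Signed Microsoft .NET compilers that are popular hollowing hosts.
DOTNET_COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}
# Assumed allow-list of parents that legitimately start those compilers.
EXPECTED_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe", "w3wp.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    cmdline: str
    wrote_to: set[int] = field(default_factory=set)    # WriteProcessMemory targets
    ctx_set_on: set[int] = field(default_factory=set)  # SetThreadContext targets

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    target: int | None
    detail: str


# Constructed events mirroring the report: creations first, then API calls.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"
EVENTS = [
    {"type": "create", "pid": 2788, "ppid": None, "cmdline": "",
     "image": TEMP + "JaffaCakes118_638f0a2333f81bb929cfc47b16e4057d.exe"},
    {"type": "create", "pid": 2672, "ppid": 2788, "image": TEMP + "3YX11.exe", "cmdline": TEMP + "3YX11.exe"},
    {"type": "create", "pid": 2708, "ppid": 2788, "image": TEMP + "3YX11e.exe", "cmdline": TEMP + "3YX11e.exe"},
    {"type": "create", "pid": 3036, "ppid": 2708, "image": VBC, "cmdline": VBC},
    {"type": "create", "pid": 2544, "ppid": 3036, "image": VBC,
     "cmdline": VBC + ' /scomma "' + TEMP + 'tmp.ini"'},
    # Plain process creation also shows up as WriteProcessMemory into the child.
    {"type": "write_memory", "pid": 2788, "target": 2672},
    {"type": "write_memory", "pid": 2788, "target": 2708},
    {"type": "write_memory", "pid": 2708, "target": 3036},
    {"type": "set_thread_context", "pid": 2708, "target": 3036},
    {"type": "write_memory", "pid": 3036, "target": 2544},
    {"type": "set_thread_context", "pid": 3036, "target": 2544},
]


def build_tree(events: list[dict]) -> dict[int, Proc]:
    """Index processes by pid and attach the cross-process API calls."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"])
             for e in events if e["type"] == "create"}
    for e in events:
        if e["type"] == "write_memory":
            procs[e["pid"]].wrote_to.add(e["target"])
        elif e["type"] == "set_thread_context":
            procs[e["pid"]].ctx_set_on.add(e["target"])
    return procs


def detect(procs: dict[int, Proc]) -> list[Finding]:
    findings: list[Finding] = []
    for p in procs.values():
        parent = procs.get(p.ppid) if p.ppid is not None else None

        # Rule 1: a .NET compiler started by anything but a build tool; a parent
        # in a user-writable directory makes the hit stronger.
        if p.name in DOTNET_COMPILERS and parent is not None \
                and parent.name not in EXPECTED_COMPILER_PARENTS:
            where = " from a user-writable path" if any(
                h in parent.image.lower() for h in USER_WRITABLE) else ""
            findings.append(Finding("compiler_unexpected_parent", p.pid, parent.pid,
                                    f"{p.name} spawned by {parent.name}{where}"))

        # Rule 2: hollowing. WriteProcessMemory into a fresh child is creation
        # noise (2788 -> 2672); the discriminator is the same parent also
        # calling SetThreadContext on that child.
        for child_pid in sorted(p.wrote_to & p.ctx_set_on):
            child = procs.get(child_pid)
            if child is not None and child.ppid == p.pid:
                findings.append(Finding("process_hollowing", p.pid, child_pid,
                                        f"{p.name} wrote into and redirected a thread of {child.name}"))

        # Rule 3: /scomma is the NirSoft comma-delimited export switch; it has
        # no meaning on a compiler command line.
        if "/scomma" in p.cmdline.lower():
            findings.append(Finding("credential_dump_switch", p.pid, None, p.cmdline))
    return findings


if __name__ == "__main__":
    for f in detect(build_tree(EVENTS)):
        print(f"[{f.rule}] pid {f.pid} -> {f.target}: {f.detail}")
```

Run stand-alone it prints five findings for the constructed chain: two hollowing steps (2708 into 3036, 3036 into 2544), two compiler launches with an unexpected parent, and the /scomma switch on pid 2544. Feeding it real telemetry means mapping Sysmon event 1 (process creation) and an EDR's cross-process memory and thread events onto the same three event types.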
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
    Filesize: 171KB
    MD5: b639641d48989d0f655c5331d3bbd6ab
    SHA1: 23c814de11091b34304e3982efc5d0e5a9ab00c8
    SHA256: 09c027f0eb268ece684d416c2ac715f96502400fb003ddecec86f11718862a06
    SHA512: 05ffbe523ac54f48471ff0131a2cf11be67a11bc4b6c201b7b52f2fac1b19ed75ee12626d53a28e20f364f7003d0ee95586aed60a8a0a1d6f16951ec422f27f9
File 2
    Filesize: 544KB
    MD5: 047eb567d1450e7c0dc4225280062f92
    SHA1: 1d91f788269eb3560efe85e923720c5b150f89e5
    SHA256: b0367f47cf1177e8122dabc5fc85adc4cb03268f7f29176bd15747211ef31b5c
    SHA512: 0da335c4d3402da4e61cfbf6d009fd55179a8b2bb473ce862ffc53080069a5a193557e098cdb22ab0c8292a57f92b7fba57cc6f8f47eb491c4b322229765fbbf