Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/01/2025, 05:25
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe
-
Size
813KB
-
MD5
10f79865e6d977fa0d9f5d4a12ac7fac
-
SHA1
c05d245928e4c06f1591187d595786ffcb57584a
-
SHA256
e6cb9330e6bbd16bdd58aac76070200e17389a45c4aead703d4ab970038ff8a2
-
SHA512
5ba202c0fcf9dbffd0dbf3a1310978469c55a764876eddc2d02e66f01e707890de510a73595d43cf1f6b7c7769b4e2a756abe75d48f805aae34d78d8709b500c
-
SSDEEP
12288:0swHXdkqRSFdMkuvMNptn0UOxgT2KoxyJ/4cg73t76T1kruzG3+plaqJFTP7ye06:LwHNzovaxxg6KIGfg1O1OmG3klaqvy0
Malware Config
Extracted
formbook
4.1
snr6
jjglassmi1.com
vpsseattle.com
drfllc.top
staycoolonline.com
eptlove.com
solusimatasehat.site
ionrarecharlestonproperties.com
b3eflucg.xyz
tvchosun-usa.com
mmahzxwzsadqlshop.life
gospelimport.com
demoapps.website
jackburst54.com
99rocket.education
ccbwithbri.com
trapperairsoft.com
useroadly.com
ralphlaurenonline-nl.com
loanmaster4u.com
champ-beauty-tomigaoka-nail.com
theripemillennial.com
123intan.net
typopendant.com
coruscant.holdings
bio-intelligenz-therapie.com
reprv.com
directreport.net
phinespe.xyz
xuvedae.site
idilikproperties.info
wakigaggenin.com
mal2tech.com
nftwhaler.xyz
gxhnjssx.com
ozba.xyz
lecupcake.net
lucid.quest
kaleoslawncare.com
tiew.store
texcommercialpainting.com
2152351.com
likewize-xl.com
dacooligans.com
manuelmartinezs.com
beancusp.com
barbershopvalleyvillage.com
southwickfunerals.com
briellebaeslay.info
rebeccarye.com
unitedstateswelders.com
saudiarabiavegan.com
testcarona.com
serverapsd.com
crickx.email
hdszbj.com
bennettmountainoutfitter.com
leileilei1999.xyz
baroquefolke.com
francinegeorges.com
horpces.online
resolutionfix.com
mike-schultz.xyz
sohutobankueahomupezinkv.xyz
flowerseedqueen.com
reynbetgirisi.com
Signatures
-
Formbook family
-
Formbook payload 1 IoCs
resource yara_rule behavioral1/memory/2268-14-0x0000000000400000-0x000000000042F000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2336 set thread context of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 2268 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31 PID 2336 wrote to memory of 2268 2336 JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2268
-