Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2025, 05:25

General

  • Target

    JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe

  • Size

    813KB

  • MD5

    10f79865e6d977fa0d9f5d4a12ac7fac

  • SHA1

    c05d245928e4c06f1591187d595786ffcb57584a

  • SHA256

    e6cb9330e6bbd16bdd58aac76070200e17389a45c4aead703d4ab970038ff8a2

  • SHA512

    5ba202c0fcf9dbffd0dbf3a1310978469c55a764876eddc2d02e66f01e707890de510a73595d43cf1f6b7c7769b4e2a756abe75d48f805aae34d78d8709b500c

  • SSDEEP

    12288:0swHXdkqRSFdMkuvMNptn0UOxgT2KoxyJ/4cg73t76T1kruzG3+plaqJFTP7ye06:LwHNzovaxxg6KIGfg1O1OmG3klaqvy0

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

snr6

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook family
  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_10f79865e6d977fa0d9f5d4a12ac7fac.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2268-14-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2268-16-0x0000000000880000-0x0000000000B83000-memory.dmp (Filesize: 3.0MB)
  • memory/2268-8-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2268-10-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2268-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2336-3-0x00000000003C0000-0x00000000003D4000-memory.dmp (Filesize: 80KB)
  • memory/2336-6-0x0000000005F40000-0x0000000005FC6000-memory.dmp (Filesize: 536KB)
  • memory/2336-7-0x0000000000720000-0x0000000000754000-memory.dmp (Filesize: 208KB)
  • memory/2336-5-0x00000000744C0000-0x0000000074BAE000-memory.dmp (Filesize: 6.9MB)
  • memory/2336-4-0x00000000744CE000-0x00000000744CF000-memory.dmp (Filesize: 4KB)
  • memory/2336-0-0x00000000744CE000-0x00000000744CF000-memory.dmp (Filesize: 4KB)
  • memory/2336-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp (Filesize: 6.9MB)
  • memory/2336-15-0x00000000744C0000-0x0000000074BAE000-memory.dmp (Filesize: 6.9MB)
  • memory/2336-1-0x0000000000BC0000-0x0000000000C92000-memory.dmp (Filesize: 840KB)