Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2025, 12:48
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_63c40028125acefa332aaa57ae8938eb.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_63c40028125acefa332aaa57ae8938eb.exe
Size: 1.2MB
MD5: 63c40028125acefa332aaa57ae8938eb
SHA1: 9c889a7d6703b17937e4f7e471251387d5fe6d53
SHA256: ed49e852356fc64effbbe3e2d4cc8ea5b9d79b77fa08133b942e3ef3403b34ff
SHA512: b6f038eaae9aa423eac90a2d6f80545c345a2e13dc7c15d76fe03d117830969c34897be9c7288d93d642bee76f51a0c1ccd0e6e09bbbf55543ceea7fcef507ea
SSDEEP: 24576:deeuI73ROoGgF9Wu6lqlJ39o16PFViLxmaJ9spcGHcd3fV2ZpGw1bB:dpuI73T59Pwk9xPDcNGIPV2Hr1
Malware Config
Signatures
- Vidar family
- Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2088-3-0x000000001C050000-0x000000001C12C000-memory.dmp | family_vidar
  behavioral1/files/0x0007000000012116-8.dat | family_vidar
- Executes dropped EXE (1 IoC)
  pid 2300 | Process build.exe
- Loads dropped DLL (4 IoCs)
  pid 2800 | Process WerFault.exe (4 occurrences)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 2800 | pid_target 2300 | Process WerFault.exe | procid_target 30
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description Key opened | ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process build.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2088 wrote to memory of 2300 | Process JaffaCakes118_63c40028125acefa332aaa57ae8938eb.exe | procid_target 30 (4 occurrences)
  PID 2300 wrote to memory of 2800 | Process build.exe | procid_target 32 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63c40028125acefa332aaa57ae8938eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63c40028125acefa332aaa57ae8938eb.exe"
  PID: 2088
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    PID: 2300
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1292
      PID: 2800
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 848KB
  MD5: eafba1017e94765780d8a5b182d4c325
  SHA1: 7968d32aa44d2c66dc670841d86ef8dba376128f
  SHA256: 0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3
  SHA512: 31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa