Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/01/2025, 07:36

General

  • Target

    JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe

  • Size

    1.6MB

  • MD5

    2977a60c2152fd24dc5aac6e88de8049

  • SHA1

    8715bb5732eed4ec20eed1dd31d731197763e4fb

  • SHA256

    460ab58bc9a6f47d54403e74511e24f2e499081fb3af6ba9b92ddc337cc8feaa

  • SHA512

    fc47fe700c0e4ae8d72be6f2925889c74e504ae60915007c3753311f08067f88bc08e15591cfd535948a52c25d208cd605c20d29b9ec16dde7d45242da5611b3

  • SSDEEP

    24576:2sR3lMiam9l7rdJczfYx3wH7JnrqKsscuq7N9CgexI9SQ//ZKpvcvoXXK8FzAMif:2sh1fazfi3Khrc37zV0nK8FzAp+nW

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 1 IoCs
  • Isrstealer family
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe"
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Users\Admin\AppData\Local\Temp\LOL.exe
        "C:\Users\Admin\AppData\Local\Temp\LOL.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2456
      • C:\Users\Admin\AppData\Local\Temp\718i.exe
        "C:\Users\Admin\AppData\Local\Temp\718i.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\718i.exe
          "C:\Users\Admin\AppData\Local\Temp\718i.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Users\Admin\AppData\Local\Temp\718i.exe
            "C:\Users\Admin\AppData\Local\Temp\718i.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2868

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\718i.exe

    Filesize

    748KB

    MD5

    4ad5c92226d68166345f7c93029e9804

    SHA1

    f75e9d3b9008471738b50dd25bdbb2ac1852ea9f

    SHA256

    2ce05c615ec9e68e4b0ea851a6e13a607ce388a1a50e2b204309fbfec9caee17

    SHA512

    2558b48c4dc557f0561b331b6f9881c48d3d9873d464a8eaf24fff55b8f21ce5d9c466b83cbdd1e23e601908dbabfe524d054bf73d709621bd8df300b36b271b

  • \Users\Admin\AppData\Local\Temp\LOL.exe

    Filesize

    584KB

    MD5

    faeba776a31577433922a73082aaa37b

    SHA1

    a7b0030ddb9b3ae2c7175025d4818f9b2a751144

    SHA256

    9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f

    SHA512

    2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

  • \Users\Admin\AppData\Local\Temp\Server.exe

    Filesize

    76KB

    MD5

    1c8edc14b76f5b9783e4f62bef8293d9

    SHA1

    a990ea76e858bcdbfbaeb3c6c607a1d2b37c46d9

    SHA256

    253f790773a69e4ddfa003332a96161bbadc2880bcf574c99e9f4e77a3db15d1

    SHA512

    c00b55b018d4a75fb744bc1a5b942632300a2e73501481a0b6a34d84e4ecf0eea9a3f9c941dabfdbe709733f79e1a7af015866bd09686be5fbf5a85d708d8dc0

  • memory/2600-82-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

  • memory/2600-55-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

  • memory/2600-57-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

  • memory/2600-59-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

  • memory/2600-64-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

  • memory/2600-66-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

  • memory/2868-81-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

  • memory/2868-79-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

  • memory/2868-74-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

  • memory/2868-72-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

  • memory/2868-70-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

  • memory/2868-86-0x0000000000400000-0x0000000000492000-memory.dmp

    Filesize

    584KB

  • memory/2988-51-0x0000000000400000-0x000000000056C000-memory.dmp

    Filesize

    1.4MB

  • memory/2988-12-0x0000000000400000-0x000000000056C000-memory.dmp

    Filesize

    1.4MB

  • memory/2988-15-0x0000000000400000-0x000000000056C000-memory.dmp

    Filesize

    1.4MB

  • memory/2988-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2988-4-0x0000000000400000-0x000000000056C000-memory.dmp

    Filesize

    1.4MB

  • memory/2988-2-0x0000000000400000-0x000000000056C000-memory.dmp

    Filesize

    1.4MB

  • memory/2988-6-0x0000000000400000-0x000000000056C000-memory.dmp

    Filesize

    1.4MB