Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 148s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2025, 07:36
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
Size: 1.6MB
MD5: 2977a60c2152fd24dc5aac6e88de8049
SHA1: 8715bb5732eed4ec20eed1dd31d731197763e4fb
SHA256: 460ab58bc9a6f47d54403e74511e24f2e499081fb3af6ba9b92ddc337cc8feaa
SHA512: fc47fe700c0e4ae8d72be6f2925889c74e504ae60915007c3753311f08067f88bc08e15591cfd535948a52c25d208cd605c20d29b9ec16dde7d45242da5611b3
SSDEEP: 24576:2sR3lMiam9l7rdJczfYx3wH7JnrqKsscuq7N9CgexI9SQ//ZKpvcvoXXK8FzAMif:2sh1fazfi3Khrc37zV0nK8FzAp+nW
Malware Config
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (1 IoC)
resource                                      yara_rule
behavioral1/files/0x00080000000164ab-20.dat   family_isrstealer

Isrstealer family
Executes dropped EXE (5 IoCs)
pid   Process
3016  Server.exe
2456  LOL.exe
2728  718i.exe
2600  718i.exe
2868  718i.exe

Loads dropped DLL (8 IoCs)
pid   Process
2988  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe (6 loads)
2728  718i.exe
2600  718i.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
File opened for modification   \??\PhysicalDrive0   718i.exe
Both IoCs are handles to the raw disk opened for modification; the report does not show what, if anything, was written to sector 0.
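After an IoC like this, the follow-up on a live host is to read sector 0 and compare it with a known-good copy. The script below is an added example, not code from the tria.ge report or from the sample: it parses a 512-byte MBR (boot signature, disk signature, partition table) and hashes the 440-byte bootstrap area against a baseline, which is the part a bootkit replaces. The sector it parses is constructed inside the script so it runs offline; the read_physical_drive0 helper and the \\.\PhysicalDrive0 path (the Win32 name for the NT path \??\PhysicalDrive0 in the report) are assumptions about how the real sector would be obtained on Windows, where the read needs administrator rights.

```python
r"""Parse a 512-byte MBR sector and compare its boot code with a baseline.

Added example, not code from the tria.ge report or from the sample. The sector
is constructed here so the script runs offline; on a live Windows host the same
bytes come from r"\\.\PhysicalDrive0" (the Win32 name for the NT path
\??\PhysicalDrive0 in the report) and reading it requires administrator rights.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440                               # boot code; bytes 440-443 hold the disk signature
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"                      # status, CHS start, type, CHS end, LBA start, sectors
PART_ENTRY_LEN = struct.calcsize(PART_ENTRY_FMT)  # 16
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a well-formed MBR with one active NTFS partition (sample data, not a real disk)."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_signature = struct.pack("<I", 0x1234ABCD)   # arbitrary sample value
    entry0 = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry0 + b"\x00" * (PART_ENTRY_LEN * 3)  # three empty slots
    sector = code + disk_signature + b"\x00\x00" + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def read_physical_drive0() -> bytes:
    """Read sector 0 of the first disk on Windows (elevated prompt required); not called in the demo."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature, disk id, non-empty partition entries and a hash of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for index in range(4):
        off = PART_TABLE_OFF + index * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue                                  # unused slot
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
    }


def mbr_findings(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Checks a responder runs after a 'PhysicalDrive0 opened for modification' IoC.

    The baseline hash comes from a sector captured before the incident or from a
    golden image; a bootkit replaces the boot code, so that comparison is the key check.
    """
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # stub boot code (sample)
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 32)        # different boot code
    print("clean:", mbr_findings(clean, baseline))
    print("tampered:", mbr_findings(tampered, baseline))
```

The partition-table and signature checks catch clumsy overwrites; a bootkit that keeps the table intact and only swaps the first 440 bytes is caught only by the baseline hash, which is why the baseline has to come from a sector captured before the incident rather than from the host under investigation.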
Suspicious use of SetThreadContext (3 IoCs)
description                           pid   Process                                              procid_target
PID 2100 set thread context of 2988   2100  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe   31
PID 2728 set thread context of 2600   2728  718i.exe                                             36
PID 2600 set thread context of 2868   2600  718i.exe                                             37
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  718i.exe (3 opens)
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe (2 opens)
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Server.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LOL.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
3016  Server.exe (4 entries)

Suspicious use of SetWindowsHookEx (7 IoCs)
pid   Process
2100  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
2988  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
3016  Server.exe
2456  LOL.exe
2728  718i.exe
2600  718i.exe
2868  718i.exe
Suspicious use of WriteProcessMemory (39 IoCs)
Identical rows are grouped; the last column is how many times each row appears.
description                        pid   Process                                              procid_target   rows
PID 2100 wrote to memory of 2988   2100  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe   31              9
PID 2988 wrote to memory of 3016   2988  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe   32              4
PID 2988 wrote to memory of 2456   2988  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe   33              4
PID 2988 wrote to memory of 2728   2988  JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe   34              4
PID 2728 wrote to memory of 2600   2728  718i.exe                                             36              9
PID 2600 wrote to memory of 2868   2600  718i.exe                                             37              9
Processes
Indented one level per parent/child step (depth 1 to 5 in the original tree).

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2100

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe"
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2988

    C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 3016

    C:\Users\Admin\AppData\Local\Temp\LOL.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LOL.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2456

    C:\Users\Admin\AppData\Local\Temp\718i.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\718i.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2728

      C:\Users\Admin\AppData\Local\Temp\718i.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\718i.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2600

        C:\Users\Admin\AppData\Local\Temp\718i.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\718i.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2868
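Read together, the SetThreadContext rows, the WriteProcessMemory rows and the process tree show the RunPE pattern three times: each hollowed child runs the same image as its parent, receives 9 writes and then a thread-context change (2100 into 2988, 2728 into 2600, 2600 into 2868), whereas the three children PID 2988 merely spawns (Server.exe, LOL.exe, 718i.exe) receive 4 writes and no context change. The script below is an added example, not code from the tria.ge report or from the sample: it transcribes this report's PID/image mapping and event rows (write counts condensed) and reconstructs the hollowing lineages, so the same logic can be run over another report's rows. The labels "hollowed"/"spawned" and the threshold (any write plus a SetThreadContext) are this example's own choices.

```python
"""Reconstruct process-hollowing chains from tria.ge SetThreadContext/WriteProcessMemory rows.

Added example, not code from the tria.ge report or from the sample. PROCESSES and
EVENTS are transcribed from this report; the per-pair write counts condense the
39 individual WriteProcessMemory rows.
"""

PROCESSES = {   # PID -> image name, from the report's process tree
    2100: "JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe",
    2988: "JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe",
    3016: "Server.exe",
    2456: "LOL.exe",
    2728: "718i.exe",
    2600: "718i.exe",
    2868: "718i.exe",
}

EVENTS = [      # (api, source pid, target pid, number of rows in the report)
    ("SetThreadContext", 2100, 2988, 1),
    ("SetThreadContext", 2728, 2600, 1),
    ("SetThreadContext", 2600, 2868, 1),
    ("WriteProcessMemory", 2100, 2988, 9),
    ("WriteProcessMemory", 2988, 3016, 4),
    ("WriteProcessMemory", 2988, 2456, 4),
    ("WriteProcessMemory", 2988, 2728, 4),
    ("WriteProcessMemory", 2728, 2600, 9),
    ("WriteProcessMemory", 2600, 2868, 9),
]


def cross_process_edges(events):
    """Aggregate per (source, target) pair: total writes, and whether the thread context was replaced."""
    edges = {}
    for api, src, dst, rows in events:
        edge = edges.setdefault((src, dst), {"writes": 0, "set_context": False})
        if api == "WriteProcessMemory":
            edge["writes"] += rows
        elif api == "SetThreadContext":
            edge["set_context"] = True
    return edges


def classify_edges(processes, events):
    """Label each pair 'hollowed' (writes plus SetThreadContext: RunPE, ATT&CK T1055.012)
    or 'spawned' (only the few writes CreateProcess itself makes into a fresh child)."""
    result = {}
    for (src, dst), edge in cross_process_edges(events).items():
        label = "hollowed" if edge["set_context"] and edge["writes"] > 0 else "spawned"
        result[(src, dst)] = {
            "label": label,
            "writes": edge["writes"],
            # a parent hollowing a fresh copy of its own image is the classic self-RunPE layout
            "same_image": processes[src] == processes[dst],
        }
    return result


def hollowing_chains(processes, events):
    """Follow hollowed edges from each root to its leaf; one list per lineage.

    Assumes each parent hollows at most one child, which holds for this report.
    """
    next_hop = {src: dst for (src, dst), v in classify_edges(processes, events).items()
                if v["label"] == "hollowed"}
    roots = sorted(src for src in next_hop if src not in next_hop.values())
    chains = []
    for root in roots:
        chain, seen = [root], {root}
        while chain[-1] in next_hop and next_hop[chain[-1]] not in seen:
            chain.append(next_hop[chain[-1]])
            seen.add(chain[-1])
        chains.append(chain)
    return chains


def summary(processes, events):
    """Triage lines: hollowing lineages first, then every cross-process edge."""
    lines = []
    for chain in hollowing_chains(processes, events):
        lines.append("hollowing chain: " + " -> ".join(f"{pid} {processes[pid]}" for pid in chain))
    for (src, dst), v in sorted(classify_edges(processes, events).items()):
        lines.append(f"{src} -> {dst} {processes[dst]}: {v['label']}, "
                     f"{v['writes']} writes, same image: {v['same_image']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(PROCESSES, EVENTS)))
```

Run as-is it prints the two lineages, JaffaCakes118 (2100 into 2988) and 718i.exe (2728 into 2600 into 2868), followed by all six edges. The practical point for detection is the combination: a parent that both writes into a child and calls SetThreadContext on it, especially when the child is a fresh copy of the parent's own image, is the hollowing signal; the write count alone is not, since CreateProcess produces a handful of cross-process writes for every ordinary child.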
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 748KB
MD5: 4ad5c92226d68166345f7c93029e9804
SHA1: f75e9d3b9008471738b50dd25bdbb2ac1852ea9f
SHA256: 2ce05c615ec9e68e4b0ea851a6e13a607ce388a1a50e2b204309fbfec9caee17
SHA512: 2558b48c4dc557f0561b331b6f9881c48d3d9873d464a8eaf24fff55b8f21ce5d9c466b83cbdd1e23e601908dbabfe524d054bf73d709621bd8df300b36b271b

Filesize: 584KB
MD5: faeba776a31577433922a73082aaa37b
SHA1: a7b0030ddb9b3ae2c7175025d4818f9b2a751144
SHA256: 9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f
SHA512: 2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

Filesize: 76KB
MD5: 1c8edc14b76f5b9783e4f62bef8293d9
SHA1: a990ea76e858bcdbfbaeb3c6c607a1d2b37c46d9
SHA256: 253f790773a69e4ddfa003332a96161bbadc2880bcf574c99e9f4e77a3db15d1
SHA512: c00b55b018d4a75fb744bc1a5b942632300a2e73501481a0b6a34d84e4ecf0eea9a3f9c941dabfdbe709733f79e1a7af015866bd09686be5fbf5a85d708d8dc0