Analysis
max time kernel: 148s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2025, 07:36
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
Size: 1.6MB
MD5: 2977a60c2152fd24dc5aac6e88de8049
SHA1: 8715bb5732eed4ec20eed1dd31d731197763e4fb
SHA256: 460ab58bc9a6f47d54403e74511e24f2e499081fb3af6ba9b92ddc337cc8feaa
SHA512: fc47fe700c0e4ae8d72be6f2925889c74e504ae60915007c3753311f08067f88bc08e15591cfd535948a52c25d208cd605c20d29b9ec16dde7d45242da5611b3
SSDEEP: 24576:2sR3lMiam9l7rdJczfYx3wH7JnrqKsscuq7N9CgexI9SQ//ZKpvcvoXXK8FzAMif:2sh1fazfi3Khrc37zV0nK8FzAp+nW
Malware Config
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (1 IoC)
resource: behavioral2/files/0x0007000000023c94-11.dat; yara_rule: family_isrstealer

Isrstealer family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe)

Executes dropped EXE (5 IoCs)
PID 5036 Server.exe
PID 3016 LOL.exe
PID 64 718i.exe
PID 3932 718i.exe
PID 4860 718i.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification: \??\PhysicalDrive0 (process: JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe)
File opened for modification: \??\PhysicalDrive0 (process: 718i.exe)

Suspicious use of SetThreadContext (3 IoCs)
PID 404 (JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe) set thread context of PID 4080, procid_target 82
PID 64 (718i.exe) set thread context of PID 3932, procid_target 90
PID 3932 (718i.exe) set thread context of PID 4860, procid_target 91

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by 718i.exe (3 IoCs)
  by JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe (2 IoCs)
  by Server.exe (1 IoC)
  by LOL.exe (1 IoC)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
PID 5036 Server.exe (8 IoCs)

Suspicious use of SetWindowsHookEx (7 IoCs)
PID 404 JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
PID 4080 JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
PID 5036 Server.exe
PID 3016 LOL.exe
PID 64 718i.exe
PID 3932 718i.exe
PID 4860 718i.exe

Suspicious use of WriteProcessMemory (33 IoCs)
PID 404 (JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe) wrote to memory of PID 4080, procid_target 82 (8 IoCs)
PID 4080 (JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe) wrote to memory of PID 5036, procid_target 83 (3 IoCs)
PID 4080 (JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe) wrote to memory of PID 3016, procid_target 84 (3 IoCs)
PID 4080 (JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe) wrote to memory of PID 64, procid_target 85 (3 IoCs)
PID 64 (718i.exe) wrote to memory of PID 3932, procid_target 90 (8 IoCs)
PID 3932 (718i.exe) wrote to memory of PID 4860, procid_target 91 (8 IoCs)
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe"
  PID: 404
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2977a60c2152fd24dc5aac6e88de8049.exe"
    PID: 4080
    - Checks computer location settings
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Server.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      PID: 5036
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\LOL.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\LOL.exe"
      PID: 3016
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\718i.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\718i.exe"
      PID: 64
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\718i.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\718i.exe"
        PID: 3932
        - Executes dropped EXE
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\718i.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\718i.exe"
          PID: 4860
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
Filesize: 748KB
MD5: 4ad5c92226d68166345f7c93029e9804
SHA1: f75e9d3b9008471738b50dd25bdbb2ac1852ea9f
SHA256: 2ce05c615ec9e68e4b0ea851a6e13a607ce388a1a50e2b204309fbfec9caee17
SHA512: 2558b48c4dc557f0561b331b6f9881c48d3d9873d464a8eaf24fff55b8f21ce5d9c466b83cbdd1e23e601908dbabfe524d054bf73d709621bd8df300b36b271b

Download 2
Filesize: 584KB
MD5: faeba776a31577433922a73082aaa37b
SHA1: a7b0030ddb9b3ae2c7175025d4818f9b2a751144
SHA256: 9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f
SHA512: 2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

Download 3
Filesize: 76KB
MD5: 1c8edc14b76f5b9783e4f62bef8293d9
SHA1: a990ea76e858bcdbfbaeb3c6c607a1d2b37c46d9
SHA256: 253f790773a69e4ddfa003332a96161bbadc2880bcf574c99e9f4e77a3db15d1
SHA512: c00b55b018d4a75fb744bc1a5b942632300a2e73501481a0b6a34d84e4ecf0eea9a3f9c941dabfdbe709733f79e1a7af015866bd09686be5fbf5a85d708d8dc0