Analysis
Max time kernel: 96s
Max time network: 124s
Platform: windows10-2004_x64
Resource: win10v2004-20250217-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21/02/2025, 14:14
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
Size: 916KB
MD5: 132b351734a4dfd5912e57bcf26ca39e
SHA1: 916ea0c0258d3e95a5a59f1b18cfa4be482d45b4
SHA256: 23a71584bcd4228b7f6e93e5538a8cb88291d2a14a819c74bb4f247b0410e6e8
SHA512: fbf4c2a2068984e342576ac46a31cac4ceecd0c5c47b53a2b1700073afef031fcbed5dc1a472b98ff4e65e3d21d48639d8960c4b601ed602ef714d3c3bc26b4e
SSDEEP: 24576:x94GN7fiIEAeLHJx0X7SgtR6lYo6aNj3q6Z5Os05jEZtYIViR710aHc4T:x94GN7fiIEAeLHJx0Xugt0xNj355lYjH
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of the Hackhound Stealer, written in Visual Basic.
-
ISR Stealer payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3636-34-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
behavioral2/memory/3636-37-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
behavioral2/memory/3636-44-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
behavioral2/memory/3636-48-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
-
Isrstealer family
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
-
Executes dropped EXE (4 IoCs)
pid | Process
2912 | LOL.exe
3712 | lN3d3.exe
4748 | lN3d3.exe
3636 | lN3d3.exe
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
File opened for modification | \??\PhysicalDrive0 | lN3d3.exe
-
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3712 set thread context of 4748 | 3712 | lN3d3.exe | 88
PID 4748 set thread context of 3636 | 4748 | lN3d3.exe | 89
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LOL.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lN3d3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lN3d3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lN3d3.exe
-
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
3636 | lN3d3.exe (8 identical entries)
-
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
2556 | JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
2912 | LOL.exe
3712 | lN3d3.exe
4748 | lN3d3.exe
3636 | lN3d3.exe
-
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 2556 wrote to memory of 2912 | 2556 | JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe | 86 (3 identical entries)
PID 2556 wrote to memory of 3712 | 2556 | JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe | 87 (3 identical entries)
PID 3712 wrote to memory of 4748 | 3712 | lN3d3.exe | 88 (8 identical entries)
PID 4748 wrote to memory of 3636 | 4748 | lN3d3.exe | 89 (8 identical entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe"
  PID: 2556
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\LOL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LOL.exe"
    PID: 2912
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
    PID: 3712
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
      PID: 4748
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
        PID: 3636
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
Filesize: 584KB
MD5: faeba776a31577433922a73082aaa37b
SHA1: a7b0030ddb9b3ae2c7175025d4818f9b2a751144
SHA256: 9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f
SHA512: 2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

Download 2
Filesize: 288KB
MD5: 4ab7fcaea07e5e3ab8bc803b12d6c693
SHA1: 933ae2233891e0d924a15ad185fa0c5f8aad39ad
SHA256: bd483739ee09e9e7869c8041fc636bd0ceac73b2ed105bf44a6e2ae9fb66c178
SHA512: dcbfd1a01cb0b2e5c1cc20973621897576da009662018fe22ebe64d76de7295d04731dc71d830f01038c9a25f5cdf9ea31f85b7910a0ce2765aba83b5d76bd8d