Analysis

  • max time kernel
    96s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/02/2025, 14:14

General

  • Target

    JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe

  • Size

    916KB

  • MD5

    132b351734a4dfd5912e57bcf26ca39e

  • SHA1

    916ea0c0258d3e95a5a59f1b18cfa4be482d45b4

  • SHA256

    23a71584bcd4228b7f6e93e5538a8cb88291d2a14a819c74bb4f247b0410e6e8

  • SHA512

    fbf4c2a2068984e342576ac46a31cac4ceecd0c5c47b53a2b1700073afef031fcbed5dc1a472b98ff4e65e3d21d48639d8960c4b601ed602ef714d3c3bc26b4e

  • SSDEEP

    24576:x94GN7fiIEAeLHJx0X7SgtR6lYo6aNj3q6Z5Os05jEZtYIViR710aHc4T:x94GN7fiIEAeLHJx0Xugt0xNj355lYjH

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer, written in Visual Basic.

  • ISR Stealer payload 4 IoCs
  • Isrstealer family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_132b351734a4dfd5912e57bcf26ca39e.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\LOL.exe
      "C:\Users\Admin\AppData\Local\Temp\LOL.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2912
    • C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
      "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
        "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4748
        • C:\Users\Admin\AppData\Local\Temp\lN3d3.exe
          "C:\Users\Admin\AppData\Local\Temp\lN3d3.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:3636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LOL.exe

    Filesize

    584KB

    MD5

    faeba776a31577433922a73082aaa37b

    SHA1

    a7b0030ddb9b3ae2c7175025d4818f9b2a751144

    SHA256

    9ea32a5cc6884ca0f02074fc2033f41c32bfeee0ab3609a40dbb3ec29cae4c4f

    SHA512

    2162e2e01842b999214f5a507361655e9e01fc793352be19c3d0d726697e2a028bd632774ecfb1ef39d362c9e78bc732477af64c174fbf24f16120de59483d29

  • C:\Users\Admin\AppData\Local\Temp\lN3d3.exe

    Filesize

    288KB

    MD5

    4ab7fcaea07e5e3ab8bc803b12d6c693

    SHA1

    933ae2233891e0d924a15ad185fa0c5f8aad39ad

    SHA256

    bd483739ee09e9e7869c8041fc636bd0ceac73b2ed105bf44a6e2ae9fb66c178

    SHA512

    dcbfd1a01cb0b2e5c1cc20973621897576da009662018fe22ebe64d76de7295d04731dc71d830f01038c9a25f5cdf9ea31f85b7910a0ce2765aba83b5d76bd8d

  • memory/3636-34-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3636-39-0x00007FFFE7A10000-0x00007FFFE7C05000-memory.dmp

    Filesize

    2.0MB

  • memory/3636-37-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3636-44-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3636-45-0x00007FFFE7A10000-0x00007FFFE7C05000-memory.dmp

    Filesize

    2.0MB

  • memory/3636-48-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4748-28-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/4748-31-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/4748-38-0x00007FFFE7A10000-0x00007FFFE7C05000-memory.dmp

    Filesize

    2.0MB

  • memory/4748-40-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB