Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/02/2025, 16:17
Static task
- static1
Behavioral task
- behavioral1
  Sample: JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
  Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
- Size: 1.6MB
- MD5: 13c8388330ef35426067eb1126dc9e50
- SHA1: 93b517738e76404e5d30345e21a20e90845f929e
- SHA256: 2c110832981d01f0214ea91cc248e8110f1272d0eec82f416b9d5c1382ab330e
- SHA512: e13fce18c37ad6274667d37e01cd64fd8c6b9f972708ff0534c5856e198750a5efbb7fec2091e14551cf9bd8220745eb0a8f692119cd347a11f86eca57bb79ee
- SSDEEP: 49152:rvZebB0XQPgYKSCyHaPLNkkQNd7tNTAAr:jsbBJKSPHaDqkQN5DTAa
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
-
ISR Stealer payload 3 IoCs
resource                                                                          yara_rule
behavioral1/memory/43948-85670-0x0000000000400000-0x0000000000414000-memory.dmp   family_isrstealer
behavioral1/memory/43948-85667-0x0000000000400000-0x0000000000414000-memory.dmp   family_isrstealer
behavioral1/memory/43948-85681-0x0000000000400000-0x0000000000414000-memory.dmp   family_isrstealer
-
Isrstealer family
-
Executes dropped EXE 3 IoCs
pid    Process
2804   WirelessMon.exe
2728   lol.exe
43948  lol.exe
-
Loads dropped DLL 12 IoCs
pid    Process
2684   JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
2684   JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
2804   WirelessMon.exe
2804   WirelessMon.exe
2684   JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
2728   lol.exe
2728   lol.exe
2728   lol.exe
2728   lol.exe
43948  lol.exe
43948  lol.exe
43948  lol.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description                               pid    Process   procid_target
PID 2728 set thread context of 43948      2728   lol.exe   33
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                             Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     WirelessMon.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     lol.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     lol.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid    Process
43948  lol.exe
43948  lol.exe
43948  lol.exe
43948  lol.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
2728   lol.exe
43948  lol.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description                          pid    Process                                                procid_target   occurrences
PID 2684 wrote to memory of 2804     2684   JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe   30              7
PID 2684 wrote to memory of 2728     2684   JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe   31              7
PID 2728 wrote to memory of 43948    2728   lol.exe                                               33              11
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe"
  PID: 2684
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\WirelessMon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\WirelessMon.exe"
    PID: 2804
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\lol.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lol.exe"
    PID: 2728
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\lol.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lol.exe"
      PID: 43948
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.9MB
  MD5: 852a30b13c55f91c03c7d95affc352d2
  SHA1: a08cd26605043931bec9359f2db4f4e1f757500d
  SHA256: dbc90191fb29b76de336b49f822fff8d5c68717a497bee5212302a2ae0ffe7e1
  SHA512: f62ba038c91fde4096c9126a1ff763b610245deedc1d7f2589fcbdfbd99d8565d78f37248721464040f1ca795d2aea8f2ca0575e50b4fc45629b2dda803169b2
- Filesize: 223KB
  MD5: 81a53142e4c2449072cf3fe30da5125e
  SHA1: 8bb7d8412cdabca78cf35d3f884988a83f51b03d
  SHA256: 915ea44cfc6fe8417648d29ec180300f9e413c3d44e5afcf10627ebf42e77c19
  SHA512: 18d7d7d4556bda3f1cc63956873635882a164dfe47cc425585b398616041ac6f703af3b4599599e0d5dd4ef034b975b30e99700621e79acac5abb8dfb7514e0c