Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/02/2025, 16:17

General

  • Target

    JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe

  • Size

    1.6MB

  • MD5

    13c8388330ef35426067eb1126dc9e50

  • SHA1

    93b517738e76404e5d30345e21a20e90845f929e

  • SHA256

    2c110832981d01f0214ea91cc248e8110f1272d0eec82f416b9d5c1382ab330e

  • SHA512

    e13fce18c37ad6274667d37e01cd64fd8c6b9f972708ff0534c5856e198750a5efbb7fec2091e14551cf9bd8220745eb0a8f692119cd347a11f86eca57bb79ee

  • SSDEEP

    49152:rvZebB0XQPgYKSCyHaPLNkkQNd7tNTAAr:jsbBJKSPHaDqkQN5DTAa

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

  • ISR Stealer payload 3 IoCs
  • Isrstealer family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13c8388330ef35426067eb1126dc9e50.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\WirelessMon.exe
      "C:\Users\Admin\AppData\Local\Temp\WirelessMon.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2804
    • C:\Users\Admin\AppData\Local\Temp\lol.exe
      "C:\Users\Admin\AppData\Local\Temp\lol.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Users\Admin\AppData\Local\Temp\lol.exe
        "C:\Users\Admin\AppData\Local\Temp\lol.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:43948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\WirelessMon.exe

    Filesize

    3.9MB

    MD5

    852a30b13c55f91c03c7d95affc352d2

    SHA1

    a08cd26605043931bec9359f2db4f4e1f757500d

    SHA256

    dbc90191fb29b76de336b49f822fff8d5c68717a497bee5212302a2ae0ffe7e1

    SHA512

    f62ba038c91fde4096c9126a1ff763b610245deedc1d7f2589fcbdfbd99d8565d78f37248721464040f1ca795d2aea8f2ca0575e50b4fc45629b2dda803169b2

  • \Users\Admin\AppData\Local\Temp\lol.exe

    Filesize

    223KB

    MD5

    81a53142e4c2449072cf3fe30da5125e

    SHA1

    8bb7d8412cdabca78cf35d3f884988a83f51b03d

    SHA256

    915ea44cfc6fe8417648d29ec180300f9e413c3d44e5afcf10627ebf42e77c19

    SHA512

    18d7d7d4556bda3f1cc63956873635882a164dfe47cc425585b398616041ac6f703af3b4599599e0d5dd4ef034b975b30e99700621e79acac5abb8dfb7514e0c

  • memory/2684-9-0x0000000002F50000-0x0000000003359000-memory.dmp

    Filesize

    4.0MB

  • memory/2728-75956-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2804-71867-0x0000000000400000-0x0000000000809000-memory.dmp

    Filesize

    4.0MB

  • memory/2804-68945-0x0000000000D70000-0x0000000001179000-memory.dmp

    Filesize

    4.0MB

  • memory/2804-23-0x0000000000400000-0x0000000000809000-memory.dmp

    Filesize

    4.0MB

  • memory/2804-24-0x0000000000D70000-0x0000000001179000-memory.dmp

    Filesize

    4.0MB

  • memory/43948-85663-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/43948-85665-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/43948-85670-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/43948-85669-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/43948-85667-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/43948-85681-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB