Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2025, 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
Size: 1.5MB
MD5: 325beb263217def7c4bd2bf3236e2f16
SHA1: c4f532eac3791f39952b3097a812b018237cad85
SHA256: 4939e272199eac93aeb81e063c368dcd228b59cbe82522e893b1d47badaf421e
SHA512: a1a2347fe964c2884b4b9ddd560248550c12857e77f0d485aa0da900922d682770f6b505258f8a51d8cd2769b4bbf4f5eb2a225fbd9862ee08bffa1364972874
SSDEEP: 24576:uHYxbvHwDr6Y/Hicgp/lUBuW6iefshRdrEAbm4z:u4xcD/6h0BuydYAm4z
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (1 IoC)
resource                                        yara_rule
behavioral1/files/0x0008000000018683-36.dat     family_isrstealer

Isrstealer family
Detected Nirsoft tools (2 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource                                                                      yara_rule
behavioral1/memory/1640-60-0x0000000000400000-0x000000000041F000-memory.dmp   Nirsoft
behavioral1/memory/1640-61-0x0000000000400000-0x000000000041F000-memory.dmp   Nirsoft

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource                                                                      yara_rule
behavioral1/memory/1640-60-0x0000000000400000-0x000000000041F000-memory.dmp   MailPassView
behavioral1/memory/1640-61-0x0000000000400000-0x000000000041F000-memory.dmp   MailPassView
Executes dropped EXE (5 IoCs)
pid    Process
2568   keygen.exe
1944   sermini.exe
2888   Server.exe
2796   Server.exe
1640   Server.exe

Loads dropped DLL (4 IoCs)
pid    Process                                               count
2196   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe    4
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description   ioc                                                                                                                         Process
Key opened    \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   Server.exe

Suspicious use of SetThreadContext (2 IoCs)
description                            pid    Process      procid_target
PID 2888 set thread context of 2796    2888   Server.exe   33
PID 2888 set thread context of 1640    2888   Server.exe   36
resource                                                                      yara_rule
behavioral1/memory/2796-44-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2796-43-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2796-42-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2796-40-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/2796-47-0x0000000000400000-0x0000000000453000-memory.dmp   upx
behavioral1/memory/1640-57-0x0000000000400000-0x000000000041F000-memory.dmp   upx
behavioral1/memory/1640-60-0x0000000000400000-0x000000000041F000-memory.dmp   upx
behavioral1/memory/1640-59-0x0000000000400000-0x000000000041F000-memory.dmp   upx
behavioral1/memory/1640-61-0x0000000000400000-0x000000000041F000-memory.dmp   upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    keygen.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Server.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Server.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Server.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
2568   keygen.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid    Process
Token: SeDebugPrivilege   2196   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid    Process
2888   Server.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description                        pid    Process                                               procid_target   count
PID 2196 wrote to memory of 1944   2196   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe    30              4
PID 2196 wrote to memory of 2568   2196   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe    31              4
PID 1944 wrote to memory of 2888   1944   sermini.exe                                           32              4
PID 2888 wrote to memory of 2796   2888   Server.exe                                            33              9
PID 2888 wrote to memory of 1640   2888   Server.exe                                            36              9
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe"
  PID: 2196
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\sermini.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\sermini.exe"
    PID: 1944
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Server.exe
      command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
      PID: 2888
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Server.exe
        command line: /scomma "C:\Users\Admin\AppData\Local\Temp\DaDaIdRwQx.ini"
        PID: 2796
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Users\Admin\AppData\Roaming\Server.exe
        command line: /scomma "C:\Users\Admin\AppData\Local\Temp\oNfloAEekj.ini"
        PID: 1640
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
        - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\keygen.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
    PID: 2568
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5B
MD5: d1ea279fb5559c020a1b4137dc4de237
SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Filesize: 136KB
MD5: 257b6fe60f7372701bc91dc83b2609a5
SHA1: 417a75c5288dc120e4b887f0cddd14b6c27336a5
SHA256: e94be473fa9e08d386a08bba11f219e4ab730c112ca916d572726c26750f6b53
SHA512: 0f465f4cebcee649b0ed2a864138d5d75242e828fb2c5cda0c2cc64f6d622bca3d4243d4ebcfc79ed677caa9e1f0062112bb9a59d7df550420fd3c12e5e81201

Filesize: 260KB
MD5: 339e91d3f17423499c0f387b45c8b460
SHA1: 7bc91865d6a1477d2a7461d2e9347e77e17107ed
SHA256: 03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526
SHA512: 2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b

Filesize: 1.2MB
MD5: 45d775dc475cd0fe65d96e57beb58acd
SHA1: 93491ac5bb503a1022e2004e0b5ff0434f9bcea1
SHA256: 7797c2591a0051b65422b5919ecf9764b0e8f601cea40fe1afa21985d8216a0e
SHA512: 3394c1e0612c3514afd711c0ddb8098b61c54494177d8df757e0cb6b2ff12ed058151d16bfc3d6913d9624b268e64114f914d4003db99f69357f5696e26cb621