Analysis
  max time kernel:   142s
  max time network:  139s
  platform:          windows10-2004_x64
  resource:          win10v2004-20250217-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         28/02/2025, 07:06
Static task:      static1
Behavioral task:  behavioral1   sample: JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe   resource: win7-20240903-en
Behavioral task:  behavioral2   sample: JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe   resource: win10v2004-20250217-en

Every signature, memory dump and process listed below is tagged behavioral2, i.e. the Windows 10 run; no results from the Windows 7 run (behavioral1) appear on this page.
General
  Target:  JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
  Size:    1.5MB
  MD5:     325beb263217def7c4bd2bf3236e2f16
  SHA1:    c4f532eac3791f39952b3097a812b018237cad85
  SHA256:  4939e272199eac93aeb81e063c368dcd228b59cbe82522e893b1d47badaf421e
  SHA512:  a1a2347fe964c2884b4b9ddd560248550c12857e77f0d485aa0da900922d682770f6b505258f8a51d8cd2769b4bbf4f5eb2a225fbd9862ee08bffa1364972874
  SSDEEP:  24576:uHYxbvHwDr6Y/Hicgp/lUBuW6iefshRdrEAbm4z:u4xcD/6h0BuydYAm4z
Malware Config
Signatures

ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer, written in Visual Basic.

ISR Stealer payload  (1 IoC)
  resource                                      yara_rule
  behavioral2/files/0x0004000000022774-43.dat   family_isrstealer

Isrstealer family
Detected Nirsoft tools  (2 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource                                                                      yara_rule
  behavioral2/memory/628-72-0x0000000000400000-0x000000000041F000-memory.dmp    Nirsoft
  behavioral2/memory/628-73-0x0000000000400000-0x000000000041F000-memory.dmp    Nirsoft

NirSoft MailPassView  (2 IoCs)
  Password recovery tool for various email clients
  resource                                                                      yara_rule
  behavioral2/memory/628-72-0x0000000000400000-0x000000000041F000-memory.dmp    MailPassView
  behavioral2/memory/628-73-0x0000000000400000-0x000000000041F000-memory.dmp    MailPassView

  Both rule sets hit the same dumps: the image range 0x400000-0x41F000 of PID 628 (the second Server.exe child). That is the process whose command line carries a NirSoft /scomma export switch and which opens the Outlook account key below, so MailPassView is running inside that hollowed Server.exe rather than as a separate file on disk.
Checks computer location settings  (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, most likely for a geofence check.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation   sermini.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
Executes dropped EXE  (5 IoCs)
  pid    Process
  3848   sermini.exe
  2108   keygen.exe
  4040   Server.exe
  2308   Server.exe
  628    Server.exe

Reads user/profile data of web browsers  (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts  (1 TTP, 1 IoC)
  description   ioc                                                                                                                Process
  Key opened    \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   Server.exe
Suspicious use of SetThreadContext  (2 IoCs)
  description                            pid    Process      procid_target
  PID 4040 set thread context of 2308    4040   Server.exe   95
  PID 4040 set thread context of 628     4040   Server.exe   103

UPX  (yara rule: upx, 9 IoCs; the signature title did not survive extraction, only the rule name)
  resource                                                                       yara_rule
  behavioral2/memory/2308-57-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral2/memory/2308-62-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral2/memory/2308-56-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral2/memory/2308-55-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral2/memory/2308-53-0x0000000000400000-0x0000000000453000-memory.dmp    upx
  behavioral2/memory/628-72-0x0000000000400000-0x000000000041F000-memory.dmp     upx
  behavioral2/memory/628-71-0x0000000000400000-0x000000000041F000-memory.dmp     upx
  behavioral2/memory/628-69-0x0000000000400000-0x000000000041F000-memory.dmp     upx
  behavioral2/memory/628-73-0x0000000000400000-0x000000000041F000-memory.dmp     upx

  The upx hits are all in the image ranges of the two SetThreadContext targets (PIDs 2308 and 628), not in the parent 4040: the code injected into each child is UPX-packed, and the two children have different image sizes (0x53000 vs 0x1F000), so they carry two different payloads.
Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                         Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   keygen.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Server.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Server.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Server.exe
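The two location-related signatures above (Geo\Nation and NLS\Language) fire on raw kernel registry paths that embed the user's SID and a numbered control set, which is why a naive string match on HKCU\... or CurrentControlSet misses them in sandbox or Sysmon telemetry. The following is an added example, not code from tria.ge or from the sample's authors: it normalizes native registry paths, then flags only processes that read these keys from a user-writable image path, because a binary under C:\Windows reading NLS\Language is routine. The event tuples are constructed for the example; the registry paths and process names are the report's, while the PID-to-image pairing is taken from the process tree and the explorer.exe control row is invented as a benign baseline.

```python
import re

# Constructed registry-access events in the shape a sandbox trace or Sysmon
# Event ID 12/13 gives: (pid, image path, native registry path). Paths and
# process names come from the report; the pid/image pairing is an assumption
# taken from the process tree, and the explorer.exe row is a made-up benign control.
EVENTS = [
    (1356, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe",
     r"\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation"),
    (3848, r"C:\Users\Admin\AppData\Local\Temp\sermini.exe",
     r"\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation"),
    (1356, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (2108, r"C:\Users\Admin\AppData\Local\Temp\keygen.exe",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (4040, r"C:\Users\Admin\AppData\Roaming\Server.exe",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (912, r"C:\Windows\explorer.exe",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

# Native registry paths as the kernel (and therefore a sandbox or Sysmon) records them.
# Per-user hives carry the caller's SID, so the same key looks different on every
# host; collapse it to HKCU so one rule matches all users.
_HIVE_MAP = [
    (re.compile(r"^\\REGISTRY\\MACHINE\\", re.I), r"HKLM\\"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-[0-9-]+_Classes\\", re.I), r"HKCU\\Software\\Classes\\"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-[0-9-]+\\", re.I), r"HKCU\\"),
]
# ControlSet001/002 are what CurrentControlSet resolves to; fold them together.
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.I)


def normalize_regpath(path: str) -> str:
    """Rewrite a native \\REGISTRY\\... path into the HKLM/HKCU form rules are written in."""
    for pat, repl in _HIVE_MAP:
        if pat.match(path):
            path = pat.sub(repl, path, count=1)
            break
    return _CONTROLSET.sub(r"\\CurrentControlSet\\", path)


# The keys the two signatures fire on, in normalized lower-case form
# (the registry is case-insensitive, so the lookup must be too).
LOCATION_KEYS = {
    r"hkcu\control panel\international\geo\nation": "Geo\\Nation (country GEOID, geofence check)",
    r"hklm\system\currentcontrolset\control\nls\language": "NLS\\Language (system language discovery)",
}

# Droppers and their payloads live under the user profile; the same key read by
# a binary under C:\Windows is normal OS behaviour and is deliberately not flagged.
_USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def image_is_user_writable(image: str) -> bool:
    return bool(_USER_WRITABLE.match(image))


def flag_location_discovery(events):
    """Return {pid: (image, [reasons])} for processes that run from a
    user-writable path and read a location or language key."""
    hits = {}
    for pid, image, regpath in events:
        reason = LOCATION_KEYS.get(normalize_regpath(regpath).lower())
        if reason is None or not image_is_user_writable(image):
            continue
        hits.setdefault(pid, (image, []))[1].append(reason)
    return hits


if __name__ == "__main__":
    for pid, (image, reasons) in sorted(flag_location_discovery(EVENTS).items()):
        print(f"PID {pid}  {image}")
        for reason in reasons:
            print(f"    reads {reason}")
```

On the report's events this flags 1356, 3848, 2108 and 4040 and ignores the explorer.exe control. Treat the result as a weighting factor, not a verdict: the signature text itself only says "likely geofence", and plenty of legitimate installers read NLS\Language.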
Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
  pid    Process
  2108   keygen.exe

Suspicious use of AdjustPrivilegeToken  (3 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              1356   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe
  Token: 33                            5020   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    5020   AUDIODG.EXE

  Only the first row matters: SeDebugPrivilege in the dropper (PID 1356) is what lets it operate on other processes. AUDIODG.EXE is the Windows audio service host and adjusts its own token on every run; its two rows are background noise from the analysis VM.

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid    Process
  4040   Server.exe

Suspicious use of WriteProcessMemory  (24 IoCs, grouped by source/target pair)
  description                          count   pid    Process                                               procid_target
  PID 1356 wrote to memory of 3848     2       1356   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe   91
  PID 1356 wrote to memory of 2108     3       1356   JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe   92
  PID 3848 wrote to memory of 4040     3       3848   sermini.exe                                           94
  PID 4040 wrote to memory of 2308     8       4040   Server.exe                                            95
  PID 4040 wrote to memory of 628      8       4040   Server.exe                                            103

  The two or three writes per pair for 3848, 2108 and 4040 are what ordinary process creation itself produces and carry no signal. The eight writes each into 2308 and 628, paired with a SetThreadContext on the same target, are the injection: 4040 spawns a copy of its own binary, overwrites its memory and redirects its thread before it runs.
Processes

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe  (PID 1356)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\sermini.exe  (PID 3848, child of 1356)
      command line: "C:\Users\Admin\AppData\Local\Temp\sermini.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Server.exe  (PID 4040, child of 3848)
        command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Server.exe  (PID 2308, child of 4040)
          command line: /scomma "C:\Users\Admin\AppData\Local\Temp\YepJRFPamx.ini"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Roaming\Server.exe  (PID 628, child of 4040)
          command line: /scomma "C:\Users\Admin\AppData\Local\Temp\mQhEdtQsZi.ini"
          - Executes dropped EXE
          - Accesses Microsoft Outlook accounts
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\keygen.exe  (PID 2108, child of 1356)
      command line: "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam

  C:\Windows\system32\AUDIODG.EXE  (PID 5020)
    command line: C:\Windows\system32\AUDIODG.EXE 0x504 0x518
    - Suspicious use of AdjustPrivilegeToken

  The chain is dropper (1356) -> sermini.exe (3848) -> Server.exe (4040), with keygen.exe (2108) as the decoy the victim is meant to see. PIDs 2308 and 628 are the two hollowed copies of Server.exe: their command lines are nothing but a NirSoft /scomma switch, which writes the tool's output as a comma-separated file. PID 628 is identified by the memory rules as MailPassView and opens the Outlook account key; the page does not identify the payload in PID 2308. The two .ini files in Temp are the harvested output and are the first artifacts to collect from an infected host.
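The SetThreadContext and WriteProcessMemory signatures, together with the process tree, describe one pattern worth detecting generically: a parent spawns a child, writes into it and then sets its thread context, and the child's command line is a NirSoft export switch naming the file the stolen data goes to. The following is an added example, not code from tria.ge or from the sample: it rebuilds that logic over a process list and API event list constructed from the report (same PIDs, images, command lines and write counts), separates hollowing from the handful of writes that ordinary process creation itself produces, and extracts the export path. The /s* switch list is the NirSoft family of "save report" options; the helper names and the event tuple shape are this example's own.

```python
import re
from collections import Counter

# Process list reconstructed from the report's tree: pid -> (ppid, image, command line).
# Command lines are quoted as the report prints them; the two /scomma children
# really do carry only the switch, with no image path in front of it.
PROCS = {
    1356: (None, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_325beb263217def7c4bd2bf3236e2f16.exe"'),
    3848: (1356, r"C:\Users\Admin\AppData\Local\Temp\sermini.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\sermini.exe"'),
    2108: (1356, r"C:\Users\Admin\AppData\Local\Temp\keygen.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\keygen.exe"'),
    4040: (3848, r"C:\Users\Admin\AppData\Roaming\Server.exe",
           r'"C:\Users\Admin\AppData\Roaming\Server.exe"'),
    2308: (4040, r"C:\Users\Admin\AppData\Roaming\Server.exe",
           r'/scomma "C:\Users\Admin\AppData\Local\Temp\YepJRFPamx.ini"'),
    628:  (4040, r"C:\Users\Admin\AppData\Roaming\Server.exe",
           r'/scomma "C:\Users\Admin\AppData\Local\Temp\mQhEdtQsZi.ini"'),
}

# Cross-process API events as the signatures list them: (api, source pid, target pid),
# repeated with the same counts the report shows (2, 3, 3, 8, 8 writes).
API_EVENTS = (
    [("WriteProcessMemory", 1356, 3848)] * 2
    + [("WriteProcessMemory", 1356, 2108)] * 3
    + [("WriteProcessMemory", 3848, 4040)] * 3
    + [("WriteProcessMemory", 4040, 2308)] * 8 + [("SetThreadContext", 4040, 2308)]
    + [("WriteProcessMemory", 4040, 628)] * 8 + [("SetThreadContext", 4040, 628)]
)

# NirSoft's command-line tools share one family of "save report" switches; the
# argument is the file the harvested data is written to.
NIRSOFT_EXPORT = re.compile(
    r'/(?:scomma|stext|stab|stabular|shtml|sverhtml|sxml)\s+"?([^"]+?)"?\s*$', re.I)


def nirsoft_export_target(cmdline: str):
    """Return the output path named by a NirSoft /s* switch, or None if there is none."""
    m = NIRSOFT_EXPORT.search(cmdline)
    return m.group(1) if m else None


def _write_counts(api_events):
    return Counter((s, d) for api, s, d in api_events if api == "WriteProcessMemory")


def _context_targets(api_events):
    return {(s, d) for api, s, d in api_events if api == "SetThreadContext"}


def find_hollowing(procs, api_events):
    """One finding per child whose creator wrote into it and then set its thread
    context: the child's original code was replaced before it ever ran."""
    writes = _write_counts(api_events)
    findings = []
    for src, dst in _context_targets(api_events):
        if src not in procs or dst not in procs:
            continue
        ppid, image, cmdline = procs[dst]
        if ppid != src:
            continue  # injection into a process it did not spawn is a different technique, not handled here
        findings.append({
            "injector": src,
            "target": dst,
            "image": image,
            # child is a fresh copy of the injector's own binary (self-hollowing)
            "same_image": procs[src][1].lower() == image.lower(),
            "writes": writes[(src, dst)],
            "export_file": nirsoft_export_target(cmdline),
        })
    return sorted(findings, key=lambda f: f["target"])


def plain_spawns(procs, api_events):
    """Parent->child pairs that only saw the few writes process creation itself
    causes and no SetThreadContext: ordinary launches, not injection."""
    ctx = _context_targets(api_events)
    return sorted(pair for pair, n in _write_counts(api_events).items()
                  if pair not in ctx and n <= 3)


if __name__ == "__main__":
    for f in find_hollowing(PROCS, API_EVENTS):
        print(f"PID {f['injector']} hollowed PID {f['target']} ({f['writes']} writes, "
              f"same image: {f['same_image']}) -> export file: {f['export_file']}")
    print("plain spawns:", plain_spawns(PROCS, API_EVENTS))
```

Run against the report's data this yields two findings, both from PID 4040, both into copies of its own image, each with eight writes and an export path under Temp, and three plain spawns (1356 to 3848 and 2108, 3848 to 4040). The write threshold in plain_spawns is tuned to this sandbox's telemetry; on live Sysmon data use Event ID 8/10 access masks instead, since Sysmon does not log WriteProcessMemory counts directly.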
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize:  5B
  MD5:       d1ea279fb5559c020a1b4137dc4de237
  SHA1:      db6f8988af46b56216a6f0daf95ab8c9bdb57400
  SHA256:    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
  SHA512:    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

  Filesize:  136KB
  MD5:       257b6fe60f7372701bc91dc83b2609a5
  SHA1:      417a75c5288dc120e4b887f0cddd14b6c27336a5
  SHA256:    e94be473fa9e08d386a08bba11f219e4ab730c112ca916d572726c26750f6b53
  SHA512:    0f465f4cebcee649b0ed2a864138d5d75242e828fb2c5cda0c2cc64f6d622bca3d4243d4ebcfc79ed677caa9e1f0062112bb9a59d7df550420fd3c12e5e81201

  Filesize:  1.2MB
  MD5:       45d775dc475cd0fe65d96e57beb58acd
  SHA1:      93491ac5bb503a1022e2004e0b5ff0434f9bcea1
  SHA256:    7797c2591a0051b65422b5919ecf9764b0e8f601cea40fe1afa21985d8216a0e
  SHA512:    3394c1e0612c3514afd711c0ddb8098b61c54494177d8df757e0cb6b2ff12ed058151d16bfc3d6913d9624b268e64114f914d4003db99f69357f5696e26cb621

  Filesize:  260KB
  MD5:       339e91d3f17423499c0f387b45c8b460
  SHA1:      7bc91865d6a1477d2a7461d2e9347e77e17107ed
  SHA256:    03ec9e4d5f402f7d7397652e68530ca6a390c0c396a8677e2b3416af66bcf526
  SHA512:    2cd0fea98d45f85e8358c51bc49b78bf9fe448231c0ac9c56bf4accb2a0ea8f21e8434065b082125972e95b48c931acc2938ddaac7f0b5f151623536bd44066b