Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 17/03/2025, 13:01
Static task
- static1
Behavioral task
- behavioral1
  - Sample: JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  - Resource: win7-20241023-en
Behavioral task
- behavioral2
  - Sample: JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  - Resource: win10v2004-20250314-en
General
- Target: JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
- Size: 2.8MB
- MD5: 7e2819ee5d4b6c85a23623599d6296d1
- SHA1: 44cd2d86ba52202b11b171570237f6007019005f
- SHA256: 037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d
- SHA512: 53c893ab4bb386a87c6f84f8643105797a3b03b22bdbcd05cb13e8166d890d0e56d57eb5ad6290c8b8df4aa81845a77aa9b58d799041b3f17955eeee04398b3e
- SSDEEP: 49152:sXi8Z3dnHh9GVXYWmr7IKDvYq3j/DW2VBaB0:
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (4 IoCs)
  resource  yara_rule
  behavioral1/memory/1928-136-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
  behavioral1/memory/1928-139-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
  behavioral1/memory/1928-152-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
  behavioral1/memory/1928-161-0x0000000000400000-0x0000000000442000-memory.dmp  family_isrstealer
- Isrstealer family
- Detected Nirsoft tools (2 IoCs)
  Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource  yara_rule
  behavioral1/memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
  behavioral1/memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp  Nirsoft
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  resource  yara_rule
  behavioral1/memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
  behavioral1/memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp  MailPassView
- Executes dropped EXE (3 IoCs)
  pid   Process
  2532  fsSetup136s.exe
  2404  dll3.exe
  2896  fsSetup136s.exe
- Loads dropped DLL (16 IoCs)
  pid   Process
  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  2532  fsSetup136s.exe
  2532  fsSetup136s.exe
  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  2404  dll3.exe
  2404  dll3.exe
  2404  dll3.exe
  2532  fsSetup136s.exe
  2532  fsSetup136s.exe
  2532  fsSetup136s.exe
  2896  fsSetup136s.exe
  2896  fsSetup136s.exe
  2896  fsSetup136s.exe
  2896  fsSetup136s.exe
  2896  fsSetup136s.exe
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  vbc.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description  pid  Process  procid_target
  PID 2404 set thread context of 1928  2404  dll3.exe  34
  PID 1928 set thread context of 536  1928  vbc.exe  35
  PID 1928 set thread context of 2420  1928  vbc.exe  37
- resource  yara_rule
  behavioral1/memory/536-143-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/536-145-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/536-144-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/536-146-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/536-150-0x0000000000400000-0x0000000000453000-memory.dmp  upx
  behavioral1/memory/2420-153-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral1/memory/2420-154-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral1/memory/2420-155-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral1/memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp  upx
  behavioral1/memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp  upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dll3.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fsSetup136s.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  fsSetup136s.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2896  fsSetup136s.exe
  2896  fsSetup136s.exe
  2896  fsSetup136s.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2896  fsSetup136s.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1928  vbc.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  description  pid  Process  procid_target
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2532  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  31
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 1484 wrote to memory of 2404  1484  JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe  32
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2532 wrote to memory of 2896  2532  fsSetup136s.exe  33
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 2404 wrote to memory of 1928  2404  dll3.exe  34
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 536  1928  vbc.exe  35
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
  PID 1928 wrote to memory of 2420  1928  vbc.exe  37
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe"
  PID: 1484
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe"
    PID: 2532
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe"
      PID: 2896
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
  C:\Users\Admin\AppData\Local\Temp\dll3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dll3.exe"
    PID: 2404
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 1928
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\RG4FehwRxD.ini"
        PID: 536
        - System Location Discovery: System Language Discovery
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\obOSFLLNJj.ini"
        PID: 2420
        - Accesses Microsoft Outlook accounts
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads