Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/03/2025, 13:01

General

  • Target

    JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe

  • Size

    2.8MB

  • MD5

    7e2819ee5d4b6c85a23623599d6296d1

  • SHA1

    44cd2d86ba52202b11b171570237f6007019005f

  • SHA256

    037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d

  • SHA512

    53c893ab4bb386a87c6f84f8643105797a3b03b22bdbcd05cb13e8166d890d0e56d57eb5ad6290c8b8df4aa81845a77aa9b58d799041b3f17955eeee04398b3e

  • SSDEEP

    49152:sXi8Z3dnHh9GVXYWmr7IKDvYq3j/DW2VBaB0:

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 4 IoCs
  • Isrstealer family
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe
      "C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2896
    • C:\Users\Admin\AppData\Local\Temp\dll3.exe
      "C:\Users\Admin\AppData\Local\Temp\dll3.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\RG4FehwRxD.ini"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:536
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\obOSFLLNJj.ini"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2420

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RG4FehwRxD.ini

    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

  • C:\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\ShortcutAsk.ini

    Filesize

    449B

    MD5

    3778a879f81c1ea564bf788df05a1440

    SHA1

    570a1bd1b66a1c2689eab5f0e9143c2da532e30c

    SHA256

    6637155b192dd47a574e17df216338cad28ef81e513076d19354bfabf22909df

    SHA512

    ff40627f2709ac793c30d4b0f940e4ab3f77c114d1f174a008cb5106a458c428f47786280a9361442573b184a02618aa41daa5c8196ae677f2bdb7cd0430e265

  • C:\Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    40ec128b2690808c387b1ba94def63f5

    SHA1

    55220fb399164417b9910792d958463bc1ccd049

    SHA256

    f6ace0fa52d5aea30eb15337bb94108377338cdcc08bedf944b69aac1785aeb0

    SHA512

    b7c0f7eed49df58b0b2bcdfa8e4a5d26a71f3a3a8d873a5188586acde55540f0667328b20e7daea033c145e1c5cad390edd2722d0831b5da99d278a9b5b10c4a

  • \Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe

    Filesize

    1.7MB

    MD5

    179972cf4d030dcef96ab54f19e33fd1

    SHA1

    7fd0e9a351dd84e6cd0b35ff265e73659e7e2621

    SHA256

    1421dd4cde79403511f33731bd488ef1f8ffb82e7f10f99fa77f1eae12c23df3

    SHA512

    6ed3cfef47e2517b0e5ca2210c16df2b9d4d2d660896b58461dccae52b97417df7b9067a3f4ac2497bd1680b130d1f7c3721f011ba06ba709f754473f148c395

  • \Users\Admin\AppData\Local\Temp\dll3.exe

    Filesize

    311KB

    MD5

    acffd660aabd9b783ceeaa5fa8592708

    SHA1

    84df5ff0eef89f3aae125c6b9c4477358ae978a5

    SHA256

    9af536e7f0bf8abc46ad8f15e1988e5d2b25e230cf2480cc86918a46dc638aa9

    SHA512

    8ee30afa0ac3c5bc741354deafb30bed61cb1ae9748c6e7b21be8a3d51912cddd405b3c5727a2c792c9a45692051e9ebd5df306192246389493470317ba10f31

  • \Users\Admin\AppData\Local\Temp\fsSetup136s.exe

    Filesize

    1.8MB

    MD5

    1c22db154885c5f27659aa405437d547

    SHA1

    0c44c939e479fd9d680e753f541b301f81de41d9

    SHA256

    2b0d6ce75d59779372d5ade39dfacba563d78f068081a6fb399455060d47befa

    SHA512

    91988977a3736bae5df38194deb320ea55e4aa4453297f3634c66cd60010a30ff7d8bfa811d549e8554f30beeb069417a32b9a81722629b0d8828eda000c83e2

  • \Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\InstallOptions.dll

    Filesize

    15KB

    MD5

    8ea4a187f656fdc65f1cc256d3bf7ce3

    SHA1

    5d0789933890708986e1f8d23ac6b5d7a8ef61e4

    SHA256

    97591a15ccb7cc007820584f237e919db7a4e9383e9fcb8c16d79cfb95f7ca3c

    SHA512

    d47b592a5fd40f7ed158a7a91944f6464fb04fdbca796c13b29f518d43205382b75503d8702fc14c1dad47abacba34ef47371dfaa2443f6b61a1f9cf106064b8

  • \Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    e0423e0ff58a8c622b2ad11873337d03

    SHA1

    05d5f1c5b2091b8f654bfd8b63cf0681ae0ee8cf

    SHA256

    fbb5410516fd54982a0047ba69d555857d4df74f7df73fbf903e2e0c8c09e12a

    SHA512

    cae1520d290a4a7f26df2442ee4be66e2b24eb180b46b48fc55ddfe1d57e3d16acdf1290a7a235896a127135d2f0b1bee128d76dea1f39baafedc0794f4a1b73

  • \Users\Admin\AppData\Local\Temp\nsyD2F9.tmp\nsProcess.dll

    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

  • memory/536-146-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/536-143-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/536-144-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/536-145-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/536-150-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/1484-0-0x0000000074872000-0x0000000074874000-memory.dmp

    Filesize

    8KB

  • memory/1928-138-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1928-139-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1928-132-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1928-136-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1928-134-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1928-152-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1928-161-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2420-156-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2420-155-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2420-159-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2420-154-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2420-153-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB