Analysis

  • max time kernel
    104s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2025, 13:01

General

  • Target

    JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe

  • Size

    2.8MB

  • MD5

    7e2819ee5d4b6c85a23623599d6296d1

  • SHA1

    44cd2d86ba52202b11b171570237f6007019005f

  • SHA256

    037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d

  • SHA512

    53c893ab4bb386a87c6f84f8643105797a3b03b22bdbcd05cb13e8166d890d0e56d57eb5ad6290c8b8df4aa81845a77aa9b58d799041b3f17955eeee04398b3e

  • SSDEEP

    49152:sXi8Z3dnHh9GVXYWmr7IKDvYq3j/DW2VBaB0:

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer, written in Visual Basic.

  • ISR Stealer payload 4 IoCs
  • Isrstealer family
  • Detected Nirsoft tools 2 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe
      "C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4572
    • C:\Users\Admin\AppData\Local\Temp\dll3.exe
      "C:\Users\Admin\AppData\Local\Temp\dll3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4660
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\bACPbTgy5j.ini"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4540
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\bAsP3p4dHo.ini"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:2536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe

    Filesize

    1.7MB

    MD5

    179972cf4d030dcef96ab54f19e33fd1

    SHA1

    7fd0e9a351dd84e6cd0b35ff265e73659e7e2621

    SHA256

    1421dd4cde79403511f33731bd488ef1f8ffb82e7f10f99fa77f1eae12c23df3

    SHA512

    6ed3cfef47e2517b0e5ca2210c16df2b9d4d2d660896b58461dccae52b97417df7b9067a3f4ac2497bd1680b130d1f7c3721f011ba06ba709f754473f148c395

  • C:\Users\Admin\AppData\Local\Temp\bACPbTgy5j.ini

    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

  • C:\Users\Admin\AppData\Local\Temp\dll3.exe

    Filesize

    311KB

    MD5

    acffd660aabd9b783ceeaa5fa8592708

    SHA1

    84df5ff0eef89f3aae125c6b9c4477358ae978a5

    SHA256

    9af536e7f0bf8abc46ad8f15e1988e5d2b25e230cf2480cc86918a46dc638aa9

    SHA512

    8ee30afa0ac3c5bc741354deafb30bed61cb1ae9748c6e7b21be8a3d51912cddd405b3c5727a2c792c9a45692051e9ebd5df306192246389493470317ba10f31

  • C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe

    Filesize

    1.8MB

    MD5

    1c22db154885c5f27659aa405437d547

    SHA1

    0c44c939e479fd9d680e753f541b301f81de41d9

    SHA256

    2b0d6ce75d59779372d5ade39dfacba563d78f068081a6fb399455060d47befa

    SHA512

    91988977a3736bae5df38194deb320ea55e4aa4453297f3634c66cd60010a30ff7d8bfa811d549e8554f30beeb069417a32b9a81722629b0d8828eda000c83e2

  • C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\InstallOptions.dll

    Filesize

    15KB

    MD5

    8ea4a187f656fdc65f1cc256d3bf7ce3

    SHA1

    5d0789933890708986e1f8d23ac6b5d7a8ef61e4

    SHA256

    97591a15ccb7cc007820584f237e919db7a4e9383e9fcb8c16d79cfb95f7ca3c

    SHA512

    d47b592a5fd40f7ed158a7a91944f6464fb04fdbca796c13b29f518d43205382b75503d8702fc14c1dad47abacba34ef47371dfaa2443f6b61a1f9cf106064b8

  • C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    e0423e0ff58a8c622b2ad11873337d03

    SHA1

    05d5f1c5b2091b8f654bfd8b63cf0681ae0ee8cf

    SHA256

    fbb5410516fd54982a0047ba69d555857d4df74f7df73fbf903e2e0c8c09e12a

    SHA512

    cae1520d290a4a7f26df2442ee4be66e2b24eb180b46b48fc55ddfe1d57e3d16acdf1290a7a235896a127135d2f0b1bee128d76dea1f39baafedc0794f4a1b73

  • C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\ShortcutAsk.ini

    Filesize

    436B

    MD5

    b8a4c5e1709cfee4f7447d9966b6be8c

    SHA1

    5b50d94b44d3587aff9f8fe4caca561a988e3782

    SHA256

    191346888e5536eeea10c4239c3e6fcfa643cdd2294cb75215c7e8d0df334af5

    SHA512

    048237802ea448bf59ac8c334eed96ab8f85efb22b05d9fef14b9f53110da96aec829eb13e5b7f167c5b902c99ea7c9df669214c09fb525e6bc040772e74e9fa

  • C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\ioSpecial.ini

    Filesize

    1KB

    MD5

    ebc7395a58b541a0cec76fdb0ee4f542

    SHA1

    172c75957a66feca9c8d663a00d1491a01e488e2

    SHA256

    b0dbb70428b31e7d030ebd1215af1ff6082e1c4120aafdffe66b4b4999b52171

    SHA512

    49444f14a89e03ea373756b4d830b480242ec3c6892402c2ff97ca585d6ca6a383adb7a9724b94cd8ca666d5986798cdb5716d90ecb77464d6c75612cdc3cca1

  • C:\Users\Admin\AppData\Local\Temp\nseAAD7.tmp\nsProcess.dll

    Filesize

    4KB

    MD5

    f0438a894f3a7e01a4aae8d1b5dd0289

    SHA1

    b058e3fcfb7b550041da16bf10d8837024c38bf6

    SHA256

    30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

    SHA512

    f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

  • memory/2536-144-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2536-143-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2848-2-0x0000000074F60000-0x0000000075511000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-1-0x0000000074F60000-0x0000000075511000-memory.dmp

    Filesize

    5.7MB

  • memory/2848-0-0x0000000074F62000-0x0000000074F63000-memory.dmp

    Filesize

    4KB

  • memory/2848-20-0x0000000074F60000-0x0000000075511000-memory.dmp

    Filesize

    5.7MB

  • memory/3048-22-0x0000000074F60000-0x0000000075511000-memory.dmp

    Filesize

    5.7MB

  • memory/3048-44-0x0000000074F60000-0x0000000075511000-memory.dmp

    Filesize

    5.7MB

  • memory/3048-21-0x0000000074F60000-0x0000000075511000-memory.dmp

    Filesize

    5.7MB

  • memory/4540-46-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4540-47-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4540-51-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4540-49-0x0000000000460000-0x0000000000529000-memory.dmp

    Filesize

    804KB

  • memory/4540-45-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/4660-141-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/4660-41-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/4660-39-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/4660-149-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB