Analysis
max time kernel: 104s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2025, 13:01
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Resource: win7-20241023-en
Behavioral task: behavioral2
Sample: JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Size: 2.8MB
MD5: 7e2819ee5d4b6c85a23623599d6296d1
SHA1: 44cd2d86ba52202b11b171570237f6007019005f
SHA256: 037a0339ca4b98fd007be379ec2c373581844440cfde32365a42551b0d38fb0d
SHA512: 53c893ab4bb386a87c6f84f8643105797a3b03b22bdbcd05cb13e8166d890d0e56d57eb5ad6290c8b8df4aa81845a77aa9b58d799041b3f17955eeee04398b3e
SSDEEP: 49152:sXi8Z3dnHh9GVXYWmr7IKDvYq3j/DW2VBaB0:
Malware Config
Signatures
-
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
-
ISR Stealer payload (4 IoCs)
resource | yara_rule
behavioral2/memory/4660-39-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral2/memory/4660-41-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral2/memory/4660-141-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
behavioral2/memory/4660-149-0x0000000000400000-0x0000000000442000-memory.dmp | family_isrstealer
-
Isrstealer family
-
Detected Nirsoft tools (2 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral2/memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral2/memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
-
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral2/memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | fsSetup136s.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
2736 | fsSetup136s.exe
3048 | dll3.exe
4572 | fsSetup136s.exe
-
Loads dropped DLL (3 IoCs)
pid | Process
4572 | fsSetup136s.exe
4572 | fsSetup136s.exe
4572 | fsSetup136s.exe
-
Uses the VBS compiler for execution (1 TTPs)
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 3048 set thread context of 4660 | 3048 | dll3.exe | 91
PID 4660 set thread context of 4540 | 4660 | vbc.exe | 92
PID 4660 set thread context of 2536 | 4660 | vbc.exe | 93
-
resource | yara_rule
behavioral2/memory/4540-45-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/4540-51-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/4540-47-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/4540-46-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral2/memory/2536-143-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/2536-144-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/2536-145-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/2536-148-0x0000000000400000-0x000000000041F000-memory.dmp | upx
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fsSetup136s.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fsSetup136s.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dll3.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4572 | fsSetup136s.exe
4572 | fsSetup136s.exe
4572 | fsSetup136s.exe
4572 | fsSetup136s.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4572 | fsSetup136s.exe
4660 | vbc.exe
-
Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
PID 2848 wrote to memory of 2736 | 2848 | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe | 87
PID 2848 wrote to memory of 2736 | 2848 | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe | 87
PID 2848 wrote to memory of 2736 | 2848 | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe | 87
PID 2848 wrote to memory of 3048 | 2848 | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe | 88
PID 2848 wrote to memory of 3048 | 2848 | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe | 88
PID 2848 wrote to memory of 3048 | 2848 | JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe | 88
PID 2736 wrote to memory of 4572 | 2736 | fsSetup136s.exe | 89
PID 2736 wrote to memory of 4572 | 2736 | fsSetup136s.exe | 89
PID 2736 wrote to memory of 4572 | 2736 | fsSetup136s.exe | 89
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 3048 wrote to memory of 4660 | 3048 | dll3.exe | 91
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 4540 | 4660 | vbc.exe | 92
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
PID 4660 wrote to memory of 2536 | 4660 | vbc.exe | 93
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e2819ee5d4b6c85a23623599d6296d1.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2848
  [2] C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fsSetup136s.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2736
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fsSetup136s.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        PID: 4572
  [2] C:\Users\Admin\AppData\Local\Temp\dll3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dll3.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3048
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4660
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\bACPbTgy5j.ini"
          - System Location Discovery: System Language Discovery
          PID: 4540
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: /scomma "C:\Users\Admin\AppData\Local\Temp\bAsP3p4dHo.ini"
          - Accesses Microsoft Outlook accounts
          - System Location Discovery: System Language Discovery
          PID: 2536
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.7MB
MD5: 179972cf4d030dcef96ab54f19e33fd1
SHA1: 7fd0e9a351dd84e6cd0b35ff265e73659e7e2621
SHA256: 1421dd4cde79403511f33731bd488ef1f8ffb82e7f10f99fa77f1eae12c23df3
SHA512: 6ed3cfef47e2517b0e5ca2210c16df2b9d4d2d660896b58461dccae52b97417df7b9067a3f4ac2497bd1680b130d1f7c3721f011ba06ba709f754473f148c395
-
Filesize: 5B
MD5: d1ea279fb5559c020a1b4137dc4de237
SHA1: db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256: fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512: 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize: 311KB
MD5: acffd660aabd9b783ceeaa5fa8592708
SHA1: 84df5ff0eef89f3aae125c6b9c4477358ae978a5
SHA256: 9af536e7f0bf8abc46ad8f15e1988e5d2b25e230cf2480cc86918a46dc638aa9
SHA512: 8ee30afa0ac3c5bc741354deafb30bed61cb1ae9748c6e7b21be8a3d51912cddd405b3c5727a2c792c9a45692051e9ebd5df306192246389493470317ba10f31
-
Filesize: 1.8MB
MD5: 1c22db154885c5f27659aa405437d547
SHA1: 0c44c939e479fd9d680e753f541b301f81de41d9
SHA256: 2b0d6ce75d59779372d5ade39dfacba563d78f068081a6fb399455060d47befa
SHA512: 91988977a3736bae5df38194deb320ea55e4aa4453297f3634c66cd60010a30ff7d8bfa811d549e8554f30beeb069417a32b9a81722629b0d8828eda000c83e2
-
Filesize: 15KB
MD5: 8ea4a187f656fdc65f1cc256d3bf7ce3
SHA1: 5d0789933890708986e1f8d23ac6b5d7a8ef61e4
SHA256: 97591a15ccb7cc007820584f237e919db7a4e9383e9fcb8c16d79cfb95f7ca3c
SHA512: d47b592a5fd40f7ed158a7a91944f6464fb04fdbca796c13b29f518d43205382b75503d8702fc14c1dad47abacba34ef47371dfaa2443f6b61a1f9cf106064b8
-
Filesize: 5KB
MD5: e0423e0ff58a8c622b2ad11873337d03
SHA1: 05d5f1c5b2091b8f654bfd8b63cf0681ae0ee8cf
SHA256: fbb5410516fd54982a0047ba69d555857d4df74f7df73fbf903e2e0c8c09e12a
SHA512: cae1520d290a4a7f26df2442ee4be66e2b24eb180b46b48fc55ddfe1d57e3d16acdf1290a7a235896a127135d2f0b1bee128d76dea1f39baafedc0794f4a1b73
-
Filesize: 436B
MD5: b8a4c5e1709cfee4f7447d9966b6be8c
SHA1: 5b50d94b44d3587aff9f8fe4caca561a988e3782
SHA256: 191346888e5536eeea10c4239c3e6fcfa643cdd2294cb75215c7e8d0df334af5
SHA512: 048237802ea448bf59ac8c334eed96ab8f85efb22b05d9fef14b9f53110da96aec829eb13e5b7f167c5b902c99ea7c9df669214c09fb525e6bc040772e74e9fa
-
Filesize: 1KB
MD5: ebc7395a58b541a0cec76fdb0ee4f542
SHA1: 172c75957a66feca9c8d663a00d1491a01e488e2
SHA256: b0dbb70428b31e7d030ebd1215af1ff6082e1c4120aafdffe66b4b4999b52171
SHA512: 49444f14a89e03ea373756b4d830b480242ec3c6892402c2ff97ca585d6ca6a383adb7a9724b94cd8ca666d5986798cdb5716d90ecb77464d6c75612cdc3cca1
-
Filesize: 4KB
MD5: f0438a894f3a7e01a4aae8d1b5dd0289
SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512: f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7