Analysis
  max time kernel: 140s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240729-en
  resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  submitted: 17/03/2025, 13:45
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  Resource: win10v2004-20250314-en
General
  Target: JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  Size: 120KB
  MD5: 7e4130e8bad56cf0a0b6d4e4f51f41d7
  SHA1: 1042bf5802d126fcd1e227f896f72eb4ee7e06f8
  SHA256: 185fcd0ddf477ce30895530e926b599509452bddcfa7d1525a81b0e569c6e14b
  SHA512: 3a571ec8424d041a7b0288f5a94b838e18e052014a6ff9ce4e4237c4a522d3806f7d647d00a1376a27514e39a99d461f008d54bc53633eb21950f32080cc8196
  SSDEEP: 3072:dKDAfCDSmJDd1DKaAaSqE6uzlJdwuK0uuHdT2YvAR+nz:dRc1DKkO6uzbecf3nz
Malware Config
Signatures
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2724-33-0x0000000000400000-0x0000000000414000-memory.dmp   family_isrstealer
  behavioral1/memory/2724-44-0x0000000000400000-0x0000000000414000-memory.dmp   family_isrstealer

Isrstealer family
Executes dropped EXE (3 IoCs)
  pid   Process
  2448  keygen.exe
  292   xxxxx.exe
  2724  xxxxx.exe

Loads dropped DLL (14 IoCs)
  pid   Process
  3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  2448  keygen.exe
  2448  keygen.exe
  2448  keygen.exe
  3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  292   xxxxx.exe
  292   xxxxx.exe
  292   xxxxx.exe
  292   xxxxx.exe
  2724  xxxxx.exe
  2724  xxxxx.exe
  2724  xxxxx.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid  Process    procid_target
  PID 292 set thread context of 2724   292  xxxxx.exe  32

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  keygen.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xxxxx.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xxxxx.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2724  xxxxx.exe
  2724  xxxxx.exe
  2724  xxxxx.exe
  2724  xxxxx.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  292   xxxxx.exe
  2724  xxxxx.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  description                         pid   Process                                              procid_target
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 2448    3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  30
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 3016 wrote to memory of 292     3016  JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe  31
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
  PID 292 wrote to memory of 2724     292   xxxxx.exe                                            32
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe"
  PID: 3016
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\keygen.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
    PID: 2448
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\xxxxx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
    PID: 292
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\xxxxx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
      PID: 2724
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 148KB
  MD5: 207391f80d174bd03605c4004c63db48
  SHA1: 64e9978f35b5dfcbbd7e9e603b433b5a8f62c84e
  SHA256: b61ba63750044cd63b8956a9a68630452699d01c28b9b4227d02c0b33077cf0c
  SHA512: 0f62722280802a94ed31a6655f26b8341a262c70222828101c543eb37e52e1494aa3432612f4fe81eb30e8d2e0fa6373c0cda6c602f01180dcb6243c416bf674

  Filesize: 16KB
  MD5: 8a4390d407dff132c0a3ce7f470c8ce0
  SHA1: 7015aa43f5557896ce3b669633caa7415d49b024
  SHA256: b2e1b4d52669c8b2babdbdc15009796625a63734f1563aac51039bcca705af4a
  SHA512: 549ec0d7a69daf0b28a786244e33b276e9cb1d48df376f246f006f835d868fdb3c23a4a6455d3756b181396c94323ad440e038509c24bf2975e7e2ba5bf797f9