Analysis

  • max time kernel
    141s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17/03/2025, 13:45

General

  • Target

    JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe

  • Size

    120KB

  • MD5

    7e4130e8bad56cf0a0b6d4e4f51f41d7

  • SHA1

    1042bf5802d126fcd1e227f896f72eb4ee7e06f8

  • SHA256

    185fcd0ddf477ce30895530e926b599509452bddcfa7d1525a81b0e569c6e14b

  • SHA512

    3a571ec8424d041a7b0288f5a94b838e18e052014a6ff9ce4e4237c4a522d3806f7d647d00a1376a27514e39a99d461f008d54bc53633eb21950f32080cc8196

  • SSDEEP

    3072:dKDAfCDSmJDd1DKaAaSqE6uzlJdwuK0uuHdT2YvAR+nz:dRc1DKkO6uzbecf3nz

Malware Config

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 3 IoCs
  • Isrstealer family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5280
    • C:\Users\Admin\AppData\Local\Temp\keygen.exe
      "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4368
    • C:\Users\Admin\AppData\Local\Temp\xxxxx.exe
      "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Local\Temp\xxxxx.exe
        "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\keygen.exe

    Filesize

    16KB

    MD5

    8a4390d407dff132c0a3ce7f470c8ce0

    SHA1

    7015aa43f5557896ce3b669633caa7415d49b024

    SHA256

    b2e1b4d52669c8b2babdbdc15009796625a63734f1563aac51039bcca705af4a

    SHA512

    549ec0d7a69daf0b28a786244e33b276e9cb1d48df376f246f006f835d868fdb3c23a4a6455d3756b181396c94323ad440e038509c24bf2975e7e2ba5bf797f9

  • C:\Users\Admin\AppData\Local\Temp\xxxxx.exe

    Filesize

    148KB

    MD5

    207391f80d174bd03605c4004c63db48

    SHA1

    64e9978f35b5dfcbbd7e9e603b433b5a8f62c84e

    SHA256

    b61ba63750044cd63b8956a9a68630452699d01c28b9b4227d02c0b33077cf0c

    SHA512

    0f62722280802a94ed31a6655f26b8341a262c70222828101c543eb37e52e1494aa3432612f4fe81eb30e8d2e0fa6373c0cda6c602f01180dcb6243c416bf674

  • memory/3320-22-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3320-25-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3320-30-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4368-10-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4368-31-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB