Analysis
- max time kernel: 141s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/03/2025, 13:45
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
- Resource: win10v2004-20250314-en
General
- Target: JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
- Size: 120KB
- MD5: 7e4130e8bad56cf0a0b6d4e4f51f41d7
- SHA1: 1042bf5802d126fcd1e227f896f72eb4ee7e06f8
- SHA256: 185fcd0ddf477ce30895530e926b599509452bddcfa7d1525a81b0e569c6e14b
- SHA512: 3a571ec8424d041a7b0288f5a94b838e18e052014a6ff9ce4e4237c4a522d3806f7d647d00a1376a27514e39a99d461f008d54bc53633eb21950f32080cc8196
- SSDEEP: 3072:dKDAfCDSmJDd1DKaAaSqE6uzlJdwuK0uuHdT2YvAR+nz:dRc1DKkO6uzbecf3nz
Malware Config
Signatures
- ISR Stealer
  ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.
- ISR Stealer payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3320-22-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
  behavioral2/memory/3320-25-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
  behavioral2/memory/3320-30-0x0000000000400000-0x0000000000414000-memory.dmp | family_isrstealer
- Isrstealer family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation | JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  4368 | keygen.exe
  1916 | xxxxx.exe
  3320 | xxxxx.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1916 set thread context of 3320 | 1916 | xxxxx.exe | 90
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | keygen.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxxxx.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxxxx.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  3320 | xxxxx.exe (the same entry is reported 8 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1916 | xxxxx.exe
  3320 | xxxxx.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 5280 wrote to memory of 4368 | 5280 | JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe | 88 (reported 3 times)
  PID 5280 wrote to memory of 1916 | 5280 | JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe | 89 (reported 3 times)
  PID 1916 wrote to memory of 3320 | 1916 | xxxxx.exe | 90 (reported 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe (depth 1, PID 5280)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e4130e8bad56cf0a0b6d4e4f51f41d7.exe"
  signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\keygen.exe (depth 2, PID 4368)
    command line: "C:\Users\Admin\AppData\Local\Temp\keygen.exe"
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\xxxxx.exe (depth 2, PID 1916)
    command line: "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xxxxx.exe (depth 3, PID 3320)
      command line: "C:\Users\Admin\AppData\Local\Temp\xxxxx.exe"
      signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
  MD5: 8a4390d407dff132c0a3ce7f470c8ce0
  SHA1: 7015aa43f5557896ce3b669633caa7415d49b024
  SHA256: b2e1b4d52669c8b2babdbdc15009796625a63734f1563aac51039bcca705af4a
  SHA512: 549ec0d7a69daf0b28a786244e33b276e9cb1d48df376f246f006f835d868fdb3c23a4a6455d3756b181396c94323ad440e038509c24bf2975e7e2ba5bf797f9
- Filesize: 148KB
  MD5: 207391f80d174bd03605c4004c63db48
  SHA1: 64e9978f35b5dfcbbd7e9e603b433b5a8f62c84e
  SHA256: b61ba63750044cd63b8956a9a68630452699d01c28b9b4227d02c0b33077cf0c
  SHA512: 0f62722280802a94ed31a6655f26b8341a262c70222828101c543eb37e52e1494aa3432612f4fe81eb30e8d2e0fa6373c0cda6c602f01180dcb6243c416bf674