Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    d4444398dcb1366ac99eb1074031d5db_JaffaCakes118

  • Size

    535KB

  • Sample

    240405-p5y98acf8x

  • MD5

    d4444398dcb1366ac99eb1074031d5db

  • SHA1

    abc8ce0f06f0d726b99e85818b29df163161725d

  • SHA256

    6127a09a636fac38861b7d547f31797ba41aaf9eccd825a580a27bdddd6c01d9

  • SHA512

    d53d544044407256768ced8b11e7e1eb795e133d206ab4d8b3d7eb95a673eff282f3e4360f0ac32132ff3743eff18854f4ce53288fa0a3df22c8634001075e4d

  • SSDEEP

    12288:ytniOAIi9Acns/kRq5bYmP5pQwvVJjQ0Jjck+ZLSpiooSOxpPZ4ZR6OpCVACHaGK:ytnXnd2REEMJDpQU7ttG07v

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      d4444398dcb1366ac99eb1074031d5db_JaffaCakes118

    • Size

      535KB

    • MD5

      d4444398dcb1366ac99eb1074031d5db

    • SHA1

      abc8ce0f06f0d726b99e85818b29df163161725d

    • SHA256

      6127a09a636fac38861b7d547f31797ba41aaf9eccd825a580a27bdddd6c01d9

    • SHA512

      d53d544044407256768ced8b11e7e1eb795e133d206ab4d8b3d7eb95a673eff282f3e4360f0ac32132ff3743eff18854f4ce53288fa0a3df22c8634001075e4d

    • SSDEEP

      12288:ytniOAIi9Acns/kRq5bYmP5pQwvVJjQ0Jjck+ZLSpiooSOxpPZ4ZR6OpCVACHaGK:ytnXnd2REEMJDpQU7ttG07v

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks