General

  • Target

    f11917a1cf23f82b158a40cb8590df9f_JaffaCakes118

  • Size

    143KB

  • Sample

    240415-p4ffqaeg59

  • MD5

    f11917a1cf23f82b158a40cb8590df9f

  • SHA1

    95441f11084b5e5b7daf684c5badcaf18e1698e5

  • SHA256

    9b5a2daa16f725ee53599a0d9bbcdfeff22ee3354f6e44b3ee1b83d3eb772668

  • SHA512

    77f3e4305fb41ea3dc69e5a0e0ef00426ffcdc759ce02ca95cb6a1d0562e6953417dcd85cef871303cb3953290759078397e042060b352175d1147ed39be8131

  • SSDEEP

    3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6co:7O/QJHZweEL/NOjCHm7FZZnc

Malware Config

Targets

    • Contacts a large number (15879) of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Writes file to system bin folder

MITRE ATT&CK Enterprise v15

Tasks