General
- Target: 0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118
- Size: 2.0MB
- Sample: 240502-aahawsba2z
- MD5: 0cecd325ae1650c55eef63053bcd8f91
- SHA1: a60668f3d2a3791ba0337a08265817b8ff9d18e6
- SHA256: 2f78d296062361388f9c8b858d9c077cb0662c6d4fe38cb63d5e0dbcc804fdc0
- SHA512: 7b54b3bd43ee3b4026476ca1c826fcdc01454c58f4c9c8e1f187b6f84ebcd918902e43a9be132f65aa60356e8185654e49061ce034a41eb69758e4834a2cf4e6
- SSDEEP: 49152:cfby8aoRw1kkVMOj4Dd0lVaMK0CZNI4jfvkX71K:wbyKkVMfDClVpKHY7Y
Static task: static1
Behavioral task: behavioral1
- Sample: 0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
Malware Config
Targets
- Target: 0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118 (2.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- RedLine
  RedLine Stealer is an information-stealing malware family written in C# (.NET), first observed in early 2020; it harvests browser credentials, cookies and cryptocurrency wallet data and is sold as malware-as-a-service.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  VirtualBox guests expose ACPI tables whose subkeys carry the VBOX__ OEM identifier under HKLM\HARDWARE\ACPI (for example DSDT, FADT and RSDT); reading them is a common way to fingerprint the hypervisor.
- Checks BIOS information in registry
  BIOS values such as SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System often carry hypervisor vendor strings and are read to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications and can be used as a sandboxing environment; its presence is betrayed by keys such as HKCU\Software\Wine.
- Checks installed software on the system
  Enumerates entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to list the software installed on the system (analysis tools and a sparse install base both suggest a sandbox).
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Writes to the Master Boot Record (MBR)
  Bootkits write to sector 0 of the physical disk to gain persistence at a level below the operating system; a raw write that replaces the bootstrap code while keeping the partition table intact is the classic pattern.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.
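As an added example, not part of the tria.ge report and not tria.ge's own signature engine, the Python below maps simplified, constructed sandbox events (registry access, HTTP requests, a native API call and a raw disk write) to the signatures listed above. The event tuple format, the registry path patterns, the short IP-lookup host list and the sector-0 bytes are all assumptions made for illustration; the MBR region offsets and the ThreadHideFromDebugger value 0x11 are the documented on-disk layout and THREADINFOCLASS constant.

```python
"""Added example: map sandbox-style behavioural events to the signatures in
the report above.  Event format, rules and test data are illustrative
assumptions, not tria.ge's signature engine."""
import re
from urllib.parse import urlsplit

# Sector-0 layout: boot code, NT disk signature, 4 x 16-byte partition
# entries, then the 0x55AA boot signature (512 bytes in total).
MBR_SIZE = 512
REGIONS = {
    "bootstrap_code": slice(0, 440),
    "disk_signature": slice(440, 444),
    "partition_table": slice(446, 510),
    "boot_signature": slice(510, 512),
}
BOOT_SIGNATURE = b"\x55\xAA"
THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS value for NtSetInformationThread
# Short illustrative list of public IP-lookup hosts (assumption, not exhaustive).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

REGISTRY_RULES = [
    ("Identifies VirtualBox via ACPI registry values",
     re.compile(r"HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry",
     re.compile(r"HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)Bios", re.I)),
    ("Identifies Wine through registry keys",
     re.compile(r"HK(CU|LM)\\Software\\Wine(\\|$)", re.I)),
    ("Checks installed software on the system",
     re.compile(r"HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)),
]


def make_mbr(boot_code, disk_sig, partitions, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte sector 0 from its parts (used to build constructed test data)."""
    assert len(disk_sig) == 4 and len(partitions) == 64
    return boot_code.ljust(440, b"\x00") + disk_sig + b"\x00\x00" + partitions + signature


def mbr_regions_changed(baseline, written, offset=0):
    """Overlay a raw-disk write onto the baseline sector 0 and name the regions it alters."""
    sector = bytearray(baseline)
    sector[offset:offset + len(written)] = written[:MBR_SIZE - offset]
    sector = bytes(sector[:MBR_SIZE])
    return [name for name, region in REGIONS.items() if baseline[region] != sector[region]]


def triage(events, baseline_mbr):
    """Return {signature name: [evidence, ...]} for every event that matches a rule."""
    hits = {}

    def add(sig, evidence):
        hits.setdefault(sig, []).append(evidence)

    for op, target, data in events:
        if op.startswith("Reg"):
            for sig, pattern in REGISTRY_RULES:
                if pattern.search(target):
                    add(sig, f"{op} {target}")
        elif op in ("HttpGet", "HttpPost"):
            host = (urlsplit(target).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                add("Looks up external IP address via web service", target)
        elif op == "NtSetInformationThread":
            if data.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
                add("Suspicious use of NtSetInformationThreadHideFromDebugger", f"tid={data.get('tid')}")
        elif op == "WriteFile" and re.match(r"\\\\\.\\PhysicalDrive\d+$", target):
            if data["offset"] < MBR_SIZE:  # the write touches sector 0
                changed = mbr_regions_changed(baseline_mbr, data["data"], data["offset"])
                add("Writes to the Master Boot Record (MBR)",
                    f"{target} offset={data['offset']} changed={','.join(changed) or 'none'}")
    return hits


# Constructed baseline: a Windows-style sector 0 with one active NTFS partition.
PARTITION_1 = bytes.fromhex("80202100" "07FEFFFF" "00080000" "00F87F0C")
BASELINE_MBR = make_mbr(bytes.fromhex("33C08ED0BC007C"), b"\xDE\xAD\xBE\xEF", PARTITION_1 + bytes(48))
# Constructed bootkit write: boot code replaced, disk signature and partition table kept.
BOOTKIT_MBR = make_mbr(b"\xEB\x3C\x90BOOTKIT", b"\xDE\xAD\xBE\xEF", PARTITION_1 + bytes(48))

# Constructed events in a simplified (operation, target, data) form.
EVENTS = [
    ("RegQueryValue", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", {}),
    ("RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion", {}),
    ("RegOpenKey", r"HKCU\Software\Wine", {}),
    ("RegEnumKey", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", {}),
    ("RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", {}),  # no rule
    ("HttpGet", "http://api.ipify.org/", {}),
    ("HttpGet", "http://example.com/update.bin", {}),  # not an IP-lookup host
    ("NtSetInformationThread", "", {"tid": 1234, "ThreadInformationClass": 0x11}),
    ("WriteFile", r"\\.\PhysicalDrive0", {"offset": 0, "data": BOOTKIT_MBR}),
]

if __name__ == "__main__":
    for sig, evidence in triage(EVENTS, BASELINE_MBR).items():
        print(sig)
        for line in evidence:
            print("   ", line)
```

The MBR rule overlays the written bytes onto a baseline sector rather than just flagging the write, so a partial write (for example two bytes at offset 510 that clobber the boot signature) is reported by the region it hits; that distinction between "bootstrap code replaced, partition table preserved" and "disk made unbootable" is what an analyst wants to know when a raw disk write appears in a sandbox trace.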