Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118

  • Size

    2.0MB

  • Sample

    240502-aahawsba2z

  • MD5

    0cecd325ae1650c55eef63053bcd8f91

  • SHA1

    a60668f3d2a3791ba0337a08265817b8ff9d18e6

  • SHA256

    2f78d296062361388f9c8b858d9c077cb0662c6d4fe38cb63d5e0dbcc804fdc0

  • SHA512

    7b54b3bd43ee3b4026476ca1c826fcdc01454c58f4c9c8e1f187b6f84ebcd918902e43a9be132f65aa60356e8185654e49061ce034a41eb69758e4834a2cf4e6

  • SSDEEP

    49152:cfby8aoRw1kkVMOj4Dd0lVaMK0CZNI4jfvkX71K:wbyKkVMfDClVpKHY7Y

Malware Config

Targets

    • Target

      0cecd325ae1650c55eef63053bcd8f91_JaffaCakes118

    • Size

      2.0MB

    • MD5

      0cecd325ae1650c55eef63053bcd8f91

    • SHA1

      a60668f3d2a3791ba0337a08265817b8ff9d18e6

    • SHA256

      2f78d296062361388f9c8b858d9c077cb0662c6d4fe38cb63d5e0dbcc804fdc0

    • SHA512

      7b54b3bd43ee3b4026476ca1c826fcdc01454c58f4c9c8e1f187b6f84ebcd918902e43a9be132f65aa60356e8185654e49061ce034a41eb69758e4834a2cf4e6

    • SSDEEP

      49152:cfby8aoRw1kkVMOj4Dd0lVaMK0CZNI4jfvkX71K:wbyKkVMfDClVpKHY7Y

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks