General

  • Target

    2295a85e7cb15f71d312123e5ee3e06a_JaffaCakes118

  • Size

    3.4MB

  • Sample

    240508-br2xasah8z

  • MD5

    2295a85e7cb15f71d312123e5ee3e06a

  • SHA1

    2fc18b17604ae9c8c8316829ca20e0b670c640d9

  • SHA256

    7149b0e9e0c9bba01dd8740d2d5d6540e70b00bb98bb461b33847aaf97b67373

  • SHA512

    5d667aa43862ebf25f202c2bc8bee14df4e7d7a5ff85c9858721bbaa08e642c393223fc7a3ebda07b86a121a21c716c0f208bac156998ab8e77e632a50750661

  • SSDEEP

    49152:AAnjm0wVHwA1zKXr/TGS82RjqHszN+DvS7Cqelhk4n9vD9zY+VLG/KRxmTZ1Wg/t:vavr0XrrVNeS7Chlh77Y+xTqTZ1WEt

Malware Config

Extracted

Path

C:\$Recycle.Bin\ANIMUS_RESTORE2.txt

Ransom Note

<><><><><><><><><><><><><># animus locker #<><><><><><><><><><><><><>

SORRY! Your files are encrypted. File contents are encrypted with random key. Random key is encrypted with RSA public key (2048 bit).

We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price.

If you want to decrypt your files, you have to get RSA private key. In order to get private key, write here: [email protected]

######## !ATTENTION! Attach file is 000000000.key from %appdata% to email message, without it we will not be able to decrypt your files ########

And pay 100$ on 1G5TThb5tcJ3LQbF4C4Tibgd9y7m3iYPFH wallet

If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next.

<><><><><><><><><><><><><># animus locker #<><><><><><><><><><><><><>
Wallets

1G5TThb5tcJ3LQbF4C4Tibgd9y7m3iYPFH

Targets

    • Target

      41ff378dcb0c1eacc3766a868c8e0245782c7f849d6e78380c7799b7771f2e2b

    • Size

      380KB

    • MD5

      c9c4711355a76d5b6549cc89946a9b08

    • SHA1

      25159fcc503288bfd9565000b9ae24f1f1d4e5c8

    • SHA256

      41ff378dcb0c1eacc3766a868c8e0245782c7f849d6e78380c7799b7771f2e2b

    • SHA512

      5fca202356ff451b15a620b3df5b614a455c33b9ccd5bebc1c9d57714fb4e7cd4e7d61a467f7f1b3ea96a0dfa609cb295878b9583b3016539433c3ba46cc9ca1

    • SSDEEP

      6144:fsXp2SJ1JvKH2c+VW3v3AOco3L0K6lOFEGfykp2sSzbAnEHIgA/l:kZn1JvKHLMitLYNGfya2/3ASIt/l

    • Renames multiple (1940) files with added filename extension

      This suggests ransomware activity: the sample is encrypting files across the system and appending an extension to each one.

    • Drops file in Drivers directory

    • Modifies Installed Components in the registry

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks