General

  • Target

    37a9d80141dc56998cfc13f109a9956e_JaffaCakes118

  • Size

    6.0MB

  • Sample

    240512-ce9l2sbc2t

  • MD5

    37a9d80141dc56998cfc13f109a9956e

  • SHA1

    a1d05a4aec8a1c7cad8b50035af02eb747768f22

  • SHA256

    3f3ba14bea218faacacf00b1c4ca9215c4fe0eb779a8748e444e736414081169

  • SHA512

    8665f688017e5aed201aff39a457a6acdc4d61277d345c66a9481234aaeb804a93784a17a2182a9de44ec218d21c4a33f03519939c96a40a47673b6445186c20

  • SSDEEP

    98304:mXz+dJwx89VNpI4BIXaLkoDeuFY2hqszgtpVWm9I5pp0giCvMR+Qhmo:+K8x89VQeIXaLkIJFZDMVr8k9R7

Targets

    • Target

      37a9d80141dc56998cfc13f109a9956e_JaffaCakes118

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Vidar Stealer

    • Modifies Installed Components in the registry

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to avoid running in certain locales.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often look for it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other account data.

    • Registers COM server for autorun

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Accesses 2FA software files, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.
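Added example, not part of the tria.ge report and not the sandbox's own detection code: a small Python triage that scores constructed Sysmon Event ID 13 (registry value set) records against the three persistence signatures raised above (Installed Components, file execution options, COM server autorun) and flags writers that ran from a drop directory, the pairing with "Executes dropped EXE". The registry paths each signature name is mapped to (Active Setup StubPath, Image File Execution Options Debugger, CLSID InprocServer32/LocalServer32) are my assumption about what those signatures cover, not something the report states; the event field names follow the Sysmon schema, and the file names, SID and GUIDs in the sample records are invented.

```python
import re

# Registry locations that the persistence signatures above refer to.
# Keys are the signature names as written in the report; values are
# case-insensitive regexes over Sysmon's TargetObject field. Mapping a
# signature name to a key path is my assumption; the report does not
# state which keys were written.
PERSISTENCE_SIGNATURES = {
    "Modifies Installed Components in the registry":
        r"\\Microsoft\\Active Setup\\Installed Components\\\{[^\\]+\}\\StubPath$",
    "Sets file execution options in registry":
        r"\\Image File Execution Options\\[^\\]+\\(Debugger|GlobalFlag|VerifierDlls)$",
    "Registers COM server for autorun":
        r"\\Classes\\CLSID\\\{[^\\]+\}\\(InprocServer32|LocalServer32)\\",
}

# Directories a dropped payload usually runs from. A persistence write
# by an image in one of these is the pairing with "Executes dropped EXE".
DROPPED_DIRS = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Windows\\Temp\\|Users\\Public\\)",
    re.IGNORECASE,
)

# Constructed Sysmon records (field names per the Sysmon schema; the
# paths, SID and GUIDs are invented for this example).
SAMPLE_EVENTS = [
    {   # IFEO hijack: any launch of notepad.exe would start the dropped file
        "EventID": 13,
        "Image": r"C:\Users\user\AppData\Local\Temp\build.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger",
        "Details": r"C:\Users\user\AppData\Local\Temp\build.exe",
    },
    {   # Active Setup StubPath set by a legitimate installer: matches the
        # signature but the writer is not from a drop directory
        "EventID": 13,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A0A0A0A-1111-2222-3333-444444444444}\StubPath",
        "Details": r"C:\Program Files\Vendor\setup.exe /configure",
    },
    {   # Per-user COM hijack: CLSID default server pointed at a dropped DLL
        "EventID": 13,
        "Image": r"C:\Users\user\AppData\Roaming\updater.exe",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID\{B5B5B5B5-1111-2222-3333-444444444444}\InprocServer32\(Default)",
        "Details": r"C:\Users\user\AppData\Roaming\core.dll",
    },
    {   # Key creation (Event ID 12) under IFEO: no value written, so ignored
        "EventID": 12,
        "Image": r"C:\Users\user\AppData\Local\Temp\build.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe",
    },
    {   # Ordinary Run-key write: persistence, but not one of the three
        # signatures this report raised, so no match here
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\app.exe",
        "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
        "Details": r"C:\Program Files\Vendor\app.exe",
    },
]


def match_event(event):
    """Return the signature names a single Sysmon record satisfies.

    Only Event ID 13 (a value being set) is considered: Sysmon does not
    log registry reads, so the report's read-side "Checks ..." signatures
    (country code, Uninstall keys, system information) need Procmon or
    API tracing rather than this event type.
    """
    if event.get("EventID") != 13:
        return []
    target = event.get("TargetObject", "")
    return [name for name, pattern in PERSISTENCE_SIGNATURES.items()
            if re.search(pattern, target, re.IGNORECASE)]


def triage(events):
    """Group matching records by signature and flag writers from drop dirs."""
    hits = {}
    for event in events:
        for name in match_event(event):
            hits.setdefault(name, []).append({
                "image": event["Image"],
                "target": event["TargetObject"],
                "from_dropped_dir": bool(DROPPED_DIRS.match(event["Image"])),
            })
    return hits


if __name__ == "__main__":
    for name, records in triage(SAMPLE_EVENTS).items():
        for r in records:
            flag = "DROPPED" if r["from_dropped_dir"] else "installed"
            print(f"[{flag}] {name}: {r['image']} -> {r['target']}")
```

On a real host, feed `triage()` the Sysmon operational log filtered to Event ID 13 instead of `SAMPLE_EVENTS`; the `from_dropped_dir` flag is what separates the msiexec-style legitimate Active Setup write from the same key being set by a file launched out of Temp or AppData.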
