Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118

  • Size

    22.8MB

  • Sample

    240512-rgaytsch48

  • MD5

    3a825b92079ef3b9546ef4e0cb68375e

  • SHA1

    1dcee4ff1a66a5832a08f1823661df7e8b331314

  • SHA256

    a780198a0feede3a91b8e794d8f2404b85ecb5a93298c38e5223413e1b61acaf

  • SHA512

    cacf238128f687d30e4b937a972e238affebcd3edfabc3f5df370ff17608449dd636a793043024fb2742d6643dc4c30c9f550695ed47166ec2bbb5df67f2ddc1

  • SSDEEP

    393216:qIud91VS6d2JNBHUxVmxMvNLYtvonjyOtVhEzoZfKeALtPmxHlKeYQtB:pS7hd2axxvNLYKm6hVa0TYQb

Malware Config

Targets

    • Target

      3a825b92079ef3b9546ef4e0cb68375e_JaffaCakes118

    • Size

      22.8MB

    • MD5

      3a825b92079ef3b9546ef4e0cb68375e

    • SHA1

      1dcee4ff1a66a5832a08f1823661df7e8b331314

    • SHA256

      a780198a0feede3a91b8e794d8f2404b85ecb5a93298c38e5223413e1b61acaf

    • SHA512

      cacf238128f687d30e4b937a972e238affebcd3edfabc3f5df370ff17608449dd636a793043024fb2742d6643dc4c30c9f550695ed47166ec2bbb5df67f2ddc1

    • SSDEEP

      393216:qIud91VS6d2JNBHUxVmxMvNLYtvonjyOtVhEzoZfKeALtPmxHlKeYQtB:pS7hd2axxvNLYKm6hVa0TYQb

    • Creates new service(s)

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/AnimGif.dll

    • Size

      9KB

    • MD5

      11e94fedb34f46458f9dc773a91f2770

    • SHA1

      791cf30880c74df9d6f7c1e637e4fdf5fa88b38a

    • SHA256

      54ccdcb42fb3e63b7a55e8c0e7d12182a0338ea38b106b793ca048000a189ab5

    • SHA512

      57dd38bebdd7d8fbc4b3daeecabc5c2617d4f5b2f6ad2396a702f1da362bc72deacfea2dd1550b0e00269188676324e1b7dd6ed372211c8bf664af824ac8d950

    • SSDEEP

      96:kVh/i//UrWWXMAb+6aNqRjTwUWo5zFyRH0aTyZekTIVCAEHZNKNy0p:uh/Bl8AIQR/bWSMRH00yQBEH

    Score
    3/10
    • Target

      $PLUGINSDIR/CCB_DM_LCD_32_silent.exe

    • Size

      2.2MB

    • MD5

      b02ffa6f60d9892d69e00b4b01c84390

    • SHA1

      358fb4e6a7be08b026490abcd5fbbfe8bf855318

    • SHA256

      cc925736b2aba91a8190ccbe61dc27ccfdbf6f7b1ff26399a2ddcbdc6da80eea

    • SHA512

      9e005259fc81dc2e9a6139ad7b74ff36358b389de79c404c61f4c89ab00b4032ded3cbce2701948be4d9aa184f0bc5137a0939138eb75905e4e8a10d1ab60009

    • SSDEEP

      49152:ZwwfGiPKVkPZ/NaOWYiN5BQgJOoT74STVdtGaEF6RZoZeQpeobuXw:Zwi3KVylawUshQsQdRE8LSeaq

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/GetVersion.dll

    • Size

      9KB

    • MD5

      b4cec45a9909c10a8d387c8eb72e8d0d

    • SHA1

      609e1ff7627aa88db0adbf79897fc8c786f42be5

    • SHA256

      aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8

    • SHA512

      337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a

    • SSDEEP

      96:MpH/9yVYGHuvJs7p/X6Tx+Jvpd6y6ycm6yHQXlBG4Hezi91Nhh+8Bi46AQ5VuNnZ:MZ/95yT7U4CuA1HNLBi46AQ5VuNxHi

    Score
    3/10
    • Target

      $PLUGINSDIR/KillProcDLL.dll

    • Size

      32KB

    • MD5

      83142eac84475f4ca889c73f10d9c179

    • SHA1

      dbe43c0de8ef881466bd74861b2e5b17598b5ce8

    • SHA256

      ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

    • SHA512

      1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

    • SSDEEP

      384:3rYz6grZodORNWATt4TBmlk5ooyzFh7BukAUdJoUtSOSR:3QggDWATWNCFh7BNddJoxO+

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      c17103ae9072a06da581dec998343fc1

    • SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    • SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    • SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      7579ade7ae1747a31960a228ce02e666

    • SHA1

      8ec8571a296737e819dcf86353a43fcf8ec63351

    • SHA256

      564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

    • SHA512

      a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmccbplugin.dll

    • Size

      118KB

    • MD5

      a88d3c80e9e1f850fe30c9b97557ea69

    • SHA1

      51b0a906439dda5d92a405f1f80acaaf6bf15881

    • SHA256

      969c6dc4526a539b2ef4fe8221f9fd0a0f2bc67d6de78057687d251634bd212c

    • SHA512

      33e36cdc92646e1045f4f64bc6586f134db9bdc671ed172ada848bac49d81eebdba9a7dd918b5179f8a1399919c0d4f8f8ef326b9df3f4d7bd327dc49b540874

    • SSDEEP

      3072:WdhPxVHs3DWng4UKMH6UHxDV41/O5dyigS:WdVxqSg4QH6cBV0W5g

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmccbplugin.dll.$1

    • Size

      118KB

    • MD5

      a88d3c80e9e1f850fe30c9b97557ea69

    • SHA1

      51b0a906439dda5d92a405f1f80acaaf6bf15881

    • SHA256

      969c6dc4526a539b2ef4fe8221f9fd0a0f2bc67d6de78057687d251634bd212c

    • SHA512

      33e36cdc92646e1045f4f64bc6586f134db9bdc671ed172ada848bac49d81eebdba9a7dd918b5179f8a1399919c0d4f8f8ef326b9df3f4d7bd327dc49b540874

    • SSDEEP

      3072:WdhPxVHs3DWng4UKMH6UHxDV41/O5dyigS:WdVxqSg4QH6cBV0W5g

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmwritecert.dll

    • Size

      606KB

    • MD5

      07b6d542a6ee05324bc1ad30ba361a19

    • SHA1

      f1d790c4e380be74a0647e432156810fe1f2e46c

    • SHA256

      4ed67712581a014e6d2e893e339ab16eeb13997f9a7cf54daa1d81fdb9dc43be

    • SHA512

      a0d987045950fd58379efaca23c78ad5756d31c58870030604c7a4493fb3b91f52f3e57e7aac92d39c453e2b4a659f28044b07565e916e248e92fa52ae7f11d2

    • SSDEEP

      12288:d2/f4sedpF4u5+IimdaKRLuF/unHyYbOR:d2/w9Eu5Rimdao6F/QyYaR

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmwritecert.dll.$1

    • Size

      606KB

    • MD5

      07b6d542a6ee05324bc1ad30ba361a19

    • SHA1

      f1d790c4e380be74a0647e432156810fe1f2e46c

    • SHA256

      4ed67712581a014e6d2e893e339ab16eeb13997f9a7cf54daa1d81fdb9dc43be

    • SHA512

      a0d987045950fd58379efaca23c78ad5756d31c58870030604c7a4493fb3b91f52f3e57e7aac92d39c453e2b4a659f28044b07565e916e248e92fa52ae7f11d2

    • SSDEEP

      12288:d2/f4sedpF4u5+IimdaKRLuF/unHyYbOR:d2/w9Eu5Rimdao6F/QyYaR

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/CheckP11.exe

    • Size

      45KB

    • MD5

      d9967301eb3c30324e05b2d53cea1622

    • SHA1

      d1d4f19850d81c7c7cd07e81b6bfab7c924f27af

    • SHA256

      9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a

    • SHA512

      22deb414b396eb311120a774d2f47756c8b3fa6d0b4d11c961172272879d8ba315355b51da9d884d65f5ba14f12fd36387fdb50f1abaadea9223394b138c54a3

    • SSDEEP

      768:z1Xb0lXlA94SUy/wgoHO0Zgv6v+x7yWlt+7/VQpjmLWMmlDbCt:z1u5fy/wtHO+gv65w+7VQpjmaDl/Ct

    Score
    1/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/CheckP11.exe.$1

    • Size

      45KB

    • MD5

      d9967301eb3c30324e05b2d53cea1622

    • SHA1

      d1d4f19850d81c7c7cd07e81b6bfab7c924f27af

    • SHA256

      9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a

    • SHA512

      22deb414b396eb311120a774d2f47756c8b3fa6d0b4d11c961172272879d8ba315355b51da9d884d65f5ba14f12fd36387fdb50f1abaadea9223394b138c54a3

    • SSDEEP

      768:z1Xb0lXlA94SUy/wgoHO0Zgv6v+x7yWlt+7/VQpjmLWMmlDbCt:z1u5fy/wtHO+gv65w+7VQpjmaDl/Ct

    Score
    1/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/InstallP11.exe

    • Size

      56KB

    • MD5

      4cf8946b95aaacc7397528f87f544931

    • SHA1

      ea453cca204512982e0f60d848e434e5f069bc94

    • SHA256

      690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1

    • SHA512

      f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207

    • SSDEEP

      768:mcAV80m0ZhJbkes1/x/IHfDSmaUwCPSVukCs61FTDi+BfuLWMmlDbCYx:pASR0GJ+f2m7PSUFS+FuaDl/CYx

    Score
    1/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/InstallP11.exe.$1

    • Size

      56KB

    • MD5

      4cf8946b95aaacc7397528f87f544931

    • SHA1

      ea453cca204512982e0f60d848e434e5f069bc94

    • SHA256

      690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1

    • SHA512

      f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207

    • SSDEEP

      768:mcAV80m0ZhJbkes1/x/IHfDSmaUwCPSVukCs61FTDi+BfuLWMmlDbCYx:pASR0GJ+f2m7PSUFS+FuaDl/CYx

    Score
    1/10
    • Target

      $SYSDIR/$SYSDIR/CCBDMBDI.dll

    • Size

      480KB

    • MD5

      f193cf67af971f235f316af24f200d86

    • SHA1

      3b22b8a07d0e4348a14a5b4a8288740e1780f5de

    • SHA256

      20c1c1f9bfc08e8068a259f99fadecad71084d252aa7a2fe7d23f69a1588bbd0

    • SHA512

      84db1b26898d696ad4741126c9856d740ef8d43c85f390a981029973c8adbfca47d432b8dcddfc0ba5c40dd93d810263d517feaa1b8924936a04178fed9da05b

    • SSDEEP

      12288:1rJfsfhzdC62CArzwAzVzMAuTa/VOZyZ8UUGU5VvNmhsSgqRsn7tp+a:1rJfwhACArzww/Vn8bvKgqRsd

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect
Score
7/10

behavioral1

discoveryevasionexecutionpersistencespywarestealervmprotect
Score
8/10

behavioral2

discoveryevasionexecutionpersistencespywarestealervmprotect
Score
8/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

persistence
Score
7/10

behavioral6

persistence
Score
7/10

behavioral7

Score
3/10

behavioral8

Score
3/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

Score
1/10

behavioral18

Score
3/10

behavioral19

Score
1/10

behavioral20

Score
3/10

behavioral21

Score
1/10

behavioral22

Score
3/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
5/10

behavioral32

Score
5/10