General

  • Target

    3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118

  • Size

    23.9MB

  • Sample

    240512-v6xexabd65

  • MD5

    3b4bc58ccc9d3b7cc593bbf228255a3f

  • SHA1

    323f70c103705ce86db4309a0f6863fe0cf76e38

  • SHA256

    b64324cf3e3fe9e4d6dad9fc9da32b963a6d845f9e47473394ceb33eddac1fed

  • SHA512

    40e275c70355e32d46243ee11bf9de31241b13a7adfcf09c6f07571dabc918773ba47787cf209a926260c3dfbe38443cd7cc9285fd4df9eaa596f5e235f4deaf

  • SSDEEP

    393216:8K8zOUmoejKYL2uilJXPlJyu0s+3W2Qm/niWbZ4B9mESYfz9lJJIu5cpCqS1Guy:n8zD8KYGXPfX0x33QGp4jmEFzz5CCDy

Malware Config

Targets

    • Target

      3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118

    • Size

      23.9MB

    • MD5

      3b4bc58ccc9d3b7cc593bbf228255a3f

    • SHA1

      323f70c103705ce86db4309a0f6863fe0cf76e38

    • SHA256

      b64324cf3e3fe9e4d6dad9fc9da32b963a6d845f9e47473394ceb33eddac1fed

    • SHA512

      40e275c70355e32d46243ee11bf9de31241b13a7adfcf09c6f07571dabc918773ba47787cf209a926260c3dfbe38443cd7cc9285fd4df9eaa596f5e235f4deaf

    • SSDEEP

      393216:8K8zOUmoejKYL2uilJXPlJyu0s+3W2Qm/niWbZ4B9mESYfz9lJJIu5cpCqS1Guy:n8zD8KYGXPfX0x33QGp4jmEFzz5CCDy

    • Creates new service(s)

    • Stops running service(s)

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Adds Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/CCB_DM_LCD_32_silent.exe

    • Size

      4.2MB

    • MD5

      41eb203bdc4ad6aecac9ea2ccac4afd9

    • SHA1

      b6c35b4171581fc61a6c39cc8d2ccd54b22f4c86

    • SHA256

      d87e85a1cebd90e0fc680c5487488fe93a66d0c8b2f73c37705759a5f67a6bd2

    • SHA512

      ff15025671e5df2c75b315bdf81bd9de10d833c5189d35437cb38a38c80b4afcc24e060b05fe0d3e370b90ebe099afd930876a72a6c23ef57a473ffb94cf0e68

    • SSDEEP

      98304:oujyjE14MDuihGwBYJirNMVABqdFgugNvGBKwngx+IYe6Z:oAhqihNYJ0eweFgu4vGswg8

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/GetVersion.dll

    • Size

      9KB

    • MD5

      b4cec45a9909c10a8d387c8eb72e8d0d

    • SHA1

      609e1ff7627aa88db0adbf79897fc8c786f42be5

    • SHA256

      aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8

    • SHA512

      337e84ec8b5acec83091833d70ffb4828442467d82a044ec6986547d4d55c9e39a861f3d06fd76289dad81b98f44ef7fe70f449db5baa51699464a7d95cc301a

    • SSDEEP

      96:MpH/9yVYGHuvJs7p/X6Tx+Jvpd6y6ycm6yHQXlBG4Hezi91Nhh+8Bi46AQ5VuNnZ:MZ/95yT7U4CuA1HNLBi46AQ5VuNxHi

    Score
    3/10
    • Target

      $PLUGINSDIR/KillProcDLL.dll

    • Size

      32KB

    • MD5

      83142eac84475f4ca889c73f10d9c179

    • SHA1

      dbe43c0de8ef881466bd74861b2e5b17598b5ce8

    • SHA256

      ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

    • SHA512

      1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

    • SSDEEP

      384:3rYz6grZodORNWATt4TBmlk5ooyzFh7BukAUdJoUtSOSR:3QggDWATWNCFh7BNddJoxO+

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      00a0194c20ee912257df53bfe258ee4a

    • SHA1

      d7b4e319bc5119024690dc8230b9cc919b1b86b2

    • SHA256

      dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    • SHA512

      3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      1e8e11f465afdabe97f529705786b368

    • SHA1

      ea42bed65df6618c5f5648567d81f3935e70a2a0

    • SHA256

      7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b

    • SHA512

      16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmccbplugin.dll

    • Size

      118KB

    • MD5

      a88d3c80e9e1f850fe30c9b97557ea69

    • SHA1

      51b0a906439dda5d92a405f1f80acaaf6bf15881

    • SHA256

      969c6dc4526a539b2ef4fe8221f9fd0a0f2bc67d6de78057687d251634bd212c

    • SHA512

      33e36cdc92646e1045f4f64bc6586f134db9bdc671ed172ada848bac49d81eebdba9a7dd918b5179f8a1399919c0d4f8f8ef326b9df3f4d7bd327dc49b540874

    • SSDEEP

      3072:WdhPxVHs3DWng4UKMH6UHxDV41/O5dyigS:WdVxqSg4QH6cBV0W5g

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmccbplugin.dll.$1

    • Size

      118KB

    • MD5

      a88d3c80e9e1f850fe30c9b97557ea69

    • SHA1

      51b0a906439dda5d92a405f1f80acaaf6bf15881

    • SHA256

      969c6dc4526a539b2ef4fe8221f9fd0a0f2bc67d6de78057687d251634bd212c

    • SHA512

      33e36cdc92646e1045f4f64bc6586f134db9bdc671ed172ada848bac49d81eebdba9a7dd918b5179f8a1399919c0d4f8f8ef326b9df3f4d7bd327dc49b540874

    • SSDEEP

      3072:WdhPxVHs3DWng4UKMH6UHxDV41/O5dyigS:WdVxqSg4QH6cBV0W5g

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmwritecert.dll

    • Size

      606KB

    • MD5

      07b6d542a6ee05324bc1ad30ba361a19

    • SHA1

      f1d790c4e380be74a0647e432156810fe1f2e46c

    • SHA256

      4ed67712581a014e6d2e893e339ab16eeb13997f9a7cf54daa1d81fdb9dc43be

    • SHA512

      a0d987045950fd58379efaca23c78ad5756d31c58870030604c7a4493fb3b91f52f3e57e7aac92d39c453e2b4a659f28044b07565e916e248e92fa52ae7f11d2

    • SSDEEP

      12288:d2/f4sedpF4u5+IimdaKRLuF/unHyYbOR:d2/w9Eu5Rimdao6F/QyYaR

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmwritecert.dll.$1

    • Size

      606KB

    • MD5

      07b6d542a6ee05324bc1ad30ba361a19

    • SHA1

      f1d790c4e380be74a0647e432156810fe1f2e46c

    • SHA256

      4ed67712581a014e6d2e893e339ab16eeb13997f9a7cf54daa1d81fdb9dc43be

    • SHA512

      a0d987045950fd58379efaca23c78ad5756d31c58870030604c7a4493fb3b91f52f3e57e7aac92d39c453e2b4a659f28044b07565e916e248e92fa52ae7f11d2

    • SSDEEP

      12288:d2/f4sedpF4u5+IimdaKRLuF/unHyYbOR:d2/w9Eu5Rimdao6F/QyYaR

    Score
    3/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/CheckP11.exe

    • Size

      45KB

    • MD5

      d9967301eb3c30324e05b2d53cea1622

    • SHA1

      d1d4f19850d81c7c7cd07e81b6bfab7c924f27af

    • SHA256

      9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a

    • SHA512

      22deb414b396eb311120a774d2f47756c8b3fa6d0b4d11c961172272879d8ba315355b51da9d884d65f5ba14f12fd36387fdb50f1abaadea9223394b138c54a3

    • SSDEEP

      768:z1Xb0lXlA94SUy/wgoHO0Zgv6v+x7yWlt+7/VQpjmLWMmlDbCt:z1u5fy/wtHO+gv65w+7VQpjmaDl/Ct

    Score
    1/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/CheckP11.exe.$1

    • Size

      45KB

    • MD5

      d9967301eb3c30324e05b2d53cea1622

    • SHA1

      d1d4f19850d81c7c7cd07e81b6bfab7c924f27af

    • SHA256

      9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a

    • SHA512

      22deb414b396eb311120a774d2f47756c8b3fa6d0b4d11c961172272879d8ba315355b51da9d884d65f5ba14f12fd36387fdb50f1abaadea9223394b138c54a3

    • SSDEEP

      768:z1Xb0lXlA94SUy/wgoHO0Zgv6v+x7yWlt+7/VQpjmLWMmlDbCt:z1u5fy/wtHO+gv65w+7VQpjmaDl/Ct

    Score
    1/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/InstallP11.exe

    • Size

      56KB

    • MD5

      4cf8946b95aaacc7397528f87f544931

    • SHA1

      ea453cca204512982e0f60d848e434e5f069bc94

    • SHA256

      690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1

    • SHA512

      f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207

    • SSDEEP

      768:mcAV80m0ZhJbkes1/x/IHfDSmaUwCPSVukCs61FTDi+BfuLWMmlDbCYx:pASR0GJ+f2m7PSUFS+FuaDl/CYx

    Score
    1/10
    • Target

      $PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/InstallP11.exe.$1

    • Size

      56KB

    • MD5

      4cf8946b95aaacc7397528f87f544931

    • SHA1

      ea453cca204512982e0f60d848e434e5f069bc94

    • SHA256

      690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1

    • SHA512

      f4cc9da0a33760daa331da1c5d8c73f8cdd69b5c9ad76db4a76252b4898fb1ab01a35d9aa856d07a9771e0d8da175ccb569c1f17cb7986ecc599fbd3a4408207

    • SSDEEP

      768:mcAV80m0ZhJbkes1/x/IHfDSmaUwCPSVukCs61FTDi+BfuLWMmlDbCYx:pASR0GJ+f2m7PSUFS+FuaDl/CYx

    Score
    1/10
    • Target

      $SYSDIR/$SYSDIR/CCBDMBDI.dll

    • Size

      513KB

    • MD5

      193a33c6c16f816c22deb5d5738c7306

    • SHA1

      3e174015d9d87be3a213002c1a99228e9dc5b6ea

    • SHA256

      4c67fffcccdf3e51e110959b1df4fe67303737c4000f8bd33cd9e92d84daa681

    • SHA512

      b623655dd59084b2f9057c793e5b9ab9c6b8f3e627f9a0d871b0e4bdbff2486691cfa6b8f1a11177f127488c92d78725da6cfd52c741731fb65d3b303b8880d4

    • SSDEEP

      12288:HAfAAHChpsAx2uXeihpgZb78LYq7Mbr22bw6mgESjgSc:HLAuFFPgVvDbw6mgEhSc

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $SYSDIR/$SYSDIR/CCBDMBDI.dll.$1

    • Size

      513KB

    • MD5

      193a33c6c16f816c22deb5d5738c7306

    • SHA1

      3e174015d9d87be3a213002c1a99228e9dc5b6ea

    • SHA256

      4c67fffcccdf3e51e110959b1df4fe67303737c4000f8bd33cd9e92d84daa681

    • SHA512

      b623655dd59084b2f9057c793e5b9ab9c6b8f3e627f9a0d871b0e4bdbff2486691cfa6b8f1a11177f127488c92d78725da6cfd52c741731fb65d3b303b8880d4

    • SSDEEP

      12288:HAfAAHChpsAx2uXeihpgZb78LYq7Mbr22bw6mgESjgSc:HLAuFFPgVvDbw6mgEhSc

    Score
    5/10
    • Suspicious use of NtSetInformationThreadHideFromDebugger

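The dropped-file list above repeats several files under a `.$1` name with identical hashes, so exporting it as-is yields duplicate indicators. The Python below is an added example, not code from the report or from tria.ge: it transcribes the names, sizes, SHA256 values and per-target scores shown above into a table, merges entries by hash (keeping every name and the highest score), checks that every `.$1` copy really has a sibling with the same hash, and matches arbitrary bytes against the set. The grouping logic and the check are this example's own and assume nothing about how tria.ge stores its data.

```python
"""Consolidate the per-file Targets list of the report above into a unique IOC set.

Added example; it is not part of the original report or of the tria.ge service.
The records in TARGETS are transcribed from the report (name, size, SHA256 and
the per-target score where the page shows one). Everything else is this
example's own logic.
"""
import hashlib
import re
from collections import defaultdict

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# (name, size, sha256, score). Names are kept exactly as the report prints them,
# including the doubled directory prefix it uses for extracted files. The parent
# installer shows no per-target score on the page, hence None.
TARGETS = [
    ("3b4bc58ccc9d3b7cc593bbf228255a3f_JaffaCakes118", "23.9MB",
     "b64324cf3e3fe9e4d6dad9fc9da32b963a6d845f9e47473394ceb33eddac1fed", None),
    ("$PLUGINSDIR/CCB_DM_LCD_32_silent.exe", "4.2MB",
     "d87e85a1cebd90e0fc680c5487488fe93a66d0c8b2f73c37705759a5f67a6bd2", 7),
    ("$PLUGINSDIR/GetVersion.dll", "9KB",
     "aea495c63eb5aef15961c03a73213ac586830ced769f489b147e8076e59eb8c8", 3),
    ("$PLUGINSDIR/KillProcDLL.dll", "32KB",
     "ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729", 3),
    ("$PLUGINSDIR/System.dll", "11KB",
     "dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3", 3),
    ("$PLUGINSDIR/UserInfo.dll", "4KB",
     "7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b", 3),
    ("$PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmccbplugin.dll", "118KB",
     "969c6dc4526a539b2ef4fe8221f9fd0a0f2bc67d6de78057687d251634bd212c", 3),
    ("$PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmccbplugin.dll.$1", "118KB",
     "969c6dc4526a539b2ef4fe8221f9fd0a0f2bc67d6de78057687d251634bd212c", 3),
    ("$PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmwritecert.dll", "606KB",
     "4ed67712581a014e6d2e893e339ab16eeb13997f9a7cf54daa1d81fdb9dc43be", 3),
    ("$PROGRAMFILES/CCBComponents/Plugins/$PROGRAMFILES/CCBComponents/Plugins/npdmwritecert.dll.$1", "606KB",
     "4ed67712581a014e6d2e893e339ab16eeb13997f9a7cf54daa1d81fdb9dc43be", 3),
    ("$PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/CheckP11.exe", "45KB",
     "9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a", 1),
    ("$PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/CheckP11.exe.$1", "45KB",
     "9a925779dd06f34da1398d7d9f5209343c93e03cbcefbe0248c388af3c976c9a", 1),
    ("$PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/InstallP11.exe", "56KB",
     "690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1", 1),
    ("$PROGRAMFILES/CCBComponents/Plugins/CARoot/$PROGRAMFILES/CCBComponents/Plugins/CARoot/InstallP11.exe.$1", "56KB",
     "690eca7ebb28c4839e2971b5d268eab080c84a34eefff6a3ed1c80bd38b618b1", 1),
    ("$SYSDIR/$SYSDIR/CCBDMBDI.dll", "513KB",
     "4c67fffcccdf3e51e110959b1df4fe67303737c4000f8bd33cd9e92d84daa681", 5),
    ("$SYSDIR/$SYSDIR/CCBDMBDI.dll.$1", "513KB",
     "4c67fffcccdf3e51e110959b1df4fe67303737c4000f8bd33cd9e92d84daa681", 5),
]


def validate(targets):
    """Names whose SHA256 is not 64 lowercase hex digits; reject these before they reach a blocklist."""
    return [name for name, _, sha, _ in targets if not HEX64.match(sha)]


def consolidate(targets):
    """Group entries by SHA256, keeping every reported name and the highest score.

    Returns groups highest-scored first; the unscored parent sample sorts last.
    """
    groups = {}
    for name, size, sha, score in targets:
        g = groups.setdefault(sha, {"sha256": sha, "size": size, "names": [], "score": None})
        g["names"].append(name)
        if score is not None and (g["score"] is None or score > g["score"]):
            g["score"] = score
    return sorted(groups.values(),
                  key=lambda g: -1 if g["score"] is None else g["score"], reverse=True)


def unmatched_copies(targets):
    """Names ending in '.$1' whose hash has no entry without that suffix.

    The installer writes these files twice. A '.$1' copy whose hash differs from
    its sibling would mean the second write changed the file and deserves a look.
    """
    by_sha = defaultdict(set)
    for name, _, sha, _ in targets:
        by_sha[sha].add(name)
    return [n for n, _, sha, _ in targets if n.endswith(".$1") and n[:-3] not in by_sha[sha]]


def match_bytes(data, targets):
    """Report names whose SHA256 equals that of `data` (e.g. a file read from disk)."""
    digest = hashlib.sha256(data).hexdigest()
    return [n for n, _, sha, _ in targets if sha == digest]


if __name__ == "__main__":
    assert not validate(TARGETS) and not unmatched_copies(TARGETS)
    for g in consolidate(TARGETS):
        print(f"{g['score'] if g['score'] is not None else '-':>2}  {g['sha256']}  {g['size']:>7}  {len(g['names'])} name(s)")
```

Feeding a file from disk into `match_bytes` (`match_bytes(open(path, "rb").read(), TARGETS)`) tells you which of the reported components it is; an empty result for a file that is supposedly one of them means the hash, not the name, should be trusted.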
MITRE ATT&CK Enterprise v15

Tasks

static1

vmprotect
Score
7/10

behavioral1

discovery evasion execution persistence spyware stealer vmprotect
Score
8/10

behavioral2

discovery evasion execution persistence spyware stealer vmprotect
Score
8/10

behavioral3

persistence
Score
7/10

behavioral4

persistence
Score
7/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
3/10

behavioral8

Score
3/10

behavioral9

Score
3/10

behavioral10

Score
3/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

Score
3/10

behavioral14

Score
3/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

Score
3/10

behavioral18

Score
3/10

behavioral19

Score
1/10

behavioral20

Score
3/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
5/10

behavioral30

Score
5/10

behavioral31

Score
5/10

behavioral32

Score
5/10
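The Tasks listing above is one block per task: the task id, an optional line of tags, then `Score` and `N/10`. When the page is extracted as plain text the tag names on that line can be run together without separators. The Python below is an added example, not part of the report or of tria.ge: it parses a constructed copy of the listing into records, re-splits concatenated tags against an assumed (and deliberately incomplete) vocabulary with backtracking, and reduces the tasks to a single verdict, the highest score together with the tags of the tasks that produced it. `TAG_VOCAB` and `TASKS_TEXT` are this example's own constructions.

```python
"""Parse the flattened Tasks listing of a tria.ge report into records.

Added example, not code from the report or the tria.ge service. TASKS_TEXT is
constructed to mirror the listing above, including one task whose tag names
were run together by text extraction. TAG_VOCAB is an assumed, deliberately
incomplete set of tag names used only to re-split such runs.
"""
import re

TASK_RE = re.compile(r"^(static|behavioral)\d+$")
SCORE_RE = re.compile(r"^(\d+)/10$")

# Assumed vocabulary for re-splitting concatenated tags; extend as needed.
TAG_VOCAB = {"discovery", "evasion", "execution", "persistence", "spyware",
             "stealer", "vmprotect", "trojan", "ransomware", "packer"}

# Constructed from the listing above: one task with spaced tags, one with the
# concatenated form, one with no tags at all.
TASKS_TEXT = """\
static1

vmprotect
Score
7/10

behavioral1

discovery evasion execution persistence spyware stealer vmprotect
Score
8/10

behavioral2

discoveryevasionexecutionpersistencespywarestealervmprotect
Score
8/10

behavioral5

Score
3/10
"""


def split_tags(run, vocab=TAG_VOCAB):
    """Split a run of tag names that lost their separators.

    Tries the longest vocabulary entry first and backtracks, so a tag that is a
    prefix of another tag cannot derail the split. Returns None if no split works.
    """
    if run == "":
        return []
    for word in sorted(vocab, key=len, reverse=True):
        if run.startswith(word):
            rest = split_tags(run[len(word):], vocab)
            if rest is not None:
                return [word] + rest
    return None


def normalise_tags(line):
    """Turn a tags line into a list, repairing concatenated tokens where possible."""
    tags = []
    for token in line.split():
        if token in TAG_VOCAB:
            tags.append(token)
        else:
            tags.extend(split_tags(token) or [token])  # unknown tokens are kept raw
    return tags


def parse_tasks(text):
    """Walk the listing line by line: task id, optional tags line, 'Score', 'N/10'."""
    tasks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TASK_RE.match(line):
            current = {"task": line, "tags": [], "score": None}
            tasks.append(current)
        elif current is None or line == "Score":
            continue
        elif SCORE_RE.match(line):
            current["score"] = int(SCORE_RE.match(line).group(1))
        elif current["score"] is None:
            current["tags"] = normalise_tags(line)
    return tasks


def overall(tasks):
    """Report-level verdict: the highest task score and the union of tags of the tasks that reached it."""
    scored = [t for t in tasks if t["score"] is not None]
    top = max(t["score"] for t in scored)
    tags = sorted({tag for t in scored if t["score"] == top for tag in t["tags"]})
    return top, tags


if __name__ == "__main__":
    parsed = parse_tasks(TASKS_TEXT)
    for t in parsed:
        print(f"{t['task']:<12} {t['score']:>2}/10  {' '.join(t['tags'])}")
    print("overall:", overall(parsed))
```

Taking the maximum rather than an average matches how a triage score is read: one 8/10 behavioural task is the verdict, and the many 1/10 and 3/10 tasks for the benign-looking helper DLLs do not dilute it.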