General

  • Target

    9defccdb9b148ce5728c8cd5b62d3cdc_JaffaCakes118

  • Size

    405KB

  • Sample

    240611-mznkesvdjp

  • MD5

    9defccdb9b148ce5728c8cd5b62d3cdc

  • SHA1

    def478c3e2ecf56253fd7c8d3ad35f04be33711e

  • SHA256

    e40d9ba826c7b62d65f7926892b6d37c3a32f2829fffdc232bfdc68a8d59acea

  • SHA512

    b6ec1b7208904a7d2329e68276c3baa10121d197b8953fe984f1cdda3010f2d8390ff8881f057886889474b0814e6b71415b030a6735054e26e5e984d649fcaf

  • SSDEEP

    12288:wSEQouESAo6hjHxq2UxEJ1/9RfzxHWeA8Ri:wSsLSAo6VxqVxE37fJrLs

Malware Config

Extracted

Family

lokibot

C2

http://www.newindiantt.com/seal/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      scan.doc768998.exe

    • Size

      429KB

    • MD5

      a68cf22105918f7cddb0a60a3180e300

    • SHA1

      b0b6314bd1959ac5b7931f0f0595bd9e57eef0b2

    • SHA256

      0fab5cb2a6325cb94875317856ea62083fe303c051460ad0ae6914fcba4bd7e5

    • SHA512

      8365d2597478c359ba07ce1f6e2e5d68d595370135e4403204351fd6cbcc2f4d3fc596185467aab0eaf26b74b7514ea77eb9c850c6ff553bef77898286de1163

    • SSDEEP

      6144:UuEvktmbNyan7fU8prYN9FLCTbqpQ+XWAHNTtD8ONyMUNjiCXKqcWrfSiUYEm:5tm57BRTbqpTWAHNTtD8OeIgXXqiUYE

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks