General

  • Target

    2cd5dbd4dc815734edf7be4cb6b68ae0_JaffaCakes118

  • Size

    497KB

  • Sample

    240708-sss48avgkp

  • MD5

    2cd5dbd4dc815734edf7be4cb6b68ae0

  • SHA1

    f26bb84555eb01073294e0c9b9a9659e377ca695

  • SHA256

    65cf63b950f32653a891754d6b52686a4de351a3aeb1324907d3b7c4cc7282f7

  • SHA512

    bb26b6f181aa686692f0e34b28fab46e62dba20d00d28dc9395497498d0a826dc4ea1e70103b4aa86702085c3f2a6fceeee6943f87aca73e990c756a7e9be544

  • SSDEEP

    12288:f3QT+2UNiASP5Q+M635lH4cVEuhc1Jupj6Y+MuzqLWUrqNQS2B1S:LNiASxQMjH4cVVNpj6Y+7zXRr2B1S

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.fakly-cambodia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Mmhh#2014

Targets

    • Target

      NEW ORDER.exe

    • Size

      740KB

    • MD5

      161eb73b1e04a20bad1b9f47716abe8d

    • SHA1

      0fc916438fb79d83b1232a9c6913a599ffa5c641

    • SHA256

      5ae71498e3b1d2707c84bcd6f43566b8834f310dccafd64ef81e54cbe7ac4b01

    • SHA512

      1b27317105bf51911ad5e355bea51278dbf49d72365171eba914bfd612a40839490d073be4bd9974a9d51330c869b8aa18b88c860e19869249a533df18498d50

    • SSDEEP

      12288:ADX3jNNQniCpB5A+W6nRHDWcVYuhi1xaDjuY+wuzaLWUrm9Osd:ADnjNNwrAU5DWcVZPDjuY+fznjH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks