Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4a1b278e22...18.exe

windows7-x64

10

4a1b278e22...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118

  • Size

    784KB

  • Sample

    240715-r2c9pawakr

  • MD5

    4a1b278e22d8bacdb0764a0ef68fa44e

  • SHA1

    9d638697c5c1426295e7013e29da5da9fd7b6e08

  • SHA256

    7ddeb263d000da9cdad7f64b0fa20eaa6e49452da2c58231cc1f5d1b2075346c

  • SHA512

    ebf3bdefe5c17dc65fa227194c5392f381f76a2a9f13d4a79c9bbbdafd886f2ab870599e35e68c3299920b6d91b8459053f5151c463f84a10c338b2f8df24c87

  • SSDEEP

    12288:6DvpRBk2lTLqzEPlnvHeASzmR1CXEtwroAOCCE3VkxBH8Y1tz2wASRvBmL9c0zJU:KYARvBAcwioRS

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ranuranuwcs

Targets

    • Target

      4a1b278e22d8bacdb0764a0ef68fa44e_JaffaCakes118

    • Size

      784KB

    • MD5

      4a1b278e22d8bacdb0764a0ef68fa44e

    • SHA1

      9d638697c5c1426295e7013e29da5da9fd7b6e08

    • SHA256

      7ddeb263d000da9cdad7f64b0fa20eaa6e49452da2c58231cc1f5d1b2075346c

    • SHA512

      ebf3bdefe5c17dc65fa227194c5392f381f76a2a9f13d4a79c9bbbdafd886f2ab870599e35e68c3299920b6d91b8459053f5151c463f84a10c338b2f8df24c87

    • SSDEEP

      12288:6DvpRBk2lTLqzEPlnvHeASzmR1CXEtwroAOCCE3VkxBH8Y1tz2wASRvBmL9c0zJU:KYARvBAcwioRS

    Score
    10/10
    evasionpersistencespywarestealertrojan

    • Modifies visibility of file extensions in Explorer

      evasion

    • UAC bypass

      evasiontrojan

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

6
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks