Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

02c6de821f...18.exe

windows7-x64

9

02c6de821f...18.exe

windows10-2004-x64

9

$PROGRAMFI...il.exe

windows7-x64

3

$PROGRAMFI...il.exe

windows10-2004-x64

3

$PROGRAMFI...r4.dll

windows7-x64

3

$PROGRAMFI...r4.dll

windows10-2004-x64

3

$PROGRAMFI...c4.dll

windows7-x64

3

$PROGRAMFI...c4.dll

windows10-2004-x64

3

$PROGRAMFI...s4.dll

windows7-x64

3

$PROGRAMFI...s4.dll

windows10-2004-x64

3

$PROGRAMFI...s3.dll

windows7-x64

3

$PROGRAMFI...s3.dll

windows10-2004-x64

3

$PROGRAMFI...e3.dll

windows7-x64

3

$PROGRAMFI...e3.dll

windows10-2004-x64

3

$PROGRAMFI...n3.dll

windows7-x64

3

$PROGRAMFI...n3.dll

windows10-2004-x64

3

$PROGRAMFI...PC.exe

windows7-x64

9

$PROGRAMFI...PC.exe

windows10-2004-x64

9

$PROGRAMFI...er.exe

windows7-x64

9

$PROGRAMFI...er.exe

windows10-2004-x64

9

$PROGRAMFI...up.exe

windows7-x64

6

$PROGRAMFI...up.exe

windows10-2004-x64

6

$PROGRAMFI...LL.dll

windows7-x64

3

$PROGRAMFI...LL.dll

windows10-2004-x64

3

$PROGRAMFI...rd.dll

windows7-x64

3

$PROGRAMFI...rd.dll

windows10-2004-x64

3

$PROGRAMFI...SC.dll

windows7-x64

3

$PROGRAMFI...SC.dll

windows10-2004-x64

3

$PROGRAMFI...WR.dll

windows7-x64

3

$PROGRAMFI...WR.dll

windows10-2004-x64

3

$PROGRAMFI...LL.dll

windows7-x64

3

$PROGRAMFI...LL.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    02c6de821fc433304ee204d4b930392e_JaffaCakes118

  • Size

    9.3MB

  • Sample

    240727-3sm83sydla

  • MD5

    02c6de821fc433304ee204d4b930392e

  • SHA1

    68b1cc41a9d00e0f7d6dd3fa70b816e158839f45

  • SHA256

    03595be308cd92512645f8f37b6731f372da3c6b5dbf298c4d16a9683a8e4f19

  • SHA512

    c874685a0342e0b0af53630650188f2c3b5e2196ffbb10b74cb1c00e1cae0a35bcfba9d3d096b7d7f9bbe636862a653a85bb353b6308ce323e5ce6d8c51873c7

  • SSDEEP

    196608:9AAkXmjdt4e14FhATdRzWEgOwZYKjm/lKIMaJPxEN0N:me4eyhWddWEhztlK7cPGQ

Score
9/10
discoveryevasionpersistenceprivilege_escalationspywarestealer

Malware Config

Targets

    • Target

      02c6de821fc433304ee204d4b930392e_JaffaCakes118

    • Size

      9.3MB

    • MD5

      02c6de821fc433304ee204d4b930392e

    • SHA1

      68b1cc41a9d00e0f7d6dd3fa70b816e158839f45

    • SHA256

      03595be308cd92512645f8f37b6731f372da3c6b5dbf298c4d16a9683a8e4f19

    • SHA512

      c874685a0342e0b0af53630650188f2c3b5e2196ffbb10b74cb1c00e1cae0a35bcfba9d3d096b7d7f9bbe636862a653a85bb353b6308ce323e5ce6d8c51873c7

    • SSDEEP

      196608:9AAkXmjdt4e14FhATdRzWEgOwZYKjm/lKIMaJPxEN0N:me4eyhWddWEhztlK7cPGQ

    Score
    9/10
    discoveryevasionpersistenceprivilege_escalationspywarestealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/certutil.exe

    • Size

      283KB

    • MD5

      e082bd597129b93f8afe414021f7dd30

    • SHA1

      d861f0cefd66ed14fde82b0541237e42c5c7c63a

    • SHA256

      22c4d27af891ac0d7d1cd511f0aade8c1aa1c1648a3b4ef2828764b0f9daafef

    • SHA512

      0f8cf28e99f74326d418a70e36a40fe6e078b78007298416fa17db3fce010fef2857af4eb28eb9e3eaddc7520bb737c85b14f4ad370e5552273c8e113b396f43

    • SSDEEP

      3072:mH6sserkXqC3x+g2TDxBzDCeQtj/T/EglLPRKgzIoF7Q+Yhf0ZS0IYS1ahAqIUwV:maCzpgGBzDEA1Is0xzSeAqFwiIDF

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/libnspr4.dll

    • Size

      204KB

    • MD5

      7957e822b5e67afe2cb64e1fbfc923db

    • SHA1

      49e065f2ebc213c445e8c637b32f101674ca4dc8

    • SHA256

      480c54abd5c555520ee38069d9233b1c2739286471376a56ee66bd756a37fde2

    • SHA512

      ed44cc693175c01e1d1a7b856ca800e3cd641a3f434ffecd1532324111aa55010601c1aa92ce069133c012d6e89d5b99bd9526283da9b972b53f788a820e63bb

    • SSDEEP

      3072:AtiZp9HzAEvs0thsMy0jHWkN+IsQ5kPGd+pEbqxvh50SyvHerJu8g:sGp9HMEvsqsQHBsQ5kPGd+pEevVyv8

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/libplc4.dll

    • Size

      28KB

    • MD5

      c3700234160aeea85be0be637744f8a1

    • SHA1

      27b86964b29ffb287180cc2875e4467e7b092084

    • SHA256

      b6a12653b2b8024f64bc581e67dc10a469edcfdabdad3da405ef7b709eb34805

    • SHA512

      2ff671c0633f78d3e6736bcc445b72de1d81a74dbae29673f4c88d57485ff3a0f2de2a60a137113091a55feca7c5dd1fa7816b0d630fe5f5fbd0af70667da4e0

    • SSDEEP

      192:aIc4fylGikcNlsIvBnmAq+yB2Y1NjqPCSfi4Yg8utInnnqCv/qWARuPsBQVhmmTa:aIc4fyPqivyjOBdqAyOkdWVHg

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/libplds4.dll

    • Size

      24KB

    • MD5

      a4f672b53c53e322d8f474e7980f432e

    • SHA1

      5359b8ac02d98801edc6c2eb46e223c39ce42ee3

    • SHA256

      6b8d5ecd92b9705d54ad48c873226991de558e57c36effeefbea63e006aae75f

    • SHA512

      b25d18403a586b03588ddc6b283b09bd431c71d3cb548d4fe59628ab3431fef7c7c2364ee05bf1e3983379f11e7c442f21bdcdc6df191c4f08379ba15a10cc43

    • SSDEEP

      96:ryDKJp9bk/uFBUcmOHeV6Yqebl6swLmwi2gGh0Gl10y6ynrJ3K1SxMRN3L6Cfw5Z:MKJp9bLF6cqSE1wi2gGGGES9aYyFfm

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/nss3.dll

    • Size

      1.6MB

    • MD5

      37016e05495f1daca0af21f23654203f

    • SHA1

      ce75de300b5984a96fbbc561a70c21b6bf7fd02c

    • SHA256

      eb609f53bc2d1ca5f771b577f4a160b2974dc42196d82508d84d7767ac2ca6a7

    • SHA512

      98a077deb5b13eb74a1a8b105778f923112888339c0482645c481c9ae736622bf1cbf21c830eb18130ba161aebbf5599f0816ad6ed8de1ffea22cec46cbd78c9

    • SSDEEP

      24576:Oj70j9vgSNMN9k95HmoM5H7HMFnpn5AhSZhGopzFBJF:o70BgSNo0pEMZMSZhGEF

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/smime3.dll

    • Size

      558KB

    • MD5

      5264e5d087b395e91b739778e8e76933

    • SHA1

      67f216749c1a8ca7194dcb7a2cceb47fc6457f59

    • SHA256

      4a846a28573048cad28714b7623e7c5f03001b66d55092aada3da7a3c397b26e

    • SHA512

      a1f9f95fc35642f6cf0104a0ab277e10359ec836977b8d2da2812ff26aaaea2d11b2e0dce18712c9296a62c51e6c2a114c9bc85634fa342aac384661cfe73e35

    • SSDEEP

      12288:6nOmn6yR8HE3KdbtE2EnwLd4FTPO5VnDmIzbs:6nOs6lEy+SdqTPOFs

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/cert/softokn3.dll

    • Size

      1.2MB

    • MD5

      aba9a1d88c35d1e380054a18d2087291

    • SHA1

      51ae68d6efd42bb51653a3dd0733a1c36ed5c632

    • SHA256

      178dac494dc58ff2a2874d54cd2fc96364a12fec2b5bd25d5bcefea187a8979e

    • SHA512

      ecef7bc477ab3819cc5d266af57cbe4722daf106fdc5dbf663ee700fd487194607fe541248bd00e69bddfc39ad31810c1c768eb510fae10bed89b3e9fa361256

    • SSDEEP

      24576:S8JgeTeX+6iknOSDzPz7hPPiKoOTnDlD1D1zD5DLTKLS6I3GR:mWAJDzPz7hPPdoOTnDlD1D1zD5DLCe8

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/AnySign4PC.exe

    • Size

      2.3MB

    • MD5

      dede7b51dee26b56e94991f33504ba8a

    • SHA1

      7715ff2ee133265f94cc77f01e32d00f77b42cd1

    • SHA256

      e2333c3dda14fafbcbe1ab29bf433ae89280c7fc4b1f5ce4b3e45943415b7c6a

    • SHA512

      dd2181b0a87ac9fd66ffb6a889087584ead7630073eb501e3b357dfc7526dfc24d0a4e67fdb638199ab250f5d008baa085d0a3aeddd46ed5d5721d969101c915

    • SSDEEP

      49152:PconvcLJ5n0wrATGphLjUwrILioeZ3NTICXmI:UovcLJ50JSLjxrILioKNsCf

    Score
    9/10
    discoveryevasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral17behavioral18

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/AnySign4PCLauncher.exe

    • Size

      2.2MB

    • MD5

      d0d596a7aee7c949d4fb625269ccc4a3

    • SHA1

      7f4db9b10ab88273eecfb145fe9a01293ee6c28c

    • SHA256

      80ce82de0a6635d47d0fc1be310ebf8e5238d8598f83e7df83be0215f18bb7f9

    • SHA512

      1f5cc7c07e6ad5222fef42589a21c31566e6606e202b00bacc0e9b960cb29f26f6c04eefa31b6109844269a4370b4a6b60d92e4577543bc905b0ffc0b7046550

    • SSDEEP

      49152:6O5PzPs+X18XrgoijVTLbHqFhFITkjPbIxtqfPl9hEKzIOYTYBbLp:6O57EW1Sg95/evFUGtn1IJTY5Lp

    Score
    9/10
    discoveryevasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral19behavioral20

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/Any_setup.exe

    • Size

      144KB

    • MD5

      894222e8962b46263c26aa9ea08c2050

    • SHA1

      9778d5e7d4cd15717f3240cae4255934ccd5231c

    • SHA256

      e5c6a460471e5f1d37c083c1069e95e253ad80c25e42f5624f6824bb1f4ce826

    • SHA512

      472787c8827cb5df1c527caee6bb0766429a096f3931f30d7a435d891a0741b333c16000ae53cf1bb2398ba77187c5ae240145b30f51899bff074232e7f900b5

    • SSDEEP

      1536:O3Wakjwa5CkyoH+p5nyn3nuC7XJ9Mje5rxLtLEc9Eccdk5GGA93EpjjMe61BW+pi:r8y0e5rxLtLnXLDMJLWFXG3yvD

    Score
    6/10
    discoveryevasionpersistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral21behavioral22

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/DESDLL.dll

    • Size

      56KB

    • MD5

      33eb65fc4be4336acf4d5223fceacd23

    • SHA1

      fec700ac34496350f5d802422f65587be333b4fd

    • SHA256

      8dc4f78cca4fa57c18b8b062222d55650b54f5b28dc9ecd512cc3b16b8cce71c

    • SHA512

      26024fce4d9987199cc23497375a8c7212a845fab3f7894ba08cbce8fbc49d5a59a403c5f38b2e3de2717396bf1d049067dfb890c716356912615d0fd6d795da

    • SSDEEP

      768:Jcgkc/ghFTCs0PSqRkrO+3oX2wnqP3vjkjEjSpD0UdiB9Cf9PS7h5gAofJWbcj:Jkc4FTCs0PStzoX2kjEjSpJX9CzoRoG

    Score
    3/10
    discovery
    behavioral23behavioral24

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/DllOpenkeyboard.dll

    • Size

      136KB

    • MD5

      54f1c18f29bdbc61863ce9da1d09fe1e

    • SHA1

      fa19ebe25b1da3e022980703c712a13cf3dfdb11

    • SHA256

      94769b487a295bf0cbb61d71b1b99303c558d89fed1a60e40440fec6ebe236ec

    • SHA512

      a2e89738d36dec23eff9dcf7cadff702cf4d07795a34f7f78407f65fccf657cea3ee63b2d3b8bcfcfde2d6b1916fba774a2a5b32bc6e6af089f4c91a5c91700b

    • SSDEEP

      1536:Z562Jsu3IqUWtROLotIRqZqRorMzngrsIvzkbpe7FgF+QmR3bcCaxA5kaMe/puc+:SQtqbHGvM4HIwT+tbGnPZi

    Score
    3/10
    discovery
    behavioral25behavioral26

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/KEBSFSC.dll

    • Size

      484KB

    • MD5

      f2b1512cee1a36dd5a7e9b7a9d668f7c

    • SHA1

      df48f9d5140b11e80e4d0df2550fe9ad5bdb7eba

    • SHA256

      4ef6061fd74e6cc0124812a8d2d10d4445ac84ab36185a7a2568aa0117c8049c

    • SHA512

      a619826f6956b9aa011c525f135da690b6fdedafb5403a2860856aaec2f31764c7d1c4164ea155d016288dd59cd2eb8f496e08071f65ca179a79cef6bd84704e

    • SSDEEP

      6144:oFVRGFImOWky5opqont8UJUOkkkkkkkkkkkkkkkkkwkkkkkkkkkkkkkkkkkNfo:EGG58opqKt8i

    Score
    3/10
    discovery
    behavioral27behavioral28

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/KEBSFSC_WR.dll

    • Size

      14KB

    • MD5

      cf95ac23bf29820858daa738a45c666f

    • SHA1

      baec586aaa13cbc4623a0371065fb523f7d8ec3c

    • SHA256

      d28631be5c2a582fab6c47d5348fb7ff058c2f72c312e816f6106d1c9ee2c3ef

    • SHA512

      451d4323132c5dd0f622226a04b739b1145f13501675b5733d7b69c6be861c350ca2aa21f2ecd916ef398a1d519e41f5e5fdcbf7aa68b7b45e01048c3e869ea2

    • SSDEEP

      384:iLOj4DMzhL0+77gG1lFsDCrZxEUM5OArZ6AjG8GZR:rOGhL0+78+uAEUmOABS5

    Score
    3/10
    discovery
    behavioral29behavioral30

    • Target

      $PROGRAMFILES/SoftForum/XecureWeb/AnySign/dll/KTBDLL.dll

    • Size

      576KB

    • MD5

      bd5c8c9e408153eda25465d790a4e81e

    • SHA1

      8c14f4efa5b8b87d69187587fa9f25a02c284bb2

    • SHA256

      d39b60b3e3b44244bd43dd3fcffa1861f709a6cfa583613ca0b54f4c2237e327

    • SHA512

      d273a23384fddb191f95bea8805f458f82b8c21e7b60fc43143b61a8b3209afc0d70a53c46bd99d95e22a74e65f4bd19bde84ab633bc7f3aba4bacafab377244

    • SSDEEP

      6144:OZ2wqKv1HxoEw4YNvFTWkEvEkUGVTYiH/FdXKFqKG0EG/kCdB6LTh8WtV1E9+kzl:AtJYqEkUSjdXKMFeBEjtV1q

    Score
    3/10
    discovery
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

discoveryevasionpersistenceprivilege_escalationspywarestealer
Score
9/10

behavioral2

discoveryevasionpersistenceprivilege_escalationspywarestealer
Score
9/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

discoveryevasion
Score
9/10

behavioral18

discoveryevasion
Score
9/10

behavioral19

discoveryevasion
Score
9/10

behavioral20

discoveryevasion
Score
9/10

behavioral21

discoveryevasionpersistenceprivilege_escalation
Score
6/10

behavioral22

discoveryevasionpersistenceprivilege_escalation
Score
6/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10