General

  • Target

    a31d1b7f173441b0cb637813a9257e84_JaffaCakes118

  • Size

    866KB

  • Sample

    240817-s1x35sshqf

  • MD5

    a31d1b7f173441b0cb637813a9257e84

  • SHA1

    69389137c11e6c775156639c5a366f0bda973b40

  • SHA256

    0944994ed1f7612afe248bdbbe57bacad3d3720c8f5f43d8cd5e17e7ae299ebb

  • SHA512

    675b00cdad7a3625225cbef1fda371e42f5b8784b4506469669cba91add4dbc8cd711da4dd84ab577d87463c654b10a7a53de795cd0560516d4461da3bea147e

  • SSDEEP

    12288:rQxehvo8RRf42RakgGKqiFmvDOX5PVjIeck545Ac1Mh1jt:rQElo8RQ2qG+sURRR7cOhh

Malware Config

Extracted

Family

lokibot

C2

http://dickson--constant.com/chief/har/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php
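The five C2 URLs above share one shape: an attacker-controlled host and a `fre.php` gate script that the bot POSTs its harvested credentials to. The script below, an added example and not part of the tria.ge report, turns the extracted config into something a responder can run against proxy logs. It compares host and path without scheme or port (so an `https://` or `:8080` variant still matches), scores a bare known host as a hit in its own right (the domain is attacker-controlled whatever the path), and flags any POST to a `.../fre.php` path on an unknown host as a weaker lead worth triaging. The log lines and the `timestamp client method url status` format are constructed for the example; the SHA256 check uses the report's own hash.

```python
"""Match the C2 and file IOCs extracted from this report against proxy logs.

Added example. The log lines and their format are constructed for
illustration and are not from the analyzed sample's sandbox run.
"""
import hashlib
from urllib.parse import urlparse

# C2 URLs exactly as listed in the report's "Malware Config" section.
C2_URLS = [
    "http://dickson--constant.com/chief/har/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
# SHA256 of the analyzed sample, from the report's "General" section.
SAMPLE_SHA256 = "0944994ed1f7612afe248bdbbe57bacad3d3720c8f5f43d8cd5e17e7ae299ebb"


def c2_indicators(urls):
    """Split each C2 URL into (host, path). urlparse().hostname is already
    lowercased and stripped of any port, so variants still compare equal."""
    return [(urlparse(u).hostname, urlparse(u).path) for u in urls]


C2_PAIRS = set(c2_indicators(C2_URLS))          # strong: exact host + path
C2_HOSTS = {host for host, _ in C2_PAIRS}       # strong: any request to the host


def classify_request(method, url, ioc_pairs=C2_PAIRS, ioc_hosts=C2_HOSTS):
    """Return 'c2', 'host', 'fre_php' or None for one proxy request.

    'c2'      host and path match the extracted config
    'host'    known C2 host, different path (domain is attacker-controlled)
    'fre_php' POST to .../fre.php on an unknown host: a heuristic only, kept
              because every C2 in this config uses that gate script
    """
    p = urlparse(url)
    host = p.hostname or ""
    if (host, p.path) in ioc_pairs:
        return "c2"
    if host in ioc_hosts:
        return "host"
    if method.upper() == "POST" and p.path.endswith("/fre.php"):
        return "fre_php"
    return None


def scan_proxy_log(lines):
    """Parse 'timestamp client method url status' lines (constructed format)
    and return (timestamp, client, verdict, url) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:          # skip malformed or truncated lines
            continue
        ts, client, method, url, _status = parts[:5]
        verdict = classify_request(method, url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


def sha256_hex(data):
    """Hex SHA256 of a bytes object."""
    return hashlib.sha256(data).hexdigest()


def file_matches_sample(path, expected=SAMPLE_SHA256):
    """Hash a file on disk in chunks and compare with the report's SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected


# Constructed proxy log lines, not sandbox output.
SAMPLE_LOG = [
    "2024-08-17T10:01:02Z 10.0.0.15 GET http://example.com/index.html 200",
    "2024-08-17T10:01:09Z 10.0.0.15 POST http://kbfvzoboss.bid/alien/fre.php 404",
    "2024-08-17T10:01:10Z 10.0.0.15 POST http://ALPHASTAND.top:8080/other/path.php 200",
    "2024-08-17T10:01:11Z 10.0.0.22 POST http://newhost.example/panel/fre.php 200",
    "2024-08-17T10:01:12Z 10.0.0.22 GET http://newhost.example/panel/fre.php 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
```

A 404 from the gate (second constructed line) is still a hit: the bot beacons regardless of whether the panel is alive, and a dead C2 says nothing about whether the host is infected.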

Targets

    • Lokibot

      Lokibot is an information stealer that harvests stored passwords and cryptocurrency wallet data.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser profile data, which can include saved credentials and other account material.

    • Accesses Microsoft Outlook profiles

      Outlook profile data holds configured mail accounts and their stored credentials, a standard stealer target.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process, typically one created suspended, is a common step in process hollowing (RunPE) injection: the packed payload is written into the fresh process and its entry point is redirected before the thread is resumed.

MITRE ATT&CK Enterprise v15

Tasks