General
- Target: b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118
- Size: 1.3MB
- Sample: 240821-c9q37awfrf
- MD5: b1d655ca4d6983bf47ba73acde4fa1f5
- SHA1: 20e777f69d69ba2ed01f7338c5800977d43701e8
- SHA256: a74717f9d58b53c701d2a4646247ee51107e1ad4b066b7ff4c8ec415a234d85a
- SHA512: 409600228bdc55376db02834c95b482ccc6095e34975175c8f9bec1016149c1b59e3367d3653308d73d01f6380ef67ef39c139847f1f894422f462121d6ef313
- SSDEEP: 24576:6Y563ey8gZqj4ycxS3NqJojxt9TqfqOAaEwSDl7EOOkZWVlMZ3+ZGj9OZ:T/+qEycxy/xTTqfqOZEw8NSdZz
Static task
- static1
Behavioral tasks
- behavioral1: Sample b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe, Resource win7-20240704-en
- behavioral2: Sample b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118.exe, Resource win10v2004-20240802-en
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.drivehq.com
- Port: 21
- Username: UndeadLolipop
Targets
- Target: b1d655ca4d6983bf47ba73acde4fa1f5_JaffaCakes118 (1.3MB)
Signatures
- Ardamax main executable
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that abuses cloud services to download other malware families.
- Modifies WinLogon for persistence
- ModiLoader Second Stage
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup. Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine; the StubPath command runs at the next interactive logon.
- Drops file in Drivers directory
- Checks computer location settings: reads the country code configured in the registry, likely as a geofence on execution.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Indicator Removal: File Deletion. Adversaries may delete files left behind by the actions of their intrusion activity.
- Modifies WinLogon
- Drops file in System32 directory
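The persistence signatures above (Active Setup, Run and policy Run keys, Winlogon) each name a registry location a responder should inspect on a host where this sample ran. The PowerShell below is an added example written for this page; it is not tria.ge output and not code from the sample. It enumerates those locations and flags entries that point into user-writable directories. The registry paths are the standard Windows autostart keys; the Winlogon baseline values (userinit.exe with a trailing comma, explorer.exe) are assumed stock defaults and may differ on OEM images.

```powershell
# Added example, not part of the tria.ge report: hunt for the autostart
# mechanisms flagged above (Active Setup, Run/Policies Run keys, Winlogon).
# Run from an elevated PowerShell prompt. New-Object is used instead of ::new()
# so the script also runs on the Windows 7 / PowerShell 2.0 task environment.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param($Category, $Path, $Name, $Value)
    # Autostart values living under user-writable or temp locations deserve a closer look.
    $suspect = [bool]($Value -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\')
    $findings.Add([pscustomobject]@{
        Category = $Category; Path = $Path; Name = $Name; Value = $Value; Suspect = $suspect
    })
}

# 1. Active Setup. The StubPath of each HKLM\...\Installed Components\{GUID} runs at
#    the next interactive logon of any user whose HKCU copy of that GUID is missing or
#    carries a different Version, so record the StubPath and whether it is still pending
#    for the current user.
$asRoots = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
foreach ($root in $asRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $machine = Get-ItemProperty -Path $_.PSPath
        if (-not $machine.StubPath) { return }
        $userPath = Join-Path ($root -replace '^HKLM:', 'HKCU:') $_.PSChildName
        $user     = Get-ItemProperty -Path $userPath -ErrorAction SilentlyContinue
        $pending  = (-not $user) -or ($user.Version -ne $machine.Version)
        Add-Finding "ActiveSetup(pending=$pending)" $_.PSPath 'StubPath' ([string]$machine.StubPath)
    }
}

# 2. Run, RunOnce and the policy Run key (Policies\Explorer\Run), in both hives.
$runSubkeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
              'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
              'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $runSubkeys) {
        $key   = "$hive\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Drop the PS* metadata properties Get-ItemProperty attaches; the rest are values.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { Add-Finding 'RunKey' $key $_.Name ([string]$_.Value) }
    }
}

# 3. Winlogon. Userinit and Shell should hold the stock values below (assumed defaults);
#    anything appended after the comma is an extra program started at every logon.
$wl       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}
$wlProps = Get-ItemProperty -Path $wl
foreach ($name in $expected.Keys) {
    $actual = ([string]$wlProps.$name).Trim()
    if ($actual -ne $expected[$name]) { Add-Finding 'Winlogon' $wl $name $actual }
}
# Per-user overrides of Shell/Userinit and legacy Notify DLLs are autostarts too.
$wlUser = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit') {
    $v = (Get-ItemProperty -Path $wlUser -ErrorAction SilentlyContinue).$name
    if ($v) { Add-Finding 'Winlogon(HKCU)' $wlUser $name ([string]$v) }
}
Get-ChildItem -Path "$wl\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
    Add-Finding 'WinlogonNotify' $_.PSPath 'DLLName' ([string]$dll)
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize -Wrap
```

Entries marked Suspect are only a triage heuristic; compare each Value against the dropped-file and process list in the full report before acting on it, and treat an Active Setup entry with pending=True as code that will still run at the next logon even if the process tree looks clean now.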
-
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (5)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (8)