General

  • Target: d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118
  • Size: 4.2MB
  • Sample: 240907-b68cmayfnj
  • MD5: d0d341d2d2f0f61a4c403b88085e3576
  • SHA1: bf8c04ebd83d850cfafce00c49b0ea2646acedee
  • SHA256: cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994
  • SHA512: b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c
  • SSDEEP: 49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ

Malware Config

Extracted

  • Family: cryptbot
  • C2: bibinene03.top, moraass05.top

Targets

    • Target: d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118
    • Size: 4.2MB
    • MD5: d0d341d2d2f0f61a4c403b88085e3576
    • SHA1: bf8c04ebd83d850cfafce00c49b0ea2646acedee
    • SHA256: cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994
    • SHA512: b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c
    • SSDEEP: 49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ

    • CryptBot

      CryptBot is a C++ information stealer that is widely distributed bundled with other software.

    • CryptBot payload

    • Credentials from Password Stores: Credentials from Web Browsers (ATT&CK T1555.003)

      Access to, or copying of, a web browser's credential store.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox exposes its identity in the ACPI tables mirrored under HKLM\HARDWARE\ACPI (vendor strings such as VBOX__); reading those keys is a common virtual-machine check.

    • Checks BIOS information in registry

      BIOS vendor and version strings (HKLM\HARDWARE\DESCRIPTION\System, values SystemBiosVersion and VideoBiosVersion) are often read to detect sandboxes and virtual machines, whose values identify the hypervisor.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer that runs Windows applications on other operating systems and is used by some sandboxes; the presence of its registry keys (HKCU\Software\Wine) reveals such an environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers target stored browser profile data, which includes saved credentials, cookies and autofill data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Enumerates entries under the Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to list installed software; stealers use this to profile the victim and to spot analysis tools.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.

    • Target: $PLUGINSDIR/Sibuia.dll

      $PLUGINSDIR is the directory into which an NSIS installer extracts its plugin DLLs, so the parent sample is an NSIS-built installer and this DLL is one of its plugins.

    • Size: 524KB
    • MD5: 6a3c3c97e92a5949f88311e80268bbb5
    • SHA1: 48c11e3f694b468479bc2c978749d27b5d03faa2
    • SHA256: 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
    • SHA512: 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693
    • SSDEEP: 12288:yFlW+6yL4qXm3e39uB9dk6M6g89vYyw7UwogmySQk9GS168q:y/L6yL44oAP7LD7UvCaGSlq

    Score
    3/10
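The behavioural signatures listed above (anti-VM and anti-sandbox registry checks, browser and wallet file access, Uninstall-key enumeration, the NtSetInformationThread anti-debug call) each boil down to a pattern over sandbox-observed registry, file or API activity. As an added example, not tria.ge's signature engine and not CryptBot's own code, the Python below encodes those checks as rules and runs them over constructed log lines in a simple 'op|arg1[|arg2]' format. The key paths, file paths, the log format and the hit thresholds are assumptions: the report prints only the signature names.

```python
"""Added example (not tria.ge's signature engine nor CryptBot code): the
behavioural signatures reported above, expressed as rules over constructed
sandbox log lines of the form 'op|arg1[|arg2]'."""
import re
from collections import defaultdict

FILE_OPS = r"^Nt(Open|Read|Create)File$"

# (signature name as reported above, op regex, arg1 regex, arg2 regex or None,
#  distinct hits required before the signature fires). Registry and file paths
# are the usual locations for these checks, assumed here: the report does not
# print them.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", r"^Reg(Open|Query)",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", None, 1),
    ("Checks BIOS information in registry", r"^RegQueryValue",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System$",
     r"^(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", 1),
    ("Identifies Wine through registry keys", r"^Reg(Open|Query)",
     r"^HK(CU|LM)\\Software\\Wine(\\|$)", None, 1),
    # A single Uninstall lookup is normal; several distinct subkeys means enumeration.
    ("Checks installed software on the system", r"^Reg(Open|Enum)",
     r"^HKLM\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\[^\\]+$",
     None, 3),
    ("Reads user/profile data of web browsers", FILE_OPS,
     r"\\(Google\\Chrome|Mozilla\\Firefox)\\.*\\(Login Data|logins\.json|Cookies|cookies\.sqlite)$",
     None, 1),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", FILE_OPS,
     r"(wallet\.dat|\\Electrum\\wallets\\|\\Exodus\\exodus\.wallet)", None, 1),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger",
     r"^NtSetInformationThread$", r"^ThreadHideFromDebugger$", None, 1),
]
COMPILED = [(name, re.compile(op, re.I), re.compile(a1, re.I),
             re.compile(a2, re.I) if a2 else None, min_hits)
            for name, op, a1, a2, min_hits in RULES]


def parse_line(line):
    """Split 'op|arg1[|arg2]' into (op, arg1, arg2); None if the line is unusable."""
    parts = line.strip().split("|")
    if len(parts) < 2 or not parts[0]:
        return None
    return parts[0], parts[1], parts[2] if len(parts) > 2 else ""


def match_signatures(lines):
    """Return {signature name: sorted distinct artifacts that matched it}."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        op, arg1, arg2 = parsed
        for name, op_re, a1_re, a2_re, _ in COMPILED:
            if not (op_re.search(op) and a1_re.search(arg1)):
                continue
            if a2_re is not None and not a2_re.search(arg2):
                continue
            hits[name].add(arg1 + ("|" + arg2 if arg2 else ""))
    return {name: sorted(artifacts) for name, artifacts in hits.items()}


def fired_signatures(lines):
    """Names of signatures whose distinct-hit count reaches the rule threshold."""
    hits = match_signatures(lines)
    return sorted(name for name, *_, min_hits in COMPILED
                  if len(hits.get(name, ())) >= min_hits)


# Constructed sample log; not output from the sandbox run reported above.
SAMPLE_LOG = [
    r"RegOpenKey|HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System|SystemBiosVersion",
    r"RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System|VideoBiosVersion",
    r"RegOpenKey|HKCU\Software\Wine",
    r"RegOpenKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    r"RegOpenKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome",
    r"RegOpenKey|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox",
    r"NtSetInformationThread|ThreadHideFromDebugger|0x11",
    r"NtReadFile|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"NtOpenFile|C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet",
    r"RegOpenKey|HKCU\Software\Microsoft\Windows\CurrentVersion\Run",  # benign noise
    "malformed line with no separator",
]

if __name__ == "__main__":
    for name, artifacts in match_signatures(SAMPLE_LOG).items():
        print(f"{name}: {len(artifacts)} hit(s)")
    print("fired:", fired_signatures(SAMPLE_LOG))
```

The per-rule threshold is the practical part: a single RegOpenKey on one Uninstall subkey is what any installer does, so that rule only fires once three distinct subkeys have been touched, while a single read of the VBOX__ ACPI key or a single ThreadHideFromDebugger call is already conclusive.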

MITRE ATT&CK Enterprise v15

Tasks