General
- Target: d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118
- Size: 4.2MB
- Sample: 240907-b68cmayfnj
- MD5: d0d341d2d2f0f61a4c403b88085e3576
- SHA1: bf8c04ebd83d850cfafce00c49b0ea2646acedee
- SHA256: cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994
- SHA512: b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c
- SSDEEP: 49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ
Static task
- static1

Behavioral tasks
- behavioral1: sample d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe, resource win7-20240903-en
- behavioral2: sample d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe, resource win10v2004-20240802-en
- behavioral3: sample $PLUGINSDIR/Sibuia.dll, resource win7-20240708-en
- behavioral4: sample $PLUGINSDIR/Sibuia.dll, resource win10v2004-20240802-en
Malware Config
Extracted: cryptbot
- bibinene03.top
- moraass05.top
Targets

Target: d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118
- Size: 4.2MB
- MD5: d0d341d2d2f0f61a4c403b88085e3576
- SHA1: bf8c04ebd83d850cfafce00c49b0ea2646acedee
- SHA256: cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994
- SHA512: b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c
- SSDEEP: 49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ

Signatures
- CryptBot payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copy of, a web browser credential store.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: $PLUGINSDIR/Sibuia.dll
- Size: 524KB
- MD5: 6a3c3c97e92a5949f88311e80268bbb5
- SHA1: 48c11e3f694b468479bc2c978749d27b5d03faa2
- SHA256: 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
- SHA512: 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693
- SSDEEP: 12288:yFlW+6yL4qXm3e39uB9dk6M6g89vYyw7UwogmySQk9GS168q:y/L6yL44oAP7LD7UvCaGSlq
- Score: 3/10
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (2)
- Credentials In Files (2)