General

  • Target

    e0481d215eb5a6d8eaab639888c87851_JaffaCakes118

  • Size

    841KB

  • Sample

    240914-qrybfawdqn

  • MD5

    e0481d215eb5a6d8eaab639888c87851

  • SHA1

    7509d007466cfeff5e935b28ea6fdd894b646035

  • SHA256

    f8be5adbd627ccaf7b9377cb184dc5301246e872b16d0e5a87ead6db52b4c61c

  • SHA512

    7a85bfa9ab45ceacf6b8dc4155ce2b861b3d7e01c91bb1c2d9e821e5801040748624eb0c2b92975bf0eb15a16119e127108570546935861961c38446bca1ccda

  • SSDEEP

    6144:00cgUiX4ifPM1715kQRm1DKLmpv1w0IU8GB92gkk9/EhSWH3neVErgYy0yZKuPE/:vUwMLWEMGaYI9Bk/gou6MYGZHwXgcsc

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

da7

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family (an infostealer).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Formbook payload

    • Adds policy Run key to start application

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks