General

  • Target

    e3095c7f50ad6559e8aa569390c1fa94_JaffaCakes118

  • Size

    420KB

  • Sample

    240915-v7prfsvdjb

  • MD5

    e3095c7f50ad6559e8aa569390c1fa94

  • SHA1

    e79ac8e78b26dee69a424325932e33cbe41c779e

  • SHA256

    30fbbb57213f860b61302762e7a6febcd16b1ce982c57be120fc92436f40eda2

  • SHA512

    fcde747c26d38e196647ce2f74649459ea2c911e1fa1d9c164b5b941bf683cb90b1b9a68d9611db355fa79cc5d3b130e235dc17033271177a775d1f8d4600362

  • SSDEEP

    12288:JZUvtaGX86HF/vpF8MdvXV2fm9r3EAVF57ZV13:Jlidl/vAcAe13EAZZ/3

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

pm

Decoy

pinkdolphingame.com

littlecarprice.com

zhangjinkai.com

daveycoin.com

brcomatualizacaobb.com

greenworldarg.com

constructorarabguar.com

0pe140.com

onevanillavariety.com

thedispensaryuk.com

missmomth.com

thealpha.biz

jjapanese.com

infinihybrid.com

bydcosmetics.com

jvboisoj.win

smartarchiving.com

kremesomorfias.com

akku2life.com

llbag.win

Targets

    • Formbook

      Formbook is an information-stealing malware family that harvests saved credentials and form data from web browsers, mail clients and other applications, and also logs keystrokes and clipboard contents.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser's credential store.

    • Formbook payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill form data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
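The two persistence signatures above (a value written under the Run key and under the Policies\Explorer\Run key) are the kind of behaviour a host sensor records as registry value-set events. The following is an added example, not code from tria.ge or from this report, that flags such writes in Sysmon Event ID 13 (RegistryEvent, Value Set) records and additionally marks values that point at user-writable drop locations. The field names follow Sysmon's schema; the event records themselves are constructed for the example, and the dropped file name and SID in them are hypothetical.

```python
"""Flag autostart registry writes (Run / RunOnce and Policies\\Explorer\\Run)
in Sysmon Event ID 13 records and mark values that launch from drop locations."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart locations, matched case-insensitively against Sysmon's TargetObject.
# The policy pattern is checked first; the plain Run pattern does not match it
# because it requires CurrentVersion\Run or CurrentVersion\RunOnce directly.
AUTOSTART_PATTERNS = {
    "policy_run_key": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$",
        re.IGNORECASE),
    "run_key": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
        re.IGNORECASE),
}

# User- or world-writable directories where dropped payloads typically live.
SUSPICIOUS_PATH = re.compile(
    r"\\(AppData\\(Roaming|Local|LocalLow)|Temp|ProgramData|Users\\Public)\\",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str        # which autostart location was written
    key: str              # full registry value path from TargetObject
    value: str            # command or path stored in the value
    suspicious_path: bool  # value launches from a drop location
    image: str            # process that performed the write


def classify(target_object: str) -> Optional[str]:
    """Return the autostart technique name for a registry path, or None."""
    for name, pattern in AUTOSTART_PATTERNS.items():
        if pattern.search(target_object):
            return name
    return None


def scan(records: List[dict]) -> List[Finding]:
    """Scan Sysmon records (dicts with Sysmon field names) for autostart writes."""
    findings = []
    for rec in records:
        if rec.get("EventID") != 13:  # only RegistryEvent (Value Set)
            continue
        technique = classify(rec.get("TargetObject", ""))
        if technique is None:
            continue
        details = rec.get("Details", "")
        findings.append(Finding(
            technique=technique,
            key=rec["TargetObject"],
            value=details,
            suspicious_path=bool(SUSPICIOUS_PATH.search(details)),
            image=rec.get("Image", ""),
        ))
    return findings


# Constructed sample records (not real telemetry): two autostart writes by a
# hypothetical dropped binary, one legitimate-looking Run entry, one unrelated
# registry write, and one non-registry event.
_SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
_DROPPED = r"C:\Users\victim\AppData\Roaming\svchosts.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": _DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchosts",
     "Details": _DROPPED},
    {"EventID": 13, "Image": _DROPPED,
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\svchosts",
     "Details": _DROPPED},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\Updater.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        flag = "DROP-PATH" if f.suspicious_path else "ok-path"
        print(f"{f.technique:15s} {flag:9s} {f.key} -> {f.value}  (by {f.image})")
```

The legitimate vendor entry is still reported, because any new autostart value is worth a look; the `suspicious_path` flag is what separates the two writes made by the hypothetical dropped binary from it, and in practice you would also correlate `Image` with the process-creation event that executed the dropped file.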

MITRE ATT&CK Enterprise v15

Tasks