General

  • Target

    ea2729d917d24f794e57dc27a5edbb6d_JaffaCakes118

  • Size

    305KB

  • Sample

    240918-2789esyclk

  • MD5

    ea2729d917d24f794e57dc27a5edbb6d

  • SHA1

    4acbd39f6c95793feb9c7e52f256274aa8c02e80

  • SHA256

    184365416efed1893465d9c1dc0e59aab43f3b6dba54e7e51434ed240c43799b

  • SHA512

    8d9a5d455dbd4e71a5a642a2dff2701fb9fecde0c875e17980533496ae4d9adc845ea3bf930cb3c03c9bd455bc40d444f827b500bb185d99baceaf258ac26f96

  • SSDEEP

    6144:l+/8yFfrs5dxZaxISwaFuW+RikI0hRDfcdD6k2fRFtYbG3B1EVa7wchNHi7HrD/:l+/xFWdHaFj+RpI0bD0dDupFtYbGrqxr

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

hx211

Decoy

benriya-gucci.net

rakecare.ltd

dentalrenaissance.net

filmaporter.com

www284234.com

gnjacnheating.com

bzjxbzsb.com

977zzi.info

zfur.ltd

codingsir.com

test-testin424dgd.com

from-france-with-love.wine

new-igrovyeavtomatiwulcan.com

alexisandtim.com

oneconvey.com

vanhavadurumu.com

perthshirescotland.com

xp666.ink

amywrightportfolio.com

teicoma.com

Targets

    • Target

      ea2729d917d24f794e57dc27a5edbb6d_JaffaCakes118

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Formbook payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks