General

  • Target

    ec7367b9beb277067a569bccabc5ad93_JaffaCakes118

  • Size

    750KB

  • Sample

    240920-aepwjaybmf

  • MD5

    ec7367b9beb277067a569bccabc5ad93

  • SHA1

    92155ec04724b64fe833cc16b2d5c6e6e44d6a81

  • SHA256

    25b053a977a63f13c383b7e3de256e5c20ea50524325211e8d1ee415bdbe5671

  • SHA512

    2bde97416c5f008811e406d36ba74f616500132e70e3f8b806d4af30b6b3f2182a86471049e17663c43bb21c1aebb9e4bbacd33d7bc29884900589f3f5bc1a4a

  • SSDEEP

    12288:G/XajMQHg/CBwuO5fO0xLoeIFxMnFth2/SqT3wUCkAvu5LEzjKCQ4ifhqGsPgayJ:G/XaIbOOqF2nLY/Sq1CkAGYjK54TH

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.caisvn.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    PTVXgsM4

Targets

    • Target

      ec7367b9beb277067a569bccabc5ad93_JaffaCakes118

    • Size

      750KB

    • MD5

      ec7367b9beb277067a569bccabc5ad93

    • SHA1

      92155ec04724b64fe833cc16b2d5c6e6e44d6a81

    • SHA256

      25b053a977a63f13c383b7e3de256e5c20ea50524325211e8d1ee415bdbe5671

    • SHA512

      2bde97416c5f008811e406d36ba74f616500132e70e3f8b806d4af30b6b3f2182a86471049e17663c43bb21c1aebb9e4bbacd33d7bc29884900589f3f5bc1a4a

    • SSDEEP

      12288:G/XajMQHg/CBwuO5fO0xLoeIFxMnFth2/SqT3wUCkAvu5LEzjKCQ4ifhqGsPgayJ:G/XaIbOOqF2nLY/Sq1CkAGYjK54TH

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks