General

  • Target

    f643942efa7d97d1b4c11647f6b3aab1_JaffaCakes118

  • Size

    701KB

  • Sample

    240925-sch93s1frr

  • MD5

    f643942efa7d97d1b4c11647f6b3aab1

  • SHA1

    626fca231aff717034528e652c10b3e2bea090e8

  • SHA256

    c6a501bc242f79307d9f1499cbd72337e902928f1e6ead7dbc035d0a77aaec1c

  • SHA512

    c15269413e4f8b59f867e552e370a9bd46ab6d0ea8f52a017d8d23551e686eba6af22b4fa73b9dd2156206ad4e79376318fb1efc38d78ddabf7ef942ceed26c0

  • SSDEEP

    12288:RIwVpvmNp+nin+nin+niyMo38XEkQKL4hN3Iu4Cxtf7xSQAWNV+niu:R7jONp+in+in+iPo38X6Zb3IuNrTxS8P

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.chrismehat.com
  • Port:
    587
  • Username:
    kelly1@chrismehat.com
  • Password:
    gHd(;8F#)aHE

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
