Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    1173ca30d76e1993380712b278b6a109_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241004-cwy7mszbml

  • MD5

    1173ca30d76e1993380712b278b6a109

  • SHA1

    b064d00b7c7ac33f0b329421412a5a59a24af92c

  • SHA256

    c6133d9ed21a03bf391b5428aa4af7702fa7704e4939f43d526a8fcba25a7874

  • SHA512

    a698bf539217e56abf3a5b6c810f903526176a8bf6950af6efd6bc4a251cb63e4f34fb6d1064ce8801fa384a39cfc11d0c3f920323397b84b6f7583aea86169e

  • SSDEEP

    24576:vSHZa/h/B9MNjFho70L14GmSKnXJQT0OXQsiN7f:vSHZVhr+0LBKnXJ/OXQlh

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.spamora.net
  • Port:
    587
  • Username:
    account@jiqdyi.com
  • Password:
    Emotion22

Targets

    • Target

      1173ca30d76e1993380712b278b6a109_JaffaCakes118

    • Size

      1.1MB

    • MD5

      1173ca30d76e1993380712b278b6a109

    • SHA1

      b064d00b7c7ac33f0b329421412a5a59a24af92c

    • SHA256

      c6133d9ed21a03bf391b5428aa4af7702fa7704e4939f43d526a8fcba25a7874

    • SHA512

      a698bf539217e56abf3a5b6c810f903526176a8bf6950af6efd6bc4a251cb63e4f34fb6d1064ce8801fa384a39cfc11d0c3f920323397b84b6f7583aea86169e

    • SSDEEP

      24576:vSHZa/h/B9MNjFho70L14GmSKnXJQT0OXQsiN7f:vSHZVhr+0LBKnXJ/OXQlh

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • AgentTesla payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.