Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
6521f113d1087cab8fae09a384994dc9_JaffaCakes118
-
Size
356KB
-
Sample
241021-b8lawasfkc
-
MD5
6521f113d1087cab8fae09a384994dc9
-
SHA1
33a69cefcb6c699e15c7761501341c2b37c8f76b
-
SHA256
68134bc5a946b5d3b0a13151bf6c98b7980336a8bd0668c082c21405af80dc00
-
SHA512
d852bdb68d0b500df4a4916a16713c649375e346a89886ed70ca71942b503c2bac41201b43fc60500aa9b0258f4054337fe0e3688bb3512c273e8a439ba88e28
-
SSDEEP
6144:D5KfGcaskPkRYkszNGfpMaapkcHvXj6h+sHtCFKxiroHcCzVmgL/CmEM2yXeJ7MN:DEfGcAgDqoazpTHeh+sHtC9yoItmE
Static task
static1
Behavioral task
behavioral1
Sample
6521f113d1087cab8fae09a384994dc9_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6521f113d1087cab8fae09a384994dc9_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\+-HELP-RECOVER-+nipto-+.txt
http://vewrb.italisumo.at/D89BE53E1CCD74
http://gwbak.nickymaru.com/D89BE53E1CCD74
http://irudhkunrlfu25fhkaqw34blr5qlby4tgq43t.orrisbirth.com/D89BE53E1CCD74
http://k7tlx3ghr3m4n2tu.onion/D89BE53E1CCD74
Extracted
C:\Program Files\7-Zip\Lang\+-HELP-RECOVER-+qmdop-+.txt
http://vewrb.italisumo.at/67A2C1CD43BD6FE
http://gwbak.nickymaru.com/67A2C1CD43BD6FE
http://irudhkunrlfu25fhkaqw34blr5qlby4tgq43t.orrisbirth.com/67A2C1CD43BD6FE
http://k7tlx3ghr3m4n2tu.onion/67A2C1CD43BD6FE
Targets
-
-
Target
6521f113d1087cab8fae09a384994dc9_JaffaCakes118
-
Size
356KB
-
MD5
6521f113d1087cab8fae09a384994dc9
-
SHA1
33a69cefcb6c699e15c7761501341c2b37c8f76b
-
SHA256
68134bc5a946b5d3b0a13151bf6c98b7980336a8bd0668c082c21405af80dc00
-
SHA512
d852bdb68d0b500df4a4916a16713c649375e346a89886ed70ca71942b503c2bac41201b43fc60500aa9b0258f4054337fe0e3688bb3512c273e8a439ba88e28
-
SSDEEP
6144:D5KfGcaskPkRYkszNGfpMaapkcHvXj6h+sHtCFKxiroHcCzVmgL/CmEM2yXeJ7MN:DEfGcAgDqoazpTHeh+sHtC9yoItmE
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1