General

  • Target

    JaffaCakes118_634e63dda69c926af3b3b24e1defe501

  • Size

    409KB

  • Sample

    250102-hhh66aymby

  • MD5

    634e63dda69c926af3b3b24e1defe501

  • SHA1

    0d4bc8442c04bb445ec8f5d1342fd9ca2e03656e

  • SHA256

    b3c259b32cb52d11eff189f8ac5953a2a1b347d283c5a1fedb72deef1e49cde4

  • SHA512

    5573d3c203d5100cf5c4b35f51151fc93daa40a613a7cf53465046c056ba8e0c0b160efa7683c7381871003b9863be043921b0bd74b12056ba014e851462f19a

  • SSDEEP

    12288:uFr6E5VXruaazSj0dadFm070MZVkX2J5asdNAVun:u35ViaaWQda/NwmVk05asvcun

Malware Config

Targets

    • Target

      JaffaCakes118_634e63dda69c926af3b3b24e1defe501

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses legitimate cloud storage services to fetch its second stage, which is typically another malware family.

    • Modiloader family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools such as Wireshark or Fiddler that are commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs a command through powershell.exe.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory
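The registry-based signatures above (the two Run-key persistence entries, the VirtualBox, VMware Tools, BIOS and country-code checks, and the Wireshark/Fiddler lookup) each boil down to a well-known registry location and whether it is read or written. The script below, an added example that is not tria.ge's own code, maps constructed sandbox registry-API trace lines to those signature names and pulls out the Run-key entries an incident responder would remove. The trace line format is an assumption, and the Uninstall-key paths used for the Wireshark/Fiddler check are an assumed heuristic, not the sandbox's actual rule.

```python
"""Map sandbox registry-API trace lines to the behaviour signatures listed in
the report above.  Added example, not tria.ge code.  The trace format and the
Wireshark/Fiddler paths are assumptions; the other paths are the standard
registry locations behind each signature."""
import re
from typing import Dict, List, Tuple

# (signature name, operation class, pattern matched against the key path)
SIGNATURES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("Adds Run key to start application", "write",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)),
    ("Adds policy Run key to start application", "write",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I)),
    ("Looks for VirtualBox Guest Additions in registry", "read",
     re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I)),
    ("Looks for VMWare Tools registry key", "read",
     re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I)),
    ("Checks BIOS information in registry", "read",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I)),
    ("Checks computer location settings", "read",
     re.compile(r"\\Control Panel\\International\\Geo", re.I)),
    # Assumed heuristic: installed-product entries for the two tools.
    ("Checks for common network interception software", "read",
     re.compile(r"\\Uninstall\\(Wireshark|Fiddler)", re.I)),
]

WRITE_OPS = {"RegSetValueExW", "RegSetValueExA", "RegCreateKeyExW"}
READ_OPS = {"RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW"}

# Assumed trace format: "<pid> <api> <key path> [| <value name>[=<data>]]"
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>Reg\w+)\s+(?P<path>[^|]+?)(?:\s*\|\s*(?P<value>.*))?$")

# Constructed trace in the shape a sandbox API monitor emits; not real sample output.
SAMPLE_TRACE = r"""
3124 RegOpenKeyExW HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
3124 RegOpenKeyExW HKLM\SOFTWARE\VMware, Inc.\VMware Tools
3124 RegQueryValueExW HKLM\HARDWARE\DESCRIPTION\System\BIOS | SystemManufacturer
3124 RegQueryValueExW HKCU\Control Panel\International\Geo | Nation
3124 RegOpenKeyExW HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
3124 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Update=C:\Users\Public\Update.exe
3124 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Update=C:\Users\Public\Update.exe
3124 RegQueryValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Update
"""


def classify(trace: str) -> Dict[str, List[str]]:
    """Return {signature name: [matching trace lines]}.  A read of the Run key
    is deliberately not persistence: only writes to it count."""
    hits: Dict[str, List[str]] = {}
    for raw in trace.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        api, path = m.group("api"), m.group("path").strip()
        op = "write" if api in WRITE_OPS else "read" if api in READ_OPS else None
        if op is None:
            continue
        for name, wanted_op, pat in SIGNATURES:
            if op == wanted_op and pat.search(path):
                hits.setdefault(name, []).append(line)
    return hits


def persistence_entries(trace: str) -> List[Tuple[str, str, str]]:
    """(key, value name, data) for every Run / policy Run write: the concrete
    artefacts to remove during cleanup."""
    out: List[Tuple[str, str, str]] = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("api") not in WRITE_OPS or not m.group("value"):
            continue
        path = m.group("path").strip()
        if any(pat.search(path) for _, op, pat in SIGNATURES if op == "write"):
            value, _, data = m.group("value").partition("=")
            out.append((path, value.strip(), data.strip()))
    return out


if __name__ == "__main__":
    for name, lines in classify(SAMPLE_TRACE).items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
    print("persistence:", persistence_entries(SAMPLE_TRACE))
```

The policy Run key (HKCU\...\Policies\Explorer\Run) is worth treating as its own signature: it is honoured at logon like the ordinary Run key but is missed by tools that only enumerate the usual autostart locations, which is why the report lists it separately.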

MITRE ATT&CK Enterprise v15
