Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    JaffaCakes118_1ae2e78d2b430f6611846c820d19d627

  • Size

    515KB

  • Sample

    250106-k5ehlasngx

  • MD5

    1ae2e78d2b430f6611846c820d19d627

  • SHA1

    2034c7970065c117a663b7a009d5f0c555857234

  • SHA256

    96ee59d995670b53d0049b7f763381428b19f87d919b83e1bcdebac90e9846d0

  • SHA512

    d9d781b1a31a90900fa3ec99f084c46294e25dfc147f5361107b1dd64b656d9e2e1d5440d5864207479cf8fadf41c04b8a4df97a17f1837f924a3203143a1e8c

  • SSDEEP

    12288:hJUi2iN199w2+Fzp5gMqDQb1mnpM1FzyLz6qK:hJUi1V9w265gMj1mnpM1Fzqzx

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.davaobay.com.ph
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    p@ssw0rd

Targets

    • Target

      JaffaCakes118_1ae2e78d2b430f6611846c820d19d627

    • Size

      515KB

    • MD5

      1ae2e78d2b430f6611846c820d19d627

    • SHA1

      2034c7970065c117a663b7a009d5f0c555857234

    • SHA256

      96ee59d995670b53d0049b7f763381428b19f87d919b83e1bcdebac90e9846d0

    • SHA512

      d9d781b1a31a90900fa3ec99f084c46294e25dfc147f5361107b1dd64b656d9e2e1d5440d5864207479cf8fadf41c04b8a4df97a17f1837f924a3203143a1e8c

    • SSDEEP

      12288:hJUi2iN199w2+Fzp5gMqDQb1mnpM1FzyLz6qK:hJUi1V9w265gMj1mnpM1Fzqzx

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • AgentTesla payload

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks