Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    07/01/2025, 21:35

General

  • Target

    JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f

  • Size

    2.7MB

  • MD5

    7a9d83a1af4a72c8f4f3acdfe39e445f

  • SHA1

    93202614e194352633aafe3a4cd46f75aeafe4d6

  • SHA256

    05448a71894d641cfe3c4ad2797077433307ef092d6f3da1082806a129583efb

  • SHA512

    c179295b7825a0fd24dd1fa3f75e7b9081b675ab67fc9d12717ba95a5b6c30d0f246a672b565351469e1672acb260fa8648b3e59d0c0c209c9fb19cff2f07caa

  • SSDEEP

    49152:stm70wqFk+DowagvqTdxi1sK5UGmgck/b5FRGGdLaEF9An2R1yhVf:stm7VQkMZ7gRqUPgcM5FvaqyhVf

Malware Config

Extracted

Family

stealthworker

Signatures

  • StealthWorker

    StealthWorker is Golang-based brute-force malware.

  • Stealthworker family
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that may indicate the system is a virtual machine.

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
    /tmp/JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
    1⤵
    • Reads runtime system information
    • Writes file to tmp directory
    PID:2819
    • /usr/bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:2824
    • /usr/bin/cat
      cat /proc/cpuinfo
      2⤵
      • Checks CPU configuration
      PID:2826
    • /usr/bin/uname
      uname -a
      2⤵
      PID:2827
    • /usr/bin/getconf
      getconf LONG_BIT
      2⤵
      PID:2829
    • /tmp/JaffaCakes118_7a9d83a1af4a72c8f4f3acdfe39e445f
      "[stealth]"
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:2830
      • /usr/bin/cat
        cat /proc/version
        3⤵
        • Reads runtime system information
        PID:2837
      • /usr/bin/cat
        cat /proc/cpuinfo
        3⤵
        • Checks CPU configuration
        PID:2839
      • /usr/bin/uname
        uname -a
        3⤵
        PID:2841
      • /usr/bin/getconf
        getconf LONG_BIT
        3⤵
        PID:2842
      • /usr/bin/crontab
        /usr/bin/crontab /tmp/nip9iNeiph5chee
        3⤵
        • Creates/modifies Cron job
        • System Network Configuration Discovery
        PID:2843

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.pid
    Filesize: 4B
    MD5: 0738069b244a1c43c83112b735140a16
    SHA1: 371822d2fa85504960f9581cfaeae6e7059bab61
    SHA256: c6637ffab46701f1f145156dafcd21176a85a95c0f5ab71eecb03d15899efd05
    SHA512: b3c23981c3eecd7f527dfa49958aa6f32a30d88ee1675cf7d7d233cfba2620bfea8ff18ac7d6b337d34e6f5f4b14dda0e5af01937e02bc224dd678e788714242

  • /tmp/nip9iNeiph5chee
    Filesize: 80B
    MD5: fb9dae132cb60aa445373d12cd678b19
    SHA1: 40afa063d5401201ee2f3cfada33b724c846ebfc
    SHA256: af2fc048cdb260afeb9ea374c620a39ad1bee29eee7e361d7f648eff3b8c5540
    SHA512: f0dea792eb947b60ad0ed1685bcd3a78914996b2b5d08be4b85ce76c4f1bbb755a24fbe4f111ba0e34acb8dfb859745e34fe9a16c7d985ea3b582dc89d3fe158

  • /var/spool/cron/crontabs/tmp.YALe0c
    Filesize: 274B
    MD5: 8b1c6d7ab80ffb9e766486cf711667d3
    SHA1: 2245988199c8e749d0f67ac2ac41151d8c72deb4
    SHA256: d9b43781857054defad7e79fa91f74f262cc62efb51982d0b6dec36ead9b5f36
    SHA512: 9d97d0068209c0d41f82b18117e64c167c53248c0b9239a9fb570ac3aab01bb61c9775a95a7c2a124a6382f508acd74ca0dee361133b2a8a708b7aafc1e51b51