Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
- Target: JaffaCakes118_09b252531de06bcfbb48725a7d42da46
- Size: 4.6MB
- Sample: 250122-ddqm8avjhv
- MD5: 09b252531de06bcfbb48725a7d42da46
- SHA1: ea8392c6b0ed31fbba097d4f3c70f48aaaa15630
- SHA256: 74310b3edcd4808325036511e2499f37ae642e740f41817db993099310280bac
- SHA512: deba8887eb6cdec0e30e2dafdfe5dc575ca439bec74f26e077fe2377d6e3d2f9ae6931f95b6ceebe0499a2d51be521d16d29a63967f4182dc74d589585b8f545
- SSDEEP: 49152:Qgrfs7FHahw1uYEUlZDxfOEKJMLvzBgnaBw9yzpJKaQcGGn/lN:
Static task
- static1
Behavioral task
- behavioral1
  Sample: JaffaCakes118_09b252531de06bcfbb48725a7d42da46.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: JaffaCakes118_09b252531de06bcfbb48725a7d42da46.exe
  Resource: win10v2004-20241007-en
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: pooppoop
Targets
- Target: JaffaCakes118_09b252531de06bcfbb48725a7d42da46
- Cybergate family
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Drops file in Drivers directory
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)