General

  • Target

    JaffaCakes118_09b252531de06bcfbb48725a7d42da46

  • Size

    4.6MB

  • Sample

    250122-ddqm8avjhv

  • MD5

    09b252531de06bcfbb48725a7d42da46

  • SHA1

    ea8392c6b0ed31fbba097d4f3c70f48aaaa15630

  • SHA256

    74310b3edcd4808325036511e2499f37ae642e740f41817db993099310280bac

  • SHA512

    deba8887eb6cdec0e30e2dafdfe5dc575ca439bec74f26e077fe2377d6e3d2f9ae6931f95b6ceebe0499a2d51be521d16d29a63967f4182dc74d589585b8f545

  • SSDEEP

    49152:Qgrfs7FHahw1uYEUlZDxfOEKJMLvzBgnaBw9yzpJKaQcGGn/lN:

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    pooppoop

Targets

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • Cybergate family

    • Adds policy Run key to start application

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops file in Drivers directory

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

MITRE ATT&CK Enterprise v15

Tasks