Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd
-
Size
608KB
-
Sample
250123-jdgcfazjdt
-
MD5
15040e3948d3698515f8aeb59ec41ebd
-
SHA1
3e106304a9ed54ec20af8addcda0ca6b4ed258ce
-
SHA256
4499816b1494243ba7d05c7332d7eaabc2942af222ae3bd44a1fe62cfd94e66c
-
SHA512
4ad460baba45b8c15b455e0b2a204ebd803f5d30c1cfdb655061a60f04967cc26748f22e2f6eeed7749c37c3ef96e92ae0b400c596d99f9647cd9e068a76f95c
-
SSDEEP
12288:mBYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:mqF6+ydroLrJ6vKVgkUb
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd.exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
JaffaCakes118_15040e3948d3698515f8aeb59ec41ebd
-
Size
608KB
-
MD5
15040e3948d3698515f8aeb59ec41ebd
-
SHA1
3e106304a9ed54ec20af8addcda0ca6b4ed258ce
-
SHA256
4499816b1494243ba7d05c7332d7eaabc2942af222ae3bd44a1fe62cfd94e66c
-
SHA512
4ad460baba45b8c15b455e0b2a204ebd803f5d30c1cfdb655061a60f04967cc26748f22e2f6eeed7749c37c3ef96e92ae0b400c596d99f9647cd9e068a76f95c
-
SSDEEP
12288:mBYDZJr1E+3JcdrXxE3Vq4Vcim38bJ6vKDn5gcPUbjC:mqF6+ydroLrJ6vKVgkUb
-
Cycbot family
-
Detects Cycbot payload
Cycbot is a backdoor and trojan written in C++.
-
Modifies security service
-
Modifies visiblity of hidden/system files in Explorer
-
Pony family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Disables taskbar notifications via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3