Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

JaffaCakes...d0.exe

windows7-x64

7

JaffaCakes...d0.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_f3abcc954b5df6aab6332a634852d7d0

  • Size

    200KB

  • Sample

    250214-fc3bqstjes

  • MD5

    f3abcc954b5df6aab6332a634852d7d0

  • SHA1

    196d2ee0fe0a1c90c716efbb46e36b0583898161

  • SHA256

    02d752e92511281d36c2bb136ffd89ac0107949194871056080db4f223cf7a13

  • SHA512

    c6d8bf6010d1cc3a599056a7092cc2099081f044de7101eae32945f62c2b6c7de78282fffa9f3fe5a74d105001db2fdc6bac7a071f29ad766331fdf4a904c030

  • SSDEEP

    3072:FsRPRKyeIKDWx85IOlKeJVos/8eRwXiUUAdV95I4Rp+LH1xrl3Ez8ub8Xr7:FsRPRKdIKCC0ef//uXltKc+LVsz9b8

Score
10/10
isrstealeradwarediscoverypersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      JaffaCakes118_f3abcc954b5df6aab6332a634852d7d0

    • Size

      200KB

    • MD5

      f3abcc954b5df6aab6332a634852d7d0

    • SHA1

      196d2ee0fe0a1c90c716efbb46e36b0583898161

    • SHA256

      02d752e92511281d36c2bb136ffd89ac0107949194871056080db4f223cf7a13

    • SHA512

      c6d8bf6010d1cc3a599056a7092cc2099081f044de7101eae32945f62c2b6c7de78282fffa9f3fe5a74d105001db2fdc6bac7a071f29ad766331fdf4a904c030

    • SSDEEP

      3072:FsRPRKyeIKDWx85IOlKeJVos/8eRwXiUUAdV95I4Rp+LH1xrl3Ez8ub8Xr7:FsRPRKdIKCC0ef//uXltKc+LVsz9b8

    Score
    8/10
    discoveryspywarestealerupxadwarepersistenceprivilege_escalation

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks