General

  • Target

    JaffaCakes118_1501f2ea21bf8b38b5ad8bd8219bec31

  • Size

    10.3MB

  • Sample

    250221-y2a8nazkhq

  • MD5

    1501f2ea21bf8b38b5ad8bd8219bec31

  • SHA1

    6f6d7764d59ec02b07b0c071035bee58795efc02

  • SHA256

    8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22

  • SHA512

    8a284124c51a0eb7ca23b7f75bce07219e9007af08280ccb34e7bf2aa021c7e3fc335daa85fec673872750bb1acafe8e34121046d3dcd85dd3ce97ded33a3671

  • SSDEEP

    196608:3ivEfavbRmnlDv6/Nyrcta3tMxOMhwA+rdo+nEbJAY6k4aY:1fWdC6KWQMx+Ro+eHP4X
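As an added example (not code from the report or from tria.ge), the script below checks a local copy of the sample or of a dropped file against the hashes listed on this page and parses the PE section table to flag the UPX section layout that the sandbox reports on hao123inst-taiwan.exe and v9fft.exe further down. The hash table is copied from the report; the minimal PE builder exists only to give the script an offline fixture and does not produce a runnable executable.

```python
"""Check files against the hashes in the report and flag UPX-style section names.
Added example, not code from the report or from tria.ge."""
import hashlib
import struct
from pathlib import Path

# Hashes copied from the report: the submitted sample and one dropped file the
# sandbox tagged "UPX packed file". SSDEEP is omitted (it needs the ssdeep module).
REPORT_HASHES = {
    "JaffaCakes118_1501f2ea21bf8b38b5ad8bd8219bec31": {
        "md5": "1501f2ea21bf8b38b5ad8bd8219bec31",
        "sha1": "6f6d7764d59ec02b07b0c071035bee58795efc02",
        "sha256": "8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22",
    },
    "$PLUGINSDIR/hao123inst-taiwan.exe": {
        "md5": "efd47a079976283cde2a1f9547689cde",
        "sha1": "9f90940372c37d7d4125774190efcd5c8263a2c6",
        "sha256": "4c52fc7d54f3b4cb1b4e7bcc66a778e9c704211f8406f382cfbb541db42398a1",
    },
}


def compute_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a blob as lower-case hex, the algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def verify_hashes(data: bytes, expected: dict) -> list:
    """Names of the algorithms whose digest does not match `expected`; [] means verified."""
    actual = compute_hashes(data)
    return [alg for alg, digest in expected.items() if actual.get(alg) != digest.lower()]


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table; [] when the blob is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 (UPX2 on some builds) and modified builds
    often keep the prefix. A renamed section defeats this, so treat a hit as a lead."""
    return any(n.lstrip(".").upper().startswith("UPX") for n in pe_section_names(data))


def triage_file(path: str, report_name: str = None) -> dict:
    """Hash a file on disk, compare it with the report entry named `report_name`,
    and record its section layout."""
    data = Path(path).read_bytes()
    expected = REPORT_HASHES.get(report_name, {})
    return {"file": path, "hashes": compute_hashes(data),
            "mismatched": verify_hashes(data, expected) if expected else None,
            "sections": pe_section_names(data), "upx": looks_upx_packed(data)}


def build_minimal_pe(section_names) -> bytes:
    """Constructed fixture: MZ stub, PE signature, COFF header with no optional
    header, and one 40-byte section header per name. Not a runnable executable."""
    img = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    for name in section_names:
        img += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
    return bytes(img)


if __name__ == "__main__":
    fixture = build_minimal_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(fixture), looks_upx_packed(fixture))
    # Real use: triage_file(r"C:\cases\hao123inst-taiwan.exe", "$PLUGINSDIR/hao123inst-taiwan.exe")
```

A mismatch on any algorithm means the file on disk is not the one the sandbox analysed, so stop and re-acquire it before reading the behavioural findings into it.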

Malware Config

Targets

    • Target

      JaffaCakes118_1501f2ea21bf8b38b5ad8bd8219bec31

    • Size

      10.3MB

    • MD5

      1501f2ea21bf8b38b5ad8bd8219bec31

    • SHA1

      6f6d7764d59ec02b07b0c071035bee58795efc02

    • SHA256

      8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22

    • SHA512

      8a284124c51a0eb7ca23b7f75bce07219e9007af08280ccb34e7bf2aa021c7e3fc335daa85fec673872750bb1acafe8e34121046d3dcd85dd3ce97ded33a3671

    • SSDEEP

      196608:3ivEfavbRmnlDv6/Nyrcta3tMxOMhwA+rdo+nEbJAY6k4aY:1fWdC6KWQMx+Ro+eHP4X

    • Score

      3/10
    • Target

      $PLUGINSDIR/AdvSplash.dll

    • Size

      6KB

    • MD5

      a1bba35c752b36f575350cb7ddf238e4

    • SHA1

      9603b691ae71d4fbc7a14dbb837bd97cecac8aab

    • SHA256

      0667863d71a3021ab844069b6dd0485f874bf638af478ab11c6fb8b7d6c834b6

    • SHA512

      eb5d3498dd994bec42a437cf91343665d3c35bfe3f6277a7393af6a0b8348772c3166d9be48955edddf6ef79fa508ec8d4f96d7d5df37ecdc52c90042e0a2967

    • SSDEEP

      96:6ONSXIcmYjkvTS6MnBNZ1BMjDfhkkEkkXstWpiwoS:sXIpzTSd1BSk/kJtWpi

    • Score

      3/10
    • Target

      $PLUGINSDIR/Baidu-TB-ASBar.exe

    • Size

      1.3MB

    • MD5

      d848ef0636ea49d340f074f939db817b

    • SHA1

      56a9d762d288ab173b7bfd42c9902e12b673bdb7

    • SHA256

      c91716ba6dd14b67c3ccd797ac90a07f535b9d1db9a2a58c20738c791bc793ba

    • SHA512

      6117d668f40bc468e20cd93527435858c23557ef24947ed8fe7206db4b02a34eaa0b37a1f3d3897057b74bec23d784b1f462faf2027e007ba52b503269b5cbc5

    • SSDEEP

      24576:Q2kD39pDYvFHvnLdktGrNX8syDaOmQuHYwRjXq8kWfPRwxVdBwQOOTG8Yz:Q2kLfYvFvnBFBXIgpRD/kWfPRYVMYTGB

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target

      $PROGRAM_FILES/Baidu/ASBarBroker.exe

    • Size

      129KB

    • MD5

      74f5e70ef8ed469759474c64ac6fd35b

    • SHA1

      ff52fa0039c835bf78356dc87ba1390e7e4dafe5

    • SHA256

      d7a15f7a7c8e48876aebf99056d212e57c7c1c250be7f61a96e44b0161f27da2

    • SHA512

      a528b1d17d1dfe54d46decd7b553f090d1372a30528aa88ce74eb6b4ede20a9f0f247cd1785c956d33dd0c4b7d776b6fc1e052ba3da99db1548ba7f4ba4ade8e

    • SSDEEP

      1536:v+4yiwujgLVFsP+TCwXCqm5vb+cNCZkBfT3ol9t7tG2Tn+dZ7nzrNPTJdSnaxCC:XdwusDXUfvbhNCool9t7tG2TaJz9ma7

    • Score

      3/10
    • Target

      $PROGRAM_FILES/Baidu/AddressBar.dll

    • Size

      1.1MB

    • MD5

      1650515a849b044871bd0703ebc87ff1

    • SHA1

      fa99046655efcf31bc8df831bfef9ee0c94b070a

    • SHA256

      d0b8a57c604cd89a37fbe6e56412ed9a4bdf04b61d16300f4409167a76206b85

    • SHA512

      3593716fd0c4a56ac0e7ef92803b3553ad94c2abd7d547939004af804f00b60a7bec890aaa51810f6fc42c2b182daf20109a4548c66231d87307321d12a9951c

    • SSDEEP

      24576:MENcJTZKFYkO5EmrWeYGd+9aBzm9PCRUjJ5C/sp5AtTWcTTswxGAk:MENcJTZKFYn59WeHd+q05KTWITswxGAk

    • Executes dropped EXE

    • Loads dropped DLL

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target

      $PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll

    • Size

      2.7MB

    • MD5

      9929bf8efb3087a1a832fc09ac97bef4

    • SHA1

      4df24505648dec56488d68cd1ce5265c4c31e5bb

    • SHA256

      2867243b3b6584986098d5e5f921f2dff5dfe5fe605725b263371bc8ff3fa279

    • SHA512

      a172e659ac803bf8ed260af80caf6e94ab076e6759a8f77e30e0cf8dd99fb0db690db7b0656bfeb3bae324082665d6ca219d775591df988f90be0d5633054cdb

    • SSDEEP

      49152:5WiPPqsRfBqN7+PBHWNUhDGJRmO+HJT99zxy+BQ9AwiTgTnklMV:5W+qsdBqN7+PBHWNUyJRDw9EUQ9Au

    • Executes dropped EXE

    • Loads dropped DLL

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target

      $PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe

    • Size

      232KB

    • MD5

      6b224c78c4b3433e754676dfab012142

    • SHA1

      0ef3ad9248de0f4cef24ff110c87157c8433cc83

    • SHA256

      567ea2b8aee289f74b5affd5ff6e22ca0fd68d03071670ae060359fc5dae2e88

    • SHA512

      9561fa4efe992781a5692c7da7eb9b765668b7592f41417c3de9e1841f8e85f6dfc3fcd0233842489da54157c81c31211123bda45798539efa696f8cae6149d7

    • SSDEEP

      3072:oKoVLlXnf4rgYVKC6kB31Z+Q2Kbxp92fE+3yTBfF+LBLHxTt5eGzJz9Nbd:oKQFf47wrqLlbxCj3yTBtmxXeid

    • Score

      3/10
    • Target

      $PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll

    • Size

      496KB

    • MD5

      51e4f617d2ad241171f437001565ac71

    • SHA1

      1af01b7428e3493825451980e25306941ca50e31

    • SHA256

      ca30dd00c9586efc075376c4b53fdcc2dcee6c1ad3ee83eb8f801e95d1dd250a

    • SHA512

      93044c79020a710dc85a848fef030084b41e12334492e7a11973107c7d79e352c1ea7b9f8fc0f116d5fce341cb6d3317acd4fa8fb5396765cc3724773f571e6f

    • SSDEEP

      3072:/XWheB5tzYw0c8WOWHxtXbDukGzcCORpFRcjoI6XI0VnEGcIVQ20PUG7dcliVs1E:fmSfukGzcCORpFZW2097dVGbdrVnWa2N

    • Score

      3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      00a0194c20ee912257df53bfe258ee4a

    • SHA1

      d7b4e319bc5119024690dc8230b9cc919b1b86b2

    • SHA256

      dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    • SHA512

      3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

    • SSDEEP

      192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw

    • Score

      3/10
    • Target

      $PLUGINSDIR/hao123inst-egypt.exe

    • Size

      1.2MB

    • MD5

      c1392f10fbeafb4c15693add92e92961

    • SHA1

      24eacadaf8910146b00a3b6146fad19e11bff03b

    • SHA256

      051af720d19a480a6e54beadcf3947ec08ac555bdff69a477478ecfe97ba0ba0

    • SHA512

      a41a3a2681861af7b06c6ead0c8a5b73210d72d6cfc283ac1c9316a3205f47192a6c737a33ff9c44c554b4ff95b68474cf9fa5e28df1c531fb5cd7337816c353

    • SSDEEP

      24576:Z/vxuUOf5Hl2lHwJ4PEZB4gbZLPEZo74gbZm:ZHqf55IEZB4gbZzEZC4gbZm

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      $PLUGINSDIR/hao123inst-japan.exe

    • Size

      776KB

    • MD5

      35216cfcfcdfd7c2df84804ed69fdcfd

    • SHA1

      34d77a23aa7c7648948e4bfab31f33f517a785dc

    • SHA256

      a2157e3cf367d84dac8847bf2f20d32e1a420ddf297d879fa06113e08f9fc6dd

    • SHA512

      385d4b10c29c35b0b933f3dcf02e269e784f01e4836e6e1c9d60536cc7c30afb15bf5a70cfeaa4f2d1ec02e12c174d21c4924a02fabf3774f6f9834ca913a2c8

    • SSDEEP

      24576:f1Du4E0/zuFrHQR0pFGFbPEZB4gbZTkz74gbZg:dDFzuEDEZB4gbZY34gbZg

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      $PLUGINSDIR/hao123inst-taiwan.exe

    • Size

      305KB

    • MD5

      efd47a079976283cde2a1f9547689cde

    • SHA1

      9f90940372c37d7d4125774190efcd5c8263a2c6

    • SHA256

      4c52fc7d54f3b4cb1b4e7bcc66a778e9c704211f8406f382cfbb541db42398a1

    • SHA512

      47fac55eb2bd937692048ceebaf5da8d1b72e9d7e6954c51082d2b753039a2c00a82c5db04d7216c412b4376e6da7126662e3f7e6734008333d6840b28301a53

    • SSDEEP

      6144:gjbTUh/hQXxBvQ0utY3jNp1NZEE/1rEpYANhWx:gzGQXDo0utIjNHNqGrEKChc

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $PLUGINSDIR/hao123inst.exe

    • Size

      880KB

    • MD5

      c374143d357ed3f438a9709449fbe10a

    • SHA1

      e5a3c100d2d0fd94482783af2b2ff94cdfc9923f

    • SHA256

      4397adaca2f86760f6d635c69c5ebb46e8ef4a1be79d303895c57fa9a519cf5d

    • SHA512

      5701c9ae34c1cfa53e71e514ab27e537fdaeb1ff3d87e38339648c31a6961bfca4bfa929fd41e62b9955ac24c65b6ef76c5381ef4111527d0a54fa01f5b5be16

    • SSDEEP

      12288:uv9tt9VhNZOTeNjx8P7D164gbZB2Ttm0m6UT8333mG33333m5G333mG33333mPjR:StzNZORP7564gbZIKP7564gbZXe

    • Score

      7/10
    • Loads dropped DLL

    • Target

      $PLUGINSDIR/v9fft.exe

    • Size

      1.7MB

    • MD5

      1d05817fe02a8f9c077d2429c7cfdcf6

    • SHA1

      eb0acb51721e9a5ecad7b686d301e784824344bd

    • SHA256

      95fb369cba9b5d35630e253253cd62762440125243329adc1f3c267d56ba499e

    • SHA512

      9bed5e93767cad1c4088b8c7180d61973a6c8b8353d0f59717689903affa88e353ffaf4fc5eda5903f2272a98dce69da252db8064c28176a7e704ea22f459e95

    • SSDEEP

      24576:3F19ad/7Dz78CTrDMJdZCSmwdxY2MaugVXyDANT4KoRFoRfMdM+i6Vp1kT:lADzgCTqZCRyxpXesdGPVzkT

    • Panda Stealer payload

    • PandaStealer

      Panda Stealer is a fork of CollectorProject Stealer written in C++.

    • Pandastealer family

    • Executes dropped EXE

    • Loads dropped DLL

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      $TEMP/AskPIP_FF_.exe

    • Size

      765KB

    • MD5

      b3a840e05f27dc6ae773a5d622bfa994

    • SHA1

      304a3b9c9a3c02079f43ed1f65fdfd64a5f32802

    • SHA256

      5fef00dda21fe6cb878868fccb5aec0cc3ea25a93b096b17d0cf9ffeb235e60c

    • SHA512

      ea3861b33e2d2f961c94736867cdc7d3bbaeef454acfc81727f0c9f659d589a00ef30632c67110459df802e84fd184265da2a18ac31e0595624d349717164e8d

    • SSDEEP

      12288:A2uKx2KF6JauMvbCH0U++0DtsZSgRx/ko0xtM5b/NKv1XK5fkzwq6NPd9BMDHR2v:Aex2KMJauMvvJ+0D7o0TM5b/NKv1GsEH

    • Score

      3/10
    • Target

      $TEMP/AskToolbarTemp/ApnIC.dll

    • Size

      208KB

    • MD5

      687dcb2ca77eca83497086335c9710f9

    • SHA1

      7de60a3aeac96f7fa559d468d852fbdda731391f

    • SHA256

      caeb83fae060030e9d722b79b379e357474289547df736697072399fab1b0f8c

    • SHA512

      ef755a63681fafeb58d2a2359091681af1e6f710da2f2d886ecf3ce58e521e3b76771b519b1c90bbf4879322b7bfe761cb8364e7c932669d81795836c5d771cb

    • SSDEEP

      3072:Omm6F1MBYDqRgekmafnkUo+4ssaMIFo+NzanQT73IRwfyR5gpo6b9:OmmQ1TqRgeFCkUasOjEzaQTLjek

    • Blocklisted process makes network request

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.
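Several of the signatures above are registry lookups: the Uninstall-key enumeration ("Checks installed software"), the Browser Helper Object registration, and the country-code read ("Checks computer location settings"). As an added example, not code from the report, the script below does the analyst-side version of those lookups offline against a `reg export` dump taken from the analysis VM: it lists each registered BHO with the DLL its CLSID resolves to, enumerates Uninstall entries, and reads the Geo\Nation value. The registry text and the CLSID in it are constructed for the demo; the key paths are the real ones.

```python
r"""Offline triage of a `reg export` dump: Browser Helper Objects and the DLL each
loads, Uninstall entries, and the HKCU Control Panel\International\Geo\Nation code.
Added example, not code from the report; SAMPLE_REG and its CLSID are constructed."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Baidu AddressBar"
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Baidu\\AddressBar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Baidu Toolbar]
"DisplayName"="Baidu Toolbar"
"UninstallString"="C:\\Program Files\\Baidu\\Toolbar\\uninst.exe"

[HKEY_CURRENT_USER\Control Panel\International\Geo]
"Nation"="244"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

# Where Internet Explorer looks for BHOs, where their CLSIDs resolve, and where
# installers register themselves. Paths are compared lower-case.
BHO_ROOTS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects",
    r"hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects",
)
CLSID_ROOTS = (
    r"hkey_classes_root\clsid",
    r"hkey_local_machine\software\classes\clsid",
    r"hkey_local_machine\software\classes\wow6432node\clsid",
    r"hkey_local_machine\software\wow6432node\classes\clsid",
)
UNINSTALL_ROOTS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\uninstall",
    r"hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\uninstall",
    r"hkey_current_user\software\microsoft\windows\currentversion\uninstall",
)
GEO_KEY = r"hkey_current_user\control panel\international\geo"


def _decode(raw: str):
    """Quoted strings (with \\ and \" escapes) and dword: values; anything else stays raw text."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> dict:
    """{key path (lower-case): {value name (lower-case, '' is the default value): value}}.
    Multi-line hex: continuations are not joined; they are rare in the keys used here."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            hive.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            hive[current][name.lower()] = _decode(m.group(3))
    return hive


def _direct_children(hive: dict, root: str):
    """Yield (leaf name, values) for keys exactly one level below `root`."""
    depth = root.count("\\") + 1
    for key, values in hive.items():
        if key.startswith(root + "\\") and key.count("\\") == depth:
            yield key.rsplit("\\", 1)[1], values


def find_bhos(hive: dict) -> list:
    """Every registered BHO, resolved through its CLSID InprocServer32 default value to a DLL.
    dll=None means the CLSID never resolved, which is itself worth a look."""
    found = []
    for root in BHO_ROOTS:
        for clsid, values in _direct_children(hive, root):
            dll = None
            for croot in CLSID_ROOTS:
                dll = hive.get(f"{croot}\\{clsid}\\inprocserver32", {}).get("")
                if dll:
                    break
            found.append({"clsid": clsid, "name": values.get("", ""), "dll": dll,
                          "no_explorer": bool(values.get("noexplorer", 0))})
    return found


def installed_software(hive: dict) -> list:
    """Uninstall-key entries: the same data the sample reads for its installed-software check."""
    return [{"key": leaf, "display_name": v.get("displayname"), "uninstall": v.get("uninstallstring")}
            for root in UNINSTALL_ROOTS for leaf, v in _direct_children(hive, root)]


def geo_nation(hive: dict):
    """GEOID string the location check reads; map it with Microsoft's GEOID table."""
    return hive.get(GEO_KEY, {}).get("nation")


if __name__ == "__main__":
    # Real use: parse_reg_export(open("dump.reg", encoding="utf-16").read()), since
    # reg.exe writes UTF-16LE with a BOM.
    hive = parse_reg_export(SAMPLE_REG)
    for bho in find_bhos(hive):
        print("BHO", bho["clsid"], repr(bho["name"]), "->", bho["dll"])
    for sw in installed_software(hive):
        print("Installed:", sw["display_name"])
    print("Geo\\Nation =", geo_nation(hive))
```

Export the keys before and after detonation and diff the two outputs; a BHO whose DLL sits under the path the report lists for AddressBar.dll or BaiduBarX.dll is the registration this sample makes.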
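The "Writes to the Master Boot Record (MBR)" signature on v9fft.exe is the one finding here that outlives a reinstall of the guest, so it is worth verifying on disk rather than trusting the tag. As an added example, not code from the report, the script below parses a 512-byte MBR, checks the 0x55AA signature and the partition table, and compares the 440 bytes of boot code against a baseline hash taken before detonation. The boot-code bytes and the "tampered" variant are constructed stand-ins; nothing here reproduces what the sample actually writes.

```python
"""Parse a 512-byte MBR and compare it with a pre-detonation baseline.
Added example, not code from the report; all MBR bytes below are constructed."""
import hashlib
import struct
from typing import NamedTuple

BOOT_CODE_LEN = 440       # bytes 0..439: boot code, the part a bootkit overwrites
DISK_SIG_OFF = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


class Partition(NamedTuple):
    index: int
    active: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list:
    """Decode the four entries; status byte, type, LBA start and length (CHS fields skipped)."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Findings as strings; an empty list means the MBR matches the baseline and is sane."""
    if len(mbr) < 512:
        return ["short read: MBR must be 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("empty partition table")
    if sum(p.active for p in parts) > 1:
        findings.append("more than one active partition")
    for p in parts:
        if p.lba_start == 0 or p.sector_count == 0:
            findings.append(f"partition {p.index} has zero start or length")
    return findings


def read_mbr(path: str) -> bytes:
    """First sector of a disk or image: \\\\.\\PhysicalDrive0 on Windows (as
    administrator), /dev/sda or a raw image file elsewhere."""
    with open(path, "rb") as f:
        return f.read(512)


def build_mbr(boot_code: bytes, partitions: list, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a constructed MBR for testing."""
    mbr = bytearray(512)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for p in partitions:
        struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * p.index,
                         0x80 if p.active else 0, p.type_id, p.lba_start, p.sector_count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed fixtures: a conventional real-mode prologue (xor ax,ax; mov ss,ax;
# mov sp,7c00; mov es,ax; mov ds,ax) standing in for the clean loader, and a
# variant whose first bytes were replaced, standing in for a bootkit hook.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
TAMPERED_BOOT_CODE = bytes.fromhex("eb3e90") + CLEAN_BOOT_CODE[3:]
PARTITIONS = [Partition(0, True, 0x07, 2048, 204800)]     # one NTFS partition at LBA 2048
# In real use the baseline comes from the golden image or the host before detonation.
BASELINE_SHA256 = boot_code_hash(build_mbr(CLEAN_BOOT_CODE, PARTITIONS))


if __name__ == "__main__":
    print("clean:   ", check_mbr(build_mbr(CLEAN_BOOT_CODE, PARTITIONS), BASELINE_SHA256))
    print("tampered:", check_mbr(build_mbr(TAMPERED_BOOT_CODE, PARTITIONS), BASELINE_SHA256))
    # Real use: check_mbr(read_mbr(r"\\.\PhysicalDrive0"), BASELINE_SHA256)
```

Hashing only the first 440 bytes keeps the disk signature and partition table out of the comparison, so a legitimate repartition does not mask or mimic a boot-code change; the structural checks cover the table separately.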

MITRE ATT&CK Enterprise v15

Tasks

Task           Tags                                                           Score
static1        upx                                                            5/10
behavioral1    discovery                                                      3/10
behavioral2    discovery                                                      3/10
behavioral3    discovery                                                      3/10
behavioral4    discovery                                                      3/10
behavioral5    adware, discovery, stealer                                     7/10
behavioral6    discovery                                                      3/10
behavioral7    discovery                                                      3/10
behavioral8    discovery                                                      3/10
behavioral9    adware, discovery, stealer                                     7/10
behavioral10   adware, discovery, stealer                                     7/10
behavioral11   adware, discovery, stealer                                     7/10
behavioral12   adware, discovery, stealer                                     7/10
behavioral13   discovery                                                      3/10
behavioral14   discovery                                                      3/10
behavioral15   discovery                                                      3/10
behavioral16   discovery                                                      3/10
behavioral17   discovery                                                      3/10
behavioral18   discovery                                                      3/10
behavioral19   discovery, spyware, stealer                                    7/10
behavioral20   discovery, spyware, stealer                                    7/10
behavioral21   discovery, spyware, stealer                                    7/10
behavioral22   discovery, spyware, stealer                                    7/10
behavioral23   discovery, spyware, stealer, upx                               7/10
behavioral24   discovery, spyware, stealer, upx                               7/10
behavioral25   discovery                                                      7/10
behavioral26   discovery                                                      3/10
behavioral27   pandastealer, bootkit, discovery, persistence, stealer, upx    10/10
behavioral28   pandastealer, bootkit, discovery, persistence, stealer, upx    10/10
behavioral29   discovery                                                      3/10
behavioral30   discovery                                                      3/10
behavioral31   discovery, spyware, stealer                                    8/10
behavioral32   discovery                                                      3/10