Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
3controlloi...er.zip
windows7-x64
1controlloi...er.zip
windows10-2004-x64
1controlloi...ignore
windows7-x64
3controlloi...ignore
windows10-2004-x64
3controlloi...ICENSE
windows7-x64
1controlloi...ICENSE
windows10-2004-x64
1controlloi...DME.md
windows7-x64
3controlloi...DME.md
windows10-2004-x64
3controlloi...andler
ubuntu-18.04-amd64
1controlloi...art.sh
ubuntu-18.04-amd64
3controlloi...art.sh
debian-9-armhf
3controlloi...art.sh
debian-9-mips
3controlloi...art.sh
debian-9-mipsel
3controlloi....rules
windows7-x64
3controlloi....rules
windows10-2004-x64
3controlloi...tup.sh
ubuntu-18.04-amd64
3controlloi...tup.sh
debian-9-armhf
3controlloi...tup.sh
debian-9-mips
3controlloi...tup.sh
debian-9-mipsel
3controlloi...HANGES
windows7-x64
1controlloi...HANGES
windows10-2004-x64
1controlloi...DME.js
windows7-x64
1controlloi...DME.js
windows10-2004-x64
1controlloi...ocketd
ubuntu-18.04-amd64
3controlloi...ce.dll
windows7-x64
1controlloi...ce.dll
windows10-2004-x64
1controlloi...er.exe
windows7-x64
1controlloi...er.exe
windows10-2004-x64
1controlloi...rt.bat
windows7-x64
7controlloi...rt.bat
windows10-2004-x64
7controlloi...te.exe
windows7-x64
1controlloi...te.exe
windows10-2004-x64
1Analysis
-
max time kernel
1800s -
max time network
1612s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
01/07/2023, 15:36
Static task
static1
Behavioral task
behavioral1
Sample
controlloid-server-master.zip
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
controlloid-server-master.zip
Resource
win10v2004-20230621-en
Behavioral task
behavioral3
Sample
controlloid-server-master/.gitignore
Resource
win7-20230621-en
Behavioral task
behavioral4
Sample
controlloid-server-master/.gitignore
Resource
win10v2004-20230621-en
Behavioral task
behavioral5
Sample
controlloid-server-master/LICENSE
Resource
win7-20230621-en
Behavioral task
behavioral6
Sample
controlloid-server-master/LICENSE
Resource
win10v2004-20230621-en
Behavioral task
behavioral7
Sample
controlloid-server-master/README.md
Resource
win7-20230621-en
Behavioral task
behavioral8
Sample
controlloid-server-master/README.md
Resource
win10v2004-20230621-en
Behavioral task
behavioral9
Sample
controlloid-server-master/dist/linux/bin/ws_handler
Resource
ubuntu1804-amd64-20230621-en
Behavioral task
behavioral10
Sample
controlloid-server-master/dist/linux/start.sh
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral11
Sample
controlloid-server-master/dist/linux/start.sh
Resource
debian9-armhf-20221125-en
Behavioral task
behavioral12
Sample
controlloid-server-master/dist/linux/start.sh
Resource
debian9-mipsbe-20221111-en
Behavioral task
behavioral13
Sample
controlloid-server-master/dist/linux/start.sh
Resource
debian9-mipsel-en-20211208
Behavioral task
behavioral14
Sample
controlloid-server-master/dist/linux/udev/77-controlloid-uinput.rules
Resource
win7-20230621-en
Behavioral task
behavioral15
Sample
controlloid-server-master/dist/linux/udev/77-controlloid-uinput.rules
Resource
win10v2004-20230621-en
Behavioral task
behavioral16
Sample
controlloid-server-master/dist/linux/udev/setup.sh
Resource
ubuntu1804-amd64-20230621-en
Behavioral task
behavioral17
Sample
controlloid-server-master/dist/linux/udev/setup.sh
Resource
debian9-armhf-20221111-en
Behavioral task
behavioral18
Sample
controlloid-server-master/dist/linux/udev/setup.sh
Resource
debian9-mipsbe-en-20211208
Behavioral task
behavioral19
Sample
controlloid-server-master/dist/linux/udev/setup.sh
Resource
debian9-mipsel-20221125-en
Behavioral task
behavioral20
Sample
controlloid-server-master/dist/linux/websocketd/CHANGES
Resource
win7-20230621-en
Behavioral task
behavioral21
Sample
controlloid-server-master/dist/linux/websocketd/CHANGES
Resource
win10v2004-20230621-en
Behavioral task
behavioral22
Sample
controlloid-server-master/dist/linux/websocketd/README.js
Resource
win7-20230621-en
Behavioral task
behavioral23
Sample
controlloid-server-master/dist/linux/websocketd/README.js
Resource
win10v2004-20230621-en
Behavioral task
behavioral24
Sample
controlloid-server-master/dist/linux/websocketd/websocketd
Resource
ubuntu1804-amd64-20230621-en
Behavioral task
behavioral25
Sample
controlloid-server-master/dist/windows/bin/vJoyInterface.dll
Resource
win7-20230621-en
Behavioral task
behavioral26
Sample
controlloid-server-master/dist/windows/bin/vJoyInterface.dll
Resource
win10v2004-20230621-en
Behavioral task
behavioral27
Sample
controlloid-server-master/dist/windows/bin/ws_handler.exe
Resource
win7-20230621-en
Behavioral task
behavioral28
Sample
controlloid-server-master/dist/windows/bin/ws_handler.exe
Resource
win10v2004-20230621-en
Behavioral task
behavioral29
Sample
controlloid-server-master/dist/windows/start.bat
Resource
win7-20230621-en
Behavioral task
behavioral30
Sample
controlloid-server-master/dist/windows/start.bat
Resource
win10v2004-20230621-en
Behavioral task
behavioral31
Sample
controlloid-server-master/dist/windows/vjoy/elevate.exe
Resource
win7-20230621-en
Behavioral task
behavioral32
Sample
controlloid-server-master/dist/windows/vjoy/elevate.exe
Resource
win10v2004-20230621-en
General
-
Target
controlloid-server-master/dist/linux/udev/77-controlloid-uinput.rules
-
Size
70B
-
MD5
76b1380215f173064b7c89553394c372
-
SHA1
b5c22f19ec767a8ab35c982f7ad2cc6492d78e8d
-
SHA256
39d0873154a96be37461ef6f61fdb1b03b6ed670f3a8ab2323b4a216f54550af
-
SHA512
1235fb20ff99cb364dc57861b667c36c858a696d3dcd311648a785fa58ab84b0105bb52e81d3f616ee9ec59251a4888a8fb6bff6d86a22852340ea36c86219fc
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\rules_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\.rules rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000_CLASSES\.rules\ = "rules_auto_file" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1268 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1268 AcroRd32.exe 1268 AcroRd32.exe 1268 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1352 wrote to memory of 1876 1352 cmd.exe 29 PID 1352 wrote to memory of 1876 1352 cmd.exe 29 PID 1352 wrote to memory of 1876 1352 cmd.exe 29 PID 1876 wrote to memory of 1268 1876 rundll32.exe 30 PID 1876 wrote to memory of 1268 1876 rundll32.exe 30 PID 1876 wrote to memory of 1268 1876 rundll32.exe 30 PID 1876 wrote to memory of 1268 1876 rundll32.exe 30
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\controlloid-server-master\dist\linux\udev\77-controlloid-uinput.rules1⤵
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\controlloid-server-master\dist\linux\udev\77-controlloid-uinput.rules2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\controlloid-server-master\dist\linux\udev\77-controlloid-uinput.rules"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1268
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59b007f879831256109024b56003db8bd
SHA1465364ff767f58393e8e3eaf37872062a3f0b26e
SHA256d1c4d4add17dfdf5d29e3bc705b4934ee26c2c9db741131c5e7ff03f6a2989a7
SHA5128b3607fc7bffde7e3f45b7e3577f64bd22198c2170b7a02fffa26c70e4192f7d791541bb0bba9652a3c79d3affe2bb855b18a22f4f91cf665f2144bdf52eb794