Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

9ddf9a29e4...18.exe

windows7-x64

10

9ddf9a29e4...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240611-mjy18atdmd

  • MD5

    9ddf9a29e4e7a26ade32ba492ad12851

  • SHA1

    ee86814c37343e5385231fd3bccc686222c178b3

  • SHA256

    6480317220b83a20606f5f8e835254fd66984024fb9f3f358a9aee33bb9b387a

  • SHA512

    5f23c86d58389e223006a653b49e29c99a07a9754e92edc0d2f2993ce94e3f11018759ec7d0a3598425d873bd85d5cf6a108643067fa3fc9938994a4062e841b

  • SSDEEP

    24576:8UQK3C0RdSRKQ428hCst8Pd1lhkVOhjRbLH/RFalSZLZhIJ4FZwS:8URndUKl18lvhsI1L/aeo4

Score
10/10
lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

lokibot

C2

http://lallahome2.ru/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

netwire

C2

181.215.247.253:20881

Attributes
  • activex_autorun

    true

  • activex_key

    {W17VSAE7-MM7D-VKP1-T6CH-ASC0300H32OY}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostIdwadja

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    QtK37ulUUZ

  • registry_autorun

    true

  • startup_name

    chrome

  • use_mutex

    false

Targets

    • Target

      9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118

    • Size

      1.4MB

    • MD5

      9ddf9a29e4e7a26ade32ba492ad12851

    • SHA1

      ee86814c37343e5385231fd3bccc686222c178b3

    • SHA256

      6480317220b83a20606f5f8e835254fd66984024fb9f3f358a9aee33bb9b387a

    • SHA512

      5f23c86d58389e223006a653b49e29c99a07a9754e92edc0d2f2993ce94e3f11018759ec7d0a3598425d873bd85d5cf6a108643067fa3fc9938994a4062e841b

    • SSDEEP

      24576:8UQK3C0RdSRKQ428hCst8Pd1lhkVOhjRbLH/RFalSZLZhIJ4FZwS:8URndUKl18lvhsI1L/aeo4

    Score
    10/10
    lokibotnetwirebotnetcollectionpersistenceratspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks