Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118

  • Size

    21.2MB

  • Sample

    240712-ggx39a1blr

  • MD5

    3c31ae3a0e6825a0e37ae6a662ea5afa

  • SHA1

    5fd70780a64c8386e365c598b2e766858967aec5

  • SHA256

    1d2dd29ed3e57eb0da6ed185cc2ebe7f69985953a3c214c4ba47c4b4e915fec8

  • SHA512

    56732de6ed6519fcad796004d195ad042686322928f56cfeacc5b731e1437c205aee9cfb1694ec64629a16b71962a28eb8fdd06c55d0e59cd41b32c34068baf0

  • SSDEEP

    393216:roWcToMPDllAY4l81+I833ZvjG1ZMrCzMjauPIyPQJtAiB:Sp7V4Fb5bG1CM8augyIMi

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dontreachme3.ddns.net:3603

dontreachme1.ddns.net:3603

Mutex

19a5c2b0-5593-40da-9945-6c6b53e85d75

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    dontreachme1.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-11-15T15:45:18.745530536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3603

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    19a5c2b0-5593-40da-9945-6c6b53e85d75

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    dontreachme3.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dontreachme3.ddns.net:3601

dontreachme1.ddns.net:3601

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    EpicGames.exe

  • install_folder

    %AppData%

aes.plain
1
RdHoVWcwvBCVS21RtYZfXxQ2TWrxAoLC

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

C2

https://furyx.de/panel

Mutex

BN[e5decf896675e5ecc7bbef8ebff8a786]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    50651597687556f33b7fc75d90350b99

  • startup

    false

  • usb_spread

    true

aes.plain
1
SENuT0JwSFZ5eWg2ejNjdiV1YmdPenZuTEkjeTUkOGdrRDY4ZXJrV2J6MWpiNURQUE4

Extracted

Family

njrat

Version

0.7.3

Botnet

Client

C2

dontreachme3.ddns.net:3604

Mutex

EdgeBrowser.exe

Attributes
  • reg_key

    EdgeBrowser.exe

  • splitter

    123

Targets

    • Target

      3c31ae3a0e6825a0e37ae6a662ea5afa_JaffaCakes118

    • Size

      21.2MB

    • MD5

      3c31ae3a0e6825a0e37ae6a662ea5afa

    • SHA1

      5fd70780a64c8386e365c598b2e766858967aec5

    • SHA256

      1d2dd29ed3e57eb0da6ed185cc2ebe7f69985953a3c214c4ba47c4b4e915fec8

    • SHA512

      56732de6ed6519fcad796004d195ad042686322928f56cfeacc5b731e1437c205aee9cfb1694ec64629a16b71962a28eb8fdd06c55d0e59cd41b32c34068baf0

    • SSDEEP

      393216:roWcToMPDllAY4l81+I833ZvjG1ZMrCzMjauPIyPQJtAiB:Sp7V4Fb5bG1CM8augyIMi

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Turns off Windows Defender SpyNet reporting

    • UAC bypass

    • Windows security bypass

    • XMRig Miner payload

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.