Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

CyberDEV C...nd.pyc

windows7-x64

3

CyberDEV C...nd.pyc

windows10-2004-x64

3

CyberDEV C...er.pyc

windows7-x64

3

CyberDEV C...er.pyc

windows10-2004-x64

3

CyberDEV C...or.pyc

windows7-x64

3

CyberDEV C...or.pyc

windows10-2004-x64

3

CyberDEV C...nts.js

windows7-x64

3

CyberDEV C...nts.js

windows10-2004-x64

3

CyberDEV C...ute.js

windows7-x64

3

CyberDEV C...ute.js

windows10-2004-x64

3

CyberDEV C...yed.js

windows7-x64

3

CyberDEV C...yed.js

windows10-2004-x64

10

CyberDEV C...le.pyc

windows7-x64

3

CyberDEV C...le.pyc

windows10-2004-x64

3

CyberDEV C...on.pyc

windows7-x64

3

CyberDEV C...on.pyc

windows10-2004-x64

3

CyberDEV C...ey.pyc

windows7-x64

3

CyberDEV C...ey.pyc

windows10-2004-x64

3

CyberDEV C...ot.pyc

windows7-x64

3

CyberDEV C...ot.pyc

windows10-2004-x64

3

CyberDEV C...to.pyc

windows7-x64

3

CyberDEV C...to.pyc

windows10-2004-x64

3

CyberDEV C...ls.pyc

windows7-x64

3

CyberDEV C...ls.pyc

windows10-2004-x64

3

CyberDEV C...ver.js

windows7-x64

3

CyberDEV C...ver.js

windows10-2004-x64

3

CyberDEV C...nt.pyc

windows7-x64

3

CyberDEV C...nt.pyc

windows10-2004-x64

3

CyberDEV C...on.pyc

windows7-x64

3

CyberDEV C...on.pyc

windows10-2004-x64

3

CyberDEV C...__.pyc

windows7-x64

3

CyberDEV C...__.pyc

windows10-2004-x64

3

Resubmissions

14/08/2024, 05:47 UTC

240814-ggy1jsxfkf 10

14/08/2024, 05:40 UTC

240814-gc194ssdjn 6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CyberDEV Client.zip

  • Size

    55.9MB

  • Sample

    240814-ggy1jsxfkf

  • MD5

    ad556d641cf1b45dfa32d2cf7131c711

  • SHA1

    d12ed4f1bba17f399d8221ff6964b049bfdf0955

  • SHA256

    7b476bbfc4d37fa50c1c5bec98b2e8aede8087b8873eb7de27b78ad4446dddbe

  • SHA512

    00def17b19fff0f5618da1ab01a97aa07e517c612b5a562b1acf5f5eaa3d2c7d83af5b468292e32c3db3f64452a7d75912446785c5fd63e46dc35645a8c33fef

  • SSDEEP

    1572864:ify3jDn6crTEyjuHvRl8KQNKlCziTYcGHDX/nGYl/LxL6Ya:NHrTEpHvRl8VKlxzGS2N6Ya

Score
10/10
credential_accessdiscoveryevasionexecutionpdfpersistenceprivilege_escalationstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
1
$url = "https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe"
2
$filepath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpwg27mq_j.exe"
3
invoke-webrequest -uri $url -outfile $filepath
4
URLs
exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Extracted

Language
ps1
Deobfuscated
1
$url = "https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe"
2
$filepath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpxudmore1.exe"
3
invoke-webrequest -uri $url -outfile $filepath
4
URLs
exe.dropper

https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Targets

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/command.pyc

    • Size

      5KB

    • MD5

      307283633a2bc4518f649d02d8c5ddba

    • SHA1

      6941e4f91a294f0228687a01692c12771d88a523

    • SHA256

      292fa5eea227bb2d15109ecd3bc422d68714ab671a7d9b8946998b38a7229c09

    • SHA512

      0980c22229bdaeba7c4277c7ed92b721a0ee4d3d7763de27eab679efd1100a394301d363a1e4db5ccb945c8cda4c3132f3129d1915d1ccb1dae192267801d1fc

    • SSDEEP

      96:0ZpXjpIszI2NySTXjHPOJQKo12xUxHNNOpkRNTqOIOFyM848mNVOoT7V9OX13Nz2:qVjpvygTHPOJQHcxUxdTyHNinV9OUH

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/errorhandler.pyc

    • Size

      8KB

    • MD5

      3130d50cd4a4be3b523587cc14fe0ab3

    • SHA1

      f38e9bb41695b2cf43f02308d313202077d43607

    • SHA256

      8baa518d72a1fdd8a61d7c6e28b0b2bd709cc4b4ebc6a0c4f57d8cf75ed2620c

    • SHA512

      96b24a4c85953fb26001bf20418aacbd4e68a3d1721ffd68ba4231801d5d36085a3049ea0601b984ad747e07244731119e3605d7fd0cb2e76006b5c9f44b8a50

    • SSDEEP

      192:gi8qUGzqYl8Z9pm+twGPse57RoXyef2V4WT/zLdSf9yd:d8NG+/xxEf2VNIf9g

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/file_detector.pyc

    • Size

      2KB

    • MD5

      87d6c3be641933bf41e627b32e8a48c9

    • SHA1

      b322fa4dbc38547f493acf79abd93217aac1e32b

    • SHA256

      49d0bf158ca9fb2f3ee40197bdcaf5c005d7e6c2cee4e084b9e989f74b29aecb

    • SHA512

      a8db1c7461ab84490bbc7ede93350f82d8f2fc09356996bdd4869e6483aa454f82f06cfa3561b6c44938dd932baa318b73ea836bdaf2db6c38726fe0986ea74e

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/findElements.js

    • Size

      52KB

    • MD5

      a5e246e5b9156c0e64a17e53e73671e6

    • SHA1

      307a4a0ef42b004a844037d60275a9af94786709

    • SHA256

      f34a83998d38484de801c7d97d32574dfbbd5213968c78a6085f0b5c368f9fad

    • SHA512

      aa97373aeacb1a437818469d0bc96bbfc9a9590c02e736f4ff86c3f3760066ca92bc981d8e830eb866e929d22083febaf0d8366558f4b4ff4870f0f5491d2063

    • SSDEEP

      1536:AXJFPWr+DEqXMn9XM3UkGdEMT8TZZ/6QSsdbj3SYKlnJ+S/Bf:ITU7dW6QhbrXS/Z

    Score
    3/10
    execution
    behavioral7behavioral8

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/getAttribute.js

    • Size

      5KB

    • MD5

      e02d070d6419978d26f2d771541f79a4

    • SHA1

      53efb9c65d5eb60850225313c5251a68bdef6476

    • SHA256

      df3f5a60c6ae1c5b35760c0389f299406e14ec3b68ba6ae0511ce18cb7c20cff

    • SHA512

      dd459bba00feece414f8bc7546927b5019f84c12cb58041ba85e22f7a8a9501723a0fd9b9d6c900469983e81d8ee84c6426a8906ac794c673fe2b6ecbf84a75f

    • SSDEEP

      96:pSRH16yveW8EDrQN3N72l17l0qoIeqlr/yZStiZMxzWJ2ssKPhBX54UctJOJK:pSRH16yvfgN3NW1DoI2ZStzaJzsKPf8V

    Score
    3/10
    execution
    behavioral10behavioral9

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/isDisplayed.js

    • Size

      16KB

    • MD5

      242b20671aadeb2edcf5c0394686cf40

    • SHA1

      926ae986a71aeefe20dbf23d47437f5f9a6fb186

    • SHA256

      c47a1d83321abd87bf054c80a4db4912108cf0af151958a1e563e57f9bd7fd56

    • SHA512

      53aeda4b6bcf8616704c44619aa123dba3e5455817bd8d7145e0395a77ae204f33ee4832407e3fbb3fbd0be3c779d20173e941ebe9481774e9c5d503ead07776

    • SSDEEP

      384:mSTsGtSMMC6tR69PEMzX5iNTLWO5hHaEhgNTOp77X93zS+trehT/qT:mwn56tR+icT/qT

    Score
    10/10
    executioncredential_accessdiscoverypersistenceprivilege_escalationstealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral11behavioral12

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/mobile.pyc

    • Size

      3KB

    • MD5

      910d8cba2873be53dc7b9be0794237ab

    • SHA1

      9241a55557d36eaf2479a64d689ba0c8d1403357

    • SHA256

      90d57e8cbe54c0e4ad3382ad8ebeb79e5c25b1aec7bdf385fcf11839eaf3e08b

    • SHA512

      2423a26f24aa7d37aaba2e6cb6d8913161b6b130f9f67d19d740f98c248a5c08c45e13721fbafc289cb82dbb698b921fae8903db571694bc60094f219e15790d

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/remote_connection.pyc

    • Size

      22KB

    • MD5

      3e3051750eb79c9e0bb75f225c33cb62

    • SHA1

      3fc51d54a357e9b51c6ac2ad2d14145499037a84

    • SHA256

      dbe6a4386ba87833f2076f6dc6122d5073defd42681d18ee931219a6bfef92a0

    • SHA512

      95b780ad8e628f975a0c33fb492f70fea4ea319d603f9c84ecc5d10daf3f7268f6eea7e743f378cdd7b548a3be1177e421e2b576b967cc51a73abfb08b1d9629

    • SSDEEP

      384:eRfgZgleqsU1W2frvujwA9AOZASmWn2boukdjAoFVxDjNB4ypF:3qleqsUVjOT3BmljKcDypF

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/script_key.pyc

    • Size

      1KB

    • MD5

      288c6b352dee51939973a5e33999fe08

    • SHA1

      700e55433a827af75b6530018cda35a00cb24f2d

    • SHA256

      3758f9a4f71d89cd887725e8ab94c083f43e5414f06ce4398687c02a54004bd7

    • SHA512

      227ef8113860720eabc8a53d9111f7c0ff6b4e427f8573a903e1f397fa352a2a1567d5a11e8935245f984f1d1cbfcb18380e7aa4b8c0b9cc41f68327170abe7e

    Score
    3/10
    discovery
    behavioral17behavioral18

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/shadowroot.pyc

    • Size

      3KB

    • MD5

      9a6e43648c698d8e00ea626b2487ce97

    • SHA1

      c292ce9d88fe4e3df2ba14c926b290c1c3ca9918

    • SHA256

      b26741176f75f8eaf2cb0c542b1f4fc8d91feacc94b6ec82148de60108ccb529

    • SHA512

      ef32fc445f3c7c883456f5467ccc683041284d73e9c3a61ea9db9a3358fe58001a0505f309500d23981f0e5a2e87ca3021cf8ee53135443c65bd162ab4006ee3

    Score
    3/10
    discovery
    behavioral19behavioral20

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/switch_to.pyc

    • Size

      6KB

    • MD5

      a4f7f1c03bd23323e9cdbbea8fe2f5a7

    • SHA1

      a7155b2fc34773b580f8078e9bdee6f0eaef79d2

    • SHA256

      55056bbe51592d0bee90042dad783e6fdf6f97cbf577530d625cc5db9dcc18ac

    • SHA512

      70150fd0f85d7fbf4860be8720b50db49eee80460d7a15648720fe23f7473c2990054bef3a772dd156b7f54be309d384c558db48e304267328d1dd026da37c23

    • SSDEEP

      96:3T7isYn4mI+5QvCokxPXKvj5ywAjup1zPewd5zwKky:j7W4BwQvwXGAjuLj7iy

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/utils.pyc

    • Size

      727B

    • MD5

      c5b0c9d4946cbc737967509e6c83db1b

    • SHA1

      6814fa7a5b243143ccf3624bd08f31fff836cde8

    • SHA256

      796ea27fba24f8c0b79e88fb831b4a44c6e1fc18b9785d23e357bbab47f94b09

    • SHA512

      15a46870cc614ba1b593cb06679faaf6f21f5b4c32c15012197ea9041f9ce85d793e36e0183d4fe90a688c8cc619595974587350dc037db11dcf93ea3c04dea3

    Score
    3/10
    discovery
    behavioral23behavioral24

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/webdriver.pyc

    • Size

      55KB

    • MD5

      6755f3811ca78c00cb01406d6e7e8ff4

    • SHA1

      021dbd7815b4a02aa7fd133a8402f5c36dc7567c

    • SHA256

      c241db147dc9656fdf7e6a693a3b85b23e5c2b5ef908450b02215fd117f3f9ed

    • SHA512

      f936c53cc71be7d2098d4ef40b8bb35ca4c28e48d52d45030aed436068cbabc879a5efc10eb276bbca2381feb7913176cd6bfe7180c9275f3ffe6be78f1968c2

    • SSDEEP

      768:2uOLuxo4lDgbjYS3vX2kxEJXV6X9TtFEpnuYBuE5lXT5sqHb8+n7EdwIi:2soIR9lX4XHKpuYBuE5lj5H78+nD9

    Score
    3/10
    execution
    behavioral25behavioral26

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/webelement.pyc

    • Size

      21KB

    • MD5

      9d53b34deaa155ccd5a9daaa0c1b46f0

    • SHA1

      eb20d3e302a5681dfed1a7f901acc13f92c10851

    • SHA256

      3bf5e7a87580424db227528e304bce35388cfc31f30742c3e91e63d849fc35fa

    • SHA512

      9347d8b8155077ddb5f8379436d4f680c1f5fcfe9096bdedff245daebee5616e7ecf64ac447ee243107d5e7d6a5e153ca8dea1320ce31062f6bb7fa507e874a8

    • SSDEEP

      384:ZIYdzhjJ8mreOCTkVUwTMDhdGiahhq92pWo6yuZoBK:ZIYlhjJ8mreOCYOwKWVTq92pH6yuZoBK

    Score
    3/10
    discovery
    behavioral27behavioral28

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/websocket_connection.pyc

    • Size

      7KB

    • MD5

      e3b2213e4d662d74d8676cc7c9511b39

    • SHA1

      4ad9e652cbb840e84d8ae0c5127a65dc61491f2b

    • SHA256

      542ce0231cded5ce351632d136c108f74ccf9c39574385b47a1c2f480dd26ad1

    • SHA512

      098f85b6916823f2c0b0ff1fad3b3e5a184f37cbea59abe8c124f6095ce7348f29d76525c460d3c59fdff9d76c756b98d0de60e1acf93101172489dae819a61f

    • SSDEEP

      96:ahqgIierjGA6kL9Gwv2e5D9hSDtzJg/4B9NnStkere:WqQHOxJ9+tzJuqeK

    Score
    3/10
    discovery
    behavioral29behavioral30

    • Target

      CyberDEV Client/lib/selenium/webdriver/safari/__init__.pyc

    • Size

      205B

    • MD5

      92b666552031db73604c2d0a3a905919

    • SHA1

      9cbc8044f6ac0dea3b9752a4c81faf08d96532fa

    • SHA256

      6303aeb5b2c80c55783599899b568ceabe6f66739a6c6a380f1260943e04e3ba

    • SHA512

      adff07f60f132e256a943c9f344e3c689a1e6967728c9dbc4313a10a1890a23352a9fecaf91fc97f602f7de2cc0edc4bf6b4dda946e550c3aac77d4720062b38

    Score
    3/10
    discovery
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

pdfevasion
Score
6/10

behavioral1

discovery
Score
3/10

behavioral2

Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

Score
3/10

behavioral7

execution
Score
3/10

behavioral8

execution
Score
3/10

behavioral9

execution
Score
3/10

behavioral10

execution
Score
3/10

behavioral11

execution
Score
3/10

behavioral12

credential_accessdiscoveryexecutionpersistenceprivilege_escalationstealer
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

Score
3/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

Score
3/10

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.