Resubmissions

14/08/2024, 05:47

240814-ggy1jsxfkf 10

14/08/2024, 05:40

240814-gc194ssdjn 6

General

  • Target

    CyberDEV Client.zip

  • Size

    55.9MB

  • Sample

    240814-ggy1jsxfkf

  • MD5

    ad556d641cf1b45dfa32d2cf7131c711

  • SHA1

    d12ed4f1bba17f399d8221ff6964b049bfdf0955

  • SHA256

    7b476bbfc4d37fa50c1c5bec98b2e8aede8087b8873eb7de27b78ad4446dddbe

  • SHA512

    00def17b19fff0f5618da1ab01a97aa07e517c612b5a562b1acf5f5eaa3d2c7d83af5b468292e32c3db3f64452a7d75912446785c5fd63e46dc35645a8c33fef

  • SSDEEP

    1572864:ify3jDn6crTEyjuHvRl8KQNKlCziTYcGHDX/nGYl/LxL6Ya:NHrTEpHvRl8VKlxzGS2N6Ya

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe

Targets

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/command.pyc

    • Size

      5KB

    • MD5

      307283633a2bc4518f649d02d8c5ddba

    • SHA1

      6941e4f91a294f0228687a01692c12771d88a523

    • SHA256

      292fa5eea227bb2d15109ecd3bc422d68714ab671a7d9b8946998b38a7229c09

    • SHA512

      0980c22229bdaeba7c4277c7ed92b721a0ee4d3d7763de27eab679efd1100a394301d363a1e4db5ccb945c8cda4c3132f3129d1915d1ccb1dae192267801d1fc

    • SSDEEP

      96:0ZpXjpIszI2NySTXjHPOJQKo12xUxHNNOpkRNTqOIOFyM848mNVOoT7V9OX13Nz2:qVjpvygTHPOJQHcxUxdTyHNinV9OUH

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/errorhandler.pyc

    • Size

      8KB

    • MD5

      3130d50cd4a4be3b523587cc14fe0ab3

    • SHA1

      f38e9bb41695b2cf43f02308d313202077d43607

    • SHA256

      8baa518d72a1fdd8a61d7c6e28b0b2bd709cc4b4ebc6a0c4f57d8cf75ed2620c

    • SHA512

      96b24a4c85953fb26001bf20418aacbd4e68a3d1721ffd68ba4231801d5d36085a3049ea0601b984ad747e07244731119e3605d7fd0cb2e76006b5c9f44b8a50

    • SSDEEP

      192:gi8qUGzqYl8Z9pm+twGPse57RoXyef2V4WT/zLdSf9yd:d8NG+/xxEf2VNIf9g

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/file_detector.pyc

    • Size

      2KB

    • MD5

      87d6c3be641933bf41e627b32e8a48c9

    • SHA1

      b322fa4dbc38547f493acf79abd93217aac1e32b

    • SHA256

      49d0bf158ca9fb2f3ee40197bdcaf5c005d7e6c2cee4e084b9e989f74b29aecb

    • SHA512

      a8db1c7461ab84490bbc7ede93350f82d8f2fc09356996bdd4869e6483aa454f82f06cfa3561b6c44938dd932baa318b73ea836bdaf2db6c38726fe0986ea74e

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/findElements.js

    • Size

      52KB

    • MD5

      a5e246e5b9156c0e64a17e53e73671e6

    • SHA1

      307a4a0ef42b004a844037d60275a9af94786709

    • SHA256

      f34a83998d38484de801c7d97d32574dfbbd5213968c78a6085f0b5c368f9fad

    • SHA512

      aa97373aeacb1a437818469d0bc96bbfc9a9590c02e736f4ff86c3f3760066ca92bc981d8e830eb866e929d22083febaf0d8366558f4b4ff4870f0f5491d2063

    • SSDEEP

      1536:AXJFPWr+DEqXMn9XM3UkGdEMT8TZZ/6QSsdbj3SYKlnJ+S/Bf:ITU7dW6QhbrXS/Z

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/getAttribute.js

    • Size

      5KB

    • MD5

      e02d070d6419978d26f2d771541f79a4

    • SHA1

      53efb9c65d5eb60850225313c5251a68bdef6476

    • SHA256

      df3f5a60c6ae1c5b35760c0389f299406e14ec3b68ba6ae0511ce18cb7c20cff

    • SHA512

      dd459bba00feece414f8bc7546927b5019f84c12cb58041ba85e22f7a8a9501723a0fd9b9d6c900469983e81d8ee84c6426a8906ac794c673fe2b6ecbf84a75f

    • SSDEEP

      96:pSRH16yveW8EDrQN3N72l17l0qoIeqlr/yZStiZMxzWJ2ssKPhBX54UctJOJK:pSRH16yvfgN3NW1DoI2ZStzaJzsKPf8V

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/isDisplayed.js

    • Size

      16KB

    • MD5

      242b20671aadeb2edcf5c0394686cf40

    • SHA1

      926ae986a71aeefe20dbf23d47437f5f9a6fb186

    • SHA256

      c47a1d83321abd87bf054c80a4db4912108cf0af151958a1e563e57f9bd7fd56

    • SHA512

      53aeda4b6bcf8616704c44619aa123dba3e5455817bd8d7145e0395a77ae204f33ee4832407e3fbb3fbd0be3c779d20173e941ebe9481774e9c5d503ead07776

    • SSDEEP

      384:mSTsGtSMMC6tR69PEMzX5iNTLWO5hHaEhgNTOp77X93zS+trehT/qT:mwn56tR+icT/qT

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/mobile.pyc

    • Size

      3KB

    • MD5

      910d8cba2873be53dc7b9be0794237ab

    • SHA1

      9241a55557d36eaf2479a64d689ba0c8d1403357

    • SHA256

      90d57e8cbe54c0e4ad3382ad8ebeb79e5c25b1aec7bdf385fcf11839eaf3e08b

    • SHA512

      2423a26f24aa7d37aaba2e6cb6d8913161b6b130f9f67d19d740f98c248a5c08c45e13721fbafc289cb82dbb698b921fae8903db571694bc60094f219e15790d

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/remote_connection.pyc

    • Size

      22KB

    • MD5

      3e3051750eb79c9e0bb75f225c33cb62

    • SHA1

      3fc51d54a357e9b51c6ac2ad2d14145499037a84

    • SHA256

      dbe6a4386ba87833f2076f6dc6122d5073defd42681d18ee931219a6bfef92a0

    • SHA512

      95b780ad8e628f975a0c33fb492f70fea4ea319d603f9c84ecc5d10daf3f7268f6eea7e743f378cdd7b548a3be1177e421e2b576b967cc51a73abfb08b1d9629

    • SSDEEP

      384:eRfgZgleqsU1W2frvujwA9AOZASmWn2boukdjAoFVxDjNB4ypF:3qleqsUVjOT3BmljKcDypF

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/script_key.pyc

    • Size

      1KB

    • MD5

      288c6b352dee51939973a5e33999fe08

    • SHA1

      700e55433a827af75b6530018cda35a00cb24f2d

    • SHA256

      3758f9a4f71d89cd887725e8ab94c083f43e5414f06ce4398687c02a54004bd7

    • SHA512

      227ef8113860720eabc8a53d9111f7c0ff6b4e427f8573a903e1f397fa352a2a1567d5a11e8935245f984f1d1cbfcb18380e7aa4b8c0b9cc41f68327170abe7e

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/shadowroot.pyc

    • Size

      3KB

    • MD5

      9a6e43648c698d8e00ea626b2487ce97

    • SHA1

      c292ce9d88fe4e3df2ba14c926b290c1c3ca9918

    • SHA256

      b26741176f75f8eaf2cb0c542b1f4fc8d91feacc94b6ec82148de60108ccb529

    • SHA512

      ef32fc445f3c7c883456f5467ccc683041284d73e9c3a61ea9db9a3358fe58001a0505f309500d23981f0e5a2e87ca3021cf8ee53135443c65bd162ab4006ee3

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/switch_to.pyc

    • Size

      6KB

    • MD5

      a4f7f1c03bd23323e9cdbbea8fe2f5a7

    • SHA1

      a7155b2fc34773b580f8078e9bdee6f0eaef79d2

    • SHA256

      55056bbe51592d0bee90042dad783e6fdf6f97cbf577530d625cc5db9dcc18ac

    • SHA512

      70150fd0f85d7fbf4860be8720b50db49eee80460d7a15648720fe23f7473c2990054bef3a772dd156b7f54be309d384c558db48e304267328d1dd026da37c23

    • SSDEEP

      96:3T7isYn4mI+5QvCokxPXKvj5ywAjup1zPewd5zwKky:j7W4BwQvwXGAjuLj7iy

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/utils.pyc

    • Size

      727B

    • MD5

      c5b0c9d4946cbc737967509e6c83db1b

    • SHA1

      6814fa7a5b243143ccf3624bd08f31fff836cde8

    • SHA256

      796ea27fba24f8c0b79e88fb831b4a44c6e1fc18b9785d23e357bbab47f94b09

    • SHA512

      15a46870cc614ba1b593cb06679faaf6f21f5b4c32c15012197ea9041f9ce85d793e36e0183d4fe90a688c8cc619595974587350dc037db11dcf93ea3c04dea3

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/webdriver.pyc

    • Size

      55KB

    • MD5

      6755f3811ca78c00cb01406d6e7e8ff4

    • SHA1

      021dbd7815b4a02aa7fd133a8402f5c36dc7567c

    • SHA256

      c241db147dc9656fdf7e6a693a3b85b23e5c2b5ef908450b02215fd117f3f9ed

    • SHA512

      f936c53cc71be7d2098d4ef40b8bb35ca4c28e48d52d45030aed436068cbabc879a5efc10eb276bbca2381feb7913176cd6bfe7180c9275f3ffe6be78f1968c2

    • SSDEEP

      768:2uOLuxo4lDgbjYS3vX2kxEJXV6X9TtFEpnuYBuE5lXT5sqHb8+n7EdwIi:2soIR9lX4XHKpuYBuE5lj5H78+nD9

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/webelement.pyc

    • Size

      21KB

    • MD5

      9d53b34deaa155ccd5a9daaa0c1b46f0

    • SHA1

      eb20d3e302a5681dfed1a7f901acc13f92c10851

    • SHA256

      3bf5e7a87580424db227528e304bce35388cfc31f30742c3e91e63d849fc35fa

    • SHA512

      9347d8b8155077ddb5f8379436d4f680c1f5fcfe9096bdedff245daebee5616e7ecf64ac447ee243107d5e7d6a5e153ca8dea1320ce31062f6bb7fa507e874a8

    • SSDEEP

      384:ZIYdzhjJ8mreOCTkVUwTMDhdGiahhq92pWo6yuZoBK:ZIYlhjJ8mreOCYOwKWVTq92pH6yuZoBK

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/remote/websocket_connection.pyc

    • Size

      7KB

    • MD5

      e3b2213e4d662d74d8676cc7c9511b39

    • SHA1

      4ad9e652cbb840e84d8ae0c5127a65dc61491f2b

    • SHA256

      542ce0231cded5ce351632d136c108f74ccf9c39574385b47a1c2f480dd26ad1

    • SHA512

      098f85b6916823f2c0b0ff1fad3b3e5a184f37cbea59abe8c124f6095ce7348f29d76525c460d3c59fdff9d76c756b98d0de60e1acf93101172489dae819a61f

    • SSDEEP

      96:ahqgIierjGA6kL9Gwv2e5D9hSDtzJg/4B9NnStkere:WqQHOxJ9+tzJuqeK

    Score
    3/10
    • Target

      CyberDEV Client/lib/selenium/webdriver/safari/__init__.pyc

    • Size

      205B

    • MD5

      92b666552031db73604c2d0a3a905919

    • SHA1

      9cbc8044f6ac0dea3b9752a4c81faf08d96532fa

    • SHA256

      6303aeb5b2c80c55783599899b568ceabe6f66739a6c6a380f1260943e04e3ba

    • SHA512

      adff07f60f132e256a943c9f344e3c689a1e6967728c9dbc4313a10a1890a23352a9fecaf91fc97f602f7de2cc0edc4bf6b4dda946e550c3aac77d4720062b38

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

pdfevasion
Score
6/10

behavioral1

discovery
Score
3/10

behavioral2

Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

Score
3/10

behavioral7

execution
Score
3/10

behavioral8

execution
Score
3/10

behavioral9

execution
Score
3/10

behavioral10

execution
Score
3/10

behavioral11

execution
Score
3/10

behavioral12

credential_access discovery execution persistence privilege_escalation stealer
Score
10/10

behavioral13

discovery
Score
3/10

behavioral14

Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

Score
3/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

Score
3/10