
General

  • Target

    b4e12063070e64a2592eccae4aa85bf7_JaffaCakes118

  • Size

    1.9MB

  • Sample

    240821-y1ppnasbql

  • MD5

    b4e12063070e64a2592eccae4aa85bf7

  • SHA1

    f983637dfc6567c8d0f2f6f9f890cb1b9e2e951e

  • SHA256

    b1830c3e13f039852a93dee4a54036a568253d8a73282b8255218cec81f27e7f

  • SHA512

    215012cc6f87fc4d9a8db6f503c75ca1c86bec1df13a87c2fd69f66eef1c816ef9707c09244a2e79e0bea015c445d9eb0b616948eabd9b4e1494ae8213529a2f

  • SSDEEP

    49152:5OZJ+0HLSCXTKMgwy9vxL60akE9P9TX+q+gamIZOuhVqrscZsb:5gHWCjUbx20akETTIRVCU

Malware Config

Extracted

Family

xtremerat

C2

yourchance19.no-ip.biz

Targets

    • Target

      ne-bot/ne-bot beta v.1.1 (x64).exe

    • Size

      1.1MB

    • MD5

      ccd462320dcd0eae2437c9fc92bb97cd

    • SHA1

      db95847f3a592c8959ad381099e20641da350348

    • SHA256

      6ffdbe1d18a5f9cf4f3f8de9f230a5cb59d9d403df10b2d7eef859a144500412

    • SHA512

      08061b7fcef132c90f779aaa0f7ff9338e51686769214431fbaee4ef96091f7d22b91483eea8122bca3b242d9c688e22b0d29a469273c95f308f07dc85b64c9c

    • SSDEEP

      24576:y2DW/xbHX2YIbCQsu3/PNL7Q/Hyc8lOuQ2VdEz43:y2EjXHQsW/PN3Qf1UOuQadEzK

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the UPX or a modified UPX open-source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      ne-bot/ne-bot beta v.1.1 (x86).exe

    • Size

      596KB

    • MD5

      8ead6aa52c8f84637c95a64deef536c5

    • SHA1

      d1e6fd86f7b47ccd11b8ffadc7f74b9721f9bb2e

    • SHA256

      76ebd0d9944b3557c7f2575ae985774950a00156d84e524dd963986e352222ac

    • SHA512

      ec878cfbec7e0bac0b9db02c7529e2886639870f255b5a30ba46b49d72e2a86744dd12d0056c4d3a3d700226280cb283c34be5cc6e635619cb5bc16305471166

    • SSDEEP

      12288:fjkArEN249AyE/rbaMct4bO2/VEU5fXIyNOFF2VdEmmVCPf:MFE//Tct4bOsLQYOz2VdEz43

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the UPX or a modified UPX open-source packer.

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Target

      ne-bot/ne-bot edc.dll

    • Size

      604KB

    • MD5

      1f55c7c1e338047dc5e329011a781fb3

    • SHA1

      fbaacc4c5c2a6cf0dfb980a4ba94bbda8e86c723

    • SHA256

      1fd4a2c44dddce33dec60e13ce3b7315782f310955cc13d7416eb10865a00229

    • SHA512

      9bab5541d5ce08dda5306835a9069c0db75c2dfc0cc336d57000c4dd276282096ec77df4fa5ab1fcc4f56915c32ca1dc39cbf391eebc80ce59a5b24ee05eac63

    • SSDEEP

      6144:53iyn569/L1Uc5gAeDOxwfENtHO5JZ5SQV3YwQwnAU1ZOhefo5EJ5:5X5mLWu06UEP0Z5z39jjyao

    • Score

      3/10

    • Target

      ne-bot/ne-bot.dll

    • Size

      2.0MB

    • MD5

      f9e79fa16bac237b5e635f9fcc2a377c

    • SHA1

      ddfcae2db65bfea608a4f6f6d33bfe588bc0b84e

    • SHA256

      844f1418e05dfd12a127095c736406bd53e12cf7658cc9fd719c8e5ef6d11348

    • SHA512

      030d91885e4106e31859000353bdee108044d1d99240fb9b5cc66b154e8548ca8b23ada4d196a176a809daaeb34dcb0c7b2ceaa2424141fb2fee769e761737cd

    • SSDEEP

      24576:NH4El2AjGSEDLiAq1+C3MNNOCrXHKHn7YJcRaWK7EjhOg4e9:NH17jGSE/C1+pNNbrXHa7YJc4Et/N

    • Score

      3/10

    • Target

      ne-bot/ne_up.exe

    • Size

      33KB

    • MD5

      cbaa5c06c1d253f33980175fa09de48b

    • SHA1

      17dea142b13a915d4816b1665286d6314ae5026d

    • SHA256

      2e7fdcac629313ff20d0310564442a641f4371440853c6e60b1e38c55db1baee

    • SHA512

      671cbfdceeef3f6051d68f358ca1a4213664366c995d691509f6c80b7a54ddea25eb4fdac1dc7d791233cd5ca81617d277b50c1344a05e1dccbc6fda1caa9e8f

    • SSDEEP

      768:SMuijtHf5g7/IIG3bGcYDBSvFIWuePQtv66lktACxAIBwY:PNW71rcYDAWeotvXlyDxM

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • UPX packed file

      Detects executables packed with the UPX or a modified UPX open-source packer.

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
