Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/09/2024, 21:14 UTC

General

  • Target

    f6deaf165da7a337c68048a046178c57_JaffaCakes118.exe

  • Size

    318KB

  • MD5

    f6deaf165da7a337c68048a046178c57

  • SHA1

    ff6ce2d1eb1d81a392e0b6acf02017fbbf526181

  • SHA256

    d19c4864f78997a15056dd3dd3e53e144c412d1add11866ed2b36c6e933797a5

  • SHA512

    ba8f18fc2806e3325e09dd7aef269da6eacf6ce6a884b87b4e354b311106a0f24bbc147ba987087bdfa861d395b9412c5464efbd7a570d51a4d0d75a83dc5562

  • SSDEEP

    6144:gTu5OUFQPwNcv0kPmAGsyRILcAHRsNW+oKE0QJDBx0KEVaLOrd8ZH22aY:iuzmOCzGyiNW+oz06Bx0fByH2BY

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6deaf165da7a337c68048a046178c57_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f6deaf165da7a337c68048a046178c57_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:984
      • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
        "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
          "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2628

Network

  • DNS (flag: US)
    Domain: z1x4c4.no-ip.biz
    Process: AppLaunch.exe
    Remote address: 8.8.8.8:53
    Request: z1x4c4.no-ip.biz IN A
    Response: No results found
  • 8.8.8.8:53 · z1x4c4.no-ip.biz · dns · AppLaunch.exe · 62 B · 122 B · 1 · 1
    DNS Request: z1x4c4.no-ip.biz

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

    Filesize

    84B

    MD5

    8922901d63b9e2258191ccb4a17c6652

    SHA1

    220ea54ec503be0dc8e98816f3f50f84eabec6f4

    SHA256

    0c4eba0fba9195a885727f305e6be04f4906ddfc979f82b31e55afebbfa3fa3a

    SHA512

    660a51f4df1ed354424538224cc5756a12eb752124fcc271283a417870db56261da82c66b77732da9ce30a2dc452fd407f0292447432b5b68118519bb07d55f6

  • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe

    Filesize

    39KB

    MD5

    38abcaec6ee62213f90b1717d830a1bb

    SHA1

    d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9

    SHA256

    6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768

    SHA512

    77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

    Filesize

    318KB

    MD5

    f6deaf165da7a337c68048a046178c57

    SHA1

    ff6ce2d1eb1d81a392e0b6acf02017fbbf526181

    SHA256

    d19c4864f78997a15056dd3dd3e53e144c412d1add11866ed2b36c6e933797a5

    SHA512

    ba8f18fc2806e3325e09dd7aef269da6eacf6ce6a884b87b4e354b311106a0f24bbc147ba987087bdfa861d395b9412c5464efbd7a570d51a4d0d75a83dc5562

  • memory/984-25-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-34-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-35-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-36-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-37-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-29-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-30-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-28-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/984-22-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-33-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-32-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/984-24-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2852-16-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2852-15-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2852-63-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-0-0x0000000074C81000-0x0000000074C82000-memory.dmp

    Filesize

    4KB

  • memory/2916-2-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-14-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-1-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB
