Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f6deaf165d...18.exe

windows7-x64

10

f6deaf165d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 21:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6deaf165da7a337c68048a046178c57_JaffaCakes118.exe

  • Size

    318KB

  • MD5

    f6deaf165da7a337c68048a046178c57

  • SHA1

    ff6ce2d1eb1d81a392e0b6acf02017fbbf526181

  • SHA256

    d19c4864f78997a15056dd3dd3e53e144c412d1add11866ed2b36c6e933797a5

  • SHA512

    ba8f18fc2806e3325e09dd7aef269da6eacf6ce6a884b87b4e354b311106a0f24bbc147ba987087bdfa861d395b9412c5464efbd7a570d51a4d0d75a83dc5562

  • SSDEEP

    6144:gTu5OUFQPwNcv0kPmAGsyRILcAHRsNW+oKE0QJDBx0KEVaLOrd8ZH22aY:iuzmOCzGyiNW+oz06Bx0fByH2BY

Score
10/10
darkcomethawkeyediscoverykeyloggerpersistenceratspywarestealertrojanupx

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet
  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6deaf165da7a337c68048a046178c57_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f6deaf165da7a337c68048a046178c57_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:984
      • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
        "C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe
          "C:\Users\Admin\AppData\Local\Temp\System\nwtray.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2628

Network

  • flag-us
    DNS
    z1x4c4.no-ip.biz
    AppLaunch.exe
    Remote address:
    8.8.8.8:53
    Request
    z1x4c4.no-ip.biz
    IN A
    Response
No results found
  • 8.8.8.8:53
    z1x4c4.no-ip.biz
    dns
    AppLaunch.exe
    62 B
     122 B
     1
    1

    DNS Request

    z1x4c4.no-ip.biz

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
    Filesize

    84B

    MD5

    8922901d63b9e2258191ccb4a17c6652

    SHA1

    220ea54ec503be0dc8e98816f3f50f84eabec6f4

    SHA256

    0c4eba0fba9195a885727f305e6be04f4906ddfc979f82b31e55afebbfa3fa3a

    SHA512

    660a51f4df1ed354424538224cc5756a12eb752124fcc271283a417870db56261da82c66b77732da9ce30a2dc452fd407f0292447432b5b68118519bb07d55f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System\nvxdsinc.exe
    Filesize

    39KB

    MD5

    38abcaec6ee62213f90b1717d830a1bb

    SHA1

    d8f5849d0d3f4ccc0dfb66a9a4a0442ac66a31b9

    SHA256

    6fee9a2c70b2cc48b0812f7cb2e09497c9c90941976f430a8f8279ad3c787768

    SHA512

    77eaabcbc6f7a3835b6220d72c4b1cae82d2125ea971907e33b15ceeede7e4da0741c6e63e988bd782ed6eb72ad3cbcba10ea83919eafd9b95d612c43a735274

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    318KB

    MD5

    f6deaf165da7a337c68048a046178c57

    SHA1

    ff6ce2d1eb1d81a392e0b6acf02017fbbf526181

    SHA256

    d19c4864f78997a15056dd3dd3e53e144c412d1add11866ed2b36c6e933797a5

    SHA512

    ba8f18fc2806e3325e09dd7aef269da6eacf6ce6a884b87b4e354b311106a0f24bbc147ba987087bdfa861d395b9412c5464efbd7a570d51a4d0d75a83dc5562

    Download Submit

  • memory/984-25-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-34-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-35-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-36-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-37-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-29-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-30-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-28-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/984-22-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-33-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-32-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/984-24-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/2852-16-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-15-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2852-63-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2916-0-0x0000000074C81000-0x0000000074C82000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-2-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2916-14-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2916-1-0x0000000074C80000-0x000000007522B000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.