Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

fa5db355d9...18.exe

windows7-x64

10

fa5db355d9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 11:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe

  • Size

    566KB

  • MD5

    fa5db355d930b96f0e8a17a16eb995a4

  • SHA1

    c1fd477689b7769dd54460a141001d4a7cfe6ad9

  • SHA256

    16ad6580e3df177aa5c7bdb0a009e630e13800f98f97e9138b384d2f88f5280e

  • SHA512

    5095f61c153da5fcf9158013dfe6b9f9c58b6d7b64f08c2aba385148f22d2cfc1214933882c5a74ec882201f9b5674b067a4483ff2bf19f268938ba210c11ea3

  • SSDEEP

    6144:tKbsiJAXfCElJk12MetPHNaP+HI9ygY0bPmAHw4HFfEysVufBn597NX2L:tDAAXfXlJkEMYNaGU/jQysgfBnnl2L

Score
10/10
revengeratdiscoverystealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1836
    • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6y.exe
      C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6y.exe -install -228273 -dcu -c07f7b6842d1455f83f41b817891625a - -hu -pkidnrrvjouhavom
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1708

Network

  • flag-us
    DNS
    www.download-sponsor.de
    ocs_v6y.exe
    Remote address:
    8.8.8.8:53
    Request
    www.download-sponsor.de
    IN A
    Response
    www.download-sponsor.de
    IN A
    176.9.175.237
  • flag-de
    GET
    http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=228273&pid=dcu&source=hu&setupid=c07f7b6842d1455f83f41b817891625a&lang=en-US
    ocs_v6y.exe
    Remote address:
    176.9.175.237:80
    Request
    GET /initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=228273&pid=dcu&source=hu&setupid=c07f7b6842d1455f83f41b817891625a&lang=en-US HTTP/1.1
    Host: www.download-sponsor.de
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 11:59:58 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 0
    Keep-Alive: timeout=5, max=1500
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-us
    DNS
    bin.download-sponsor.de
    ocs_v6y.exe
    Remote address:
    8.8.8.8:53
    Request
    bin.download-sponsor.de
    IN A
    Response
    bin.download-sponsor.de
    IN A
    176.9.175.234
  • flag-de
    DNS
    ocs_v6y.exe
    Remote address:
    176.9.175.234:80
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx
    Date: Fri, 27 Sep 2024 11:59:59 GMT
    Content-Type: text/html
    Content-Length: 150
    Connection: close
  • 176.9.175.237:80
    http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=228273&pid=dcu&source=hu&setupid=c07f7b6842d1455f83f41b817891625a&lang=en-US
    http
    ocs_v6y.exe
    447 B
     328 B
     5
    3

    HTTP Request

    GET http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=228273&pid=dcu&source=hu&setupid=c07f7b6842d1455f83f41b817891625a&lang=en-US

    HTTP Response

    200
  • 176.9.175.234:80
    bin.download-sponsor.de
    http
    ocs_v6y.exe
    664 B
     507 B
     6
    5

    HTTP Response

    400
  • 8.8.8.8:53
    www.download-sponsor.de
    dns
    ocs_v6y.exe
    69 B
     85 B
     1
    1

    DNS Request

    www.download-sponsor.de

    DNS Response

    176.9.175.237

  • 8.8.8.8:53
    bin.download-sponsor.de
    dns
    ocs_v6y.exe
    69 B
     85 B
     1
    1

    DNS Request

    bin.download-sponsor.de

    DNS Response

    176.9.175.234

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OCS\pkidnrrvjouhavom.dat
    Filesize

    91B

    MD5

    25678888b10c3e4d58de707877dbd5aa

    SHA1

    ed057f1111b2c19bb40fa1a1bedfed8d967bc1c9

    SHA256

    d51a6a1f606837337ab6c3b8f86e2d023ff75e0d527c3d470c79dd5661d07ffd

    SHA512

    22a5e64c61268c47852f96257f9e552c0dc880701c80feb7cf5594d413655f13597ce825d3e9f7ed97c21c70c7a6e1dfec7758e4ae0e561bdd4f699f14be3531

    Download Submit

  • \Users\Admin\AppData\Local\Temp\OCS\ocs_v6y.exe
    Filesize

    312KB

    MD5

    e4453576e0680ca18e0cfd2ffad226b0

    SHA1

    988e557e6896f2607b38de46886057f285bf1904

    SHA256

    5c3d2ddc13f7852d5c055cc4c719c5a64522cb04fa7eee730856fc3d5f40b0d4

    SHA512

    9329109c69e1ff0cc486a6d14aa88b3e2092867fd943e6083c5f674479e3cf58fd60a0782e1d2623f4b40a76d5ff280f1252c894591bb0790686e08eecf7aa8a

    Download Submit

  • memory/1708-21-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-20-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-13-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-16-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-17-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-22-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-12-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1708-14-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-19-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-18-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-23-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-24-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1708-25-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1708-26-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.