Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/09/2024, 16:59

General

  • Target

    fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe

  • Size

    249KB

  • MD5

    fef89b11c40ba67c88e0b02fcb495c63

  • SHA1

    935db72361f09f21e75b20273b8186983d6cf611

  • SHA256

    a2b18afee1bc8dceb3b39a3b55c7c0a2eb4bfaaf814968610cf709f4ebea3b59

  • SHA512

    36fa1c821d8b057cf6360f2b90916e0fab09cfc567c08083643df617577f38a225651ae0b8a9d40c116743efe355574026b8c22da3ddccaf931dcfab1dc9deab

  • SSDEEP

    6144:aKhoOpdqoHNN4fyciRsbZoF/3jFuf9POx12CXW3ei0C9o7:9pLtu6cWsbuF/91X+eih

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

    Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation.

  • Executes dropped EXE 3 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic on the DNS port to servers other than the configured DNS servers was detected.

  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in Windows directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe"
    • Boot or Logon Autostart Execution: Port Monitors
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 2096
    • C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Fonts\*.exe /e /d system
      • System Location Discovery: System Language Discovery
      PID: 2884
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 2800
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      PID: 2604
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 2812
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      PID: 2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Logs\RunDllExe

    Filesize

    160KB

    MD5

    eca781d7d82b7332c11f4c963aabd717

    SHA1

    e802e1db7bcde6f8af376b9211e34a93f6160547

    SHA256

    91f6d5ee6ded010d4c30f01b19d0af8ca1304d647ca6a2e523753aba82a26d6a

    SHA512

    88c90e5c110457b27b8bc47f28828c2a7d4c9921ba09f710d0eca10b124fd4755fd56e7a3072b6ed25f2fa641813fbf70c9a88479aad71a15572fea14ef2db84

  • C:\Windows\Logs\RunDllExe.dll

    Filesize

    89KB

    MD5

    57d45b1127ff35e4c1644920e4c2b342

    SHA1

    f8baa79d5fabf77cf358c1aad152d937eccceebb

    SHA256

    5de9aa8b4da7da62f705aa062a29baf7ac249108661127464a4e93332afabb7b

    SHA512

    4c6fd1b001cfa1f55a94fd03165716cb21a57c5cef51761c7b25a18f217f48f4341b4df32d10417df1a564c3b96b3d68b9adfc270c4e360512375774fae82030

  • C:\Windows\Logs\RunDllExe.exe

    Filesize

    160KB

    MD5

    645564cf1c80e047a6e90ac0f2d6a6b7

    SHA1

    35e4b5e065b90fe5b1713e5a4645875f023b6a18

    SHA256

    6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

    SHA512

    e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

  • \Windows\Logs\RunDllExe.dll

    Filesize

    89KB

    MD5

    c02d9300deea8aaa42bf5e9c56ddcf29

    SHA1

    4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

    SHA256

    54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

    SHA512

    c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

  • memory/2096-0-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/2096-62-0x0000000000400000-0x00000000004D7000-memory.dmp

    Filesize

    860KB

  • memory/2604-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2604-29-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2604-23-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2604-17-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2604-13-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2604-9-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/2604-58-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB