Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2024, 16:59

General

  • Target

    fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe

  • Size

    249KB

  • MD5

    fef89b11c40ba67c88e0b02fcb495c63

  • SHA1

    935db72361f09f21e75b20273b8186983d6cf611

  • SHA256

    a2b18afee1bc8dceb3b39a3b55c7c0a2eb4bfaaf814968610cf709f4ebea3b59

  • SHA512

    36fa1c821d8b057cf6360f2b90916e0fab09cfc567c08083643df617577f38a225651ae0b8a9d40c116743efe355574026b8c22da3ddccaf931dcfab1dc9deab

  • SSDEEP

    6144:aKhoOpdqoHNN4fyciRsbZoF/3jFuf9POx12CXW3ei0C9o7:9pLtu6cWsbuF/91X+eih

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 5 IoCs
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

    Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

  • Executes dropped EXE 4 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 17 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fef89b11c40ba67c88e0b02fcb495c63_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Port Monitors
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\Fonts\*.exe /e /d system
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1288
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:1356
    • C:\Windows\Logs\RunDllExe.exe
      C:\Windows\Logs\RunDllExe.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
          PID:3536
      • C:\Windows\Logs\RunDllExe.exe
        C:\Windows\Logs\RunDllExe.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          2⤵
            PID:4476

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\Logs\RunDllExe

          Filesize

          160KB

          MD5

          48d40b7e1f63ea4913b90a000d0c4eb6

          SHA1

          8f1f63b0d63cd7f12dc59afc76ce4c1281b0fff0

          SHA256

          47387258eb65722196c91c5ee1d6ca9fecf0bc0d696c4590f8799f9d9cd3d01e

          SHA512

          b6515e146336295f2e367ec9f088c29d9ccea894d9867052cdf9ec36268084fe673e8d87f793545a299796004e26e104f11f5569ac206253bbc5f39c89f47398

        • C:\Windows\Logs\RunDllExe

          Filesize

          160KB

          MD5

          8d667041806f2b9689529fb2969930be

          SHA1

          5f654e79f6680dc21039652fda77d381ed3d03d0

          SHA256

          1d21ca4aa53b3089b2dc9645c131792d6c6c7a08a848aa8b9b4b3b5bd1abb979

          SHA512

          dc1dd9128659b73fc021ee858e245cf4267b4054d8401664cb4b3b093bcedd2899aca14fac6f1aface2f848aab3c9e4fbc461b6d86373ea12e439159f875e8ad

        • C:\Windows\Logs\RunDllExe.dll

          Filesize

          89KB

          MD5

          2dbb48047fcd2476ae0337b9bdb6b8fb

          SHA1

          fd8e8823449b4e569eec522c488d0223c31bf337

          SHA256

          ef1c22b4e8c461e54dee81b8ad69c0e6823551012c69233a0ff8ce37eb7a9518

          SHA512

          5ca2fc75087776dba81a671aa7d7ba737f3c27d3370ad48c955a740a3a301890ad4ba521e6e3d7b5a6d9520ebcbf35dd0112afe5275b1e9cd9c41a0d82f09511

        • C:\Windows\Logs\RunDllExe.dll

          Filesize

          89KB

          MD5

          1a371ffa3a59d7c29e0bf3948dd0a3dd

          SHA1

          5bf87456155f3477d56780304c231910dcfebcec

          SHA256

          6c920ccc28450418e24fb08348aa3933db927ced75f6c0af1994821464e238b5

          SHA512

          1f016f65105400c883cbee501bf612d799d67fc295df49ca09e0a9eb31d067c8b5e519f3b7466842c3ac094fbf54a1839905784ca1c4ead907c24602c5564399

        • C:\Windows\Logs\RunDllExe.dll

          Filesize

          89KB

          MD5

          c02d9300deea8aaa42bf5e9c56ddcf29

          SHA1

          4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

          SHA256

          54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

          SHA512

          c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

        • C:\Windows\Logs\RunDllExe.exe

          Filesize

          160KB

          MD5

          645564cf1c80e047a6e90ac0f2d6a6b7

          SHA1

          35e4b5e065b90fe5b1713e5a4645875f023b6a18

          SHA256

          6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

          SHA512

          e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

        • C:\Windows\Logs\RunDllExe_New

          Filesize

          160KB

          MD5

          1ed05b19071c5e823d793ffe7556ec45

          SHA1

          45ff2431e3c4460f123a3b4a4bd599902c26af04

          SHA256

          78803c914d43a14b5c8f3b4141b3d80b80abaa0bf3d2f39d88ead12d29761434

          SHA512

          47aba4a4ea7e515e7a44e05c9d7930bda3bb2e2b5c6221ef2597cc55e2b3cbf65305bf70e94df6f3e340cd433686c7706304fe66532e9ef63a7059178a417214

        • memory/3720-13-0x0000000000400000-0x00000000004D7000-memory.dmp

          Filesize

          860KB

        • memory/3720-0-0x0000000000400000-0x00000000004D7000-memory.dmp

          Filesize

          860KB

        • memory/4476-64-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4476-46-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4476-45-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4476-44-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB