Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

1cf62a27a2...18.exe

windows7-x64

10

1cf62a27a2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/10/2024, 10:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe

  • Size

    542KB

  • MD5

    1cf62a27a2c8e2cbb12b5b49ddb83436

  • SHA1

    7a33bbe4825898c301cb2fb3a6695c2c96639e56

  • SHA256

    d448dd127cdf0a2ebbf5d0eb75a6c575d35ad9063b90f5954ef5d8920167d01d

  • SHA512

    abe514cda6a7ca884ffc64f12120101d30189c66d7dda031f0c10cbfcaa9bd6e9add2cb18cd3944d11b1072b2f8a7e34a31feca0489682140633285feb9cf6dd

  • SSDEEP

    12288:lZqvGfXlJkEK/tKqCKYXSrDI6DY4EwmGAr4YlzY4ZJEk/wrGEYXl5gvysgfBnnl6:l4v5Ehwy5gvysgpnnc5

Score
10/10
revengeratdiscoverystealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
      C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -23218 -netzwelt -2a17c53a94f8440d8b2db25fdfe912ef - - -sofcupnesoulerfx
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2004

Network

  • flag-us
    DNS
    www.download-sponsor.de
    ocs_v6w.exe
    Remote address:
    8.8.8.8:53
    Request
    www.download-sponsor.de
    IN A
    Response
    www.download-sponsor.de
    IN A
    176.9.175.237
  • flag-us
    DNS
    www.download-sponsor.de
    ocs_v6w.exe
    Remote address:
    8.8.8.8:53
    Request
    www.download-sponsor.de
    IN A
  • flag-de
    GET
    http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=23218&pid=netzwelt&source=&setupid=2a17c53a94f8440d8b2db25fdfe912ef&lang=en-US
    ocs_v6w.exe
    Remote address:
    176.9.175.237:80
    Request
    GET /initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=23218&pid=netzwelt&source=&setupid=2a17c53a94f8440d8b2db25fdfe912ef&lang=en-US HTTP/1.1
    Host: www.download-sponsor.de
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 07 Oct 2024 10:34:17 GMT
    Server: Apache
    Vary: Accept-Encoding
    Content-Length: 0
    Keep-Alive: timeout=5, max=1500
    Connection: Keep-Alive
    Content-Type: text/html
  • flag-us
    DNS
    bin.download-sponsor.de
    ocs_v6w.exe
    Remote address:
    8.8.8.8:53
    Request
    bin.download-sponsor.de
    IN A
    Response
    bin.download-sponsor.de
    IN A
    176.9.175.234
  • flag-de
    DNS
    ocs_v6w.exe
    Remote address:
    176.9.175.234:80
    Response
    HTTP/1.1 400 Bad Request
    Server: nginx
    Date: Mon, 07 Oct 2024 10:34:17 GMT
    Content-Type: text/html
    Content-Length: 150
    Connection: close
  • 176.9.175.237:80
    http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=23218&pid=netzwelt&source=&setupid=2a17c53a94f8440d8b2db25fdfe912ef&lang=en-US
    http
    ocs_v6w.exe
    449 B
     328 B
     5
    3

    HTTP Request

    GET http://www.download-sponsor.de/initdownload/tracking/beforeUAC/tracking-receiver_beforeUAC.php?cid=23218&pid=netzwelt&source=&setupid=2a17c53a94f8440d8b2db25fdfe912ef&lang=en-US

    HTTP Response

    200
  • 176.9.175.234:80
    bin.download-sponsor.de
    http
    ocs_v6w.exe
    435 B
     507 B
     5
    5

    HTTP Response

    400
  • 8.8.8.8:53
    www.download-sponsor.de
    dns
    ocs_v6w.exe
    138 B
     85 B
     2
    1

    DNS Request

    www.download-sponsor.de

    DNS Request

    www.download-sponsor.de

    DNS Response

    176.9.175.237

  • 8.8.8.8:53
    bin.download-sponsor.de
    dns
    ocs_v6w.exe
    69 B
     85 B
     1
    1

    DNS Request

    bin.download-sponsor.de

    DNS Response

    176.9.175.234

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OCS\sofcupnesoulerfx.dat
    Filesize

    25B

    MD5

    0a3f15c0799a6131415052bca7a1240f

    SHA1

    55db59d7918eb56a8f0619c18abea844d8d1ac20

    SHA256

    b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59

    SHA512

    b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81

    Download Submit

  • \Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
    Filesize

    288KB

    MD5

    bf3d279766c65e104ac350f9341b7598

    SHA1

    a2c2496b99f467c8afdf1e55e2b546c6b03d878b

    SHA256

    a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381

    SHA512

    d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

    Download Submit

  • memory/2004-19-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-20-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-16-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-17-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-18-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-12-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2004-14-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-21-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-22-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-23-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-24-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2004-25-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2004-26-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.