Analysis
  max time kernel: 122s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 19/10/2024, 17:58
Static task: static1
Behavioral task: behavioral1
  Sample: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Resource: win7-20240903-en
General
  Target: 5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Size: 684KB
  MD5: 5de9dcc57b578bf915e553ae272269dc
  SHA1: 162ef6514901b7783261eb12f68f8798dc0e8f3d
  SHA256: 5b14d9674cbd536403423c9822182497469034a86ad12ced50ab02bdc9166cce
  SHA512: 98f2d30c39ef4706ed95579dfccf6e6637b5643c06c41dcc0dd4f61f6628f1d9691684b92699045b80486313fbb9d076e734419d83e31a036c36a1e30cd7dff5
  SSDEEP: 6144:XkKRDBCU++To9SLXGvRitOcpuAtk42a85SZvmSj/IHhiohh0RZHy4Y4uGtBzcVT:PgSLGI4AgJ5SZ9QHhhCXqGPz
Malware Config
Extracted
  family: blacknet
  version: v3.7.0 Public
  D7tJ7v
  http://officialcomerce1.xyz/lee
  BN[f9a1b17a]
  antivm: false
  elevate_uac: false
  install_name: WindowsUpdate.exe
  splitter: |BN|
  start_name: e162b1333458a713bc6916cc8ac4110c
  startup: false
  usb_spread: false
Signatures

BlackNET payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2616-20-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
  behavioral1/memory/2616-17-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
  behavioral1/memory/2616-16-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
  behavioral1/memory/2616-22-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet
  behavioral1/memory/2616-24-0x0000000000400000-0x000000000041E000-memory.dmp  family_blacknet

Contains code to disable Windows Defender (5 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource                                                                     yara_rule
  behavioral1/memory/2616-20-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
  behavioral1/memory/2616-17-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
  behavioral1/memory/2616-16-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
  behavioral1/memory/2616-22-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def
  behavioral1/memory/2616-24-0x0000000000400000-0x000000000041E000-memory.dmp  disable_win_def

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  description   ioc                                                                       Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  description   ioc                                                               Process
  Key opened    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                             Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description        ioc                                                        Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process                                             procid_target
  PID 1640 set thread context of 2616   1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe  34

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                      Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2940  cmd.exe
  844   PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  844   PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2748  schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  2616  RegSvcs.exe
  2616  RegSvcs.exe
  2616  RegSvcs.exe
  2616  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
  Token: SeDebugPrivilege  2616  RegSvcs.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2616  RegSvcs.exe
  2616  RegSvcs.exe
  2616  RegSvcs.exe

Suspicious use of WriteProcessMemory (31 IoCs; identical rows grouped with their count)
  description                          pid   Process                                             procid_target  count
  PID 1640 wrote to memory of 2748     1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe  31             4
  PID 1640 wrote to memory of 2588     1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe  33             7
  PID 1640 wrote to memory of 2616     1640  5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe  34             12
  PID 2616 wrote to memory of 2940     2616  RegSvcs.exe                                         35             4
  PID 2940 wrote to memory of 844      2940  cmd.exe                                             37             4
Processes (process tree, indented by depth)

1. C:\Users\Admin\AppData\Local\Temp\5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe"
   PID: 1640
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TiqvqaWbL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3E.tmp"
      PID: 2748
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "{path}"
      PID: 2588

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "{path}"
      PID: 2616
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         PID: 2940
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\PING.EXE
            command line: ping 1.1.1.1 -n 5 -w 5000
            PID: 844
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
Network

MITRE ATT&CK Enterprise v15
  Tactic: Discovery
  technique                                  count
  Peripheral Device Discovery                1
  Query Registry                             4
  Remote System Discovery                    1
  System Information Discovery               3
  System Location Discovery                  1
  System Language Discovery                  1
  System Network Configuration Discovery     1
  Internet Connection Discovery              1
  Virtualization/Sandbox Evasion             2
Downloads
  Filesize: 1KB
  MD5: 421e39bc4f290945b14bd0e71c540ea9
  SHA1: 858c802c4e5d693bca6f31e3f3294ac6d7922ca2
  SHA256: 011c1592cf913d4f5573d5df748afb2b3b76dc9209c6022ee2cf02a6bf14ab84
  SHA512: 1e0f9b3c8fb1b36e6c02aef3277f3be1eaf047203b0c93762a62108c485ea87d9d213a5864599af40af599c622aa0461cde82e9b6a41d1c883d85d652507f279