Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/10/2024, 17:58
General
-
Target
5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe
-
Size
684KB
-
MD5
5de9dcc57b578bf915e553ae272269dc
-
SHA1
162ef6514901b7783261eb12f68f8798dc0e8f3d
-
SHA256
5b14d9674cbd536403423c9822182497469034a86ad12ced50ab02bdc9166cce
-
SHA512
98f2d30c39ef4706ed95579dfccf6e6637b5643c06c41dcc0dd4f61f6628f1d9691684b92699045b80486313fbb9d076e734419d83e31a036c36a1e30cd7dff5
-
SSDEEP
6144:XkKRDBCU++To9SLXGvRitOcpuAtk42a85SZvmSj/IHhiohh0RZHy4Y4uGtBzcVT:PgSLGI4AgJ5SZ9QHhhCXqGPz
Malware Config
Extracted
blacknet
v3.7.0 Public
D7tJ7v
http://officialcomerce1.xyz/lee
BN[f9a1b17a]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
false
-
usb_spread
false
Signatures
-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET payload 1 IoCs
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5de9dcc57b578bf915e553ae272269dc_JaffaCakes118.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TiqvqaWbL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46C8.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 1.1.1.1 -n 5 -w 5000 > Nul & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 5 -w 50004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Discovery
Peripheral Device Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fa991282c015d583800c4d01e8af5b3a
SHA16c61731d6bd848dbc51734b58e646e904bfe7080
SHA256421f03c3ac9880cd07c37f877e11bcb882d5edd5cc8ba39269dec63040b6231c
SHA5123244c75c397e28f031e7b83a99050393e4bd7eb146612094686e1ab16f1923697c898119a26eea88c886d3fd700bb82792841659becca929867b0a21c1a5dd6b
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
160KB
-
Filesize
408KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
712KB