Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

c88dc765a7...18.exe

windows7-x64

10

c88dc765a7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2024, 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c88dc765a7c177418c78681e6c997ff4_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    c88dc765a7c177418c78681e6c997ff4

  • SHA1

    a1c6b7a24474ffd02ac9a3d515ffb9c1a255259e

  • SHA256

    a815984315b712dc2067fcf34bc1ba95b9badebb78e20afb7fb3068bcdf1dbb7

  • SHA512

    7680712c56b8fda096d8115d82dad75f44723f2b9298820a3d4b08276502584ac2f83d3930a27ed7ecad47f2774f4296870d9cf4bf10eafa15ae0d146451ebe1

  • SSDEEP

    49152:4fSA5sZBZ2bLAqFEBjlqDnlhPYEwXYP5Rw3t8BxDemj2KgH:+16kRFEBjlanMGR6twpekg

Score
10/10
stealthworkerbotnetdiscoveryupx

Malware Config

Extracted

Family

stealthworker

Version

3.11

C2

http://176.121.14.113:8888

Signatures

  • StealthWorker

    StealthWorker is golang-based brute force malware.

    botnetstealthworker
  • Stealthworker family
    stealthworker
  • Drops startup file 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c88dc765a7c177418c78681e6c997ff4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c88dc765a7c177418c78681e6c997ff4_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\SysWOW64\cmd.exe
      cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
      2⤵
      • Drops startup file
      • System Location Discovery: System Language Discovery
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\s.bat
    Filesize

    305B

    MD5

    71b616e6a039339d8d805b180c5fb9ad

    SHA1

    1b1d9fbee32b71d9bd4b125a6be4a694a926ca2e

    SHA256

    95e61578f1b14f4421c388872cbc940608ff6ecb1a3c6ec446d46a7554506507

    SHA512

    bcd5e935265417c3a71097d68fb2f83b87bd06fb6d67e3019f4cddee953af9aab12dee61f7da8aa2f8131f090b3b7bc0c332a89b46e07effb156b4f491ef34e0

    Download Submit

  • memory/3508-2-0x0000000004FE0000-0x00000000051F1000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3508-1-0x0000000004DC0000-0x0000000004FD9000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3508-3-0x0000000000400000-0x0000000000AE5000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3508-8-0x0000000000400000-0x0000000002E34000-memory.dmp

    Filesize

    42.2MB

    Download

  • memory/3508-10-0x0000000004DC0000-0x0000000004FD9000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3508-11-0x0000000004FE0000-0x00000000051F1000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3508-12-0x0000000000400000-0x0000000000AE5000-memory.dmp

    Filesize

    6.9MB

    Download