Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2024, 03:06 UTC

General

  • Target

    JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe

  • Size

    1.2MB

  • MD5

    d2c9a102f0f3c263e92c47fa9179a0b8

  • SHA1

    95071cb6fcaebd7899312be694df9e961f075b2b

  • SHA256

    8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997

  • SHA512

    bbe849b5e8e20e823676ea6ca94edeffa151bb3a55ad0c39b1061801480212588f266c4f726e98f2d3fea00c7deab5899256c403d57a70ff04af8cfc2e7f0b26

  • SSDEEP

    24576:wB0NWp6nr52LyDXRfJ5dwEztbXCmAUscM7P8g6A7Vpg83atTUHnlr:wBSDnV3XRfJ/emAUscMoCVuw

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 7 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\sc.exe
        sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\System32\\Delete00.bat
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2488
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2648

Network

  • flag-us
    DNS
    r.nxxxn.ga
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    r.nxxxn.ga
    IN A
    Response
  • flag-us
    DNS
    fuck88.f3322.net
    netsvcs
    Remote address:
    8.8.8.8:53
    Request
    fuck88.f3322.net
    IN A
    Response
  • 10.127.0.118:10020
    netsvcs
  • 10.127.0.118:5805
    netsvcs
  • 8.8.8.8:53
    r.nxxxn.ga
    dns
    netsvcs
    56 B
    116 B
    1
    1

    DNS Request

    r.nxxxn.ga

  • 8.8.8.8:53
    fuck88.f3322.net
    dns
    netsvcs
    62 B
    123 B
    1
    1

    DNS Request

    fuck88.f3322.net

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Delete00.bat

    Filesize

    179B

    MD5

    e9bb28131aab66d39d574d4b5c51ffce

    SHA1

    ccdbaabdebdf23c369d89844d9046c4b84f51e00

    SHA256

    4321a4029e015e57b640641ac6a33b7c684f7ecdbce479ac1daec94ff8d76286

    SHA512

    08ef0d1c2beffcba68aff22d44084382867c9f4911d2f5876f82ebcef92298d0e7e88ad93c755f7949a717a56de968dde5b68fe5232f3063b33296890d764c49

  • \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

    Filesize

    936KB

    MD5

    2148ed98f723563683990f569d23bf43

    SHA1

    25cfad1a06933f65f7d110a81d7adbfa83c19005

    SHA256

    b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

    SHA512

    8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

  • memory/1560-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-5-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-8-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-4-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/2188-14-0x0000000000400000-0x00000000005CA000-memory.dmp

    Filesize

    1.8MB

  • memory/2188-0-0x0000000000400000-0x00000000005CA000-memory.dmp

    Filesize

    1.8MB

  • memory/2188-6-0x0000000002B20000-0x0000000002CEA000-memory.dmp

    Filesize

    1.8MB

  • memory/2648-28-0x00000000001D0000-0x00000000001DB000-memory.dmp

    Filesize

    44KB

  • memory/2648-29-0x0000000010000000-0x0000000010100000-memory.dmp

    Filesize

    1024KB

  • memory/2648-30-0x0000000010000000-0x0000000010100000-memory.dmp

    Filesize

    1024KB

  • memory/2648-33-0x0000000010000000-0x0000000010100000-memory.dmp

    Filesize

    1024KB