Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2024, 03:06

General

  • Target

    JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe

  • Size

    1.2MB

  • MD5

    d2c9a102f0f3c263e92c47fa9179a0b8

  • SHA1

    95071cb6fcaebd7899312be694df9e961f075b2b

  • SHA256

    8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997

  • SHA512

    bbe849b5e8e20e823676ea6ca94edeffa151bb3a55ad0c39b1061801480212588f266c4f726e98f2d3fea00c7deab5899256c403d57a70ff04af8cfc2e7f0b26

  • SSDEEP

    24576:wB0NWp6nr52LyDXRfJ5dwEztbXCmAUscM7P8g6A7Vpg83atTUHnlr:wBSDnV3XRfJ/emAUscMoCVuw

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 7 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Launches sc.exe 1 IoCs

    sc.exe is a Windows utility for controlling services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\sc.exe
        sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Windows\System32\\Delete00.bat
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2068
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2488
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2648
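The process tree above contains three behaviours that translate directly into detections over process telemetry: sc.exe setting a service's recovery actions to restart (persistence for the hijacked service), a cmd /c *.bat launched from the sample with a ping to loopback as its child (the usual delay-then-delete self-removal script), and svchost.exe -k netsvcs mapping a module from outside the Windows directory (consistent with a ServiceDll repointed at a dropped file, as in ATT&CK T1505.005). The following is an added example, not code from Triage or from the sample; it uses simplified Sysmon-style process-creation and image-load records. The sample events are constructed from the tree shown above; the parent PIDs of the two root processes and the module loaded by svchost.exe are assumptions (the report lists remote.hlp as a dropped file and flags "Loads dropped DLL" on svchost, but does not name the module).

```python
"""Detections for the three behaviours in the process tree above.

Added example; not code from Triage or from the sample. Records are
simplified Sysmon-style process-creation and image-load events.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str


@dataclass(frozen=True)
class ImageLoad:
    pid: int       # process that loaded the module
    module: str    # full path of the loaded module


WINDIR = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_sc_failure_restart(events):
    """sc.exe 'failure <svc> ... actions= restart' configures service
    recovery so the (hijacked) service is relaunched if it stops.
    Returns PIDs of matching sc.exe launches."""
    pat = re.compile(r"\bfailure\b.*\bactions=\s*restart", re.I)
    return [e.pid for e in events
            if _name(e.image) == "sc.exe" and pat.search(e.cmdline)]


def detect_bat_self_delete(events):
    """cmd /c <file>.bat whose child is a ping to loopback: the usual
    'wait for the parent to exit, then del it' self-deletion script.
    Returns (cmd_pid, batch_path) pairs."""
    bat = re.compile(r"/c\s+(\S+\.bat)\b", re.I)
    loop = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.I)
    hits = []
    for e in events:
        if _name(e.image) != "cmd.exe":
            continue
        m = bat.search(e.cmdline)
        if not m:
            continue
        if any(_name(c.image) == "ping.exe" and loop.search(c.cmdline)
               for c in events if c.ppid == e.pid):
            hits.append((e.pid, m.group(1)))
    return hits


def detect_svchost_foreign_module(events, loads):
    """svchost.exe -k netsvcs mapping a module from outside the Windows
    directory, as happens when a service's ServiceDll is repointed at a
    dropped file (ATT&CK T1505.005, Terminal Services DLL, is one case).
    Returns (svchost_pid, module_path) pairs."""
    svchosts = {e.pid for e in events
                if _name(e.image) == "svchost.exe"
                and re.search(r"-k\s+netsvcs\b", e.cmdline, re.I)}
    return [(l.pid, l.module) for l in loads
            if l.pid in svchosts and not l.module.lower().startswith(WINDIR)]


# Constructed sample modelled on the report's tree. PPIDs 0, 600 and 700 and
# the remote.hlp load are assumptions (the report names no module for svchost).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stand-in for the long name
EVENTS = [
    ProcCreate(2188, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcCreate(1560, 2188, SAMPLE, SAMPLE),
    ProcCreate(1708, 1560, r"C:\Windows\SysWOW64\sc.exe",
               "sc failure SQL Server Reporting Services (MSSQLSERVSER) "
               "reset= 86400 actions= restart/1000"),
    ProcCreate(2068, 1560, r"C:\Windows\SysWOW64\cmd.exe",
               r"cmd /c C:\Windows\System32\\Delete00.bat"),
    ProcCreate(2488, 2068, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    ProcCreate(2648, 600, r"C:\Windows\SysWOW64\svchost.exe",
               r"C:\Windows\SysWOW64\svchost.exe -k netsvcs"),
    # benign noise that must not fire
    ProcCreate(3001, 600, r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcCreate(3002, 700, r"C:\Windows\System32\cmd.exe",
               r"cmd /c C:\Scripts\backup.bat"),
]
LOADS = [
    ImageLoad(2648, r"c:\programdata\microsoft\windows\gameexplorer\remote.hlp"),
    ImageLoad(3001, r"C:\Windows\System32\wuaueng.dll"),
]


def run_all(events=EVENTS, loads=LOADS) -> dict:
    return {
        "service_recovery_persistence": detect_sc_failure_restart(events),
        "batch_self_delete": detect_bat_self_delete(events),
        "svchost_foreign_module": detect_svchost_foreign_module(events, loads),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {finding}")
```

The benign records are there to show the false-positive controls: a cmd /c *.bat without a loopback ping child and a netsvcs svchost loading from System32 stay silent. On a real host the same three checks map onto Sysmon Event IDs 1 and 7; the self-delete rule should be keyed on the batch file living under the Windows directory (as Delete00.bat does here) if you want to tighten it further.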

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Delete00.bat

    Filesize

    179B

    MD5

    e9bb28131aab66d39d574d4b5c51ffce

    SHA1

    ccdbaabdebdf23c369d89844d9046c4b84f51e00

    SHA256

    4321a4029e015e57b640641ac6a33b7c684f7ecdbce479ac1daec94ff8d76286

    SHA512

    08ef0d1c2beffcba68aff22d44084382867c9f4911d2f5876f82ebcef92298d0e7e88ad93c755f7949a717a56de968dde5b68fe5232f3063b33296890d764c49

  • \??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

    Filesize

    936KB

    MD5

    2148ed98f723563683990f569d23bf43

    SHA1

    25cfad1a06933f65f7d110a81d7adbfa83c19005

    SHA256

    b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

    SHA512

    8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

  • memory/1560-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-5-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-8-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/1560-4-0x0000000000400000-0x0000000000611000-memory.dmp

    Filesize

    2.1MB

  • memory/2188-14-0x0000000000400000-0x00000000005CA000-memory.dmp

    Filesize

    1.8MB

  • memory/2188-0-0x0000000000400000-0x00000000005CA000-memory.dmp

    Filesize

    1.8MB

  • memory/2188-6-0x0000000002B20000-0x0000000002CEA000-memory.dmp

    Filesize

    1.8MB

  • memory/2648-28-0x00000000001D0000-0x00000000001DB000-memory.dmp

    Filesize

    44KB

  • memory/2648-29-0x0000000010000000-0x0000000010100000-memory.dmp

    Filesize

    1024KB

  • memory/2648-30-0x0000000010000000-0x0000000010100000-memory.dmp

    Filesize

    1024KB

  • memory/2648-33-0x0000000010000000-0x0000000010100000-memory.dmp

    Filesize

    1024KB