Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26/01/2025, 01:39
General
-
Target
2025-01-26_df81ff95baf450f51910524927e4e3da_floxif_mafia.exe
-
Size
1.7MB
-
MD5
df81ff95baf450f51910524927e4e3da
-
SHA1
4396962bd0a99adfd38af6290a0b37497fe82959
-
SHA256
0e0ac11ba5fe37c2dad8eefa003cc36b4185d78ecf362dfb9d3316bdf4a711b9
-
SHA512
e877a404cf3f38f6c0e0745effb07dfe24326dc63d3a69eaf0dd50e8352b4e53c03b5ac5a95c3f2550009f9d1d21d6d380a15b10cfcc714fff0fed1e58f8f073
-
SSDEEP
49152:QOXCLdckT5HUTDCjgsjuQtIfr0pRAxGKoCl74GVxuOVwkRjcpfWaA3x:VFkT5H4C8sjuQtIfr0p6YKV74GVxPjca
Malware Config
Signatures
-
Floxif family
-
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
-
Detects Floxif payload 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-26_df81ff95baf450f51910524927e4e3da_floxif_mafia.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-26_df81ff95baf450f51910524927e4e3da_floxif_mafia.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Apache HTTP Server" dir=in action=allow description="RaidXpert2" program="C:\Program files (x86)\raidxpert2\apache\bin\httpd.exe" enable=yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
192KB