
General

  • Target

    2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118

  • Size

    362KB

  • Sample

    240329-xp9d9agb74

  • MD5

    2a3f7f15ae8521504021f70d028c4b3d

  • SHA1

    78130866eeaa2cc64fbdee360f18895058a81cad

  • SHA256

    f1b4a215a84e80e11e558a5c995fd05fe34838aacf38763ca11d5714f4f63091

  • SHA512

    05479fc0547c006d5fa39a12405433ac575dd5f7db00bc11176f1800ac70c7cc272a7d9aa8c5029e7949c766462441310de906c9503739fbe176ea2ede65751a

  • SSDEEP

    6144:rR7PBeJA8J4bTXax4cK0jzzbRe8t35h6DUEVtI7j2:RPB/Wjde8tJhOUEtC

Malware Config

Extracted

Family

netwire

C2

globalpersonaldns.ddns.net:54984

personalpractice1.hopto.org:54984

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    clients

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    vQSrxiLN

  • offline_keylogger

    true

  • password

    checkmate123

  • registry_autorun

    false

  • use_mutex

    true

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
