Analysis
  max time kernel: 141s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20240215-en
  resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  submitted: 07/05/2024, 21:13
Static task: static1
Behavioral task: behavioral1
  Sample: 21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
  Resource: win7-20240215-en
General
  Target: 21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
  Size: 227KB
  MD5: 21c0027924a5a4a70cd1e61220716224
  SHA1: 5546ef57a890ca54ee59f52a39d86ea3f24ffe0e
  SHA256: cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d
  SHA512: 2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0
  SSDEEP: 6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT
Malware Config
Extracted
  Family: netwire
  C2: zicopele2018.sytes.net:3584
  C2: zicopele2018backup.sytes.net:3584
  activex_autorun: false
  copy_executable: false
  delete_original: false
  host_id: HostId-%Rand%
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  mutex: vkRChWpP
  offline_keylogger: true
  password: Password
  registry_autorun: false
  use_mutex: true
Signatures

NetWire RAT payload (9 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2396-23-0x0000000000C10000-0x0000000000C3C000-memory.dmp   netwire
  behavioral1/memory/2660-32-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-38-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-34-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-30-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-40-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-41-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-43-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
  behavioral1/memory/2660-50-0x0000000000400000-0x000000000042C000-memory.dmp   netwire

Drops startup file (1 IoCs)
  description   ioc                                                                                          Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url     21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process                                             procid_target
  PID 2396 set thread context of 2660   2396  21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe  31

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2396  21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
  2396  21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2396  21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (19 IoCs; identical rows collapsed into the count column)
  description                        pid   Process                                             procid_target  count
  PID 2396 wrote to memory of 2864   2396  21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe  28             4
  PID 2864 wrote to memory of 2172   2864  csc.exe                                             30             4
  PID 2396 wrote to memory of 2660   2396  21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe  31             11
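Hunting checks built from the extracted config (C2 hosts and port, mutex, keylogger_dir) and from the Startup .url the sample drops. This is an added example, not part of the Triage report or of any Triage tooling. Only the constants come from the report; the .url body and the Sysmon-style log lines are constructed for illustration, because the report names the dropped file (ymbWet.url) but does not show its contents, and the target path inside the constructed .url is hypothetical.

```python
"""Host and log hunting helpers built from the extracted NetWire config.

Added example, not part of the Triage report. Constants are taken from the
report; the .url body and the log lines are constructed, and the payload path
inside the .url is hypothetical.
"""
import configparser
import ctypes
import os
import re
import sys
import tempfile
from urllib.parse import unquote, urlparse

C2_HOSTS = {"zicopele2018.sytes.net", "zicopele2018backup.sytes.net"}
C2_PORT = 3584
MUTEX = "vkRChWpP"
KEYLOG_DIR = "%AppData%\\Logs\\"


def expand_win_env(path, env):
    """Expand %NAME% tokens case-insensitively, as Windows does, so the
    keylogger directory can be checked on a host or in a mounted image."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def mutex_exists(name):
    """True/False on Windows depending on whether the mutex can be opened,
    None elsewhere. ERROR_ACCESS_DENIED (5) still means the object exists
    (another session or a restrictive ACL), so it is reported as present."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return ctypes.get_last_error() == 5


def file_url_to_path(url):
    """file:///C:/a/b.exe -> C:\\a\\b.exe, using Windows semantics on any host OS."""
    p = unquote(urlparse(url).path)
    if re.match(r"^/[A-Za-z]:", p):
        p = p[1:]
    return p.replace("/", "\\")


def startup_url_targets(startup_dir):
    """Map each .url in a Startup folder to what it launches. Explorer opens
    Internet Shortcut files placed in Startup at logon, so URL=file:///...
    pointing at a local executable is a persistence entry."""
    targets = {}
    for name in sorted(os.listdir(startup_dir)):
        if not name.lower().endswith(".url"):
            continue
        cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
        cp.read(os.path.join(startup_dir, name), encoding="utf-8-sig")
        url = cp.get("InternetShortcut", "URL", fallback=None)
        if url:
            targets[name] = file_url_to_path(url) if url.lower().startswith("file:") else url
    return targets


def demo_startup_dir():
    """Constructed Startup folder holding one .url with a hypothetical target."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "ymbWet.url"), "w", encoding="utf-8") as f:
        f.write("[InternetShortcut]\nURL=file:///C:/Users/Admin/AppData/Roaming/hypothetical_payload.exe\n")
    return d


DNS_RE = re.compile(r"QueryName:\s*(\S+)")
NET_RE = re.compile(r"DestinationHostname:\s*(\S+).*?DestinationPort:\s*(\d+)")


def c2_hits(log_lines):
    """Scan Sysmon-style lines (EID 22 DNS query, EID 3 network connect) for the
    configured C2. Host-name matches are high confidence; a bare port-3584
    match is reported separately because the port alone is weak evidence."""
    hits = []
    for line in log_lines:
        m = DNS_RE.search(line)
        if m and m.group(1).lower().rstrip(".") in C2_HOSTS:
            hits.append(("c2-host", m.group(1)))
            continue
        m = NET_RE.search(line)
        if not m:
            continue
        host, port = m.group(1).lower().rstrip("."), int(m.group(2))
        if host in C2_HOSTS:
            hits.append(("c2-host", f"{host}:{port}"))
        elif port == C2_PORT:
            hits.append(("c2-port-only", f"{host}:{port}"))
    return hits


SAMPLE_LOG = [  # constructed lines, not from the report
    "EventID: 22 Image: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe QueryName: zicopele2018.sytes.net",
    "EventID: 3 Image: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe DestinationHostname: zicopele2018backup.sytes.net DestinationPort: 3584",
    "EventID: 3 Image: C:\\Program Files\\Foo\\foo.exe DestinationHostname: update.example.net DestinationPort: 3584",
    "EventID: 22 Image: C:\\Windows\\System32\\svchost.exe QueryName: ctldl.windowsupdate.com",
]

if __name__ == "__main__":
    print(expand_win_env(KEYLOG_DIR, {"APPDATA": "C:\\Users\\Admin\\AppData\\Roaming"}))
    print(startup_url_targets(demo_startup_dir()))
    print(c2_hits(SAMPLE_LOG))
    print("mutex present:", mutex_exists(MUTEX))
```

The mutex check only answers on a live Windows host; on a disk image the useful artifacts are the expanded keylogger directory and the Startup folder contents. `interpolation=None` matters because configparser's default interpolation chokes on `%` characters, which NetWire-style paths contain.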
Processes
  [PID 2396] C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe"
    signatures: Drops startup file; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [PID 2864] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.cmdline"
      signatures: Suspicious use of WriteProcessMemory
      [PID 2172] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp" "c:\Users\Admin\AppData\Local\Temp\hyk1wkwn\CSC17DF46B7AF6A42CAB0CEBBC8E2010.TMP"
    [PID 2660] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
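Reconstructing the injection chain from the rows above: the sample writes into a child vbc.exe that was started with no arguments, then calls SetThreadContext on it, and the netwire YARA rule fires on a region of the same size (0x2C000 bytes) in both the loader and vbc.exe's image base. The script below is an added example, not Triage's own tooling; its input strings are the report's own WriteProcessMemory, SetThreadContext and YARA rows (the repeated rows are generated rather than pasted) and the process list from the Processes section. The hollowing heuristic it applies (child launched with a bare image path, written to by its parent, then SetThreadContext from that parent) is a generic check, not something the report states.

```python
"""Rebuild the process-injection chain from the Triage signature rows.

Added example, not Triage's own tooling. Row strings are the report's cells;
the hollowing heuristic is a generic check applied to them.
"""
import re
from collections import Counter

LOADER = "21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe"

# WriteProcessMemory rows (19 on the page; the 2396 -> 2660 row appears 11 times).
WRITE_ROWS = (
    f"PID 2396 wrote to memory of 2864 2396 {LOADER} 28\n" * 4
    + "PID 2864 wrote to memory of 2172 2864 csc.exe 30\n" * 4
    + f"PID 2396 wrote to memory of 2660 2396 {LOADER} 31\n" * 11
)
CTX_ROWS = f"PID 2396 set thread context of 2660 2396 {LOADER} 31"
# NetWire YARA hits on memory dumps (9 on the page).
MEM_ROWS = "behavioral1/memory/2396-23-0x0000000000C10000-0x0000000000C3C000-memory.dmp netwire\n" + "\n".join(
    f"behavioral1/memory/2660-{i}-0x0000000000400000-0x000000000042C000-memory.dmp netwire"
    for i in (32, 38, 34, 30, 40, 41, 43, 50))

# pid -> (image, command line) from the Processes section; PARENT from the tree depth.
PROCESSES = {
    2396: (r"C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe"'),
    2864: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.cmdline"'),
    2172: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
           r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp" "c:\Users\Admin\AppData\Local\Temp\hyk1wkwn\CSC17DF46B7AF6A42CAB0CEBBC8E2010.TMP"'),
    2660: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"'),
}
PARENT = {2864: 2396, 2172: 2864, 2660: 2396}

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+")
MEM_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)")


def parse_rows(text):
    """(action, source_pid, target_pid) for each Triage description cell."""
    return [(action, int(src), int(dst)) for src, action, dst in ROW_RE.findall(text)]


def parse_memory_hits(text):
    """(pid, start, end, rule) for each YARA hit on a memory dump."""
    return [(int(p), int(a, 16), int(b, 16), r) for p, a, b, r in MEM_RE.findall(text)]


def launched_without_arguments(image, cmdline):
    """Hollowing targets are typically created suspended with the bare image
    path; a .NET compiler binary run this way has no legitimate job to do."""
    return cmdline.strip().strip('"') == image


def find_hollowing(rows, processes, parent):
    """Child of the injector, written to by it, then SetThreadContext from it,
    and started with no arguments: report it as a hollowing candidate."""
    writes = Counter((s, t) for a, s, t in rows if a == "wrote to memory of")
    ctx = {(s, t) for a, s, t in rows if a == "set thread context of"}
    findings = []
    for s, t in sorted(ctx):
        image, cmdline = processes[t]
        if parent.get(t) == s and writes[(s, t)] and launched_without_arguments(image, cmdline):
            findings.append({"injector": s, "target": t,
                             "image": image.rsplit("\\", 1)[-1], "writes": writes[(s, t)]})
    return findings


def payload_regions(hits):
    """{pid: (start, size)} of regions the netwire rule matched. Equal sizes in
    the loader and at the target's image base fit an unpacked payload being
    written over the hollowed process."""
    return {pid: (start, end - start) for pid, start, end, rule in hits if rule == "netwire"}


def analyze():
    rows = parse_rows(WRITE_ROWS) + parse_rows(CTX_ROWS)
    return {"hollowing": find_hollowing(rows, PROCESSES, PARENT),
            "regions": payload_regions(parse_memory_hits(MEM_ROWS))}


if __name__ == "__main__":
    print(analyze())
```

The csc.exe child gets four memory writes from the loader too, but no SetThreadContext and a real compiler command line, so it is not flagged; the runtime compile (csc.exe plus cvtres.exe) is a separate behaviour worth its own rule. On a live host the same check can be driven from Sysmon EID 1 (command line, parent) and EID 8/10 (remote thread, process access) rather than from sandbox rows.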
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1KB
  MD5: 8bac3777a0b62eb657f975a727f6f76a
  SHA1: c32e8c421e726d2812b0c867bb8eeee4c47837c9
  SHA256: cb7afc10c599e4afc03b70caba6ee8250bf3792073ac3dcb6deb994a34ef1e65
  SHA512: d443a1208f38dde5044a0b99f19ecf6e8574823c1b323f3c2e267d0edeac10c65bb8fe57d2b8877fbbc713b2f4497b01ad7aa3128cc450a6b225463ba31a2ffc

  Filesize: 13KB
  MD5: 697cefc27273e9ecb45bed285a87e2b5
  SHA1: d056ca0ba2224a59ad23d8fa8ba0a49ae5de00fb
  SHA256: 8b4868218d801f4c385b0bb19fdfa824f2fe9769c68e24a16af70f418ff4e4db
  SHA512: 2c3371bbd9354fb2384f9876073abce24b6c6bc64e7a3c676ff74536023dce08655a59574c72a47e4e98c6966729cb018574e3109824ebf378f16377229365f1

  Filesize: 39KB
  MD5: 81516d8f52454f48142f3491ef6c509c
  SHA1: c34bafae1d0bdfbc699941eed1fa83968654236d
  SHA256: 5535dea91d1cb4333b3eb5e028da4466abd06f1a882186120c71c6e753b2c2c9
  SHA512: 632930a37e3d1c56c8bd9c7fdacfa5db32a39b7cc5b34eda2d15b1d2ad82e2589ca66e48633745d7303dcc8b91974074bc9cbcf545ab5f374dfc02c421d971da

  Filesize: 1KB
  MD5: aa4e75645e25a0561e43d899ac7d81d6
  SHA1: e8b051d3f6d6bfa8af9220024c59fc10b6914de0
  SHA256: 5b7557b805fe7185758381494f2ec8baf6c3a5642350391b4fc0813acd883391
  SHA512: 3d1e2dbe067af72e50974828207b950d9a8cab22e467cd244989050f262ff7b2d25ae08140fe06db4b7a7a4843149ce409c2df13fe2b2d798915308c62317d71

  Filesize: 23KB
  MD5: f836341851788bcc914ee5b7c184806f
  SHA1: cc4f180e695f1036498bc7a16d0f1885b0c5af4f
  SHA256: 426571217dc194753b55e1a1d51ed64c3606590c7cd7557d5925b6d6bb7b3364
  SHA512: d6b64906ac580c682141a545ac025433708bc1fc8cc9f65da3d5d21ed1ec6e4ed559102ce82daf996277bb86597c767ec0eab9d954e728d0743c82138ffa0a58

  Filesize: 312B
  MD5: ec7e07ee2d521250473d977c498d73b8
  SHA1: a9ca6eb300dc6afd46fcb43ef2069d650d26f81b
  SHA256: a0b4795b6f37a0a86d5716a855c7ce174b0d9fce9c11302cfd5de22f552d0e74
  SHA512: 00a41aa043ac195bba5f64311aa3158ef98c66856568ed4e2c8c9ab6f6decaab42a3ae08ff5973371cd36c1ff4454c06be4417d7c5e4f56ae793e0ed12fabb86