Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
21/05/2024, 13:21
General
-
Target
636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
-
Size
419KB
-
MD5
636fe98bde392f519b60e46f80dbbda5
-
SHA1
1d174d0235c74b87011d0ac4cb5097b533c41163
-
SHA256
8de3dda2e65faa4fffcac28429edb1dbd767edbfebf45314cba0269c3a4e6933
-
SHA512
1eaa2fb0d90a8e4119875904d26d0b50aa882f62bd149aefc0c8a3919f4e439e9dc0289105ea1497d6b619e7b60039557d8f8d46b424cb5fbb3f0b75562aa805
-
SSDEEP
12288:JFtRqnzyWrELTwWjhC7mQBN097mSOQcT:T+nzyWrEQ7mloSvcT
Malware Config
Extracted
netwire
sepp.myq-see.com:2001
-
activex_autorun
true
-
activex_key
{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
XdWObmml
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
true
Signatures
-
NetWire RAT payload 4 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKoqzTArbkVKfc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA8C.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe"{path}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe"{path}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe"{path}"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"C:\Users\Admin\AppData\Roaming\Install\Host.exe"3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKoqzTArbkVKfc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8066.tmp"4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"{path}"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe"{path}"4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56241885e9d60fc29b7226071c451e28b
SHA156b8e815b8fd1773f93e8ec2eb14e9be43444cc0
SHA256742866e820fee8acda2606c0bb164a92e26c8acd524436eebce1466b89b91d4b
SHA512f4e551c8bec596219d7da30035437e19922c6caffc1f50c75bbbb393934b83becfe1fba85b157c669ea0e56a87c86ec17ef494f306efe3c58120191ecc533e7f
-
Filesize
419KB
MD5636fe98bde392f519b60e46f80dbbda5
SHA11d174d0235c74b87011d0ac4cb5097b533c41163
SHA2568de3dda2e65faa4fffcac28429edb1dbd767edbfebf45314cba0269c3a4e6933
SHA5121eaa2fb0d90a8e4119875904d26d0b50aa882f62bd149aefc0c8a3919f4e439e9dc0289105ea1497d6b619e7b60039557d8f8d46b424cb5fbb3f0b75562aa805
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
624KB
-
Filesize
296KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
3.3MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
448KB
-
Filesize
3.3MB
-
Filesize
4KB