Analysis
  max time kernel: 119s
  max time network: 124s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 28/05/2024, 19:53
Static task: static1
Behavioral task: behavioral1
  Sample: 7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
  Resource: win7-20240221-en
General
  Target: 7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
  Size: 1.1MB
  MD5: 7e325204fdaa3d9a4be3facd66a01bf9
  SHA1: 72ae942dbdd61ab7256bac03a71c2f6488c4f381
  SHA256: dfedae8d3b13ad57c1ce0abcccc3578c411e890fde8c118c64aa7b1564aeead4
  SHA512: e91f5a3a8fd3e6800454eeba81c6489c3097d00f18e3126c036307f0d6909e91e618d26340fcadf4c7fc61a632f9fede8a8573f6712a3ad0f4d85b28ee834865
  SSDEEP: 24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaCfIGCImN5:1h+ZkldoPK8YaCy
Malware Config
Extracted
  family: netwire
  C2: checklewis.ddns.net:3361
  activex_autorun: false
  copy_executable: true
  delete_original: false
  host_id: HostId-%Rand%
  install_path: %AppData%\Install\Host.exe
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  mutex: qbpWIrEm
  offline_keylogger: true
  password: Password
  registry_autorun: false
  use_mutex: true
Signatures

NetWire RAT payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/3020-34-0x0000000000080000-0x00000000000AC000-memory.dmp  netwire
  behavioral1/memory/2216-12-0x0000000000080000-0x00000000000AC000-memory.dmp  netwire
  behavioral1/memory/2216-1-0x0000000000080000-0x00000000000AC000-memory.dmp   netwire

Executes dropped EXE (2 IoCs)
  pid   Process
  2480  Host.exe
  3020  Host.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2216  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
  2656  WerFault.exe  (5 loads)

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource                                     yara_rule
  behavioral1/files/0x000b000000015c3c-31.dat  autoit_exe

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                             procid_target
  PID 2168 set thread context of 2216  2168  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  28
  PID 2480 set thread context of 3020  2480  Host.exe                                            30

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2884  2168        WerFault.exe  27
  2656  2480        WerFault.exe  29

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid   Process
  2168  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  (3 hits)
  2480  Host.exe                                            (3 hits)

Suspicious use of SendNotifyMessage (6 IoCs)
  pid   Process
  2168  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  (3 hits)
  2480  Host.exe                                            (3 hits)

Suspicious use of WriteProcessMemory (24 IoCs)
  description                        pid   Process                                             procid_target  count
  PID 2168 wrote to memory of 2216   2168  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  28             6
  PID 2216 wrote to memory of 2480   2216  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  29             4
  PID 2480 wrote to memory of 3020   2480  Host.exe                                            30             6
  PID 2168 wrote to memory of 2884   2168  7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  31             4
  PID 2480 wrote to memory of 2656   2480  Host.exe                                            32             4
Processes
  C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe"
  PID: 2168
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe"
    PID: 2216
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Install\Host.exe  (level 3)
      command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      PID: 2480
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Install\Host.exe  (level 4)
        command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        PID: 3020
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe  (level 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 432
        PID: 2656
        - Loads dropped DLL
        - Program crash

    C:\Windows\SysWOW64\WerFault.exe  (level 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 424
    PID: 2884
    - Program crash
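The SetThreadContext and WriteProcessMemory rows, read against the process tree, describe a process-hollowing chain: the AutoIT-compiled sample spawns a second copy of itself, writes into it and replaces its thread context (2168 -> 2216); that copy drops and runs %AppData%\Install\Host.exe, the install_path from the extracted config (the Downloads entry carries the sample's own hashes, consistent with copy_executable: true); Host.exe then repeats the trick (2480 -> 3020). The NetWire memory-dump YARA hits land on 2216 and 3020, exactly the two hollowed children, while the WerFault spawns receive WriteProcessMemory but no SetThreadContext. The Python below, an added example and not tria.ge code, encodes that pattern as detection logic over an event stream rebuilt by hand from the report's rows; the event schema, the helper names and the comparison to Sysmon event types are assumptions.

```python
"""Turn this report's process tree and API-use rows into detection logic.

Added example, not tria.ge code.  EVENTS is constructed by hand from the
report (process creations from the tree, WriteProcessMemory and
SetThreadContext rows from Signatures); the event schema is an assumption,
roughly what Sysmon events 1, 8 and 10 or an EDR process stream provide."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe"
HOST = r"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
CONFIG_INSTALL_PATH = r"%AppData%\Install\Host.exe"   # install_path from the extracted NetWire config


def _create(pid, ppid, image):
    return [{"type": "create", "pid": pid, "ppid": ppid, "image": image}]


def _write(src, dst, n):
    return [{"type": "write_memory", "pid": src, "target": dst}] * n


def _ctx(src, dst):
    return [{"type": "set_thread_context", "pid": src, "target": dst}]


# Constructed from the report: counts match the 24 WriteProcessMemory rows.
EVENTS = (
    _create(2168, None, SAMPLE)
    + _create(2216, 2168, SAMPLE) + _write(2168, 2216, 6) + _ctx(2168, 2216)
    + _create(2480, 2216, HOST) + _write(2216, 2480, 4)
    + _create(3020, 2480, HOST) + _write(2480, 3020, 6) + _ctx(2480, 3020)
    + _create(2884, 2168, WERFAULT) + _write(2168, 2884, 4)
    + _create(2656, 2480, WERFAULT) + _write(2480, 2656, 4)
)


def index_events(events):
    """Split the stream into a pid table and per-injector target sets."""
    procs, writes, ctx = {}, defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "create":
            procs[e["pid"]] = {"ppid": e["ppid"], "image": e["image"]}
        elif e["type"] == "write_memory":
            writes[e["pid"]].add(e["target"])
        elif e["type"] == "set_thread_context":
            ctx[e["pid"]].add(e["target"])
    return procs, writes, ctx


def find_hollowing(events):
    """(injector, hollowed child, image) for every child whose parent spawned
    it from the same image, wrote into it, and then replaced its thread
    context.  Writes alone (the WerFault spawns here) do not match: the
    thread-context swap is what separates hollowing from crash-handler plumbing."""
    procs, writes, ctx = index_events(events)
    hits = []
    for pid, info in procs.items():
        parent = info["ppid"]
        if parent not in procs:
            continue
        same_image = procs[parent]["image"].lower() == info["image"].lower()
        if same_image and pid in writes.get(parent, ()) and pid in ctx.get(parent, ()):
            hits.append((parent, pid, info["image"]))
    return hits


def expand_appdata(path, profile):
    """Expand the %AppData% placeholder the way the RAT config uses it."""
    return path.replace("%AppData%", profile + r"\AppData\Roaming")


def find_config_install(events, install_path=CONFIG_INSTALL_PATH, profile=r"C:\Users\Admin"):
    """PIDs whose image is the config's install_path on the given profile."""
    procs, _, _ = index_events(events)
    wanted = expand_appdata(install_path, profile).lower()
    return sorted(pid for pid, info in procs.items() if info["image"].lower() == wanted)


def ancestry(events, pid):
    """Root-to-leaf pid chain: sample -> hollowed sample -> Host.exe -> hollowed Host.exe."""
    procs, _, _ = index_events(events)
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for injector, target, image in find_hollowing(EVENTS):
        print(f"process hollowing: {injector} -> {target} ({image})")
    print("running from config install_path:", find_config_install(EVENTS))
    print("chain to final NetWire process:", ancestry(EVENTS, 3020))
```

On a real host the same three predicates (same-image child, cross-process write, thread-context replacement) map directly onto Sysmon process-create, CreateRemoteThread/ProcessAccess and EDR thread-context telemetry; the install_path match is the cheap follow-up that ties a hollowing alert to this family's extracted config.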
Downloads
  Filesize: 1.1MB
  MD5: 7e325204fdaa3d9a4be3facd66a01bf9
  SHA1: 72ae942dbdd61ab7256bac03a71c2f6488c4f381
  SHA256: dfedae8d3b13ad57c1ce0abcccc3578c411e890fde8c118c64aa7b1564aeead4
  SHA512: e91f5a3a8fd3e6800454eeba81c6489c3097d00f18e3126c036307f0d6909e91e618d26340fcadf4c7fc61a632f9fede8a8573f6712a3ad0f4d85b28ee834865