Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29/05/2024, 13:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Size: 7.6MB
- MD5: 80f528588d5e84152ecf6e25b8dad4dd
- SHA1: 80947aee4243d752b9c187caf01b3d864b7474c7
- SHA256: cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6
- SHA512: 2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc
- SSDEEP: 3072:QexSaR/D54T4ebgGZB8OOccgwM6G2Cgo5wUlkGkfCNrkdTOMJXIYOUHqlJN3Wpl:Qklr5kbg0B8VcnJcCg4jlkGp0T5i
Malware Config
Extracted
netwire
miikymouse1978.ooguy.com:5435
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: myRattyVin
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: glgSVnej
- offline_keylogger: true
- password: jamesnature
- registry_autorun: false
- use_mutex: true
Signatures
- NetWire RAT payload 7 IoCs
  resource                                                                          yara_rule
  behavioral1/memory/2608-26-0x0000000000400000-0x000000000042C000-memory.dmp       netwire
  behavioral1/memory/2608-22-0x0000000000400000-0x000000000042C000-memory.dmp       netwire
  behavioral1/memory/2608-20-0x0000000000400000-0x000000000042C000-memory.dmp       netwire
  behavioral1/memory/2608-18-0x0000000000400000-0x000000000042C000-memory.dmp       netwire
  behavioral1/memory/2608-105-0x0000000000400000-0x000000000042C000-memory.dmp      netwire
  behavioral1/memory/2608-97-0x0000000000400000-0x000000000042C000-memory.dmp       netwire
  behavioral1/memory/2608-131015-0x0000000000400000-0x000000000042C000-memory.dmp   netwire
- Executes dropped EXE 1 IoCs
  pid    Process
  2608   svhost.exe
- Loads dropped DLL 1 IoCs
  pid    Process
  2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Suspicious use of SetThreadContext 2 IoCs
  description                            pid    Process                                               procid_target
  PID 2232 set thread context of 2608    2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe   31
  PID 2232 set thread context of 2608    2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe   31
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe 1 IoCs
  pid    Process
  2516   timeout.exe
- NTFS ADS 1 IoCs
  description    ioc                                                                          Process
  File created   C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe:Zone.Identifier   cmd.exe
- Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid    Process
  2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  description                         pid    Process
  Token: SeDebugPrivilege             2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  Token: 33                           2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege   2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory 27 IoCs (identical rows grouped, count in parentheses)
  description                          pid    Process                                               procid_target
  PID 2232 wrote to memory of 1680     2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe   28   (4 entries)
  PID 1680 wrote to memory of 2596     1680   cmd.exe                                               30   (4 entries)
  PID 2232 wrote to memory of 2608     2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe   31   (11 entries)
  PID 2232 wrote to memory of 2624     2232   80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe   32   (4 entries)
  PID 2624 wrote to memory of 2516     2624   cmd.exe                                               34   (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe"
  PID: 2232
  Signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 1680
    Signatures: NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.lnk" /f
      PID: 2596
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 2608
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.bat
    PID: 2624
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      PID: 2516
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.6MB
  MD5: 80f528588d5e84152ecf6e25b8dad4dd
  SHA1: 80947aee4243d752b9c187caf01b3d864b7474c7
  SHA256: cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6
  SHA512: 2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc
- Filesize: 210B
  MD5: 7308f4cb66944239f4b7e8f63b05da85
  SHA1: add86175090f50f69fa977dcf2cb9fda0fd00f51
  SHA256: c07c617fbb20c3e37db0bdd1da5807396c63754ceae9937c946805f266c0405c
  SHA512: 04b1c403d5feb3ae2334fa507d675ec9922b3faabe403738faf6b15fd51502dbf185515f23f70decd8b55053fe30efae749be234998f1259def04493de427e2a
- Filesize: 85KB
  MD5: 2e5f1cf69f92392f8829fc9c9263ae9b
  SHA1: 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
  SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
  SHA512: f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883