Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 13:50

General

  • Target

    80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe

  • Size

    7.6MB

  • MD5

    80f528588d5e84152ecf6e25b8dad4dd

  • SHA1

    80947aee4243d752b9c187caf01b3d864b7474c7

  • SHA256

    cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6

  • SHA512

    2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc

  • SSDEEP

    3072:QexSaR/D54T4ebgGZB8OOccgwM6G2Cgo5wUlkGkfCNrkdTOMJXIYOUHqlJN3Wpl:Qklr5kbg0B8VcnJcCg4jlkGp0T5i

Malware Config

Extracted

Family

netwire

C2

miikymouse1978.ooguy.com:5435

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    myRattyVin

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    glgSVnej

  • offline_keylogger

    true

  • password

    jamesnature

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 1 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.lnk" /f
        3⤵
          PID:1012
      • C:\Users\Admin\AppData\Local\Temp\svhost.exe
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        2⤵
        • Executes dropped EXE
        PID:3464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 248
          3⤵
          • Program crash
          PID:5716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 300
          3⤵
          • Delays execution with timeout.exe
          PID:3476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3464 -ip 3464
      1⤵
        PID:5692

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe

        Filesize

        7.6MB

        MD5

        80f528588d5e84152ecf6e25b8dad4dd

        SHA1

        80947aee4243d752b9c187caf01b3d864b7474c7

        SHA256

        cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6

        SHA512

        2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc

      • C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.bat

        Filesize

        210B

        MD5

        7308f4cb66944239f4b7e8f63b05da85

        SHA1

        add86175090f50f69fa977dcf2cb9fda0fd00f51

        SHA256

        c07c617fbb20c3e37db0bdd1da5807396c63754ceae9937c946805f266c0405c

        SHA512

        04b1c403d5feb3ae2334fa507d675ec9922b3faabe403738faf6b15fd51502dbf185515f23f70decd8b55053fe30efae749be234998f1259def04493de427e2a

      • C:\Users\Admin\AppData\Local\Temp\svhost.exe

        Filesize

        89KB

        MD5

        84c42d0f2c1ae761bef884638bc1eacd

        SHA1

        4353881e7f4e9c7610f4e0489183b55bb58bb574

        SHA256

        331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

        SHA512

        43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

      • memory/1572-0-0x0000000074A92000-0x0000000074A93000-memory.dmp

        Filesize

        4KB

      • memory/1572-1-0x0000000074A90000-0x0000000075041000-memory.dmp

        Filesize

        5.7MB

      • memory/1572-2-0x0000000074A90000-0x0000000075041000-memory.dmp

        Filesize

        5.7MB

      • memory/1572-3-0x0000000074A92000-0x0000000074A93000-memory.dmp

        Filesize

        4KB

      • memory/1572-4-0x0000000074A90000-0x0000000075041000-memory.dmp

        Filesize

        5.7MB

      • memory/1572-1431-0x0000000074A90000-0x0000000075041000-memory.dmp

        Filesize

        5.7MB

      • memory/3464-14-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB