Analysis
- max time kernel: 95s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/05/2024, 13:50
Static task: static1
Behavioral task: behavioral1
Sample: 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Size: 7.6MB
- MD5: 80f528588d5e84152ecf6e25b8dad4dd
- SHA1: 80947aee4243d752b9c187caf01b3d864b7474c7
- SHA256: cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6
- SHA512: 2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc
- SSDEEP: 3072:QexSaR/D54T4ebgGZB8OOccgwM6G2Cgo5wUlkGkfCNrkdTOMJXIYOUHqlJN3Wpl:Qklr5kbg0B8VcnJcCg4jlkGp0T5i
Malware Config
Extracted family: netwire
C2: miikymouse1978.ooguy.com:5435
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: myRattyVin
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: glgSVnej
- offline_keylogger: true
- password: jamesnature
- registry_autorun: false
- use_mutex: true
Signatures
- NetWire RAT payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/3464-14-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
- Executes dropped EXE (1 IoCs)
  pid | Process
  3464 | svhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1572 set thread context of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  File created | C:\Windows\assembly\Desktop.ini | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  5716 | 3464 | WerFault.exe | 94
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  3476 | timeout.exe
- NTFS ADS (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe:Zone.Identifier | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  Token: 33 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 1572 wrote to memory of 3604 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 91
  PID 1572 wrote to memory of 3604 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 91
  PID 1572 wrote to memory of 3604 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 91
  PID 3604 wrote to memory of 1012 | 3604 | cmd.exe | 93
  PID 3604 wrote to memory of 1012 | 3604 | cmd.exe | 93
  PID 3604 wrote to memory of 1012 | 3604 | cmd.exe | 93
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 3464 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 94
  PID 1572 wrote to memory of 4828 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 95
  PID 1572 wrote to memory of 4828 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 95
  PID 1572 wrote to memory of 4828 | 1572 | 80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe | 95
  PID 4828 wrote to memory of 3476 | 4828 | cmd.exe | 97
  PID 4828 wrote to memory of 3476 | 4828 | cmd.exe | 97
  PID 4828 wrote to memory of 3476 | 4828 | cmd.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe"
  PID: 1572
  Tags: Drops desktop.ini file(s); Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 3604
    Tags: NTFS ADS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.lnk" /f
      PID: 1012
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    PID: 3464
    Tags: Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 248
      PID: 5716
      Tags: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.bat
    PID: 4828
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 300
      PID: 3476
      Tags: Delays execution with timeout.exe
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3464 -ip 3464
  PID: 5692
Network
MITRE ATT&CK Enterprise v15
Downloads