General
Target: 9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118
Size: 1.4MB
Sample: 240611-mjy18atdmd
MD5: 9ddf9a29e4e7a26ade32ba492ad12851
SHA1: ee86814c37343e5385231fd3bccc686222c178b3
SHA256: 6480317220b83a20606f5f8e835254fd66984024fb9f3f358a9aee33bb9b387a
SHA512: 5f23c86d58389e223006a653b49e29c99a07a9754e92edc0d2f2993ce94e3f11018759ec7d0a3598425d873bd85d5cf6a108643067fa3fc9938994a4062e841b
SSDEEP: 24576:8UQK3C0RdSRKQ428hCst8Pd1lhkVOhjRbLH/RFalSZLZhIJ4FZwS:8URndUKl18lvhsI1L/aeo4
Static task: static1
Behavioral task: behavioral1
Sample: 9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted: lokibot
http://lallahome2.ru/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted: netwire
181.215.247.253:20881
activex_autorun: true
activex_key: {W17VSAE7-MM7D-VKP1-T6CH-ASC0300H32OY}
copy_executable: true
delete_original: true
host_id: HostIdwadja
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: QtK37ulUUZ
registry_autorun: true
startup_name: chrome
use_mutex: false
Targets
Target: 9ddf9a29e4e7a26ade32ba492ad12851_JaffaCakes118
- NetWire RAT payload
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext