Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29/07/2024, 20:23

General

  • Target

    5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe

  • Size

    338KB

  • MD5

    5ddc4cf0dad4b869b441a26e67444b73

  • SHA1

    5cba29927759776c9f1a7b10d5fec27c863035e3

  • SHA256

    839a5b4bc0c1e8d395e5b179a9e09dcbe9fb11d303595a1ade543c9873601312

  • SHA512

    cad6d15988b8b3c1921e6eab951812c4ed74f2956cdfaf666ccff9b35ddb34ed5d79fad9c49bfbaef09f87296861bedbc0f57be4f2d2a13937998c0b8a81f232

  • SSDEEP

    6144:DrMD6jcT15zUAVp4AE33eBQ4suHaxZ29eBRdN:3UgcTn5Vp4AxlQjBj

Malware Config

Extracted

Family

netwire

C2

dps5000.duckdns.org:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    C:\Users\Admin\AppData\Roaming\Filefox\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 1 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\help.exe
      "C:\Users\Admin\AppData\Local\Temp\5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\GoogleInc\GoogleInc.exe

    Filesize

    5.1MB

    MD5

    77a32a7c56d30f2f639e8b6b778d7c04

    SHA1

    60d58804b95ff14e94e718e6939f5e029c096482

    SHA256

    91a0f626afce1ce240538ce830ecd20b03f529dff30f3c6f3c21e1322d41e82d

    SHA512

    0c2164dab0d177131738d32bef3c52ba785e3f5ee8eac6dfab1c209d3dda655eb6d91e993cf063230377b3d89a9add09f41e64e906298e39347d9766cebcbd10

  • memory/572-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/572-29-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2360-0-0x0000000000140000-0x0000000000144000-memory.dmp

    Filesize

    16KB

  • memory/2360-1-0x0000000000390000-0x00000000003EA000-memory.dmp

    Filesize

    360KB

  • memory/2360-2-0x0000000001FC0000-0x0000000002140000-memory.dmp

    Filesize

    1.5MB

  • memory/2360-4-0x00000000001B0000-0x00000000001F7000-memory.dmp

    Filesize

    284KB

  • memory/2360-3-0x00000000005C0000-0x00000000006D0000-memory.dmp

    Filesize

    1.1MB