Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29/07/2024, 20:23
Static task: static1
Behavioral task: behavioral1
Sample: 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe
Size: 338KB
MD5: 5ddc4cf0dad4b869b441a26e67444b73
SHA1: 5cba29927759776c9f1a7b10d5fec27c863035e3
SHA256: 839a5b4bc0c1e8d395e5b179a9e09dcbe9fb11d303595a1ade543c9873601312
SHA512: cad6d15988b8b3c1921e6eab951812c4ed74f2956cdfaf666ccff9b35ddb34ed5d79fad9c49bfbaef09f87296861bedbc0f57be4f2d2a13937998c0b8a81f232
SSDEEP: 6144:DrMD6jcT15zUAVp4AE33eBQ4suHaxZ29eBRdN:3UgcTn5Vp4AxlQjBj
Malware Config
Extracted
netwire
dps5000.duckdns.org:3360
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: C:\Users\Admin\AppData\Roaming\Filefox\
lock_executable: false
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: false
Signatures
NetWire RAT payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/572-29-0x0000000000400000-0x000000000042C000-memory.dmp | netwire

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\GoogleInc.lnk | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\GoogleInc.lnk | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | help.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2360 wrote to memory of 572 | 2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe | 31
  PID 2360 wrote to memory of 572 | 2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe | 31
  PID 2360 wrote to memory of 572 | 2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe | 31
  PID 2360 wrote to memory of 572 | 2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe | 31
  PID 2360 wrote to memory of 572 | 2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe | 31
  PID 2360 wrote to memory of 572 | 2360 | 5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe
   "C:\Users\Admin\AppData\Local\Temp\5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe"
   - Drops startup file
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2360
   2. C:\Windows\SysWOW64\help.exe
      "C:\Users\Admin\AppData\Local\Temp\5ddc4cf0dad4b869b441a26e67444b73_JaffaCakes118.exe"
      - System Location Discovery: System Language Discovery
      PID: 572
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 5.1MB
MD5: 77a32a7c56d30f2f639e8b6b778d7c04
SHA1: 60d58804b95ff14e94e718e6939f5e029c096482
SHA256: 91a0f626afce1ce240538ce830ecd20b03f529dff30f3c6f3c21e1322d41e82d
SHA512: 0c2164dab0d177131738d32bef3c52ba785e3f5ee8eac6dfab1c209d3dda655eb6d91e993cf063230377b3d89a9add09f41e64e906298e39347d9766cebcbd10