Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27/08/2024, 03:01

General

  • Target

    c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe

  • Size

    540KB

  • MD5

    c43f9a6bbb9ae4e618d4a72c626259d4

  • SHA1

    b0d56df59de23d693e9d2bcfde5569c683895715

  • SHA256

    d05b01de0d1bd816e1024cb47ba0b5c2205cc3aa274e466d59a39052ad945c36

  • SHA512

    9b237dbcb32e0e5cba0d15c954c6bd830cee42d0235083a3d6dff49e6b25968ae797006fe432a264ee59b3e2139b0b40fd6479dfb14c2912df1cf91abb3a6fb6

  • SSDEEP

    3072:lYFzyxPM+ETS8wwyd+Z9vZ9hiCeZI9rliT/qyqms1XIfnEL08kRk60RjH:lYJyxPML/OwFhiu9rlqa71MEL0P7uj

Malware Config

Extracted

Family

netwire

C2

cowboyz.climatechangeawareness.uk:31256

Attributes
  • activex_autorun

    true

  • activex_key

    {3BGD0153-4IDF-FT00-RY63-XFA4O7NRPM6W}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    pbNlVBON

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 276
        3⤵
        • Program crash
        PID:1504
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:1984
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 276
          3⤵
          • Program crash
          PID:760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1720-6-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

    • memory/1996-14-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

    • memory/1996-10-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

    • memory/3016-12-0x0000000074AA0000-0x000000007518E000-memory.dmp

      Filesize

      6.9MB

    • memory/3016-5-0x0000000074AA0000-0x000000007518E000-memory.dmp

      Filesize

      6.9MB

    • memory/3016-4-0x0000000074AA0000-0x000000007518E000-memory.dmp

      Filesize

      6.9MB

    • memory/3016-3-0x00000000020C0000-0x00000000020F0000-memory.dmp

      Filesize

      192KB

    • memory/3016-2-0x0000000000200000-0x0000000000208000-memory.dmp

      Filesize

      32KB

    • memory/3016-1-0x0000000000950000-0x00000000009DC000-memory.dmp

      Filesize

      560KB

    • memory/3016-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

      Filesize

      4KB