Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27/08/2024, 03:01
Static task: static1
Behavioral task: behavioral1
Sample: c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
Size: 540KB
MD5: c43f9a6bbb9ae4e618d4a72c626259d4
SHA1: b0d56df59de23d693e9d2bcfde5569c683895715
SHA256: d05b01de0d1bd816e1024cb47ba0b5c2205cc3aa274e466d59a39052ad945c36
SHA512: 9b237dbcb32e0e5cba0d15c954c6bd830cee42d0235083a3d6dff49e6b25968ae797006fe432a264ee59b3e2139b0b40fd6479dfb14c2912df1cf91abb3a6fb6
SSDEEP: 3072:lYFzyxPM+ETS8wwyd+Z9vZ9hiCeZI9rliT/qyqms1XIfnEL08kRk60RjH:lYJyxPML/OwFhiu9rlqa71MEL0P7uj
Malware Config
Extracted family: netwire
C2: cowboyz.climatechangeawareness.uk:31256
activex_autorun: true
activex_key: {3BGD0153-4IDF-FT00-RY63-XFA4O7NRPM6W}
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: pbNlVBON
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: true
Signatures

NetWire RAT payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1996-14-0x0000000000400000-0x000000000042B000-memory.dmp   netwire
behavioral1/memory/1996-10-0x0000000000400000-0x000000000042B000-memory.dmp   netwire
behavioral1/memory/1720-6-0x0000000000400000-0x000000000042B000-memory.dmp    netwire

Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process                                               procid_target
PID 3016 set thread context of 1720  3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 set thread context of 1996  3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32

Program crash (2 IoCs)
pid   pid_target  Process
1504  1720        WerFault.exe
760   1996        WerFault.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      RegAsm.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      RegAsm.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid   Process
3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (31 IoCs)
description                        pid   Process                                               procid_target
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1984   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    31
PID 3016 wrote to memory of 1720   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    30
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 3016 wrote to memory of 1996   3016  c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe    32
PID 1996 wrote to memory of 760    1996  RegAsm.exe                                            33
PID 1996 wrote to memory of 760    1996  RegAsm.exe                                            33
PID 1996 wrote to memory of 760    1996  RegAsm.exe                                            33
PID 1996 wrote to memory of 760    1996  RegAsm.exe                                            33
PID 1720 wrote to memory of 1504   1720  RegAsm.exe                                            34
PID 1720 wrote to memory of 1504   1720  RegAsm.exe                                            34
PID 1720 wrote to memory of 1504   1720  RegAsm.exe                                            34
PID 1720 wrote to memory of 1504   1720  RegAsm.exe                                            34
Processes

C:\Users\Admin\AppData\Local\Temp\c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c43f9a6bbb9ae4e618d4a72c626259d4_JaffaCakes118.exe"
  PID: 3016
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1720
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 276
      PID: 1504
      - Program crash

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1984

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1996
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 276
      PID: 760
      - Program crash