Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/10/2024, 12:54

General

  • Target

    47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe

  • Size

    1.0MB

  • MD5

    47ed26d0a0f4d8a98d743f23a6e36c22

  • SHA1

    bfa384cb2680435f734eb1913611ebe19231a609

  • SHA256

    40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c

  • SHA512

    2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401

  • SSDEEP

    24576:VAHnh+eWsN3skA4RV1Hom2KXFmIaYx0tZVO55:Eh+ZkldoPK1XaYxcZVc

Malware Config

Extracted

Family

netwire

C2

95.167.151.235:8973

Attributes
  • activex_autorun

    true

  • activex_key

    {N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    true

  • startup_name

    windows

  • use_mutex

    false

Signatures

  • NetWire RAT payload (2 IoCs)
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • AutoIT Executable (1 IoCs)

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (6 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Roaming\Install\Host.exe
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3996
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4692
    • C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:3524

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe

    Filesize

    1.0MB

    MD5

    47ed26d0a0f4d8a98d743f23a6e36c22

    SHA1

    bfa384cb2680435f734eb1913611ebe19231a609

    SHA256

    40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c

    SHA512

    2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manage-bde.url

    Filesize

    77B

    MD5

    2bc950d2636bbc190dd77672c1e15a84

    SHA1

    320443a43c8b8c214b395ee77c235c014f36da96

    SHA256

    caf506185b1378b2b4a856eb87943343b65ff59baf284c0ab8caa14630ea6b5c

    SHA512

    8c993cbd5b7edcb83067017eace023d6659e99d5654e79e057d881fdb698eda2bfda506623aa41e562d6592fbce3fc8fa4f9b651f5482032cf776b3dd8dbe585

  • C:\Users\Admin\AppData\Roaming\manage-bde.vbs

    Filesize

    105B

    MD5

    30b5c4918ac6f3f79d60c4cbccb66564

    SHA1

    62a4c67b3e56edb117f1382ee7cb805ed226ebc4

    SHA256

    a107b661fde8b745b4b6e831b0fd7413dc39d628beec8e04e28e968c7e37fbda

    SHA512

    8010b56dc271a50dae0e85d50d820dc8f74f662187cb5d9f5fffab02666619d2fe15daa5c86e9bcec0f2e3f331f57304f1ea0f995626483bd2d37fdd7f8f7c5d

  • memory/684-4-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/684-13-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/884-3-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

  • memory/884-31-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

  • memory/3996-43-0x0000000003870000-0x0000000003871000-memory.dmp

    Filesize

    4KB