Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/10/2024, 12:54
Static task: static1
Behavioral task: behavioral1
Sample: 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Size: 1.0MB
MD5: 47ed26d0a0f4d8a98d743f23a6e36c22
SHA1: bfa384cb2680435f734eb1913611ebe19231a609
SHA256: 40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c
SHA512: 2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401
SSDEEP: 24576:VAHnh+eWsN3skA4RV1Hom2KXFmIaYx0tZVO55:Eh+ZkldoPK1XaYxcZVc
Malware Config
Extracted
Family: netwire
C2: 95.167.151.235:8973
activex_autorun: true
activex_key: {N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
lock_executable: false
offline_keylogger: false
password: Password
registry_autorun: true
startup_name: windows
use_mutex: false
Signatures

NetWire RAT payload (2 IoCs)
resource | yara_rule
behavioral2/memory/684-4-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
behavioral2/memory/684-13-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5} | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe\"" | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5} | Host.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N0R5BAW8-0Q5K-W773-0566-88UJFGBT8MC5}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\"" | Host.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manage-bde.url | Host.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manage-bde.url | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
pid | Process
3996 | Host.exe
4692 | Host.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe" | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x005200000002332b-16.dat | autoit_exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 884 set thread context of 684 | 884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe | 94
PID 884 set thread context of 3524 | 884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe | 96
PID 3996 set thread context of 4692 | 3996 | Host.exe | 98
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Host.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Host.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (6 entries)
3996 | Host.exe (4 entries)
884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (54 entries)
Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process
884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (3 entries)
3996 | Host.exe (3 entries)
Suspicious use of SendNotifyMessage (6 IoCs)
pid | Process
884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (3 entries)
3996 | Host.exe (3 entries)
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 884 wrote to memory of 684 | 884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe | 94 (5 entries)
PID 684 wrote to memory of 3996 | 684 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe | 95 (3 entries)
PID 884 wrote to memory of 3524 | 884 | 47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe | 96 (5 entries)
PID 3996 wrote to memory of 4692 | 3996 | Host.exe | 98 (5 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (depth 1, PID 884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (depth 2, PID 684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 3, PID 3996)
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Install\Host.exe (depth 4, PID 4692)
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe (depth 2, PID 3524)
    Command line: "C:\Users\Admin\AppData\Local\Temp\47ed26d0a0f4d8a98d743f23a6e36c22_JaffaCakes118.exe"
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.0MB
MD5: 47ed26d0a0f4d8a98d743f23a6e36c22
SHA1: bfa384cb2680435f734eb1913611ebe19231a609
SHA256: 40cbbf504a6af3b5ad0d25cb02f4dc9544596d6978468b708c9f2248953a4e6c
SHA512: 2c54ccef260bf5dc24a81bfb0de7bc38f1f0308fc62f275ff839713d03e860619a3b491a6d2463b33d341d6a448df0bb3a62738c487c678d4557be496473f401

Filesize: 77B
MD5: 2bc950d2636bbc190dd77672c1e15a84
SHA1: 320443a43c8b8c214b395ee77c235c014f36da96
SHA256: caf506185b1378b2b4a856eb87943343b65ff59baf284c0ab8caa14630ea6b5c
SHA512: 8c993cbd5b7edcb83067017eace023d6659e99d5654e79e057d881fdb698eda2bfda506623aa41e562d6592fbce3fc8fa4f9b651f5482032cf776b3dd8dbe585

Filesize: 105B
MD5: 30b5c4918ac6f3f79d60c4cbccb66564
SHA1: 62a4c67b3e56edb117f1382ee7cb805ed226ebc4
SHA256: a107b661fde8b745b4b6e831b0fd7413dc39d628beec8e04e28e968c7e37fbda
SHA512: 8010b56dc271a50dae0e85d50d820dc8f74f662187cb5d9f5fffab02666619d2fe15daa5c86e9bcec0f2e3f331f57304f1ea0f995626483bd2d37fdd7f8f7c5d