Overview

overview

10

Static

static

1

jdks.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-02-2023 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    jdks.exe

  • Size

    3.3MB

  • MD5

    1ab9fdceab1dc5b1e1f13c24a98fdb93

  • SHA1

    890fa430810fecdb9d782959ca3d59be2bed25f6

  • SHA256

    6d7d8799da7b16c8422dc43558d3df61030443b8a5532947159d7f45a66023ba

  • SHA512

    ee885aba3a94e39e0d3494a58f82bd89d080777d41abd21c97b8d19cdb29133e7c2302b5981211a26406519d8ed370ba80f2613100db7cf9c2bd1f1037857565

  • SSDEEP

    49152:lFAZOskMJnefYZ3AXGIrShvBTA1CkYp3NJ9:6ONuUI8GbvBTA1ypr

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

asorock0011.ddns.net:5389

wcbradley.duckdns.org:5389
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    LAST CRYPT 0918

  • install_path

    %AppData%\Install\jdks.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    FWbuMAeG

  • offline_keylogger

    true

  • password

    teamoluwa1

  • registry_autorun

    true

  • startup_name

    oskd

  • use_mutex

    true

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jdks.exe
    "C:\Users\Admin\AppData\Local\Temp\jdks.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Users\Admin\AppData\Local\Temp\jdks.exe
      "C:\Users\Admin\AppData\Local\Temp\jdks.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Users\Admin\rigigi.exe
        "C:\Users\Admin\rigigi.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4172
        • C:\Users\Admin\rigigi.exe
          "C:\Users\Admin\rigigi.exe"
          4⤵
          • Executes dropped EXE
          PID:4884
      • C:\Users\Admin\AppData\Roaming\Install\jdks.exe
        "C:\Users\Admin\AppData\Roaming\Install\jdks.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\jdks.exe
    Filesize

    3.3MB

    MD5

    1ab9fdceab1dc5b1e1f13c24a98fdb93

    SHA1

    890fa430810fecdb9d782959ca3d59be2bed25f6

    SHA256

    6d7d8799da7b16c8422dc43558d3df61030443b8a5532947159d7f45a66023ba

    SHA512

    ee885aba3a94e39e0d3494a58f82bd89d080777d41abd21c97b8d19cdb29133e7c2302b5981211a26406519d8ed370ba80f2613100db7cf9c2bd1f1037857565

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Install\jdks.exe
    Filesize

    3.3MB

    MD5

    1ab9fdceab1dc5b1e1f13c24a98fdb93

    SHA1

    890fa430810fecdb9d782959ca3d59be2bed25f6

    SHA256

    6d7d8799da7b16c8422dc43558d3df61030443b8a5532947159d7f45a66023ba

    SHA512

    ee885aba3a94e39e0d3494a58f82bd89d080777d41abd21c97b8d19cdb29133e7c2302b5981211a26406519d8ed370ba80f2613100db7cf9c2bd1f1037857565

    Download Submit
  • C:\Users\Admin\rigigi.exe
    Filesize

    1.1MB

    MD5

    83d11d267bab479ef602635cf573f975

    SHA1

    2e05b91b2a9332caf814971cfbd57e06be5fb30c

    SHA256

    525325c8999dc6db546598f71fc8952eef6b022e8b072b39d255c225d1887a02

    SHA512

    90acf4e9c88706639b1b51eb7d2ba166d7aaeda1319834af1192b032be98d09f6c09d6ddf15a17d85754cae897c05e5232cc975460a04f6be499b4b6319a1bb4

    Download Submit
  • C:\Users\Admin\rigigi.exe
    Filesize

    1.1MB

    MD5

    83d11d267bab479ef602635cf573f975

    SHA1

    2e05b91b2a9332caf814971cfbd57e06be5fb30c

    SHA256

    525325c8999dc6db546598f71fc8952eef6b022e8b072b39d255c225d1887a02

    SHA512

    90acf4e9c88706639b1b51eb7d2ba166d7aaeda1319834af1192b032be98d09f6c09d6ddf15a17d85754cae897c05e5232cc975460a04f6be499b4b6319a1bb4

    Download Submit
  • C:\Users\Admin\rigigi.exe
    Filesize

    1.1MB

    MD5

    83d11d267bab479ef602635cf573f975

    SHA1

    2e05b91b2a9332caf814971cfbd57e06be5fb30c

    SHA256

    525325c8999dc6db546598f71fc8952eef6b022e8b072b39d255c225d1887a02

    SHA512

    90acf4e9c88706639b1b51eb7d2ba166d7aaeda1319834af1192b032be98d09f6c09d6ddf15a17d85754cae897c05e5232cc975460a04f6be499b4b6319a1bb4

    Download Submit
  • C:\Windows\win.ini
    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

    Download Submit
  • C:\Windows\win.ini
    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

    Download Submit
  • memory/1000-189-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-185-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-237-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-233-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1000-235-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-232-0x00000000008A0000-0x00000000009EA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1000-278-0x0000000000400000-0x000000000074B000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1000-174-0x0000000000000000-mapping.dmp
    Download
  • memory/1000-188-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-186-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-187-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-275-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-184-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-182-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-183-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-181-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-180-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-179-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-178-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-176-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1000-175-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-141-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-177-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-152-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-153-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-154-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-156-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-157-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-155-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-158-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-159-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-160-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-161-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-162-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-163-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-164-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-165-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-166-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-167-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-168-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-169-0x0000000002DB0000-0x0000000002DBA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2832-171-0x00007FFBD3450000-0x00007FFBD362B000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/2832-172-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-170-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-173-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-149-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-147-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-146-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-150-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-145-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-144-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-143-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-142-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-120-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-140-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-139-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-138-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-137-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-136-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-135-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-134-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-133-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-132-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-131-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-130-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-129-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-128-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-121-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-127-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-122-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-126-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-125-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-124-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2832-123-0x00000000772F0000-0x000000007747E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3580-267-0x0000000000000000-mapping.dmp
    Download
  • memory/4172-240-0x0000000000000000-mapping.dmp
    Download
  • memory/4884-354-0x0000000000000000-mapping.dmp
    Download