Analysis

  • max time kernel
    143s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2023 12:23

General

  • Target

    jollykeys2.1.exe

  • Size

    290KB

  • MD5

    f35c9fa6756cbc5e791367d675cd5791

  • SHA1

    5c1b25e3eb653e39dff6969ac64b24ebca2646a5

  • SHA256

    b1f7c395aa293abc666ae5548a3d36c683e24917c190bef16f1d11add0cf5fea

  • SHA512

    199d431ad076528b39d1c37d2bc5cd505de4bf5cf5e953a5075a419fc70c221e897c4e3a4ce389bd2e08e93add10a5979432573cde420adbd8f2aea7267a2797

  • SSDEEP

    6144:3Ya6U3Pc/eEvhW0ZPmRlfwL8FUq+snr9PAM20OAURe7pfI:3Yi0GEvh0R5BbhBP20OAU4+

Malware Config

Extracted

Family

netwire

C2

rabusk.duckdns.org:1992

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Common

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    golddigger

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • Netwire

    Netwire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe (level 1, PID 4276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe"
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe (level 2, PID 4352)
      Command line: "C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe" C:\Users\Admin\AppData\Local\Temp\odjijv.tbg
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe (level 3, PID 852)
        Command line: "C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe"
        • Executes dropped EXE

    Reading the tree together with the signatures: jollykeys2.1.exe (PID 4276) writes yltpnlljea.exe and odjijv.tbg to the user's Temp directory and starts the dropped executable with the .tbg file as its argument (PID 4352). That process sets a Run key, starts a second copy of its own image (PID 852) and hits WriteProcessMemory, MapViewOfSection and SetThreadContext, which is consistent with injecting a payload into a freshly created copy of itself. The memory dumps listed under Downloads are all taken from PID 852 at 0x400000-0x42B000 (0x2B000 bytes, the 172KB the report shows).
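The tree above can be hunted for in ordinary process-creation telemetry without the sandbox's API signatures. The following is an added example, not part of this report or of any vendor's detection content. The three central records reproduce the report's paths, PIDs and command lines; the explorer.exe parent, the notepad.exe noise and the record field names are constructed for the demo.

```python
"""Added example, not part of the sandbox report: flag the execution chain shown in the
process tree above in process-creation telemetry (Sysmon event ID 1 or an EDR equivalent).

The three central events mirror the report's tree (paths, PIDs and command lines are taken
from it). The explorer.exe parent, the notepad.exe noise and the field names are
constructed for the demo and are not from the report.
"""
import ntpath

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed process-creation records; the middle three reproduce the report's tree.
EVENTS = [
    {"pid": 1234, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4276, "ppid": 1234, "image": TEMP_DIR + r"\jollykeys2.1.exe",
     "cmdline": f'"{TEMP_DIR}\\jollykeys2.1.exe"'},
    {"pid": 4352, "ppid": 4276, "image": TEMP_DIR + r"\yltpnlljea.exe",
     "cmdline": f'"{TEMP_DIR}\\yltpnlljea.exe" {TEMP_DIR}\\odjijv.tbg'},
    {"pid": 852, "ppid": 4352, "image": TEMP_DIR + r"\yltpnlljea.exe",
     "cmdline": f'"{TEMP_DIR}\\yltpnlljea.exe"'},
    {"pid": 5000, "ppid": 1234, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def in_user_temp(image):
    """True when the image lives under a user's AppData\\Local\\Temp directory.

    ntpath.normcase lowercases the path and turns '/' into '\\', so the comparison
    behaves like Windows (case-insensitive) whatever host this runs on.
    """
    return "\\appdata\\local\\temp\\" in ntpath.normcase(image)


def detect(events):
    """Return (rule, pid) findings for every child whose parent is also in the event list."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue  # parent started before telemetry began; nothing to correlate
        # Rule 1: an executable in Temp starts another executable in Temp (dropper -> dropped).
        if in_user_temp(parent["image"]) and in_user_temp(child["image"]):
            findings.append(("temp_exe_spawns_temp_exe", child["pid"]))
        # Rule 2: a process starts a fresh copy of its own image. On its own this is
        # noisy (browsers and installers do it); together with Rule 1 it is the
        # self-copy that the report's SetThreadContext / WriteProcessMemory hits sit on.
        if ntpath.normcase(parent["image"]) == ntpath.normcase(child["image"]):
            findings.append(("self_spawn", child["pid"]))
    return findings


def high_confidence(findings):
    """PIDs that triggered both rules: a Temp-resident executable re-launching itself."""
    rules_by_pid = {}
    for rule, pid in findings:
        rules_by_pid.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in rules_by_pid.items()
                  if {"temp_exe_spawns_temp_exe", "self_spawn"} <= rules)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
    print("high confidence:", high_confidence(detect(EVENTS)))
```

Run against the constructed records, Rule 1 fires on PIDs 4352 and 852 and Rule 2 on 852 alone, so only the self-copy is reported as high confidence; explorer.exe starting notepad.exe produces nothing. Rule 2 by itself should not page anyone, and neither rule sees the API calls the sandbox reported, so treat a hit as a prompt to pull the child's memory, exactly as the dumps of PID 852 below were taken.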

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\curkuafio.mem

    Filesize

    163KB

    MD5

    e0c57b8c9ba09a4b0aa65afbd11e469c

    SHA1

    a5dfa5d1c90b2d156141efd38d5eaae5bc0b9a48

    SHA256

    f5c8430f51e5ef9dabaaa9a5d2d639acb80b2ce73f0be70525422359a77ff290

    SHA512

    ae6656a90e499f155decb22309c682be7ee65d1c26db60429c6f20a7badcc16538fa052118f647a81f9a54b31dc0cc88d337cb06be31ea466369bd04600b1078

  • C:\Users\Admin\AppData\Local\Temp\odjijv.tbg

    Filesize

    7KB

    MD5

    ea332bbdc840616772e64f9dfc9b7dbb

    SHA1

    d725c525fe778650f6c2b2908a6516e9f1d52c4d

    SHA256

    170e624f2595fc1d23c974c8694fb2fe32ca6247296aabfedfc5ed5ac7805821

    SHA512

    76d7ea129e09a5a93f025f16455b5fb694b59872b79f74c5f3d3216eb473083092b58ba0fef801cac0059844bf4f924db5876ad5bf05aaf4c514f72f0f8eb655

  • C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

    Filesize

    75KB

    MD5

    d4f3b16f83bcfbfa9627a4342adce47c

    SHA1

    4950e83f0a121c4ffc429ff6e19642fed810053c

    SHA256

    3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9

    SHA512

    c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

  • memory/852-142-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/852-144-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/852-145-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

  • memory/852-147-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB
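To put the indicators from this report to use, the following added example (not part of the report) sweeps a directory for the SHA-256 values listed under General and Downloads and scans network log lines for the C2 host from the extracted config. The hashes and the C2 host:port are copied from the report; the scanned file, the log lines and their format are constructed so the script runs offline.

```python
"""Added example, not part of the sandbox report: sweep files and network log lines
for the indicators the report lists (file hashes, C2 host and port).

The hash values and the C2 host below are copied from the report; the scanned file
and the log lines (and their format) are constructed here so the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from the report (submitted sample and dropped files).
FILE_INDICATORS = {
    "b1f7c395aa293abc666ae5548a3d36c683e24917c190bef16f1d11add0cf5fea": "jollykeys2.1.exe (submitted sample)",
    "3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9": "yltpnlljea.exe (dropped)",
    "f5c8430f51e5ef9dabaaa9a5d2d639acb80b2ce73f0be70525422359a77ff290": "curkuafio.mem (dropped)",
    "170e624f2595fc1d23c974c8694fb2fe32ca6247296aabfedfc5ed5ac7805821": "odjijv.tbg (dropped)",
}
# NetWire C2 from the extracted config. duckdns.org is a dynamic-DNS service, so match
# the hostname rather than whatever IP it resolved to while the sandbox ran.
C2_HOST = "rabusk.duckdns.org"
C2_PORT = 1992

# Constructed log lines, not from the report; the format is hypothetical.
SAMPLE_NETWORK_LINES = [
    "2023-06-30T12:24:01Z dns query A rabusk.duckdns.org from 10.0.0.5",
    "2023-06-30T12:24:02Z tcp 10.0.0.5:49711 -> rabusk.duckdns.org:1992 SYN",
    "2023-06-30T12:24:02Z tcp 10.0.0.5:49712 -> www.example.com:443 SYN",
]


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, indicators=FILE_INDICATORS):
    """Return [(path, label)] for every file under root whose SHA-256 is a known indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in indicators:
                hits.append((path, indicators[digest]))
    return hits


# hostname with at least one dot and an alphabetic last label, optionally followed by :port
HOST_PORT_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?::(\d{1,5}))?",
                          re.IGNORECASE)


def match_network_lines(lines, host=C2_HOST, port=C2_PORT):
    """Return (line, port_matched) for each line that names the C2 host.

    Any contact with the host is reported; the flag records whether the report's C2
    port was also seen, which a DNS query line by itself cannot show.
    """
    hits = []
    for line in lines:
        for name, p in HOST_PORT_RE.findall(line):
            if name.lower() == host:
                hits.append((line, p != "" and int(p) == port))
                break
    return hits


def demo():
    """Constructed check: a scratch directory holding one harmless file.

    The report's hashes must not match it (0 hits); an indicator set that contains the
    file's own digest must (1 hit). Returns both counts.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "harmless.bin")
        with open(path, "wb") as f:
            f.write(b"constructed test content, not malware\n")
        real_hits = sweep_directory(d)
        planted_hits = sweep_directory(d, {sha256_file(path): "planted"})
    return len(real_hits), len(planted_hits)


if __name__ == "__main__":
    print("sweep (report hashes, planted hash):", demo())
    for line, port_ok in match_network_lines(SAMPLE_NETWORK_LINES):
        print("C2 contact" + (" on C2 port" if port_ok else ""), "->", line)
```

Matching on SHA-256 alone is deliberate: the report's MD5 and SHA1 values identify the same files but are weaker hashes, and ssdeep similarity needs the ssdeep library, which this example avoids. The network check returns the DNS query line with the port flag cleared and the TCP line with it set; a block rule should still cover the hostname on every port, since the dynamic-DNS name is the stable indicator here and 1992 is only the port this sample was configured with.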