Malware Analysis Report

2025-01-18 16:52

Sample ID 230630-pkgvfabg8w
Target jollykeys2.1.exe
SHA256 b1f7c395aa293abc666ae5548a3d36c683e24917c190bef16f1d11add0cf5fea
Tags
netwire botnet persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b1f7c395aa293abc666ae5548a3d36c683e24917c190bef16f1d11add0cf5fea

Threat Level: Known bad

The file jollykeys2.1.exe was found to be: Known bad.

Malicious Activity Summary

netwire botnet persistence stealer

Netwire

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 12:23

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 12:23

Reported

2023-06-30 12:32

Platform

win7-20230621-en

Max time kernel

143s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe"

Signatures

Netwire

botnet stealer netwire

Executes dropped EXE

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4102714285-680558483-2379744688-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngmpnjgwgdgcsg = "C:\\Users\\Admin\\AppData\\Roaming\\mkymydmx\\riwagraq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\yltpnlljea.exe\" C:\\Users\\Admin\\AppData\\Loc" C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe N/A

Suspicious use of SetThreadContext

Description                          Indicator  Process                                           Target
PID 1716 set thread context of 576   N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe

"C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe"

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

"C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe" C:\Users\Admin\AppData\Local\Temp\odjijv.tbg

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

"C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe"

Network

Country  Destination         Domain              Proto
US       8.8.8.8:53          rabusk.duckdns.org  udp
GB       193.31.30.138:1992  rabusk.duckdns.org  tcp
US       8.8.8.8:53          rabusk.duckdns.org  udp
GB       193.31.30.138:1992  rabusk.duckdns.org  tcp

Files

\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

C:\Users\Admin\AppData\Local\Temp\odjijv.tbg

MD5 ea332bbdc840616772e64f9dfc9b7dbb
SHA1 d725c525fe778650f6c2b2908a6516e9f1d52c4d
SHA256 170e624f2595fc1d23c974c8694fb2fe32ca6247296aabfedfc5ed5ac7805821
SHA512 76d7ea129e09a5a93f025f16455b5fb694b59872b79f74c5f3d3216eb473083092b58ba0fef801cac0059844bf4f924db5876ad5bf05aaf4c514f72f0f8eb655

\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

C:\Users\Admin\AppData\Local\Temp\curkuafio.mem

MD5 e0c57b8c9ba09a4b0aa65afbd11e469c
SHA1 a5dfa5d1c90b2d156141efd38d5eaae5bc0b9a48
SHA256 f5c8430f51e5ef9dabaaa9a5d2d639acb80b2ce73f0be70525422359a77ff290
SHA512 ae6656a90e499f155decb22309c682be7ee65d1c26db60429c6f20a7badcc16538fa052118f647a81f9a54b31dc0cc88d337cb06be31ea466369bd04600b1078

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

memory/576-69-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

memory/576-73-0x0000000000400000-0x000000000042B000-memory.dmp

memory/576-74-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 12:23

Reported

2023-06-30 12:32

Platform

win10v2004-20230621-en

Max time kernel

143s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe"

Signatures

Netwire

botnet stealer netwire

Executes dropped EXE

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngmpnjgwgdgcsg = "C:\\Users\\Admin\\AppData\\Roaming\\mkymydmx\\riwagraq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\yltpnlljea.exe\" C:\\Users\\Admin\\AppData\\Loc" C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe N/A

Suspicious use of SetThreadContext

Description                          Indicator  Process                                           Target
PID 4352 set thread context of 852   N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe

"C:\Users\Admin\AppData\Local\Temp\jollykeys2.1.exe"

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

"C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe" C:\Users\Admin\AppData\Local\Temp\odjijv.tbg

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

"C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe"

Network

Country  Destination         Domain                          Proto
US       93.184.221.240:80                                   tcp
US       8.8.8.8:53          2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53          rabusk.duckdns.org              udp
GB       193.31.30.138:1992  rabusk.duckdns.org              tcp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53          216.74.101.95.in-addr.arpa      udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53          202.74.101.95.in-addr.arpa      udp
US       8.8.8.8:53          108.211.229.192.in-addr.arpa    udp
US       8.8.8.8:53          69.31.126.40.in-addr.arpa       udp
US       20.42.65.89:443                                     tcp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53          2.36.159.162.in-addr.arpa       udp
US       8.8.8.8:53          203.151.224.20.in-addr.arpa     udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53          183.59.114.20.in-addr.arpa      udp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa     udp
US       8.8.8.8:53          rabusk.duckdns.org              udp
GB       193.31.30.138:1992  rabusk.duckdns.org              tcp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

C:\Users\Admin\AppData\Local\Temp\odjijv.tbg

MD5 ea332bbdc840616772e64f9dfc9b7dbb
SHA1 d725c525fe778650f6c2b2908a6516e9f1d52c4d
SHA256 170e624f2595fc1d23c974c8694fb2fe32ca6247296aabfedfc5ed5ac7805821
SHA512 76d7ea129e09a5a93f025f16455b5fb694b59872b79f74c5f3d3216eb473083092b58ba0fef801cac0059844bf4f924db5876ad5bf05aaf4c514f72f0f8eb655

C:\Users\Admin\AppData\Local\Temp\curkuafio.mem

MD5 e0c57b8c9ba09a4b0aa65afbd11e469c
SHA1 a5dfa5d1c90b2d156141efd38d5eaae5bc0b9a48
SHA256 f5c8430f51e5ef9dabaaa9a5d2d639acb80b2ce73f0be70525422359a77ff290
SHA512 ae6656a90e499f155decb22309c682be7ee65d1c26db60429c6f20a7badcc16538fa052118f647a81f9a54b31dc0cc88d337cb06be31ea466369bd04600b1078

memory/852-142-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yltpnlljea.exe

MD5 d4f3b16f83bcfbfa9627a4342adce47c
SHA1 4950e83f0a121c4ffc429ff6e19642fed810053c
SHA256 3f8a677b416125ad847db147db45bab6b82b59cb8cfe2d44fb752a86d98b8cc9
SHA512 c424a63374b121980df518041b6bb73a410ac3a26a8842f7fa326b452812f7c2b520361082a43015bdc9ce8f6fc550059e29be2648c96841a7a627b06060a5c4

memory/852-144-0x0000000000400000-0x000000000042B000-memory.dmp

memory/852-145-0x0000000000400000-0x000000000042B000-memory.dmp

memory/852-147-0x0000000000400000-0x000000000042B000-memory.dmp