Analysis Overview
SHA256
3fe1fdb32e7d31efa8846dc6d01c56a5ccf708a770aafedcadac875e8ce41f8e
Threat Level: Known bad
The file c60c89675f01d29fa7d51e7164f0b0bb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire
Drops startup file
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-05 00:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 00:36
Reported
2024-04-05 00:38
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mm.exe.exe | C:\Windows\SysWOW64\DllHost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\c60c89675f01d29fa7d51e7164f0b0bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c60c89675f01d29fa7d51e7164f0b0bb_JaffaCakes118.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| CA | 173.209.48.226:3360 | | tcp |
| CA | 173.209.48.226:3360 | | tcp |
Files
memory/2040-0-0x0000000000210000-0x000000000028B000-memory.dmp
memory/2040-1-0x000000007791F000-0x0000000077920000-memory.dmp
memory/2040-5-0x0000000003300000-0x0000000003333000-memory.dmp
memory/2040-4-0x0000000001FD0000-0x0000000002150000-memory.dmp
memory/2040-6-0x0000000000210000-0x000000000028B000-memory.dmp
memory/2040-7-0x0000000003300000-0x0000000003333000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-05 00:36
Reported
2024-04-05 00:39
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
158s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mm.exe.exe | C:\Windows\SysWOW64\DllHost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mm.exe.exe | C:\Windows\SysWOW64\DllHost.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\c60c89675f01d29fa7d51e7164f0b0bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c60c89675f01d29fa7d51e7164f0b0bb_JaffaCakes118.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| CA | 173.209.48.226:3360 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.66.18.2.in-addr.arpa | udp |
| CA | 173.209.48.226:3360 | | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
memory/3888-0-0x0000000000AA0000-0x0000000000B1B000-memory.dmp
memory/3888-1-0x0000000077A62000-0x0000000077A63000-memory.dmp
memory/3888-4-0x0000000002630000-0x00000000027D3000-memory.dmp
memory/3888-5-0x00000000032D0000-0x0000000003303000-memory.dmp
memory/3888-6-0x00000000028E0000-0x00000000029D0000-memory.dmp
memory/3888-7-0x0000000000AA0000-0x0000000000B1B000-memory.dmp
memory/3888-9-0x00000000032D0000-0x0000000003303000-memory.dmp