Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-04-2024 08:39

Static task: static1
Behavioral task: behavioral1
Sample: e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
Size: 873KB
MD5: e9978425a024bee8daf9b6ae88d1d967
SHA1: 8bb64106e14c7ece0e6478a73169d7cc520c18ef
SHA256: e4b66d8eccf8e0ec2f33afb880b23e1a5dc131028bf91a4c5cbbbd883331fa65
SHA512: 95cdc852ad5f8c5a4943ef963259d10c7aa8f22760e29388af67199ff8e3a8912194524a15d8e8350dcfb202c35a02267ee593533ba234f36f3fab44f397f0dd
SSDEEP: 12288:bwaCSZ//mZ11r/JJ7q40+eUe5JtgFUIanV:jCC/ulqzjflgFUxV
Malware Config

Extracted

Family: netwire
C2: harold.ns01.info:3606
activex_autorun: false
copy_executable: true
delete_original: false
host_id: prim
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: eApkLVIW
offline_keylogger: true
password: master12
registry_autorun: false
use_mutex: true
Signatures

NetWire RAT payload (7 IoCs)
resource | yara_rule
behavioral2/memory/3576-16-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral2/memory/3576-19-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral2/memory/3576-32-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral2/memory/2404-34-0x0000000004ED0000-0x0000000004EE0000-memory.dmp | netwire
behavioral2/memory/4588-43-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral2/memory/4588-45-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
behavioral2/memory/4588-47-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe, e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe, Host.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | Host.exe
Executes dropped EXE (3 IoCs)
Processes: Host.exe, Host.exe, Host.exe
pid | process
2404 | Host.exe
5084 | Host.exe
4588 | Host.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe, Host.exe
description | pid | process | target process
PID 4664 set thread context of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 2404 set thread context of 4588 | 2404 | Host.exe | Host.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
3004 | schtasks.exe
3568 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Host.exe
pid | process
2404 | Host.exe
2404 | Host.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: Host.exe
description | pid | process
Token: SeDebugPrivilege | 2404 | Host.exe
Suspicious use of WriteProcessMemory (34 IoCs)
Processes: e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe, e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe, Host.exe
description | pid | process | target process
PID 4664 wrote to memory of 3004 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | schtasks.exe
PID 4664 wrote to memory of 3004 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | schtasks.exe
PID 4664 wrote to memory of 3004 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | schtasks.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 4664 wrote to memory of 3576 | 4664 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
PID 3576 wrote to memory of 2404 | 3576 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | Host.exe
PID 3576 wrote to memory of 2404 | 3576 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | Host.exe
PID 3576 wrote to memory of 2404 | 3576 | e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe | Host.exe
PID 2404 wrote to memory of 3568 | 2404 | Host.exe | schtasks.exe
PID 2404 wrote to memory of 3568 | 2404 | Host.exe | schtasks.exe
PID 2404 wrote to memory of 3568 | 2404 | Host.exe | schtasks.exe
PID 2404 wrote to memory of 5084 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 5084 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 5084 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
PID 2404 wrote to memory of 4588 | 2404 | Host.exe | Host.exe
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe"
  PID: 4664
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DDnKWUYLNm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE455.tmp"
    PID: 3004
    - Creates scheduled task(s)

  Depth 2: C:\Users\Admin\AppData\Local\Temp\e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e9978425a024bee8daf9b6ae88d1d967_JaffaCakes118.exe"
    PID: 3576
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\Install\Host.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      PID: 2404
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DDnKWUYLNm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp"
        PID: 3568
        - Creates scheduled task(s)

      Depth 4: C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        PID: 5084
        - Executes dropped EXE

      Depth 4: C:\Users\Admin\AppData\Roaming\Install\Host.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        PID: 4588
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 873KB
MD5: e9978425a024bee8daf9b6ae88d1d967
SHA1: 8bb64106e14c7ece0e6478a73169d7cc520c18ef
SHA256: e4b66d8eccf8e0ec2f33afb880b23e1a5dc131028bf91a4c5cbbbd883331fa65
SHA512: 95cdc852ad5f8c5a4943ef963259d10c7aa8f22760e29388af67199ff8e3a8912194524a15d8e8350dcfb202c35a02267ee593533ba234f36f3fab44f397f0dd