Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64
arch:x86
image:win7-20240215-en
locale:en-us
os:windows7-x64
system -
submitted
09-04-2024 12:35
Static task
static1
Behavioral task
behavioral1
Sample
ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
ea0126d07ca352687cd80de06cbcb6f7
-
SHA1
12dab64dd13e2f6c02c9639e6d88deeadcedcccd
-
SHA256
508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
-
SHA512
46337c02e847cb6e0e3688d83396584cdad73636c95b8985522183dd0ae440ba4ef45eaa77e62de83c3c81ecc23366bcd58a575384776295932b0ba280663fb0
-
SSDEEP
24576:AAOcZwdf+OD0+Oxbuk8E33NtEFd9imt3fO+veij:efOxbuhs4zj
Malware Config
Extracted
netwire
harold.ns01.info:3606
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Netwir
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
pHJVBoFH
-
offline_keylogger
true
-
password
master12
-
registry_autorun
false
-
use_mutex
true
Signatures
-
NetWire RAT payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/2612-57-0x0000000000400000-0x00000000009FC000-memory.dmp  netwire
behavioral1/memory/2612-59-0x0000000000400000-0x00000000009FC000-memory.dmp  netwire
behavioral1/memory/2612-60-0x0000000000400000-0x00000000009FC000-memory.dmp  netwire
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2268  otruv.pif
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\60498075\\otruv.pif C:\\Users\\Admin\\60498075\\IQWNGE~1.USC"
process: otruv.pif
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2268 set thread context of 2612
pid: 2268
process: otruv.pif
target process: RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                       pid   process                                              target process
PID 1304 wrote to memory of 2268  1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe  otruv.pif
PID 1304 wrote to memory of 2268  1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe  otruv.pif
PID 1304 wrote to memory of 2268  1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe  otruv.pif
PID 1304 wrote to memory of 2268  1304  ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe  otruv.pif
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
PID 2268 wrote to memory of 2612  2268  otruv.pif                                            RegSvcs.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1304
   2. C:\Users\Admin\60498075\otruv.pif
      Command line: "C:\Users\Admin\60498075\otruv.pif" iqwngegkog.usc
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2268
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
168.1MB
MD5
803bb85e4681c4c97188ea251be186a5
SHA1
f4268e3fbc25c6af75ad2ce7f024aa5d07f3786f
SHA256
268d50b171ec5d2d642537d97bef2b1e2c22d6d110c745fc8cd78208f71c88c8
SHA512
d4723846d08c220d2256382cb37db705d00be9a0706b8d184c47251b0067f98457e9f6c507118fe6d21c16cc3ff87f9a1b1eefd29b19bf63e2a95a9f1e412b64
-
Filesize
375KB
MD5
179c3d4b1802089203155707d273018a
SHA1
5a9ad9a6ba0f3a5e027a8ee2b8fc816a773c3aab
SHA256
9f086611ed37523b44c5e451c3e1e5a1f5744076e88b271bc2b9c4c036efbccd
SHA512
4989e0860d1911254bc63815eff34b617421c6894d67eb1f2d08a8fcc53e5e192a77a62a713988b7119529027a6b2779ab6e14f62c11d5895f09b5f73ffd758e
-
Filesize
646KB
MD5
208b6eb9bd9304bb409265cb3c924da4
SHA1
f08040e503a022319bb2cccd39867629211568c9
SHA256
b6f7607ed1866b34da77cbf481b8da0156122565b04ba3d5678d1b9b50eb1e1e
SHA512
d79fb196beafeba5e578b6584d5f47583425a2a3b150f690a17f20a0860288f170c6ade94d6f76ed85e9e0259e3878ba1bf830283f36e20c9cf9d370597799c8