Malware Analysis Report

2024-10-19 10:29

Sample ID 240409-pshfyafa63
Target ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118
SHA256 508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
Tags: netwire botnet persistence rat stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0

Threat Level: Known bad

The file ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

netwire botnet persistence rat stealer

NetWire RAT payload

Netwire

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-09 12:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-09 12:35

Reported

2024-04-09 12:37

Platform

win7-20240215-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe"

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

Tags: botnet stealer netwire

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\60498075\otruv.pif | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\60498075\\otruv.pif C:\\Users\\Admin\\60498075\\IQWNGE~1.USC" | C:\Users\Admin\60498075\otruv.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2268 set thread context of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1304 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe | C:\Users\Admin\60498075\otruv.pif
PID 1304 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe | C:\Users\Admin\60498075\otruv.pif
PID 1304 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe | C:\Users\Admin\60498075\otruv.pif
PID 1304 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe | C:\Users\Admin\60498075\otruv.pif
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2268 wrote to memory of 2612 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe"

C:\Users\Admin\60498075\otruv.pif

"C:\Users\Admin\60498075\otruv.pif" iqwngegkog.usc

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | harold.ns01.info | udp
NL | 79.110.62.22:3606 | harold.ns01.info | tcp
US | 8.8.8.8:53 | harold.ns01.info | udp
NL | 79.110.62.22:3606 | harold.ns01.info | tcp

Files

\Users\Admin\60498075\otruv.pif

MD5 208b6eb9bd9304bb409265cb3c924da4
SHA1 f08040e503a022319bb2cccd39867629211568c9
SHA256 b6f7607ed1866b34da77cbf481b8da0156122565b04ba3d5678d1b9b50eb1e1e
SHA512 d79fb196beafeba5e578b6584d5f47583425a2a3b150f690a17f20a0860288f170c6ade94d6f76ed85e9e0259e3878ba1bf830283f36e20c9cf9d370597799c8

C:\Users\Admin\60498075\iqwngegkog.usc

MD5 803bb85e4681c4c97188ea251be186a5
SHA1 f4268e3fbc25c6af75ad2ce7f024aa5d07f3786f
SHA256 268d50b171ec5d2d642537d97bef2b1e2c22d6d110c745fc8cd78208f71c88c8
SHA512 d4723846d08c220d2256382cb37db705d00be9a0706b8d184c47251b0067f98457e9f6c507118fe6d21c16cc3ff87f9a1b1eefd29b19bf63e2a95a9f1e412b64

C:\Users\Admin\60498075\rcvqk.xls

MD5 179c3d4b1802089203155707d273018a
SHA1 5a9ad9a6ba0f3a5e027a8ee2b8fc816a773c3aab
SHA256 9f086611ed37523b44c5e451c3e1e5a1f5744076e88b271bc2b9c4c036efbccd
SHA512 4989e0860d1911254bc63815eff34b617421c6894d67eb1f2d08a8fcc53e5e192a77a62a713988b7119529027a6b2779ab6e14f62c11d5895f09b5f73ffd758e

memory/2612-55-0x0000000000400000-0x00000000009FC000-memory.dmp

memory/2612-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2612-57-0x0000000000400000-0x00000000009FC000-memory.dmp

memory/2612-59-0x0000000000400000-0x00000000009FC000-memory.dmp

memory/2612-60-0x0000000000400000-0x00000000009FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-09 12:35

Reported

2024-04-09 12:38

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe"

Signatures

NetWire RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Netwire

Tags: botnet stealer netwire

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\60498075\otruv.pif | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\60498075\\otruv.pif C:\\Users\\Admin\\60498075\\IQWNGE~1.USC" | C:\Users\Admin\60498075\otruv.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2308 set thread context of 4624 | N/A | C:\Users\Admin\60498075\otruv.pif | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe"

C:\Users\Admin\60498075\otruv.pif

"C:\Users\Admin\60498075\otruv.pif" iqwngegkog.usc

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | harold.ns01.info | udp
NL | 79.110.62.22:3606 | harold.ns01.info | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | harold.ns01.info | udp
NL | 79.110.62.22:3606 | harold.ns01.info | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\60498075\otruv.pif

MD5 208b6eb9bd9304bb409265cb3c924da4
SHA1 f08040e503a022319bb2cccd39867629211568c9
SHA256 b6f7607ed1866b34da77cbf481b8da0156122565b04ba3d5678d1b9b50eb1e1e
SHA512 d79fb196beafeba5e578b6584d5f47583425a2a3b150f690a17f20a0860288f170c6ade94d6f76ed85e9e0259e3878ba1bf830283f36e20c9cf9d370597799c8

C:\Users\Admin\60498075\iqwngegkog.usc

MD5 803bb85e4681c4c97188ea251be186a5
SHA1 f4268e3fbc25c6af75ad2ce7f024aa5d07f3786f
SHA256 268d50b171ec5d2d642537d97bef2b1e2c22d6d110c745fc8cd78208f71c88c8
SHA512 d4723846d08c220d2256382cb37db705d00be9a0706b8d184c47251b0067f98457e9f6c507118fe6d21c16cc3ff87f9a1b1eefd29b19bf63e2a95a9f1e412b64

C:\Users\Admin\60498075\rcvqk.xls

MD5 179c3d4b1802089203155707d273018a
SHA1 5a9ad9a6ba0f3a5e027a8ee2b8fc816a773c3aab
SHA256 9f086611ed37523b44c5e451c3e1e5a1f5744076e88b271bc2b9c4c036efbccd
SHA512 4989e0860d1911254bc63815eff34b617421c6894d67eb1f2d08a8fcc53e5e192a77a62a713988b7119529027a6b2779ab6e14f62c11d5895f09b5f73ffd758e

memory/4624-46-0x0000000000960000-0x0000000000E60000-memory.dmp

memory/4624-48-0x0000000000960000-0x0000000000E60000-memory.dmp

memory/4624-49-0x0000000000960000-0x0000000000E60000-memory.dmp

memory/4624-50-0x0000000000960000-0x0000000000E60000-memory.dmp