Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-04-2024 07:45
Behavioral task: behavioral1
- Sample: ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
- Size: 216KB
- MD5: ea952e50775a0c698397e6ec5264efc3
- SHA1: 35573c9f02b72666de5bc3129e98dbe4e67043d1
- SHA256: 90b71a327684786c22c7a9f4e7b34c893d40ed0c2e14b49205d1d529857a7a06
- SHA512: c075d047369269af168ae7888d46d0dfec885cf4cf38e576c6d2603af86132d53c62807ef9c5344e6afdff2f1c2896c96f55992aeee1f6ecd9920795d4e5c316
- SSDEEP: 6144:7DP0rJQH2vsWppq4llZVyaDtSECbGOW2eQRB4TPIbjy4IwZpow:7DclFpqcl/yaDtSECxJRB4TPGDp
Malware Config
Extracted: netwire
- bnatf1.hopto.org:23235
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: fadi1
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (4 IoCs)
  resource / yara_rule:
  behavioral1/memory/2576-24-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
  behavioral1/memory/2576-20-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
  behavioral1/memory/2576-26-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
  behavioral1/memory/2576-30-0x0000000000400000-0x0000000000420000-memory.dmp  netwire
- Drops file in System32 directory (2 IoCs)
  Processes: svchost.exe
  description / ioc / process:
  File opened for modification  C:\Windows\SysWOW64\Settings.ini  svchost.exe
  File created  C:\Windows\SysWOW64\Settings.ini  svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: helper.exe
  description / pid / process / target process:
  PID 2888 set thread context of 2576  2888  helper.exe  svchost.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe, helper.exe
  pid / process:
  2492  ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
  2492  ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
  2888  helper.exe
  2888  helper.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
  pid / process:
  2492  ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe, helper.exe
  description / pid / process:
  Token: SeDebugPrivilege  2492  ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
  Token: SeDebugPrivilege  2888  helper.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes: ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe, cmd.exe, helper.exe, cmd.exe, cmd.exe
  description / pid / process / target process (identical entries collapsed, with the count of each):
  PID 2492 wrote to memory of 2500  2492  ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe  cmd.exe  (4 entries)
  PID 2500 wrote to memory of 2888  2500  cmd.exe  helper.exe  (4 entries)
  PID 2888 wrote to memory of 2756  2888  helper.exe  cmd.exe  (4 entries)
  PID 2756 wrote to memory of 2532  2756  cmd.exe  schtasks.exe  (4 entries)
  PID 2888 wrote to memory of 2416  2888  helper.exe  cmd.exe  (4 entries)
  PID 2416 wrote to memory of 2692  2416  cmd.exe  schtasks.exe  (4 entries)
  PID 2888 wrote to memory of 2576  2888  helper.exe  svchost.exe  (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2492
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd"
    - Suspicious use of WriteProcessMemory
    PID: 2500
    - C:\Users\Admin\AppData\Roaming\winapp\helper.exe
      Command line: "C:\Users\Admin\AppData\Roaming\winapp\helper.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2888
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd"
        - Suspicious use of WriteProcessMemory
        PID: 2756
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /Delete /TN "Update\webapp" /F
          PID: 2532
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd"
        - Suspicious use of WriteProcessMemory
        PID: 2416
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks.exe /Create /TN "Update\webapp" /XML "C:\Users\Admin\AppData\Local\Temp\859987030.xml"
          - Creates scheduled task(s)
          PID: 2692
      - C:\Windows\SysWOW64\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\winapp\helper.exe"
        - Drops file in System32 directory
        PID: 2576
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: bc1bb08ef14ae9d8cd44d7e8202f4a19
  SHA1: 3463fa95716822a95fa5330c730659e26926483d
  SHA256: 87c9cec9d422ec67d8c21a55c215823ec87df685b7009e76feeb827e5f8f331f
  SHA512: 544a6560294f0c2f1c497aa19325c36d05b07fa1e4cccb2bb84ee41de234a673c9327c9d4e9b709b6c1e9465a2ebd4038d78fdbfb923ed8e8b32cd8c1e238858