Analysis Overview
SHA256
90b71a327684786c22c7a9f4e7b34c893d40ed0c2e14b49205d1d529857a7a06
Threat Level: Known bad
The file ea952e50775a0c698397e6ec5264efc3_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
Netwire family
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
| --- | --- |
| Reported | 2024-04-10 07:45 |
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Netwire family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-04-10 07:45 |
| Reported | 2024-04-10 07:48 |
| Platform | win7-20240221-en |
| Max time kernel | 120s |
| Max time network | 125s |
| Command Line | |
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Settings.ini | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\Settings.ini | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2888 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | C:\Windows\SysWOW64\svchost.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Users\Admin\AppData\Roaming\winapp\helper.exe | "C:\Users\Admin\AppData\Roaming\winapp\helper.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Delete /TN "Update\webapp" /F |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN "Update\webapp" /XML "C:\Users\Admin\AppData\Local\Temp\859987030.xml" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Roaming\winapp\helper.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bnatf1.hopto.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\859987030.xml
| Hash | Value |
| --- | --- |
| MD5 | bc1bb08ef14ae9d8cd44d7e8202f4a19 |
| SHA1 | 3463fa95716822a95fa5330c730659e26926483d |
| SHA256 | 87c9cec9d422ec67d8c21a55c215823ec87df685b7009e76feeb827e5f8f331f |
| SHA512 | 544a6560294f0c2f1c497aa19325c36d05b07fa1e4cccb2bb84ee41de234a673c9327c9d4e9b709b6c1e9465a2ebd4038d78fdbfb923ed8e8b32cd8c1e238858 |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-04-10 07:45 |
| Reported | 2024-04-10 07:48 |
| Platform | win10v2004-20240226-en |
| Max time kernel | 92s |
| Max time network | 94s |
| Command Line | |
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\Settings.ini | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Settings.ini | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3472 set thread context of 4152 | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | C:\Windows\SysWOW64\svchost.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\winapp\helper.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Users\Admin\AppData\Roaming\winapp\helper.exe | "C:\Users\Admin\AppData\Roaming\winapp\helper.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Delete /TN "Update\webapp" /F |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN "Update\webapp" /XML "C:\Users\Admin\AppData\Local\Temp\888799496.xml" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Roaming\winapp\helper.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bnatf1.hopto.org | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bnatf1.hopto.org | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\888799496.xml
| Hash | Value |
| --- | --- |
| MD5 | 59c70dfa5d029b73c3eb32a03f3d056b |
| SHA1 | 2f9e1c5f5a418c67d97298a5b3d81a7831fbdd7c |
| SHA256 | b995a139b4fec78ac7d5d2f2accf3d91838f5c6f341aa2aaf73699f78d3e3256 |
| SHA512 | 652c864b809b3f8f068dc072680c470a72f3149bcad155c4722bd887b4652075886c8c380c5b1358712f7ea989ab376461737cd6ac5beb8e36844f2adbae7a05 |