Analysis

  • max time kernel
    143s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-04-2024 18:18

General

  • Target

    fae427a28c3af269c0cf71d7ba46844c_JaffaCakes118.exe

  • Size

    648KB

  • MD5

    fae427a28c3af269c0cf71d7ba46844c

  • SHA1

    d5e0b9a1b831cad05d800f7567e1d521666c47d8

  • SHA256

    c96fa60d5e36b647c770f6b4f6100616a3cbe6cd447cc23e2c70554bd481ce93

  • SHA512

    58390bad18cf0a537fb76d22e0eb8bf7e39d0fe5121c5a0a5d22480324826ebab699d01a7e94e39a7f4df0c9d6a4a5df980c3d32f6ae4304eff648e39fe2d31b

  • SSDEEP

    12288:mc9VYM7klPqRLgTRZkdOVrPEBXDXI1KOHVVwPzQlhWDp0aaryS37s:maVYMQyL4RZkds7aTXiKOHVWPWEDyaUs

Malware Config

Extracted

Family

netwire

C2

155.94.198.169:9112

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Corona-Virus

  • install_path

    %AppData%\Install\offiice365.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pounds

  • registry_autorun

    true

  • startup_name

    officeii365

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fae427a28c3af269c0cf71d7ba46844c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fae427a28c3af269c0cf71d7ba46844c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c test.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Users\Admin\AppData\Roaming\Install\offiice365.exe
          "C:\Users\Admin\AppData\Roaming\Install\offiice365.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\test.exe

    Filesize

    148KB

    MD5

    14ca6b976efad4a82c1e6210f30c36d4

    SHA1

    6e7532693c6f980f997e4d2a8c18c6229b38350f

    SHA256

    b7523c7c9f49080a9f807bbf4fde548cb78ccc1143fb43d3beb64dd19e3feb2e

    SHA512

    0fad931a5c1d6ce22a7b6b474f7cfedb0a2cb1d7ad06831e97ef9c0196bb95c5a9a064b449a3cd67c20e29c1e89d75c92e56471c4dd4cfca70aebbe6bb2eb26f

  • memory/2484-17-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2872-0-0x0000000000400000-0x0000000000586000-memory.dmp

    Filesize

    1.5MB

  • memory/2872-16-0x0000000000400000-0x0000000000586000-memory.dmp

    Filesize

    1.5MB

  • memory/3036-14-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB