stealthworker | ee94dab8f780d5f87bdfc4d5ecac1746a16a695f2bfb07c4eb75da46fe0c6bca

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06cd85dd1d8b4ac380b6121de069ef87_JaffaCakes118.exe
Size

3.9MB
MD5

06cd85dd1d8b4ac380b6121de069ef87
SHA1

5044b5313925a123d0e1e9115464f3e968d5e900
SHA256

ee94dab8f780d5f87bdfc4d5ecac1746a16a695f2bfb07c4eb75da46fe0c6bca
SHA512

da8d2603a1e492e0af9f88b7c58b08f62252fa33bd34daa5227d2a4961cddfd9ee4ceeb28cd34ef89a59ee411e13b92f23238f804571ea57c07fa011aa507cff
SSDEEP

98304:WmBLLppdvJidROcELaIKiGAFotV35t0kc7NELnI8uxc:HBLLppdcDxViGftV35tEsI8o

Score

10^/10

stealthworker botnet upx

Malware Config

Extracted

Family

stealthworker

Version

2.26

http://hardyqeeens.com:8081

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1864-2-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-8-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-10-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-11-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-12-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-13-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-14-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-15-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-16-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-17-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-19-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-20-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-21-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx
behavioral2/memory/1864-22-0x0000000000400000-0x0000000000ADC000-memory.dmp	upx

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2228	1864	06cd85dd1d8b4ac380b6121de069ef87_JaffaCakes118.exe	85
PID 1864 wrote to memory of 2228	1864	06cd85dd1d8b4ac380b6121de069ef87_JaffaCakes118.exe	85
PID 1864 wrote to memory of 2228	1864	06cd85dd1d8b4ac380b6121de069ef87_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\06cd85dd1d8b4ac380b6121de069ef87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06cd85dd1d8b4ac380b6121de069ef87_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
305B

MD5
bad2fd40da7a3abd37e2ee9b94c5fe75

SHA1
087c2d26f08471769a308ed1e756a5aa3fdf8a73

SHA256
1152dc1faa7f434c41f187513e98878f97ca00f567bcc15208230b5e23627133

SHA512
687471196936856c037335306dbf6b405a60881c234dbc8e1e38a199b648609adfb5f7db615d095bd7c540c29a092b474d2e00e4e150ad8acfbfcc064ecda333

Download Submit
memory/1864-13-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-15-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-8-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-9-0x0000000002BB0000-0x0000000002F6B000-memory.dmp

Filesize
3.7MB

Download
memory/1864-10-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-11-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-2-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-12-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-14-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-1-0x0000000002BB0000-0x0000000002F6B000-memory.dmp

Filesize
3.7MB

Download
memory/1864-16-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-17-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-19-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-20-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-21-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download
memory/1864-22-0x0000000000400000-0x0000000000ADC000-memory.dmp

Filesize
6.9MB

Download