netwire | 3b1ae6021b84138920670f125a1f76cf2625fc1ea104e7228a59cce91d899b83

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Size

390KB
MD5

0914657239a3497433c1777e60d761e1
SHA1

c7d6bca47753362f40e18d44935c75ecd990df2a
SHA256

3b1ae6021b84138920670f125a1f76cf2625fc1ea104e7228a59cce91d899b83
SHA512

e4bf46e5939f399143b41aa4d880bcddb5f0559703691ba968a87d4893d450b689dc8ba002279d238dfbbccbb6844cb982aa21ac60e37e454c0eb48740334efd
SSDEEP

12288:cdq4BnAn7gOsqs3sVYXjRpv2ZPbNpINABZ9JKrT0NJmB:q6vszcKFoVD0ezJQ

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

pustios.ug:6971

testingskapss.ru:6971

papapamels.ru:6971

testingskapss.su:6971

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
mutex
JTbRfkgY
offline_keylogger
false
password
ppF7"oRyqm
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/352-126-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/352-128-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/352-129-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/352-132-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/352-133-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
1808	svsr.exe

Loads dropped DLL 1 IoCs

pid	Process
1640	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svss = "C:\\Users\\Admin\\AppData\\Local\\svsr.exe -boot"	svsr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 352	1808	svsr.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\007790F6561DAD89B0BCD85585762495E358F8A5	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	svsr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\SystemCertificates\CA\Certificates\007790F6561DAD89B0BCD85585762495E358F8A5\Blob = 030000000100000014000000007790f6561dad89b0bcd85585762495e358f8a5140000000100000014000000963b53f0793397af7d83ef2e2bcccab7861e7266040000000100000010000000197460a709d4f4c8fac4b9e3322054340f0000000100000020000000a08e79c386083d875014c409c13d144e0a24386132980df11ff59737c8489eb11900000001000000100000008c94d3a163ad461aff343c0b830a90ce180000000100000010000000d8b5fb368468620275d142ffd2aade374b0000000100000044000000430034003600450037004200300046003900340032003600360033004100310045004400430038004400390044003600440037003800360039003100370033005f00000020000000010000005d0500003082055930820441a00302010202103d78d7f9764960b2617df4f01eca862a300d06092a864886f70d01010b05003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3133313231303030303030305a170d3233313230393233353935395a307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a028201010097831e0016af2cb1d208c4d7689351601e71f6e247b4db584d23626ab4bf5a1b51f7a30d187768bbd836ab2f2150da9ef3e75f274e0bc297c8097093a9da5c0d4ea40d91a0b4ec14ce9172542ecea3db44e9521b3f413cca4ae4aac0e839ab53cc21d0cccf7f9be6c2cc586a8215ee3d36cf1cc59707248ef17bbe312d3d6edcb599429f4b61955f1c70ee177ddb8be5618978c7681baf11781a98aec4554753d9b332d6a10e4640c597928ad153a7995b853557d3ea936261200ac7307724114d6283b6ba7b688231ee65cadff9d58db235dc8c2b6f6a725c60849cf20c945ec056520048ccd3f8a57dde2fd713e438a884d546b81386c21b9dea5a38dd9bdb0203010001a38201833082017f302f06082b0601050507010104233021301f06082b060105050730018613687474703a2f2f73322e73796d63622e636f6d30120603551d130101ff040830060101ff020100306c0603551d20046530633061060b6086480186f845010717033052302606082b06010505070201161a687474703a2f2f7777772e73796d617574682e636f6d2f637073302806082b06010505070202301c1a1a687474703a2f2f7777772e73796d617574682e636f6d2f72706130300603551d1f042930273025a023a021861f687474703a2f2f73312e73796d63622e636f6d2f706361332d67352e63726c301d0603551d250416301406082b0601050507030206082b06010505070303300e0603551d0f0101ff04040302010630290603551d1104223020a41e301c311a30180603550403131153796d616e746563504b492d312d353637301d0603551d0e04160414963b53f0793397af7d83ef2e2bcccab7861e7266301f0603551d230418301680147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d01010b0500038201010013851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	svsr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	svsr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	svsr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	svsr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	svsr.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\svsr.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\svsr.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\svsr.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
Token: SeDebugPrivilege	1808	svsr.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2876	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	28
PID 2952 wrote to memory of 2876	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	28
PID 2952 wrote to memory of 2876	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	28
PID 2952 wrote to memory of 2876	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	28
PID 2952 wrote to memory of 2996	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2996	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2996	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2996	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	30
PID 2952 wrote to memory of 1248	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	32
PID 2952 wrote to memory of 1248	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	32
PID 2952 wrote to memory of 1248	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	32
PID 2952 wrote to memory of 1248	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	32
PID 2952 wrote to memory of 1640	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	36
PID 2952 wrote to memory of 1640	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	36
PID 2952 wrote to memory of 1640	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	36
PID 2952 wrote to memory of 1640	2952	0914657239a3497433c1777e60d761e1_JaffaCakes118.exe	36
PID 1640 wrote to memory of 1808	1640	cmd.exe	38
PID 1640 wrote to memory of 1808	1640	cmd.exe	38
PID 1640 wrote to memory of 1808	1640	cmd.exe	38
PID 1640 wrote to memory of 1808	1640	cmd.exe	38
PID 1808 wrote to memory of 1176	1808	svsr.exe	39
PID 1808 wrote to memory of 1176	1808	svsr.exe	39
PID 1808 wrote to memory of 1176	1808	svsr.exe	39
PID 1808 wrote to memory of 1176	1808	svsr.exe	39
PID 1808 wrote to memory of 1500	1808	svsr.exe	41
PID 1808 wrote to memory of 1500	1808	svsr.exe	41
PID 1808 wrote to memory of 1500	1808	svsr.exe	41
PID 1808 wrote to memory of 1500	1808	svsr.exe	41
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43
PID 1808 wrote to memory of 352	1808	svsr.exe	43

C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0914657239a3497433c1777e60d761e1_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\svsr.exe"
  2⤵
  - NTFS ADS
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\svsr.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\svsr.exe
    "C:\Users\Admin\AppData\Local\svsr.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\svsr.exe:Zone.Identifier"
      4⤵
      NTFS ADS
      PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\svsr.exe:Zone.Identifier"
      4⤵
      NTFS ADS
      PID:1500
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_6BD1009EF4F09B1C85313EF547367694

Filesize
1KB

MD5
9904f2d1918787a8026365c8d0c1cd8d

SHA1
a53e7d834e535009e983cd78ee13e71f28a7c0b5

SHA256
dd8370aa7deb653694cc8866609a76a61ed11f1935b334d81f9d7a0d6e51046b

SHA512
81cee6eefb91edb95ee1526fa3e71f385b70f09f2f8901f1f649a2013469aa56fc0a7a526270fbd06e9f24c3aa8346d41c9545e45e0a522ca153167056aa037d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
94f64c34329be358e5a2bfb98619f676

SHA1
c77d75e1405dc85357a2e28e1dad46718ce38a9a

SHA256
208b361ceec31e5cb0da658b52aa9cbecb1c4ccc8d178739439ad40bc869db91

SHA512
bad27479fbc267d1c2ea19481fc2f8d1071c9f345324ed0a4e85553ec22f4f080d437ac920649d914d7dffe2533c40149091ba78f2ca38b797cb4b1d22b2c314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c10a03e85dcd0f0dbe897641bc8324d0

SHA1
ab210a6079eedc252ded71ae82e5d7b3f55fa4a0

SHA256
9d3a3ab6fc9afd311510cf2716155d3217b2a1ef5a840a397b8b0df5d2813747

SHA512
9f8cebd9d577f20dffd764b2c806d20e43c262e7577fd93a370e62ff1c456c8aec35887a43e1a907213845b27d339e70029cf780af4da8cf2a7d41868f7ae43c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
e3bba6f6340d2f46eab9b61facbc4078

SHA1
7ae978762b728cccecfbe926290bf22142edf56d

SHA256
238a3570c79c3eda6e3d47f487daf03e4935e1d3e5e7105a38e5725185272051

SHA512
ac9467a552fec3702aba5877fc3a990b013165b1811c8c322f9b82d65d89b384a4155dac0ba25cb5ca449422bfccea59e6906487a2dd1af64cc97ef8b4405b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_6BD1009EF4F09B1C85313EF547367694

Filesize
402B

MD5
11f2cd82595b412e24450292b1113237

SHA1
88f910fb7de6a923d91253da7ef656b6c73640b1

SHA256
715050a8d377e4ad30f2ef0f8bbb457dd3709cc9942cc17e200fcf1730b363ab

SHA512
151eb3a525f7c1aaadea4749c8fb4fb0656f47626f93b4358ac96c24e10b7845bdcf0305a743c9fee3b98e44cdcfd22d5b16f88973e9e7dd25bb9fad2aa178d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11F2.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\svsr.exe

Filesize
390KB

MD5
0914657239a3497433c1777e60d761e1

SHA1
c7d6bca47753362f40e18d44935c75ecd990df2a

SHA256
3b1ae6021b84138920670f125a1f76cf2625fc1ea104e7228a59cce91d899b83

SHA512
e4bf46e5939f399143b41aa4d880bcddb5f0559703691ba968a87d4893d450b689dc8ba002279d238dfbbccbb6844cb982aa21ac60e37e454c0eb48740334efd

Download Submit
memory/352-119-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-121-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-132-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-131-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/352-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-128-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-126-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/352-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1808-97-0x0000000001270000-0x00000000012D6000-memory.dmp

Filesize
408KB

Download
memory/1808-118-0x0000000001230000-0x000000000123C000-memory.dmp

Filesize
48KB

Download
memory/2952-88-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2952-0-0x00000000010E0000-0x0000000001146000-memory.dmp

Filesize
408KB

Download
memory/2952-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-85-0x00000000063E0000-0x0000000006420000-memory.dmp

Filesize
256KB

Download
memory/2952-86-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/2952-87-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2952-89-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-93-0x00000000063E0000-0x0000000006420000-memory.dmp

Filesize
256KB

Download
memory/2952-98-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads