Overview

overview

10

Static

static

3

1509be8b83...18.exe

windows7-x64

10

1509be8b83...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-05-2024 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1509be8b831e34db5e755411d428f1f7_JaffaCakes118.exe

  • Size

    481KB

  • MD5

    1509be8b831e34db5e755411d428f1f7

  • SHA1

    4051dfffd811641c83005b544304903c12e5adad

  • SHA256

    6aeaedcb42aa687cff2ac5efc4bf1bd4eff67b978950e5ad3cf5f4732a933c57

  • SHA512

    c60210835bc20f792c0e0df75899a4cdccfe5018b1ee1fb611168092c625657f472f58bcf2c51e082a1b60b9c4676056d9ba805018706ac444ef01452b1a4b73

  • SSDEEP

    6144:BViaVbev1CJ5INoZrBZT+kCuzEX2lSKXtg7enKPRo2bOmP4Q2:riOrIoBx++zoK9g6WR

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

manuel3.publicvm.com:3366

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Mine Netwire

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    njEXYhRS

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 7 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1509be8b831e34db5e755411d428f1f7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1509be8b831e34db5e755411d428f1f7_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "EGBLCAP\EGBLCAP" /XML "C:\Users\Admin\AppData\Roaming\EGBLCAP\aWWWWW.xml"
      2⤵
      • Creates scheduled task(s)
      PID:312
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
        PID:2308

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\EGBLCAP\aWWWWW.xml
      Filesize

      1KB

      MD5

      30874f90132bc7ea2b9e149dd6809b21

      SHA1

      35554407a7900331a6a90f74da062da0d94bb6f2

      SHA256

      c27f8e15ac4b21276e615c1fbc662a358ded16ec128bb72ba77754f1db0eb1fc

      SHA512

      56064c2d39ff62709e886e569558a262538f1ba8d9d3475d8a25ae0526829cfa5000b49ad1b27ff0a2771df8077be16a9c43485be28ee31dd599ceae8d431056

      Download Submit

    • memory/1796-28-0x0000000074200000-0x00000000747AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1796-1-0x0000000074200000-0x00000000747AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1796-2-0x0000000074200000-0x00000000747AB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1796-0-0x0000000074201000-0x0000000074202000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-29-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-23-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-30-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2308-20-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-17-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-13-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-10-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-8-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-6-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/2308-31-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download