Analysis

  • max time kernel
    143s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-05-2024 10:29

General

  • Target

    17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118.vbs

  • Size

    1.5MB

  • MD5

    17432fd27e8b58a37f0dc87f187fd187

  • SHA1

    d075ff4fa6d0eaa61bf39e909c60ccfa6cedf879

  • SHA256

    1143ff1525cde3881a8eece914059af66ce9f42da386d0ea586453cbfe33ac35

  • SHA512

    0a0e49dee8ca6955645726bcb05174f8641a9045632a3b012f8eeef1392d61604eb17f3fdc775a87c569800f2faf2f01d19efdd90a553347a689baaa61921b1c

  • SSDEEP

    24576:iGO83g+h1oWAYtrHbuN0ARrV4QQqxPF80Dz:VvuNVxGQPpOez

Malware Config

Extracted

Family

netwire

C2

manuel3.publicvm.com:3366

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    Mine Netwire

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    TbSYfUnj

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Work

C2

127.0.0.1:666

manuel3.publicvm.com:1999

Mutex

E4R7O6I8-U116-J8G5-I0H0-K3H6U8T885I2

Signatures

  • NetWire RAT payload 5 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • XpertRAT Core payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17432fd27e8b58a37f0dc87f187fd187_JaffaCakes118.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\file1name.exe
      "C:\Users\Admin\AppData\Local\Temp\file1name.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "PSUAQZG\PSUAQZG" /XML "C:\Users\Admin\AppData\Roaming\PSUAQZG\awwwww.xml"
        3⤵
        • Creates scheduled task(s)
        PID:2448
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        PID:2212
      • C:\Users\Admin\AppData\Local\Temp\file2name.exe
        "C:\Users\Admin\AppData\Local\Temp\file2name.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "JLKEZRY\JLKEZRY" /XML "C:\Users\Admin\AppData\Roaming\JLKEZRY\awwwww.xml"
          3⤵
          • Creates scheduled task(s)
          PID:2564
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\System32\svchost.exe"
          3⤵
          • UAC bypass
          • Windows security bypass
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2516
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            C:\Windows\SysWOW64\svchost.exe
            4⤵
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1460

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\file1name.exe

      Filesize

      528KB

      MD5

      f5dec089429d57a43bd4383d57a23cbf

      SHA1

      f4f53fd4c65420bde68857b9075ecc99545a4ab6

      SHA256

      21376229a9ae565cc2ad36dd6319f596d76adacea26003c69ae0c1f27fab0f90

      SHA512

      11bbde81e75cecd531101de3821f0caaccf0f04b8d64d19b117a8e81c71a6c9ea1dc74bf66640130673ef1e5f767f5929c7563b110d3c6dcbb405da697dc5b36

    • C:\Users\Admin\AppData\Local\Temp\file2name.exe

      Filesize

      568KB

      MD5

      08247446b2266867802f5faa274c95f5

      SHA1

      e69db3678328de50fe9049fb38f3befab465d508

      SHA256

      89f7b08ac2ceeb80f78c9173e6f5b2ce16743b299402dcc82280e735b5f9b96d

      SHA512

      26a87f84de3bbb411af7515644ebeb5f7884d68bc7f8ca99ed5709c618e29f9c85d93c8d6558d68a4d429c9c7eed4123715aee2bf6a153073bb5edea71f71b11

    • C:\Users\Admin\AppData\Roaming\JLKEZRY\awwwww.xml

      Filesize

      1KB

      MD5

      e6c596a03a16ba280d7740246dba3b08

      SHA1

      5c19cb7bd1c525460e7d04fc125f6f8b5afed958

      SHA256

      ed8aa1cf8119dfc92abbd8071d3bfb14ee2c73883e1bdca266c0d5ff84e85908

      SHA512

      9556fd6a1c02daff0a5797ba21246dba59576ee7172f707ffe8575f4b80d898d578b8a3df27dc4c130a86bffc58c764bc99bd68cc3097feb42f24875d50706d5

    • C:\Users\Admin\AppData\Roaming\PSUAQZG\awwwww.xml

      Filesize

      1KB

      MD5

      a4dd4ce822cb369b20760b362b347a02

      SHA1

      5afbae18100bc24a548e26ec3197c638ff9f73b0

      SHA256

      47c06f0419cdd97394f371fae73f49e41554ffff8a344fc4d5c87a4ae051c5a3

      SHA512

      b59f9eccd7d0c289757ac8054d4b948816877aa38e1f90dd0d9f80a51195efe11ef3ea8c8ad01ea3cddf7ec4ad0d835341d3ac753fdd7b0d764ae9feaa17b51d

    • memory/1460-63-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

    • memory/2212-56-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-64-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-53-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-59-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-44-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-46-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-49-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2212-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2516-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2516-35-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2516-31-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2516-29-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2516-27-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

    • memory/2536-62-0x00000000741A0000-0x000000007474B000-memory.dmp

      Filesize

      5.7MB

    • memory/2536-18-0x00000000741A0000-0x000000007474B000-memory.dmp

      Filesize

      5.7MB

    • memory/2536-16-0x00000000741A1000-0x00000000741A2000-memory.dmp

      Filesize

      4KB

    • memory/2636-41-0x00000000741A0000-0x000000007474B000-memory.dmp

      Filesize

      5.7MB

    • memory/2636-20-0x00000000741A0000-0x000000007474B000-memory.dmp

      Filesize

      5.7MB

    • memory/2636-19-0x00000000741A0000-0x000000007474B000-memory.dmp

      Filesize

      5.7MB

    • memory/2636-17-0x00000000741A0000-0x000000007474B000-memory.dmp

      Filesize

      5.7MB