Overview

overview

10

Static

static

10

1b8d28587d...18.exe

windows7-x64

10

1b8d28587d...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1b8d28587d6fa9e70e596785d20d823b_JaffaCakes118

  • Size

    106KB

  • Sample

    240506-j1msqseb5s

  • MD5

    1b8d28587d6fa9e70e596785d20d823b

  • SHA1

    8bff5ea0706c2d79fa858554189d3aee436d4691

  • SHA256

    2c073927c214d071178bb4d3fbfb01fa0340a0c927bd0f11eee9ab2c0ee0b9d9

  • SHA512

    7755cb47c35a90e0c5c2a703e0f1555946b5003b152ce436eb4627182fdf384f6357514fab3387c452cf89d5ad08b7c85cd0d2f59a7549f0e13f1222c80462cb

  • SSDEEP

    3072:995Dyk7LnihwBv8WewMcdTtqIRIjQ4Q5d02//eRX:9f3nihwBkWegdTt9RIjQ4Q5ya/eR

Score
10/10
netwirebotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

havemercy.mooo.com:3367

Attributes
  • activex_autorun

    true

  • activex_key

    {G8448241-80YR-8VL8-2CPD-7WD2AP61UB6C}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Tuesday

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    UuSgJgwm

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    stuo

  • use_mutex

    true

Targets

    • Target

      1b8d28587d6fa9e70e596785d20d823b_JaffaCakes118

    • Size

      106KB

    • MD5

      1b8d28587d6fa9e70e596785d20d823b

    • SHA1

      8bff5ea0706c2d79fa858554189d3aee436d4691

    • SHA256

      2c073927c214d071178bb4d3fbfb01fa0340a0c927bd0f11eee9ab2c0ee0b9d9

    • SHA512

      7755cb47c35a90e0c5c2a703e0f1555946b5003b152ce436eb4627182fdf384f6357514fab3387c452cf89d5ad08b7c85cd0d2f59a7549f0e13f1222c80462cb

    • SSDEEP

      3072:995Dyk7LnihwBv8WewMcdTtqIRIjQ4Q5d02//eRX:9f3nihwBkWegdTt9RIjQ4Q5ya/eR

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks