Overview

overview

10

Static

static

5

3e9467442e...18.exe

windows7-x64

10

3e9467442e...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2024 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e9467442e5d328b1e6e4f23672e5f5b_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    3e9467442e5d328b1e6e4f23672e5f5b

  • SHA1

    c38c50d58063658b3d428e9e8dd9c501416d98cf

  • SHA256

    918e7e4a7aa12b74a559bff1813122430a87e3d132ae8c394bf919928d529c2c

  • SHA512

    29d27bff96569b42a8cbfb2bf9e50ed14fc0983bc58c684e0922e81fd940e2e0cfeabdaaa4fa14ac7abdb1241047c6afda0da8e4b688b2e56ddf2f3d1efa7d97

  • SSDEEP

    24576:hu6J33O0c+JY5UZ+XC0kGso6FaQTwzhnpAWY:zu0c++OCvkGs9FahPY

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

77.48.28.195:1969

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    n2

  • lock_executable

    false

  • mutex

    JquNADho

  • offline_keylogger

    false

  • password

    Kimbolsapoq!P13

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e9467442e5d328b1e6e4f23672e5f5b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3e9467442e5d328b1e6e4f23672e5f5b_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Users\Admin\AppData\Local\Temp\3e9467442e5d328b1e6e4f23672e5f5b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3e9467442e5d328b1e6e4f23672e5f5b_JaffaCakes118.exe"
      2⤵
        PID:3268
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn DPTopologyAppv2_0 /tr "C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:3532
    • C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
      C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
        "C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe"
        2⤵
        • Executes dropped EXE
        PID:3512
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn DPTopologyAppv2_0 /tr "C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:468
    • C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
      C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
        "C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe"
        2⤵
        • Executes dropped EXE
        PID:1088
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn DPTopologyAppv2_0 /tr "C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe" /sc minute /mo 1 /F
        2⤵
        • Creates scheduled task(s)
        PID:4496

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\diskperf\ntoskrnl.exe
      Filesize

      1.1MB

      MD5

      3e9467442e5d328b1e6e4f23672e5f5b

      SHA1

      c38c50d58063658b3d428e9e8dd9c501416d98cf

      SHA256

      918e7e4a7aa12b74a559bff1813122430a87e3d132ae8c394bf919928d529c2c

      SHA512

      29d27bff96569b42a8cbfb2bf9e50ed14fc0983bc58c684e0922e81fd940e2e0cfeabdaaa4fa14ac7abdb1241047c6afda0da8e4b688b2e56ddf2f3d1efa7d97

      Download Submit

    • memory/3268-0-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3268-10-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/3540-23-0x0000000000E80000-0x0000000000E81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4680-8-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

      Filesize

      4KB

      Download