Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 08:27
Static task: static1
Behavioral task: behavioral1
Sample: 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Size: 685KB
MD5: 4a345ff1d667f3fd5d76178149e97861
SHA1: 1b0636c3d65c906bea35daccfe8b124faae02249
SHA256: 593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b
SHA512: d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab
SSDEEP: 12288:AVkUO8yIy581Qv8yIy581QfOjJ+AUdFG:aYn8m/n8m8Udw
Malware Config
Extracted: netwire
watsonly.ddns.net:1191
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\WiaLogs\
lock_executable: false
mutex: NCPblmjG
offline_keylogger: true
password: Password
registry_autorun: true
startup_name: Windows Defender
use_mutex: true
Signatures
NetWire RAT payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/2364-8-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/2364-12-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/2364-14-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/2592-28-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/2592-29-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
Executes dropped EXE (2 IoCs)
  pid | process
  4764 | Host.exe
  2592 | Host.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral2/memory/4852-2-0x00000000056B0000-0x00000000056D8000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" | Host.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 4852 set thread context of 2364 | 4852 | 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe | 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
  PID 4764 set thread context of 2592 | 4764 | Host.exe | Host.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4852 | 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
  Token: SeDebugPrivilege | 4764 | Host.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | target process
  PID 4852 wrote to memory of 2364 (10 entries) | 4852 | 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe | 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
  PID 2364 wrote to memory of 4764 (3 entries) | 2364 | 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe | Host.exe
  PID 4764 wrote to memory of 2592 (10 entries) | 4764 | Host.exe | Host.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Install\Host.exe
         command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Install\Host.exe
            command line: "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
            - Executes dropped EXE
            - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Install\Host.exe
  Filesize: 685KB
  MD5: 4a345ff1d667f3fd5d76178149e97861
  SHA1: 1b0636c3d65c906bea35daccfe8b124faae02249
  SHA256: 593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b
  SHA512: d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab
memory dump | Filesize
memory/2364-8-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/2364-14-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/2364-12-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/2592-29-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/2592-28-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
memory/4764-20-0x0000000074EB0000-0x0000000075660000-memory.dmp | 7.7MB
memory/4764-18-0x0000000074EBE000-0x0000000074EBF000-memory.dmp | 4KB
memory/4764-27-0x0000000074EB0000-0x0000000075660000-memory.dmp | 7.7MB
memory/4764-21-0x0000000074EBE000-0x0000000074EBF000-memory.dmp | 4KB
memory/4852-3-0x0000000008220000-0x00000000087C4000-memory.dmp | 5.6MB
memory/4852-5-0x0000000007C70000-0x0000000007D02000-memory.dmp | 584KB
memory/4852-7-0x0000000074EBE000-0x0000000074EBF000-memory.dmp | 4KB
memory/4852-19-0x0000000074EB0000-0x0000000075660000-memory.dmp | 7.7MB
memory/4852-4-0x0000000074EB0000-0x0000000075660000-memory.dmp | 7.7MB
memory/4852-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp | 4KB
memory/4852-9-0x0000000074EB0000-0x0000000075660000-memory.dmp | 7.7MB
memory/4852-2-0x00000000056B0000-0x00000000056D8000-memory.dmp | 160KB
memory/4852-6-0x00000000080A0000-0x000000000813C000-memory.dmp | 624KB
memory/4852-1-0x0000000000C70000-0x0000000000D24000-memory.dmp | 720KB