Overview

overview

10

Static

static

3

50a652b219...18.exe

windows7-x64

10

50a652b219...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50a652b21941da40d9fca80d12bd35f8_JaffaCakes118.exe

  • Size

    324KB

  • MD5

    50a652b21941da40d9fca80d12bd35f8

  • SHA1

    b7cf2f941503dcb9167e9fcaf8a159c741161fbd

  • SHA256

    666a8dbc172bcf7cd698bf95e5b58de17535121fed7de5ce1349db4446a1fa5c

  • SHA512

    6ba80cc4748213b4c83e17c852414bc7815fa7345ff70caf44744d1a94eccec2ca40c37b464cebd4c946d41ecaa6c2e475fc0d00adda15b18f223be8053ad79e

  • SSDEEP

    6144:8Pb+JB1nuNURlRBOipj5W01NSVsJipfBDNcjat9w44ml5:pYMjF+V7hBDm+934Y

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

88.150.189.103:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 4 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50a652b21941da40d9fca80d12bd35f8_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\50a652b21941da40d9fca80d12bd35f8_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Users\Admin\AppData\Roaming\tesst.exe
      "C:\Users\Admin\AppData\Roaming\tesst.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Users\Admin\AppData\Roaming\tesst.exe
        "C:\Users\Admin\AppData\Roaming\tesst.exe"
        3⤵
        • Executes dropped EXE
        PID:3872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\tesst.exe
    Filesize

    324KB

    MD5

    50a652b21941da40d9fca80d12bd35f8

    SHA1

    b7cf2f941503dcb9167e9fcaf8a159c741161fbd

    SHA256

    666a8dbc172bcf7cd698bf95e5b58de17535121fed7de5ce1349db4446a1fa5c

    SHA512

    6ba80cc4748213b4c83e17c852414bc7815fa7345ff70caf44744d1a94eccec2ca40c37b464cebd4c946d41ecaa6c2e475fc0d00adda15b18f223be8053ad79e

    Download Submit

  • memory/2228-21-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2228-19-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2228-30-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2228-17-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2228-20-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3872-22-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3872-25-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3872-26-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3872-31-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4388-1-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4388-18-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4388-2-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4388-0-0x0000000074AA2000-0x0000000074AA3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4388-3-0x0000000074AA0000-0x0000000075051000-memory.dmp

    Filesize

    5.7MB

    Download