Analysis
max time kernel: 138s
max time network: 142s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 21:19
Static task: static1
Behavioral task: behavioral1
Sample: 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Size: 389KB
MD5: 5187f0ae3fc7ecd5b247cd1414c38400
SHA1: 36f96baef19fe58e3ce8b11638ff080658cd4390
SHA256: 667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda
SHA512: 4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be
SSDEEP: 6144:NjOgBFDO7SlyYpVYNwKWy/8E4R9j/T/I2IAoC1RdTwHxQXP8Ryk6lBpVX9y:lrO2PjdHc8ES9j/mDqRdM6xk6Tv
Malware Config
Extracted family: netwire
C2: 99.38.102.122:3364
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: 14438136789D
registry_autorun: false
use_mutex: false
Signatures

NetWire RAT payload (6 IoCs)
Processes (resource | yara_rule):
  behavioral1/memory/2572-24-0x0000000000080000-0x00000000000AC000-memory.dmp | netwire
  behavioral1/memory/2572-25-0x0000000000080000-0x00000000000AC000-memory.dmp | netwire
  behavioral1/memory/2572-27-0x0000000000080000-0x00000000000AC000-memory.dmp | netwire
  behavioral1/memory/2572-32-0x0000000000080000-0x00000000000AC000-memory.dmp | netwire
  behavioral1/memory/2572-38-0x0000000000080000-0x00000000000AC000-memory.dmp | netwire
  behavioral1/memory/2572-35-0x0000000000080000-0x00000000000AC000-memory.dmp | netwire

Executes dropped EXE (2 IoCs)
Processes (pid | process):
  2836 | javaw.exe
  2572 | javaw.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
  2460 | cmd.exe
  2836 | javaw.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource | yara_rule):
  behavioral1/memory/2836-15-0x0000000000700000-0x000000000070A000-memory.dmp | agile_net

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process: javaw.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java(TM) platform SE b = "C:\\Users\\Admin\\AppData\\Local\\javaw.exe -boot"

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 2836 set thread context of 2572 | 2836 | javaw.exe | javaw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1368 | 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
  Token: 33 | 1368 | 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 1368 | 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2836 | javaw.exe
  Token: 33 | 2836 | javaw.exe
  Token: SeIncBasePriorityPrivilege | 2836 | javaw.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (description | pid | process | target process), identical entries grouped with their count:
  PID 1368 wrote to memory of 2564 | 1368 | 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe | cmd.exe (4 entries)
  PID 1368 wrote to memory of 2460 | 1368 | 5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe | cmd.exe (4 entries)
  PID 2460 wrote to memory of 2836 | 2460 | cmd.exe | javaw.exe (4 entries)
  PID 2836 wrote to memory of 2572 | 2836 | javaw.exe | javaw.exe (11 entries)
Processes
(tree depth shown as 1..4; the signatures matched by each process are listed under its command line)

1: C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\javaw.exe"

   2: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\javaw.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3: C:\Users\Admin\AppData\Local\javaw.exe
         command line: "C:\Users\Admin\AppData\Local\javaw.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4: C:\Users\Admin\AppData\Local\javaw.exe
            command line: "C:\Users\Admin\AppData\Local\javaw.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
\Users\Admin\AppData\Local\javaw.exe
  Filesize: 389KB
  MD5: 5187f0ae3fc7ecd5b247cd1414c38400
  SHA1: 36f96baef19fe58e3ce8b11638ff080658cd4390
  SHA256: 667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda
  SHA512: 4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be

Memory dumps (dump | Filesize):
  memory/1368-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp | 4KB
  memory/1368-1-0x0000000000820000-0x0000000000888000-memory.dmp | 416KB
  memory/1368-2-0x00000000002C0000-0x00000000002F0000-memory.dmp | 192KB
  memory/1368-3-0x0000000074A40000-0x000000007512E000-memory.dmp | 6.9MB
  memory/1368-4-0x0000000000410000-0x000000000041A000-memory.dmp | 40KB
  memory/1368-5-0x0000000000430000-0x000000000043E000-memory.dmp | 56KB
  memory/1368-6-0x0000000074A4E000-0x0000000074A4F000-memory.dmp | 4KB
  memory/1368-7-0x0000000074A40000-0x000000007512E000-memory.dmp | 6.9MB
  memory/1368-12-0x0000000074A40000-0x000000007512E000-memory.dmp | 6.9MB
  memory/2572-24-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-18-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-19-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-21-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-25-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-27-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
  memory/2572-32-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-38-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2572-35-0x0000000000080000-0x00000000000AC000-memory.dmp | 176KB
  memory/2836-15-0x0000000000700000-0x000000000070A000-memory.dmp | 40KB
  memory/2836-14-0x0000000000180000-0x00000000001E8000-memory.dmp | 416KB