Overview

overview

10

Static

static

3

5187f0ae3f...18.exe

windows7-x64

10

5187f0ae3f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe

  • Size

    389KB

  • MD5

    5187f0ae3fc7ecd5b247cd1414c38400

  • SHA1

    36f96baef19fe58e3ce8b11638ff080658cd4390

  • SHA256

    667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda

  • SHA512

    4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be

  • SSDEEP

    6144:NjOgBFDO7SlyYpVYNwKWy/8E4R9j/T/I2IAoC1RdTwHxQXP8Ryk6lBpVX9y:lrO2PjdHc8ES9j/mDqRdM6xk6Tv

Score
10/10
netwireagilenetbotnetpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

99.38.102.122:3364

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    14438136789D

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\javaw.exe"
      2⤵
        PID:4952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\javaw.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Local\javaw.exe
          "C:\Users\Admin\AppData\Local\javaw.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4196
          • C:\Users\Admin\AppData\Local\javaw.exe
            "C:\Users\Admin\AppData\Local\javaw.exe"
            4⤵
            • Executes dropped EXE
            PID:2320
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 316
              5⤵
              • Program crash
              PID:4128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2320 -ip 2320
      1⤵
        PID:1848

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\javaw.exe
        Filesize

        389KB

        MD5

        5187f0ae3fc7ecd5b247cd1414c38400

        SHA1

        36f96baef19fe58e3ce8b11638ff080658cd4390

        SHA256

        667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda

        SHA512

        4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be

        Download Submit
      • memory/900-5-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/900-12-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/900-4-0x0000000004F60000-0x0000000004FF2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/900-0-0x000000007483E000-0x000000007483F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/900-6-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/900-7-0x0000000004EE0000-0x0000000004EEE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/900-8-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/900-3-0x0000000005470000-0x0000000005A14000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/900-2-0x0000000004E00000-0x0000000004E30000-memory.dmp
        Filesize

        192KB

        Download
      • memory/900-1-0x0000000000590000-0x00000000005F8000-memory.dmp
        Filesize

        416KB

        Download
      • memory/2320-27-0x0000000000390000-0x00000000003BC000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2320-24-0x0000000000390000-0x00000000003BC000-memory.dmp
        Filesize

        176KB

        Download
      • memory/2320-31-0x0000000000390000-0x00000000003BC000-memory.dmp
        Filesize

        176KB

        Download
      • memory/4196-32-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4196-20-0x0000000005DD0000-0x0000000005E6C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4196-19-0x0000000005560000-0x000000000556A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4196-18-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4196-16-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4196-17-0x0000000074830000-0x0000000074FE0000-memory.dmp
        Filesize

        7.7MB

        Download