General

  • Target

    69935bc27fe70192f8d8978057e66aff_JaffaCakes118

  • Size

    428KB

  • Sample

    240523-dxyg6scc38

  • MD5

    69935bc27fe70192f8d8978057e66aff

  • SHA1

    39ef96e0781b4a4d54c4c6ce55aabbd9b4cfb3de

  • SHA256

    a754ba970ae05659445f39a3c858ed52f8fa6d3dee37b58f480f5d481a9b8131

  • SHA512

    9cd2f70a74cbf1e7aa4c65f2eac23934b75799ce3cb0d39decae806624a1c4fdd8d43a3711ae72c6be784baeb02a42bcc84903ced84062cf288b5a800e92b17d

  • SSDEEP

    12288:huWszgGH5W28mmhNQz+GYULCogYAX1uXO2:hozgGZoBogYAMp

Malware Config

Extracted

Family

netwire

C2

glotin.zapto.org:4722

Attributes
  • activex_autorun

    true

  • activex_key

    {2T04X7P3-16C4-8520-6G14-244YTD2A2040}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    MONEY1

  • install_path

    %AppData%\Install\excel.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    pigWTCXD

  • offline_keylogger

    true

  • password

    Hunter45

  • registry_autorun

    true

  • startup_name

    Microsoft

  • use_mutex

    true

Targets

    • Target

      69935bc27fe70192f8d8978057e66aff_JaffaCakes118

    • Size

      428KB

    • MD5

      69935bc27fe70192f8d8978057e66aff

    • SHA1

      39ef96e0781b4a4d54c4c6ce55aabbd9b4cfb3de

    • SHA256

      a754ba970ae05659445f39a3c858ed52f8fa6d3dee37b58f480f5d481a9b8131

    • SHA512

      9cd2f70a74cbf1e7aa4c65f2eac23934b75799ce3cb0d39decae806624a1c4fdd8d43a3711ae72c6be784baeb02a42bcc84903ced84062cf288b5a800e92b17d

    • SSDEEP

      12288:huWszgGH5W28mmhNQz+GYULCogYAX1uXO2:hozgGZoBogYAMp

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks