Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 15:14
Static task: static1
Behavioral task: behavioral1
- Sample: 6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
- Size: 283KB
- MD5: 6b5a574c81822c806e598fde5aad93fc
- SHA1: afbdd84b379d5c392674f2a54bedf01f6f7f9f2b
- SHA256: fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa
- SHA512: 5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff
- SSDEEP: 6144:AoMdUh1RXAi/q7KtrDTWXWQGaeyLl2HWYkgSEXMEV9p:AjwJWX55mk
Malware Config
Extracted family: netwire
- C2: 185.163.100.6:111
- activex_autorun: true
- activex_key: {446644VO-124I-732R-6QR3-BBYQ1W40UCW2}
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- mutex: YSxJvAQj
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: NetWire
- use_mutex: true
Signatures
- NetWire RAT payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/2324-27-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/2324-24-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/2324-21-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/2324-19-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/2324-20-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/2044-2-0x0000000000950000-0x000000000099A000-memory.dmp | netwire
- Executes dropped EXE (2 IoCs)
  pid | process
  1988 | file.exe
  2324 | file.exe
- Loads dropped DLL (9 IoCs)
  pid | process
  2364 | cmd.exe
  1988 | file.exe
  872 | WerFault.exe (7 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt | cmd" | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1988 set thread context of 2324 | 1988 | file.exe | file.exe
- Program crash (1 IoC)
  pid | pid_target | process
  872 | 2324 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2044 | 6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
  Token: SeDebugPrivilege | 1988 | file.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | process | target process
  PID 2044 wrote to memory of 2364 | 2044 | 6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe | cmd.exe (4 entries)
  PID 2364 wrote to memory of 1988 | 2364 | cmd.exe | file.exe (4 entries)
  PID 1988 wrote to memory of 1416 | 1988 | file.exe | cmd.exe (4 entries)
  PID 1416 wrote to memory of 2248 | 1416 | cmd.exe | reg.exe (4 entries)
  PID 1988 wrote to memory of 2324 | 1988 | file.exe | file.exe (11 entries)
  PID 2324 wrote to memory of 872 | 2324 | file.exe | WerFault.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "cmd"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\Desktop\file.exe
      command line: "C:\Users\Admin\Desktop\file.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd"
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
          - Adds Run key to start application
      - [4] C:\Users\Admin\Desktop\file.exe
        command line: "C:\Users\Admin\Desktop\file.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 140
          - Loads dropped DLL
          - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\Desktop\file.exe
  Filesize: 283KB
  MD5: 6b5a574c81822c806e598fde5aad93fc
  SHA1: afbdd84b379d5c392674f2a54bedf01f6f7f9f2b
  SHA256: fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa
  SHA512: 5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff
- memory/1988-13-0x0000000074ED0000-0x00000000755BE000-memory.dmp (Filesize: 6.9MB)
- memory/1988-34-0x0000000074ED0000-0x00000000755BE000-memory.dmp (Filesize: 6.9MB)
- memory/1988-9-0x0000000000C90000-0x0000000000CDC000-memory.dmp (Filesize: 304KB)
- memory/1988-11-0x0000000074ED0000-0x00000000755BE000-memory.dmp (Filesize: 6.9MB)
- memory/2044-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp (Filesize: 4KB)
- memory/2044-1-0x0000000001300000-0x000000000134C000-memory.dmp (Filesize: 304KB)
- memory/2044-2-0x0000000000950000-0x000000000099A000-memory.dmp (Filesize: 296KB)
- memory/2044-3-0x0000000000480000-0x000000000048A000-memory.dmp (Filesize: 40KB)
- memory/2044-4-0x0000000074ED0000-0x00000000755BE000-memory.dmp (Filesize: 6.9MB)
- memory/2044-10-0x0000000074ED0000-0x00000000755BE000-memory.dmp (Filesize: 6.9MB)
- memory/2324-21-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-17-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-18-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-20-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-15-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-19-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2324-24-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
- memory/2324-27-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)