Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 15:14
General
-
Target
6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
-
Size
283KB
-
MD5
6b5a574c81822c806e598fde5aad93fc
-
SHA1
afbdd84b379d5c392674f2a54bedf01f6f7f9f2b
-
SHA256
fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa
-
SHA512
5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff
-
SSDEEP
6144:AoMdUh1RXAi/q7KtrDTWXWQGaeyLl2HWYkgSEXMEV9p:AjwJWX55mk
Malware Config
Extracted
netwire
185.163.100.6:111
-
activex_autorun
true
-
activex_key
{446644VO-124I-732R-6QR3-BBYQ1W40UCW2}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
YSxJvAQj
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
true
Signatures
-
NetWire RAT payload 6 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 9 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\file.exe"C:\Users\Admin\Desktop\file.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"5⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\Desktop\file.exe"C:\Users\Admin\Desktop\file.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1405⤵
- Loads dropped DLL
- Program crash
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
283KB
MD56b5a574c81822c806e598fde5aad93fc
SHA1afbdd84b379d5c392674f2a54bedf01f6f7f9f2b
SHA256fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa
SHA5125ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
304KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
296KB
-
Filesize
40KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
176KB