Overview

overview

10

Static

static

10

6df0096cf0...18.exe

windows7-x64

10

6df0096cf0...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6df0096cf0c1f91b398a7ff67d935f65_JaffaCakes118

  • Size

    160KB

  • Sample

    240524-kqrjlsbf6v

  • MD5

    6df0096cf0c1f91b398a7ff67d935f65

  • SHA1

    1de4c4714d279418196c9654a3926d35bd85976f

  • SHA256

    8392cbbda680d84a0c5a48763fa1e5e1d28506a5fd53e2814a99047a6b7062a4

  • SHA512

    02c52f334777498d45886cc9d5160dd5d064f1cb1d3d861a2d512a35a2264bf39c784e5d03473e0e2a1afbc9d7f63ee70d3572291e2bec9d7688e120abb08452

  • SSDEEP

    3072:6Lp3qvhn9VI8VjCX1I43fAwegLM6rFDBSxEnSM78ChPr9T4gQNlyAVrhkt24:6LQvhnDIBSilL3DDnSM78C1r9TwbXs7

Score
10/10
netwiresalitybackdoorbotnetevasionratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

cb4.noip.me:3360

fuxxer.myvnc.com:3360
Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    true

  • host_id

    AppleINC-%Rand%

  • install_path

    %AppData%\WindowUpdate\sys32.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    TUbvRjPs

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      6df0096cf0c1f91b398a7ff67d935f65_JaffaCakes118

    • Size

      160KB

    • MD5

      6df0096cf0c1f91b398a7ff67d935f65

    • SHA1

      1de4c4714d279418196c9654a3926d35bd85976f

    • SHA256

      8392cbbda680d84a0c5a48763fa1e5e1d28506a5fd53e2814a99047a6b7062a4

    • SHA512

      02c52f334777498d45886cc9d5160dd5d064f1cb1d3d861a2d512a35a2264bf39c784e5d03473e0e2a1afbc9d7f63ee70d3572291e2bec9d7688e120abb08452

    • SSDEEP

      3072:6Lp3qvhn9VI8VjCX1I43fAwegLM6rFDBSxEnSM78ChPr9T4gQNlyAVrhkt24:6LQvhnDIBSilL3DDnSM78C1r9TwbXs7

    Score
    10/10
    netwiresalitybackdoorbotnetevasionratstealertrojanupx

    • Modifies firewall policy service

      evasion

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks