General

  • Target

    72a4dd4d9b65aeefd23116793b1e04b2_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240525-vh2pqabb81

  • MD5

    72a4dd4d9b65aeefd23116793b1e04b2

  • SHA1

    bbf05e5d0a3bdbb909266fd4b74764a578e7dfc0

  • SHA256

    e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6

  • SHA512

    f0cee93b72db2ecda12912116913cfafe12f9d8e5b4ca74defb128249111e6904494ae5c32a24235ea284cac0e957feba895580391de0fcb33be5b0b45069cdc

  • SSDEEP

    24576:xLLYxIyvSxt9uatW2t7zmqrVS3rzPKfmty+CTycckVDirHzQY/hmvGi:xLYzQbZmOV8zK+CG3eEzQY/hmvGi

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    YbcwLUQv

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Extracted

Family

pony

C2

http://tekinkgroup.com/rector/gate.php

Attributes
  • payload_url

    http://tekinkgroup.com/rector/shit.exe

Targets

    • Target

      24.exe

    • Size

      231KB

    • MD5

      260b768a03390af34cf4d91ced33fb0e

    • SHA1

      19022cee29e978d9e56af5931421c115c522ee31

    • SHA256

      d4103e933d33c9257967b632f9c4cedc5f57e15abd2c0357ce7e9966881cc97d

    • SHA512

      05fd9b1eba3f4217b49b4b7eed58634eb7cf944dfa367a0e868c15862a3399e6e874754ab9ffda785a47a7b850d6e24bc777ba55fe47c1405cd28534869841c3

    • SSDEEP

      3072:2xfqOcLw3jpU6+NAs9ejLSxKy2jSb/DCKvNSs7ZAHS6vYAdz7QgRrYEaFxuAc2:wqOPzpU6+NCLSK8GBcZAHStYXRrYHc2

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      4.exe

    • Size

      233KB

    • MD5

      8acb1a113d20530f501fc371622ff0db

    • SHA1

      3e3996eac73c8c5b100e578bf8794f61fb47d255

    • SHA256

      08a1633161123a511f98004bda97d5ada42bf34a58e2e598fb321c1fe7a1d1a8

    • SHA512

      4ad5c92a299457c8674b76ecf5cd8388fd0b658ef9441c8952d63ac63e8f7404551dc590dedf0c3896f5accbdd60fc365605acab424c42f48be65d1d080877ee

    • SSDEEP

      6144:jxQxWRPYIA/fSU9Ja2da7MgpveTvmdhzh3+BPBZbzUE:jxQxWRPYIIfSUVaMmveTHBRR

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      7.exe

    • Size

      216KB

    • MD5

      2a02f52b64bb0b2ffce4fb81b4517c7c

    • SHA1

      b3a46bb392a8b40c12ac046dfdc3572132155aab

    • SHA256

      c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c

    • SHA512

      4814e9064e9ed6c4cdc6e514e7a7e73c227fe598904d654cadb98ef1acee51ba987d937547f80e0aeb1972cda86ae3f22addfaf83490a906ec1927f3980be786

    • SSDEEP

      6144:59nNMa2B9x4UmQrrYfZUgWKZtFivagH8mlE:DNMaA9x4hdWqtAVHv

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      Order.exe

    • Size

      222KB

    • MD5

      28ddb3f1013592bb1b4413ee39009a57

    • SHA1

      17f9ae6d47506306352f9670c8dfed99322a3337

    • SHA256

      c552c6df4bc0a5aff777c0d4c3b3aec0f2c042d68c17ecd316bfd58b04477698

    • SHA512

      e96ab074f89cdd9e5ed94f279884eb4fbf44a1f9ca6da0e1507e0029df45c2f3c5b5ea9be62dc758f783d3ed26f0a98e15a67b5e2592cc872731739b0da05424

    • SSDEEP

      6144:kdufqYEGgI+/bHmLpmTvnwM2mksSFwKQ:hqYEGgI+ymvwM29F

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      load2.exe

    • Size

      97KB

    • MD5

      af85c6152e9e4882333a27c4b6c76bf8

    • SHA1

      e83fc5346e51bf7404101f704dcad8f00ed4e3e2

    • SHA256

      36c019c0a66b919aee1e096129b447e0113a1978e7c01333eb6ac02a89adc7e1

    • SHA512

      52b69c94c9663b9db2b3e7753a23c10a63d010d91813ae0217acfdb7ffc1b52886da64d16b2caa4c198c1e8161626353664931e1b16d713df50392c1c8af5af5

    • SSDEEP

      1536:KLz6RibFmySB2T6ktH/mjh6XVFC8HVqXNpgItaYkza3+KD3960pZV5TmytRSzQ:KLmqF08Oktf5FFfVqXNCZNKD38YkCQzQ

    • Score

      1/10

    • Target

      spart.exe

    • Size

      268KB

    • MD5

      6faadd4018893fb1402df8f2693a4fb1

    • SHA1

      e223d93bc1cc7f41b72f2c1ca9cadf0e4c3abd26

    • SHA256

      b3aba8475a844540f9acb081574b2c83f1cb954cb09f3e8b03660881e501ec53

    • SHA512

      9498a96f452d4c176218961559bc27aa1f1ce42b953211d19805618c74ceb6da8571f587c018e6971d077f9e0fe17a1695f080c7da866542e825f521c6eeef74

    • SSDEEP

      3072:jWNVz+FX2UXCQh1pGE8IiGS3AegXNzS5f88LmdwrmKcw3MpODAmuAbeuozIrO1qP:66FX2wF8IidKXNKidw6KlUAiuokrGqP

    • Score

      7/10

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      swift.exe

    • Size

      227KB

    • MD5

      21c0027924a5a4a70cd1e61220716224

    • SHA1

      5546ef57a890ca54ee59f52a39d86ea3f24ffe0e

    • SHA256

      cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d

    • SHA512

      2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0

    • SSDEEP

      6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic              Technique                      ID          Count
Execution           Scripting                      T1064       4
Defense Evasion     Scripting                      T1064       4
Credential Access   Unsecured Credentials          T1552       2
Credential Access   Credentials In Files           T1552.001   2
Discovery           Query Registry                 T1012       2
Discovery           System Information Discovery   T1082       2
Collection          Data from Local System         T1005       2
Collection          Email Collection               T1114       2

Tasks