Analysis
-
max time kernel
146s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
03-06-2024 15:00
General
-
Target
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
-
Size
11.3MB
-
MD5
9232b6170f9de848c09d42c7f1eb5f4c
-
SHA1
accb42982aee08d653885af850c4c47454b3a8d8
-
SHA256
bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
-
SHA512
4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
-
SSDEEP
196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt
Malware Config
Extracted
azorult
http://abnmz.akrn12.com/index.php
Extracted
netwire
ptmk2.ddns.net:8906
-
activex_autorun
true
-
activex_key
{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Skyype.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
DkDoPqeJ
-
offline_keylogger
true
-
password
Ratrat123$
-
registry_autorun
true
-
startup_name
NetW
-
use_mutex
true
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
NetWire RAT payload 2 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nwd.exe"C:\Users\Admin\AppData\Local\Temp\nwd.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Skyype.exe-m "C:\Users\Admin\AppData\Local\Temp\nwd.exe"3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD53752304d7b6071f70916fe001fee8d53
SHA1f6a225e7dfae7c614542c3253ca29444c1e697ae
SHA2569141c98540da1c4716b0a48ef166272c317c59345de8b581534aae606c5ff812
SHA512e9651f4eb5ceb2a1591a295308fafd8fcd8053943a8810373f34f5f01b372c3ce6db2dc6d0efaa990b7981b0175c0e3f603f479fa0f6575e7f18d5a7cb7da2cc
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
1.1MB
-
Filesize
11.3MB
-
Filesize
11.3MB