adwind | ed0ded65dc5d136c854016cb11989e7ca33b453fdf04596aa9e81242c103755e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe
Size

932KB
MD5

a2464b4f4778466af3de6f08818eb602
SHA1

141ba4d2db10fe970ee728ac83ae9f63f161f6fb
SHA256

ed0ded65dc5d136c854016cb11989e7ca33b453fdf04596aa9e81242c103755e
SHA512

368fd63cfd6ea0099db79ee0bbb13d72630a943a136144810dffac82c776f4ef77dca2d059207dffdb33881ec24ec11991fdba47033c81cccf992f5b6e9f383d
SSDEEP

24576:IEAnRvATRmw1luw+JWNT+irshqTuSkXfw99Tdvvv:Ix6TIC+iT+icqTmAdvv

Score

10^/10

adwind netwire remcos botnet discovery rat stealer trojan

Malware Config

Extracted

Family

netwire

trustkemi.duckdns.org:8070

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
0x53F13A2E
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
231father@
registry_autorun
false
use_mutex
false

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind5

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023504-15.dat	netwire
behavioral2/memory/3668-977-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-989-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-1000-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-1009-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-1017-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-1028-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-1039-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3668-1047-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
724	remcos_agent.exe
3668	Host.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2484	icacls.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\test.txt	java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
724	remcos_agent.exe
648	javaw.exe
4172	java.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 724	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	83
PID 4748 wrote to memory of 724	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	83
PID 4748 wrote to memory of 724	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	83
PID 4748 wrote to memory of 3668	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	84
PID 4748 wrote to memory of 3668	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	84
PID 4748 wrote to memory of 3668	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	84
PID 4748 wrote to memory of 648	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	85
PID 4748 wrote to memory of 648	4748	a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe	85
PID 648 wrote to memory of 2484	648	javaw.exe	86
PID 648 wrote to memory of 2484	648	javaw.exe	86
PID 648 wrote to memory of 4172	648	javaw.exe	88
PID 648 wrote to memory of 4172	648	javaw.exe	88
PID 648 wrote to memory of 216	648	javaw.exe	90
PID 648 wrote to memory of 216	648	javaw.exe	90
PID 4172 wrote to memory of 3716	4172	java.exe	92
PID 4172 wrote to memory of 3716	4172	java.exe	92
PID 216 wrote to memory of 2192	216	cmd.exe	94
PID 216 wrote to memory of 2192	216	cmd.exe	94
PID 3716 wrote to memory of 2780	3716	cmd.exe	95
PID 3716 wrote to memory of 2780	3716	cmd.exe	95
PID 4172 wrote to memory of 3696	4172	java.exe	96
PID 4172 wrote to memory of 3696	4172	java.exe	96
PID 648 wrote to memory of 840	648	javaw.exe	97
PID 648 wrote to memory of 840	648	javaw.exe	97
PID 3696 wrote to memory of 400	3696	cmd.exe	100
PID 3696 wrote to memory of 400	3696	cmd.exe	100
PID 840 wrote to memory of 1116	840	cmd.exe	101
PID 840 wrote to memory of 1116	840	cmd.exe	101
PID 4172 wrote to memory of 5028	4172	java.exe	102
PID 4172 wrote to memory of 5028	4172	java.exe	102
PID 648 wrote to memory of 4984	648	javaw.exe	104
PID 648 wrote to memory of 4984	648	javaw.exe	104
PID 4172 wrote to memory of 3504	4172	java.exe	107
PID 4172 wrote to memory of 3504	4172	java.exe	107

C:\Users\Admin\AppData\Local\Temp\a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a2464b4f4778466af3de6f08818eb602_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\ProgramData\remcos_agent.exe
  "C:\ProgramData\remcos_agent.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:724
- C:\ProgramData\Host.exe
  "C:\ProgramData\Host.exe"
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\ProgramData\grace.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:2484
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.0136822717009903455337967662577930159.class
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4140626141580895438.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4140626141580895438.vbs
        5⤵
        
        PID:2780
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5937335001165204504.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5937335001165204504.vbs
        5⤵
        
        PID:400
  - - C:\Windows\SYSTEM32\xcopy.exe
      xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:5028
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      PID:3504
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4544086258155499773.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4544086258155499773.vbs
      4⤵
      PID:2192
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5048186187970699682.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5048186187970699682.vbs
      4⤵
      PID:1116
- - C:\Windows\SYSTEM32\xcopy.exe
    xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
    3⤵
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Host.exe

Filesize
132KB

MD5
1d25956a246b2e118423f9726c5077a3

SHA1
2abf70b1ced059d119610d0b58cd02797b28fab6

SHA256
963b1df3242acbbe1173175c8f0d0d7bc88377f42b6354011673282e515a0ed2

SHA512
d7af60bb1310718de15aa468c7f235e66bdafd57dde2711f7377bdc109993c4f21363ed22841045639b8a58b32695cb7d7ee75fa52628d8c91deaf564611c123

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
7b89ac37fae8a53e48d251dec60ac128

SHA1
cec491e9253c98ff1ebb1708475c851cad020679

SHA256
efdcc5c35b61f9f6a6763f8032d72dbfb47d730621a05010c84f2979d2954044

SHA512
4c606d2aaa1c5b9b17f21bb09c3d7694e7951f4711a2a8fa5aac1ba9974f42f0b7598f356f15e35ccb4cfe1d609dfbfb7465115bb644e3e41d4d310c1caa13ac

Download Submit
C:\ProgramData\grace.jar

Filesize
478KB

MD5
5743f28c07c9883b607f3fc713f6441a

SHA1
d9e11fa656705483b5ad6cce79f7c0253a32e101

SHA256
e8da125fac8c4ef0afcd0fcbb2bd0466c55413fa5472bbbfc0e18cace6bc1ee7

SHA512
35e079ff1d0db8ded983625e0b57e59db30113f62c7229440d5c8ba0c6ee06379d46175e78f7afee6edc82554ffb933d8e79de1f37b1dd1f77e1e088c6a1a160

Download Submit
C:\ProgramData\remcos_agent.exe

Filesize
124KB

MD5
1d5903c322dbc355d4acbab213322d52

SHA1
8990f9f01ae5a796e09965c697d2319f071d0cb9

SHA256
25087df9337fc02e285e4837ee6b39f05b616d7fa7b288a6eeda5a788721adc3

SHA512
c2a17a25bf4f8d872603ac4194c7dbd1f5db8d6095b9a515a7ddc76ddba8e914d3f43d51962c310eaf2555efb2ae3593b9e17acbc4e974c00722768b9eec7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive4544086258155499773.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5937335001165204504.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.0136822717009903455337967662577930159.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-200405930-3877336739-3533750831-1000\83aa4cc77f591dfc2374580bbd95f6ba_aa2c3450-affa-4182-91ec-fc04d80413bd

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
880baacb176553deab39edbe4b74380d

SHA1
37a57aad121c14c25e149206179728fa62203bf0

SHA256
ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

SHA512
3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\US_export_policy.jar

Filesize
7KB

MD5
12f971b6e65cbc7184701235469f0339

SHA1
06cb165157c5e0078b872c48707a1328b1dcba19

SHA256
84e035372ca8979bb4a387428a74942ffc7248a0e61988b7033b5b266cd187c8

SHA512
58646fc81de2e4750a3259d79a207a8cff2dc6692f178a63d92a453fc408c8d1088007ef4e93157d1017be706565716a0236039dbac848c40745a0ad89c4d0de

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
79B

MD5
ab1f14bfa29afbb409fcf65f59e8846c

SHA1
ddc2668f4ff9999a72007e53ca5e89b4a87d6dc6

SHA256
6be5b8d7c0c21efe88320da935f4f479dff1bb8f65c9069a77fe7476e74d1854

SHA512
8b2741e7857742a26d2290aa342866426621281fe673bdff79d216e68c60cc34ae7d165061962e1ee16f37f334f242256f7372453fd552e21f7701846be04617

Download Submit
memory/648-50-0x000001EC91870000-0x000001EC91871000-memory.dmp

Filesize
4KB

Download
memory/648-359-0x000001EC91870000-0x000001EC91871000-memory.dmp

Filesize
4KB

Download
memory/648-82-0x000001EC91870000-0x000001EC91871000-memory.dmp

Filesize
4KB

Download
memory/648-26-0x000001EC930F0000-0x000001EC93360000-memory.dmp

Filesize
2.4MB

Download
memory/648-992-0x000001EC930F0000-0x000001EC93360000-memory.dmp

Filesize
2.4MB

Download
memory/3668-989-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-1047-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-1039-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-1028-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-1017-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-1009-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-1000-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3668-977-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4172-986-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-1006-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-991-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-979-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-972-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-1002-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-1003-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-86-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-393-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-73-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4172-1032-0x000001B6436D0000-0x000001B6436D1000-memory.dmp

Filesize
4KB

Download
memory/4748-0-0x00000000752C2000-0x00000000752C3000-memory.dmp

Filesize
4KB

Download
memory/4748-25-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4748-1-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4748-2-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download