Overview

overview

10

Static

static

3

a38ad704ae...18.exe

windows7-x64

10

a38ad704ae...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 02:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe

  • Size

    475KB

  • MD5

    a38ad704ae67462e8890bbd7738c58e2

  • SHA1

    0345707df4df630de7520c6901a08a39332c7731

  • SHA256

    0f7061b3e130e6e74d13a7c11fe4d6fb210c0fc4d26ec98b576169cbe5527cd9

  • SHA512

    65236d0caa6b5307db81dd2b2cef139b8f653ee87d992a1cd29675c193f16206ed6e83d33c8bdff83057fa5d08502b8f8ec8929c4b7505dabc873c43a75abfbd

  • SSDEEP

    6144:Fr/BPeMTuxDmJh6YGdFWSSb/0zCPwFqz0JYnbN2FGU7pnMV2l0kEB1e:F9LIm76YG/WSSb/0QRbgF77pMcaB1

Score
10/10
netwirebotnetratstealer

Malware Config

Extracted

Family

netwire

C2

178.32.72.136:3361

193.124.0.151:3362
Attributes
  • activex_autorun

    true

  • activex_key

    {0QG8J5X8-8ATR-63E7-Y066-IIX78EN8O68E}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Skype.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    kgTjYgBY

  • offline_keylogger

    true

  • password

    ebefob44

  • registry_autorun

    true

  • startup_name

    TeamViewer

  • use_mutex

    true

Signatures

  • NetWire RAT payload 2 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4072
    • C:\Users\Admin\AppData\Roaming\Install\Skype.exe
      -m "C:\Users\Admin\AppData\Local\Temp\a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe"
      2⤵
        PID:4764

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Install\Skype.exe
      Filesize

      475KB

      MD5

      a38ad704ae67462e8890bbd7738c58e2

      SHA1

      0345707df4df630de7520c6901a08a39332c7731

      SHA256

      0f7061b3e130e6e74d13a7c11fe4d6fb210c0fc4d26ec98b576169cbe5527cd9

      SHA512

      65236d0caa6b5307db81dd2b2cef139b8f653ee87d992a1cd29675c193f16206ed6e83d33c8bdff83057fa5d08502b8f8ec8929c4b7505dabc873c43a75abfbd

      Download Submit

    • memory/4072-1-0x0000000002460000-0x0000000002461000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4072-0-0x0000000002140000-0x000000000217A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4072-2-0x0000000002140000-0x000000000217A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4072-3-0x0000000000400000-0x000000000047C000-memory.dmp

      Filesize

      496KB

      Download

    • memory/4072-9-0x0000000000400000-0x000000000047C000-memory.dmp

      Filesize

      496KB

      Download