Overview

overview

10

Static

static

3

acb2840b57...18.exe

windows7-x64

10

acb2840b57...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 03:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    acb2840b575bd538efdd76ada3a603a2_JaffaCakes118.exe

  • Size

    1022KB

  • MD5

    acb2840b575bd538efdd76ada3a603a2

  • SHA1

    e871d22c8443eb556e897d18d77e6e8ead667cce

  • SHA256

    c8f71c7078e8667e79d827762ad65bcbc311195da00e87df782a30424e6f93af

  • SHA512

    e938e85070bc9e30cb3a9690c35dea55da4389cb30621c163f35170570ee6a245f2b2b1376bcdfaf3e070b83a9cb3cd72cc5639e19bd12247903abd547109a75

  • SSDEEP

    1536:4Wp4doeVY9nzccb43+o/20t5Yrpq/nvR803E58XK5MhGJ/fYWCJzw8YeEvi7gaF3:rGoxzA3+o/20t5YIvHuImoP0vtuF4q

Score
10/10
netwirenjratbotnetevasionpersistenceratstealertrojan

Malware Config

Extracted

Family

netwire

C2

91.192.100.3:1199

Attributes
  • activex_autorun

    true

  • activex_key

    {0841AJ8U-8PI0-YXLN-18O6-2786QVLQ43VL}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Bushbush

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    QKiFRiUe

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Avast

  • use_mutex

    true

Signatures

  • NetWire RAT payload 3 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\acb2840b575bd538efdd76ada3a603a2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\acb2840b575bd538efdd76ada3a603a2_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Users\Admin\AppData\Local\Temp\Host.exe
        "C:\Users\Admin\AppData\Local\Temp\Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Users\Admin\AppData\Roaming\Install\Host.exe
          "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
          4⤵
          • Modifies Installed Components in the registry
          • Executes dropped EXE
          • Adds Run key to start application
          PID:2708
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:1820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Host.exe
    Filesize

    132KB

    MD5

    e6816a314a4cb6ab308e9b8066e61baa

    SHA1

    86baae6075ddf7c05bb67788c3e4844385f5b5cc

    SHA256

    f6307bac4e2e5a5d006461bc0e614acb738c86cf0ea6a606c7c72fa72074e81e

    SHA512

    1bae0eed5177de9c828bc3d40889afe0eba064d49bd4830aa0c9ed234b0baa521fd62d30499eed4c64f2aafcb8dfb055042b0b5c7c1e1b761d68428b6bf6c648

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    23KB

    MD5

    728611dc09fdcba13bbcca5247956cd0

    SHA1

    7ffa8dd6838120a4e5fa0b6af25e71dfe9a5778a

    SHA256

    130281a00892bb6f5ed16c8c3ebf3b2a5105a475d914a3fa2c341586d427878b

    SHA512

    3ea67e97a558836f8ce696d6b4f67c14f581df810f13415b6dabc6e26ba9d9a79a1c8e6048faf16da99c52d2c7e261a25c8513e448154968c6d705956dafeb81

    Download Submit

  • memory/1536-6-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1536-9-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1760-28-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1768-32-0x0000000074B30000-0x0000000074BBD000-memory.dmp

    Filesize

    564KB

    Download

  • memory/1768-35-0x0000000074B30000-0x0000000074BBD000-memory.dmp

    Filesize

    564KB

    Download

  • memory/2708-33-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4004-0-0x0000000074B42000-0x0000000074B43000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4004-1-0x0000000074B40000-0x00000000750F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4004-2-0x0000000074B40000-0x00000000750F1000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4004-11-0x0000000074B40000-0x00000000750F1000-memory.dmp

    Filesize

    5.7MB

    Download