General
- Target: 1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118
- Size: 1.3MB
- Sample: 240701-21clwaygjr
- MD5: 1cd6e77a4650155c54c0dc02b7ac8830
- SHA1: 2806bda7ff96b1a020400e69fb74773baff36b0a
- SHA256: 7ba0b6ce1beabf5437752c8dbe851e1af8bbc74154c1ce318cd4241acf4c763f
- SHA512: 28dd6bde9cd2d6ce063b7142b1b9bf0f5bcb34c702882c7c167e985863c5b1720c4eba25e92b12ee34c00f3651edae355a64b1681b51a9e3bbc325c04907af14
- SSDEEP: 24576:uAHnh+eWsN3skA4RV1Hom2KXMmHaJnhlHsMkyigucCg/fFq1t5:Zh+ZkldoPK8YahhlHsMksunyfsR
Static task: static1
Behavioral task: behavioral1
- Sample: 1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted: netwire
- 79.134.225.35:8687
- activex_autorun: true
- activex_key: {TK1A7HT7-DQYO-67A2-ANU2-MW11C1A1UU6E}
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- lock_executable: false
- offline_keylogger: false
- password: Password
- registry_autorun: true
- startup_name: windows
- use_mutex: false
Targets
- Target: 1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118
- Size: 1.3MB
- MD5: 1cd6e77a4650155c54c0dc02b7ac8830
- SHA1: 2806bda7ff96b1a020400e69fb74773baff36b0a
- SHA256: 7ba0b6ce1beabf5437752c8dbe851e1af8bbc74154c1ce318cd4241acf4c763f
- SHA512: 28dd6bde9cd2d6ce063b7142b1b9bf0f5bcb34c702882c7c167e985863c5b1720c4eba25e92b12ee34c00f3651edae355a64b1681b51a9e3bbc325c04907af14
- SSDEEP: 24576:uAHnh+eWsN3skA4RV1Hom2KXMmHaJnhlHsMkyigucCg/fFq1t5:Zh+ZkldoPK8YahhlHsMksunyfsR
Score: 10/10
- NetWire RAT payload
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext