Analysis
- max time kernel: 131s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2024 04:05
Static task: static1
Behavioral task: behavioral1
Sample: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
Resource: win7-20240705-en
General
- Target: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
- Size: 1.2MB
- MD5: 76fcd0ec1860da706c04b38659b4b0db
- SHA1: 5a969284724e72d9dc472caf958daf42c5e49e4e
- SHA256: fc7cbece268d5d03cc1bf2575125c1152eb0649b2448db9f591ad1cd2ef384c9
- SHA512: bbe18435ec9243dc7d6df08f040daed701835f5c6cbadf3cd37c3c8d5d560d726aa819732c55968c4246b2d71c64df41a0cb7540d10f622ae8ada05d616be950
- SSDEEP: 24576:BAHnh+eWsN3skA4RV1Hom2KXMmHaGwdE2tqhvMZpByD0gzINj5:Yh+ZkldoPK8YaHE2tqhUFyDF4
Malware Config
Extracted
- Family: netwire
- C2: 45.32.184.40:1968
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: pd1n8
- lock_executable: false
- mutex: hiMcnjUn
- offline_keylogger: false
- password: Kimbolsapoq!P13
- registry_autorun: false
- use_mutex: true
Signatures
- NetWire RAT payload (3 IoCs)
  resource -> yara_rule:
  behavioral1/memory/2020-1-0x0000000000400000-0x000000000042C000-memory.dmp -> netwire
  behavioral1/memory/2020-4-0x0000000000400000-0x000000000042C000-memory.dmp -> netwire
  behavioral1/memory/2020-5-0x0000000000400000-0x000000000042C000-memory.dmp -> netwire
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\0x433A5C55736572735C41646D696E5C417070446174615C77696E726573756D65 = "C:\\Users\\Admin\\AppData\\winresume\\adhsvc.bat"
  process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2496 set thread context of 2020
  pid: 2496
  process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
  procid_target: 31
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: svchost.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 2496
  process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 2496, process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe (3 occurrences)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 2496, process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe (3 occurrences)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 2496 wrote to memory of 2020
  pid: 2496
  process: 76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
  procid_target: 31
  (5 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\76fcd0ec1860da706c04b38659b4b0db_JaffaCakes118.exe"
  PID: 2496
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 2020
    - System Location Discovery: System Language Discovery