stealthworker | e251bbef2c33494c43462511bda36339cf2e8b1be5aa30bb77fdc5d168d28db4

General

Target

c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe
Size

3.9MB
MD5

c4dea1d39e7c009a8dd333e5e84a0486
SHA1

fbfaa875ffd294b407d038439f8cb561c033cbe1
SHA256

e251bbef2c33494c43462511bda36339cf2e8b1be5aa30bb77fdc5d168d28db4
SHA512

377f196ea88f26f90610fa91543f264c7a710e348695580254458b47ef6f7f930d4adacf85c86eb6aa9461c4edaaa83fe65e0ce8f2b7371e8d54b3c7c2de8da6
SSDEEP

98304:HKIr+ZQqjWg00mSvAbQ05eKz4U0BAyHkVTFl:qI6Sg2vQ9KzDFFl

Score

10^/10

stealthworker botnet discovery upx

Malware Config

Extracted

Family

stealthworker

Version

3.06

C2

http://190.97.167.130:8081

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-4-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-9-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-10-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-11-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-12-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-13-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-14-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-15-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-16-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-17-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-18-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-19-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-20-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-21-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx
behavioral1/memory/2696-22-0x0000000000400000-0x0000000000AE4000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2412	2696	c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2412	2696	c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2412	2696	c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2412	2696	c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c4dea1d39e7c009a8dd333e5e84a0486_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
305B

MD5
a4e5715616214549c582e93674d046a5

SHA1
34a403cdb1e2ba2a59c8699c82a2a3ff5889e4ff

SHA256
4dc6e93aea3095c86be9e8b2e41c1dd23829482a9c0994268147289c3e4ee7aa

SHA512
9b23b2cd09dfbffe17d2638abb51b5bde892e515d52ea2e88610bc7d4d7f4eba2ed5ada7c704bf3cdf4ccc824052ac64c7ba914ac9586196a24d3be1916011a1

Download Submit
memory/2696-12-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-15-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-4-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-1-0x0000000002800000-0x0000000002BB7000-memory.dmp

Filesize
3.7MB

Download
memory/2696-9-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-10-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-11-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-0-0x0000000002800000-0x0000000002BB7000-memory.dmp

Filesize
3.7MB

Download
memory/2696-2-0x0000000002BC0000-0x0000000002E85000-memory.dmp

Filesize
2.8MB

Download
memory/2696-13-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-14-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-16-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-17-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-18-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-19-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-20-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-21-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/2696-22-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing