Resubmissions

26-09-2024 23:50

240926-3vls2avamn 10

27-08-2024 13:26

240827-qpnzzsvblm 10

General

  • Target

    c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118

  • Size

    705KB

  • Sample

    240827-qpnzzsvblm

  • MD5

    c515a556d7cc1fb7a476fb0fb1aadaaa

  • SHA1

    c5690d2abee36e06c2c40dceba693bc7eeeda7be

  • SHA256

    4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b

  • SHA512

    ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2

  • SSDEEP

    12288:0J0unggMGIwHJo8spfSPFWHw2Y8ZKk8mZfurZB+n3mfYBkU4f5YNmmh8o:luoG9priSPFWHw2Y8ZK5d22fYBkU4f5q

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    yoqmiiwhxyjcorck

Extracted

Family

netwire

C2

greatking.freeddns.org:3362

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    false

Targets

    • Target

      c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15