General
-
Target
c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118
-
Size
705KB
-
Sample
240827-qpnzzsvblm
-
MD5
c515a556d7cc1fb7a476fb0fb1aadaaa
-
SHA1
c5690d2abee36e06c2c40dceba693bc7eeeda7be
-
SHA256
4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b
-
SHA512
ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2
-
SSDEEP
12288:0J0unggMGIwHJo8spfSPFWHw2Y8ZKk8mZfurZB+n3mfYBkU4f5YNmmh8o:luoG9priSPFWHw2Y8ZK5d22fYBkU4f5q
Static task
static1
Behavioral task
behavioral1
Sample
c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
yoqmiiwhxyjcorck
Extracted
netwire
greatking.freeddns.org:3362
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
false
Targets
-
-
Target
c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118
-
Size
705KB
-
MD5
c515a556d7cc1fb7a476fb0fb1aadaaa
-
SHA1
c5690d2abee36e06c2c40dceba693bc7eeeda7be
-
SHA256
4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b
-
SHA512
ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2
-
SSDEEP
12288:0J0unggMGIwHJo8spfSPFWHw2Y8ZKk8mZfurZB+n3mfYBkU4f5YNmmh8o:luoG9priSPFWHw2Y8ZK5d22fYBkU4f5q
-
NetWire RAT payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1