Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    31-08-2024 21:59

General

  • Target

    cdacadda6a7ecfb449310a3f92bbd6de_JaffaCakes118.exe

  • Size

    427KB

  • MD5

    cdacadda6a7ecfb449310a3f92bbd6de

  • SHA1

    ae7520c09469cce70d9495d9092c49f176dac67c

  • SHA256

    709461e5e465b5b776ceb72a7fa69772cb97460ad5daf8dbe756e0614678d2e3

  • SHA512

    9314a3e2b69f9bdd6f208e9d3e3647baa640d26e20ffa60db7ce1e027b0af4380a7b8a63b8b477119f5fb2596e218843bcf6387d75dd31eab64b637d3515711e

  • SSDEEP

    6144:ojbei8D7JNEeHfZEW6GH5W288Lhvb5HEGa+00bivT0HdibcIAKZ0:ou7tzgGH5W28UvbeGrZOhcc0

Malware Config

Extracted

Family

netwire

C2

qualitytrade12.hopto.org:3194

Attributes
  • activex_autorun

    true

  • activex_key

    {48X0572Q-0821-53L8-APT1-5H6W1WP21L7V}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    NEWCLIENT

  • install_path

    %AppData%\Install\word.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    IAqepjWi

  • offline_keylogger

    true

  • password

    master45

  • registry_autorun

    true

  • startup_name

    Mozila

  • use_mutex

    true

Signatures

  • NetWire RAT payload 5 IoCs
  • Netwire

    Netwire is a RAT whose main functionalities are focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdacadda6a7ecfb449310a3f92bbd6de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cdacadda6a7ecfb449310a3f92bbd6de_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        3⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:2276
      • C:\Windows\SysWOW64\cmd.exe
        /c net stop MpsSvc
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\net.exe
          net stop MpsSvc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MpsSvc
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4700
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Users\Admin\AppData\Roaming\Install\word.exe
          "C:\Users\Admin\AppData\Roaming\Install\word.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Roaming\Install\word.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
            5⤵
            • Drops startup file
            • System Location Discovery: System Language Discovery
            PID:632
          • C:\Windows\SysWOW64\cmd.exe
            /c net stop MpsSvc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5104
            • C:\Windows\SysWOW64\net.exe
              net stop MpsSvc
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1716
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop MpsSvc
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4024
          • C:\Users\Admin\AppData\Roaming\Install\word.exe
            "C:\Users\Admin\AppData\Roaming\Install\word.exe"
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xy_

    Filesize

    132KB

    MD5

    890001245d7da1fb3ff511443c74be01

    SHA1

    c54489f248a5767530e427fe7eee77755d2678d1

    SHA256

    e3dc49602ba099c79c88238efecdb7b7cd7b3b6c8381eaf1bcd6e886bd6500b3

    SHA512

    ef6b3c8a72b3dbcf769037a748074e447c8f57636d9ea168c2d0796b5b2be2dfdad5f5f562b24ef9fd353405cbc5e3a1a0ff4f3330b5f9a513904867d402301b

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.xyz

    Filesize

    212KB

    MD5

    b2af3b332d92fc09b79c4bf85263fd22

    SHA1

    cbb3c3a4b17ba2888cfd0b96f59a5bc454d4ef32

    SHA256

    b9dd8dfdb9a3fd61b2acffe0018cdf99b02c97025ae0d41a7aac7c9d76647b58

    SHA512

    b6d7271b1b0e7285bff25b8edb0f31cc7076bbbf611a4bfa9a457463c38ba7d0f5694f89b18a5b26b0f793e76dc0a0e5279dbf4cf976a6b52787157523e17932

  • memory/1380-42-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2164-15-0x0000000000400000-0x0000000001080000-memory.dmp

    Filesize

    12.5MB

  • memory/2164-17-0x0000000000400000-0x0000000001080000-memory.dmp

    Filesize

    12.5MB

  • memory/2164-19-0x0000000000400000-0x0000000001080000-memory.dmp

    Filesize

    12.5MB

  • memory/2164-24-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3656-40-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

  • memory/4908-41-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB