Overview

overview

10

Static

static

3

d02593c2d1...18.exe

windows7-x64

10

d02593c2d1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-09-2024 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe

  • Size

    834KB

  • MD5

    d02593c2d119e8b68052587cb446943a

  • SHA1

    dcf444435c05a2b324c418dbc8550c901ac1643c

  • SHA256

    0400cef226621ad00d51b8880025664e3a916c0c3c3207f3525b8423af52a5f6

  • SHA512

    e0c63ee38271acdbbd8eb42ec7d5e7bd460dfdd22a2865f4e31eee4b5dda65f68c915ebb8527c600f51e4838877b5a3c977a4c5c165e4ea092ed0a8e4d2f53cd

  • SSDEEP

    24576:nN+R2WtRz9mp8Kzx9SLhmf2zHQvPTQtP/:NKhrKzx0Lk0wXTAP/

Score
10/10
netwirebotnetdiscoveryexecutionpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

tracyll.ddns.net:9003

nybenlord.duckdns.org:1972
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    hOpOCYBj

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 12 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc.exe' -Value '"C:\Users\Admin\AppData\Roaming\Videolan\vlc.exe"' -PropertyType 'String' -Force
      2⤵
      • Adds Run key to start application
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\timeout.exe
        timeout 5
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1760
    • C:\Users\Admin\AppData\Local\Temp\firefox.exe
      "C:\Users\Admin\AppData\Local\Temp\firefox.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'firefox.exe' -Value '"C:\Users\Admin\AppData\Roaming\Mozilla\firefox.exe"' -PropertyType 'String' -Force
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:536
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1352
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:600
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat
    Filesize

    198B

    MD5

    491596e35202b4e2298ab341fc17a92d

    SHA1

    f817832093e6527c36686e1687ba0e5e8537cd49

    SHA256

    ceda2545743c03b1faa3775719e2f549428d9def4ccb3845d6179046d3312bfd

    SHA512

    2be5da8c2570eb472461ae4a2c3db363610736e8f23cbdeb0600908784aa4063b2f49bd151259af3ac440ac0a6e417dd8beb195418dd14a1c294776d16559ad5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp.bat
    Filesize

    159B

    MD5

    2d6a231a9316cfafd9897de656c8e831

    SHA1

    6dd196336ef9f174423af2e04c23526865c1f205

    SHA256

    23b8ace90097b121a5ca79557b9880d4cbb8ce14277a4fdc27ae7330afb41a01

    SHA512

    21ad94af27884ff361ca544c08aed6f92c3c0da0154179f4c890700ac14d2348fd9a829d06a87052df9e31c5342e2439f4352dedb085676eb580c53bdafc1996

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    429e8c295876d5b45af0bbc03506c5ad

    SHA1

    c4517fbc3181d63517fb57cc58f66190d1e62aae

    SHA256

    9cfecc10e733c129c4d0767b125fcba2fa2b8336bca36b82df215e65544480ad

    SHA512

    e9d140a32424aa5412878a4e32eec930c8e3e4905d2260ba18c951dac652333922bae16b564878de0d49bc87682d2bdbdbb7bb17700b2a7b18f7f9f8a2cba173

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Mozilla\firefox.exe
    Filesize

    31.0MB

    MD5

    215ed4463d4c5c5fa19446295d3be4d6

    SHA1

    b3b06fb42b144a543c2fddbf5af8f03f5e84dbb6

    SHA256

    6ce9ddd7e33651d629918d9a28d04e7178e1d9121287901389b59e90ee2f8edb

    SHA512

    ad96c451a1e4cf700efafba4efd61657d31622f2d87a477e84062aa623c0846ded390c77f9f24b321b467ff6737c351219b05f11b74f33d45774e037a47d3002

    Download Submit

  • \Users\Admin\AppData\Local\Temp\firefox.exe
    Filesize

    466KB

    MD5

    4a9ca14c5b711f3b09d52d6ddaf54b4c

    SHA1

    92b3955e6b96418f0c404c23f87192ac01990e3d

    SHA256

    0ca7a365b20014122144d6c389855a0393b9295c94d751866381f29160b9deb4

    SHA512

    8827ef565ca8f1cb638d0c5acb7195ad4c9ba72c05b827570278eac42f0a3a6122d35f70847feaf7dce474c4d1bf54e8f8ea08ea0f490ad05b592ee34e7dbace

    Download Submit

  • memory/600-67-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/600-65-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/600-72-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/600-73-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/600-75-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/600-69-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-32-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-28-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-39-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-40-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-36-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-34-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-31-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-26-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-43-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1620-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-3-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-2-0x0000000073F90000-0x000000007467E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2280-1-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2280-41-0x0000000073F90000-0x000000007467E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2280-5-0x0000000005040000-0x00000000050EA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2280-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2280-4-0x0000000073F90000-0x000000007467E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2664-44-0x00000000048B0000-0x00000000048E8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2664-24-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download