Malware Analysis Report

2024-10-19 10:24

Sample ID 240906-z3cnjsyamm
Target d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118
SHA256 033ce6f96b137b9d18e2033b847c6718bee3beb197bc2ca2627cb7344f99b989
Tags
rat netwire botnet discovery persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

033ce6f96b137b9d18e2033b847c6718bee3beb197bc2ca2627cb7344f99b989

Threat Level: Known bad

The file d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

rat netwire botnet discovery persistence stealer

Netwire

NetWire RAT payload

Netwire family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): no technique mapping is included in this export.

Analysis: static1

Detonation Overview

Reported

2024-09-06 21:14

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
1 match, all fields N/A

Netwire family

netwire

Unsigned PE

Description Indicator Process Target
1 match, all fields N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-06 21:14

Reported

2024-09-06 21:16

Platform

win7-20240903-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
9 matches, all fields N/A

Netwire

botnet stealer netwire

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
(Description, Indicator and Target: N/A)

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"
Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
Target: N/A
The value is written by the dropped copy itself (Host.exe) and points back at its own image: the autostart entry is created by the payload once it is running from %APPDATA%\Install, not by the original executable in %TEMP%.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 automan.duckdns.org udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 automan.duckdns.org udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp

Files

\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 d076f5ede332d4f5bd3146a179ac9e7b
SHA1 fb3d1f2d5e5a48947397a74ff03301f5e25d4495
SHA256 033ce6f96b137b9d18e2033b847c6718bee3beb197bc2ca2627cb7344f99b989
SHA512 25f5c21f123885d2b76de706e8f7b4b1f52d7a9338b0c6062ae281b51f6d20f63d3539b59db24ad2f99428db6c9d404849817d5bc78103a50d8701e8e89b572c

All four hashes equal those of the submitted sample (its MD5 is also the prefix of the submitted file name), so Host.exe is a byte-for-byte copy of the original executable placed under %APPDATA%\Install, not a separately unpacked second-stage payload.

Memory dumps (all cover 0x00400000-0x0042B000, 0x2B000 bytes, taken from two processes):
memory/780-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-10-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-15-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-19-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2456-23-0x0000000000400000-0x000000000042B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-06 21:14

Reported

2024-09-06 21:16

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
14 matches, all fields N/A

Netwire

botnet stealer netwire

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe
Target: N/A

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
(Description, Indicator and Target: N/A)

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"
Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
Target: N/A
Same entry as on Windows 7: the dropped copy registers its own image under the per-user Run key. Note the key is logged here as SOFTWARE rather than Software; registry paths are case-insensitive, so any matching must be too.
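The same Run-key write appears in both behavioral runs: HKCU ...\Software\Microsoft\Windows\CurrentVersion\Run\NetWire pointing at %APPDATA%\Install\Host.exe, written by Host.exe itself, with the key spelled Software on Windows 7 and SOFTWARE on Windows 10. The Python below is an added example for this report, not sandbox output and not NetWire code. It parses rows in the sandbox's single-line form ("Set value (str) <key>\<value> = "<data>" <process> <target>"), maps the \REGISTRY\USER\<SID> and \REGISTRY\MACHINE prefixes to HKU/HKLM, and flags autostart entries whose value name or launch directory matches this sample, also recording whether the writing process registered its own image. The two NetWire rows are copied from the tables above; the OneDrive and RunOnce rows are constructed for contrast, and RUN_KEYS, KNOWN_VALUE_NAMES and SUSPICIOUS_DIRS are the example's own choices rather than fields of the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example for this report; not sandbox output. Indicators come from the
# persistence signature tables above, the key list and the benign rows are assumed.

# One "Set value (str)" row: <key>\<value name> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<process>\S+) (?P<target>\S+)$'
)

# Autostart keys, compared case-insensitively (behavioral1 logged "Software",
# behavioral2 logged "SOFTWARE" for the same key).
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\wow6432node\microsoft\windows\currentversion\run",
}
KNOWN_VALUE_NAMES = {"netwire"}                      # value name this sample writes
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\install\\",)  # drop directory this sample uses


@dataclass
class RunKeyWrite:
    hive: str               # HKU or HKLM
    sid: Optional[str]      # user SID for HKU keys, None for HKLM
    key: str                # key path below the hive
    name: str               # value name
    image: str              # executable the value launches
    process: str            # process that wrote the value
    self_registered: bool   # writer registered its own image
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_hive(key: str) -> Tuple[str, Optional[str], str]:
    """Map \\REGISTRY\\USER\\<SID>\\... and \\REGISTRY\\MACHINE\\... to HKU / HKLM."""
    parts = key.split("\\")          # ['', 'REGISTRY', 'USER'|'MACHINE', ...]
    if parts[2].upper() == "USER":
        return "HKU", parts[3], "\\".join(parts[4:])
    if parts[2].upper() == "MACHINE":
        return "HKLM", None, "\\".join(parts[3:])
    raise ValueError(f"unexpected registry root in {key!r}")


def command_image(data: str) -> str:
    """First token of a Run value: the executable path, quoted or not."""
    data = data.replace("\\\\", "\\")   # the sandbox doubles backslashes in (str) data
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def parse_run_key_writes(rows: List[str]) -> List[RunKeyWrite]:
    findings = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue                                    # not a value-set row
        hive, sid, key = split_hive(m["key"])
        if key.lower() not in RUN_KEYS:
            continue                                    # not an autostart key
        image = command_image(m["data"])
        f = RunKeyWrite(hive, sid, key, m["name"], image, m["process"],
                        self_registered=image.lower() == m["process"].lower())
        if f.name.lower() in KNOWN_VALUE_NAMES:
            f.reasons.append("value name used by NetWire RAT")
        if any(d in image.lower() for d in SUSPICIOUS_DIRS):
            f.reasons.append("autostart image lives under %APPDATA%\\Install")
        findings.append(f)
    return findings


SAMPLE_ROWS = [
    # the two rows from the report (behavioral1 on Windows 7, behavioral2 on Windows 10)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" C:\Users\Admin\AppData\Roaming\Install\Host.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe" C:\Users\Admin\AppData\Roaming\Install\Host.exe N/A',
    # constructed rows: a benign per-user autostart and a machine-wide RunOnce entry
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup = "C:\\Windows\\Temp\\cleanup.cmd" C:\Windows\System32\cmd.exe N/A',
    # a row that is not a value write at all (copied from the discovery table)
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Install\Host.exe N/A',
]

if __name__ == "__main__":
    for f in parse_run_key_writes(SAMPLE_ROWS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.hive} {f.key}\\{f.name} -> {f.image} (written by {f.process}) {f.reasons}")
```

Self-registration alone is not a verdict (the constructed OneDrive entry does the same), which is why it is recorded as a flag but only the value name and the %APPDATA%\Install launch path count as reasons; in a real hunt the same parser can be pointed at Sysmon registry value-set events after trimming them to the same four fields.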

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\Install\Host.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d076f5ede332d4f5bd3146a179ac9e7b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 automan.duckdns.org udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 automan.duckdns.org udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 36.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 automan.duckdns.org udp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
US 192.169.69.26:3382 automan.duckdns.org tcp
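Two kinds of DNS traffic are mixed into this table: forward lookups of the C2 name automan.duckdns.org, which the TCP rows show resolving to 192.169.69.26:3382, and reverse (PTR) lookups of the form a.b.c.d.in-addr.arpa. One of those, 26.69.169.192.in-addr.arpa, is the reverse of the C2 address itself; the others name addresses that no TCP row in this trace contacts. The Python below is an added example for this report, not sandbox output: it parses "Country Destination Domain Proto" rows from either Network table, counts C2 resolutions and connections, records which ip:port each name was contacted on, and sorts PTR queries into those for the C2 address, those for other contacted addresses, and the rest. The rows listed are a subset of this table plus one constructed TCP flow to example.com so that the "PTR for a contacted address" path has something to match; C2_DOMAINS and C2_ENDPOINTS are taken from the table.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example for this report; not sandbox output.
# C2 indicators taken from the Network tables above.
C2_DOMAINS = {"automan.duckdns.org"}
C2_ENDPOINTS = {("192.169.69.26", 3382)}


@dataclass(frozen=True)
class Flow:
    country: str
    dst_ip: str
    dst_port: int
    domain: str
    proto: str


def parse_flow(row: str) -> Flow:
    """Parse one 'Country Destination Domain Proto' row,
    e.g. 'US 192.169.69.26:3382 automan.duckdns.org tcp'."""
    country, dst, domain, proto = row.split()
    ip, _, port = dst.rpartition(":")
    return Flow(country, ip, int(port), domain, proto.lower())


def ptr_target(name: str) -> Optional[str]:
    """Map a reverse-lookup name back to its IPv4 address:
    '26.69.169.192.in-addr.arpa' -> '192.169.69.26'.
    Returns None for forward names and malformed in-addr.arpa labels."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def summarize(rows: List[str]) -> Dict[str, object]:
    flows = [parse_flow(r) for r in rows]
    c2_ips = {ip for ip, _ in C2_ENDPOINTS}
    # addresses the sample actually connected to (resolver traffic excluded)
    contacted: Set[str] = {f.dst_ip for f in flows if f.proto == "tcp"}
    resolved: Dict[str, Set[str]] = defaultdict(set)
    summary: Dict[str, object] = {
        "c2_dns_queries": 0,        # forward lookups of a C2 name
        "c2_tcp_connections": 0,    # connections to a C2 ip:port
        "ptr_for_c2": [],           # PTR lookups of the C2 address
        "ptr_for_contacted": [],    # PTR lookups of other contacted addresses
        "ptr_background": [],       # PTR lookups of addresses never contacted
    }
    for f in flows:
        if f.proto == "udp" and f.dst_port == 53:
            target = ptr_target(f.domain)
            if target is None:
                if f.domain.lower() in C2_DOMAINS:
                    summary["c2_dns_queries"] += 1
            elif target in c2_ips:
                summary["ptr_for_c2"].append(f.domain)
            elif target in contacted:
                summary["ptr_for_contacted"].append(f.domain)
            else:
                summary["ptr_background"].append(f.domain)
        elif f.proto == "tcp":
            resolved[f.domain].add(f"{f.dst_ip}:{f.dst_port}")
            if (f.dst_ip, f.dst_port) in C2_ENDPOINTS:
                summary["c2_tcp_connections"] += 1
    summary["resolved"] = {d: sorted(v) for d, v in resolved.items()}
    return summary


SAMPLE_ROWS = [
    # copied from the behavioral2 Network table
    "US 8.8.8.8:53 automan.duckdns.org udp",
    "US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp",
    "US 192.169.69.26:3382 automan.duckdns.org tcp",
    "US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp",
    "US 192.169.69.26:3382 automan.duckdns.org tcp",
    "US 8.8.8.8:53 automan.duckdns.org udp",
    "US 192.169.69.26:3382 automan.duckdns.org tcp",
    "US 192.169.69.26:3382 automan.duckdns.org tcp",
    # constructed: a TCP flow to an address the table also reverse-resolves,
    # so the "PTR for a contacted address" branch is exercised
    "US 93.184.221.240:443 example.com tcp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The PTR lookup of the C2 address is worth keeping as its own bucket: it is the sandbox host resolving the peer it just connected to, so it appears in the trace only after the TCP session to 192.169.69.26 exists and is a second, independent sighting of the C2 IP.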

Files

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 d076f5ede332d4f5bd3146a179ac9e7b
SHA1 fb3d1f2d5e5a48947397a74ff03301f5e25d4495
SHA256 033ce6f96b137b9d18e2033b847c6718bee3beb197bc2ca2627cb7344f99b989
SHA512 25f5c21f123885d2b76de706e8f7b4b1f52d7a9338b0c6062ae281b51f6d20f63d3539b59db24ad2f99428db6c9d404849817d5bc78103a50d8701e8e89b572c

Same hashes as the submitted sample: on Windows 10 as on Windows 7, Host.exe is a self-copy of the original executable, not a separately unpacked payload.

Memory dumps (all cover 0x00400000-0x0042B000, 0x2B000 bytes, taken from two processes):
memory/740-8-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-9-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-11-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-12-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-13-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-14-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-15-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-17-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-19-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-20-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3584-21-0x0000000000400000-0x000000000042B000-memory.dmp