stealthworker | f13b822a76e800b7591000e93616685cf05f528ff52fcd9a9372e50629fbd734

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe
Size

2.4MB
MD5

d5cf11dda7176e2123bdbd5e184c24e7
SHA1

0609e5ca0011bbbd5e75ce1e73909a8cbc23880c
SHA256

f13b822a76e800b7591000e93616685cf05f528ff52fcd9a9372e50629fbd734
SHA512

b187871247af997d14acbf0de3a313b3b63b9428a61ffe8dbd36020f4077d212974c8f5208bf077c02986f1ab8bc6503c3aa2da7e7b364d27b1856fdc817c54e
SSDEEP

49152:pInY06bvoFZCtOQ0IfBsyOnZsszhrcVUONLxwC7WTUIhIpt4ptKF1yMI5n:pi5yvorUfqvzhkmC7F87KqVn

Score

10^/10

stealthworker botnet discovery

Malware Config

Extracted

Family

stealthworker

Version

3.06

http://teemsystems.info:8888

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 4260	956	d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe	83
PID 956 wrote to memory of 4260	956	d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe	83
PID 956 wrote to memory of 4260	956	d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5cf11dda7176e2123bdbd5e184c24e7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
305B

MD5
79f5cf076ab71c636f922909bde864e8

SHA1
3de2bdd6eba9383dc7e872f4f2c6f821a6c9a4cb

SHA256
e9610b5a136b8fcac4d8f0f70da86e5eaceab3cba613e757773ab5e92aeaa77a

SHA512
d6d149af39554fc0de1d928e715e6f5137acc5b311a63e51382f4ff5006d0ced5978ceacbdde9730428994b300e91cf6e5bceb47573e4787990ee78fc5d3e3b4

Download Submit
memory/956-12-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-14-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-7-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-8-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-9-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-10-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-6-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-11-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-13-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-0-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-15-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-16-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-17-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-18-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-19-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download
memory/956-20-0x0000000000400000-0x0000000000AE4000-memory.dmp

Filesize
6.9MB

Download