Analysis Overview
SHA256: 7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650
Threat Level: Known bad
The file d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire
Drops startup file
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-09 15:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-09 15:31
Reported: 2024-09-09 15:33
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 119s
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Netwire
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2720 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4F9.tmp" "c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\CSCC482708DAAAF4C1D87EA3686476BF663.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | extensions14718.sytes.net | udp |
| US | 8.8.8.8:53 | extensions14718sec.sytes.net | udp |
Files
memory/2720-0-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/2720-1-0x0000000000E70000-0x0000000000EB6000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.cmdline
| MD5 | 11177b781f03b0761859c41b315b64b6 |
| SHA1 | f5335dfdce53da77c4912bd3c35895ee6045a82e |
| SHA256 | 44f7263d9e2f1d6ddaebb7bf1467e8e45679a1ba426e995497b0fbdd738098d8 |
| SHA512 | d64cd151bbb32a830e3230e2540969008b277555c24c09e0a49d459148809eca03369bc1465b8314b9568c5055d9dd5e14b6b4b8084733f5ece9df5b053f3377 |
memory/2720-5-0x00000000749C0000-0x00000000750AE000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.0.cs
| MD5 | 9fafd44315a524486b84e23bedaec8bf |
| SHA1 | 0d2820c6a0d71d57200dccafa2c6fb421269f2ec |
| SHA256 | 549faa466584fa74103c11227ef0b811cf96bda2d27b5c1c53fc2f053e96db74 |
| SHA512 | e5f2023c15f49f7758d11972e4edf00731956cf69b0b52df6a1bed00dbe756ce87b1a76af9c7dacd3abdae374da8452d6c9790f5e1ebee4ceee9c74e23778280 |
\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\CSCC482708DAAAF4C1D87EA3686476BF663.TMP
| MD5 | d6007bac205a9a3a6dc6eb5f35877526 |
| SHA1 | ddc2f0053823449ac3b3891f3c9b0bc22a83073f |
| SHA256 | 751f4c51152069035c25846dab26a9e5ebee49ae3ca43543c40fed544f98915f |
| SHA512 | e2833447f9ebd8c80bc020b853565ed015af60558828969cd7769e89be55660e67173703118b717c732a14157b95b2312107621d24c1e33aece24fad71785b06 |
C:\Users\Admin\AppData\Local\Temp\RESF4F9.tmp
| MD5 | 71eb1c8a86fdbf92445016924cbac14c |
| SHA1 | bff575815e17c5424e6639fbd2806f8fe6471a3d |
| SHA256 | a528948ea0e1ae10f8361dec9606d6448272b289d9058815c2fc9c3616d80cc4 |
| SHA512 | 7454161d925305e5aaa949fd15bc4361237d35450f15f6b0ab8b6adfd344ca3e03c88fcb552b370040acfb61717cf3c1b76957a69f1ebd9f00084c72df9a898c |
C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.pdb
| MD5 | ee37d19534cb08c17cb0b17588ab92ef |
| SHA1 | be219a1e7fd49d14460f11141f9eba139afa5dae |
| SHA256 | 46ea0446d09b0bb2fe54854c5737c8b99c03e3f0d34c71a0127e00a2b07c9956 |
| SHA512 | 6741517ab0c400cb6e4fa87545eaf848b2fb455f4243953667a16e820d59e9a9ea7403daf2773898c8c71f58cbd62524a0d4d179532d22cef5bbeecb04dfd556 |
C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.dll
| MD5 | 9054d80aa07f7a998564cd332bf788bf |
| SHA1 | e5c4ab117eac903a531f28f4a2a8bf274f99a22c |
| SHA256 | 75c28e0242f3000015372de26bc6f56048ca41fe2f1cfb4b2c3bc1c0f5537f6c |
| SHA512 | 768d6e24aada4c4bb50add342ecebc1373a3f9281f34396c244dee9291976865fad16dd41cf4f06a32b3f77783287d8470d6cff5ab0145e18af31ecf08e89027 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-09-09 15:31
Reported: 2024-09-09 15:33
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 153s
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Netwire
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3156 set thread context of 708 | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8702.tmp" "c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\CSC436D0B4487CD4416A574D5DEA2CE508.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | extensions14718.sytes.net | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | extensions14718sec.sytes.net | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/3156-0-0x000000007442E000-0x000000007442F000-memory.dmp
memory/3156-1-0x00000000005F0000-0x0000000000636000-memory.dmp
memory/3156-5-0x0000000074420000-0x0000000074BD0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.cmdline
| MD5 | 8d7473375381ef41de8ac2a722845ece |
| SHA1 | 6d3602d8f7072e14e3575dbdaff87039289ea7cd |
| SHA256 | d3964d7904e05c174531fe052a915e86d1ec64cf2f47c6f17747daab8318e3e7 |
| SHA512 | 2e7e481358b868bb3b73aaaea5f1fc2e4164a2b545072e73488c06502d2c828737a95d8042df154c054fdedf2cc4c084eb83e8a2c324a4e17330d3eb25fffa6e |
\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.0.cs
| MD5 | 9fafd44315a524486b84e23bedaec8bf |
| SHA1 | 0d2820c6a0d71d57200dccafa2c6fb421269f2ec |
| SHA256 | 549faa466584fa74103c11227ef0b811cf96bda2d27b5c1c53fc2f053e96db74 |
| SHA512 | e5f2023c15f49f7758d11972e4edf00731956cf69b0b52df6a1bed00dbe756ce87b1a76af9c7dacd3abdae374da8452d6c9790f5e1ebee4ceee9c74e23778280 |
\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\CSC436D0B4487CD4416A574D5DEA2CE508.TMP
| MD5 | c75e52af1e9dbbe5b5214e74d86e81ff |
| SHA1 | 8cbfa7491740703292aa74555e332af8e8d511aa |
| SHA256 | 323dda5f5e09dd206b0783aab1d98c2edf4f09dad51a5a80a32da1c4fc4ea219 |
| SHA512 | a4a6651bcabe6a60288649d7de75123e9e8a0e04ee71ce5d835cd98291b9d6880f641c24216a316a98ccf2ef68cacbb9096dbeda99505a2bb3d2d5b25803014b |
C:\Users\Admin\AppData\Local\Temp\RES8702.tmp
| MD5 | fac0403a5765ecca79f2e12ad6decdcd |
| SHA1 | e2e6c6a169898041cc660750406c846bff6d600d |
| SHA256 | eff2c9ec7e78513e73446825e1fc9c02f84e75e02911b575274dc5380ab61d8a |
| SHA512 | 1c4db78d7ea4d3259078f3cb179c72ec70b8d72a5718e0e5d2f64259a80be370af10c0f002bc15fd78a4b2913a55d664dbcf898a221286f74a55b61afcac83ad |
C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.pdb
| MD5 | 73a49a7618521b0a60b6bb95ef17a7ea |
| SHA1 | edc395797476c61e98c65781633bfb5485f09076 |
| SHA256 | 893f3e83aa95eb0776fa293446fc41ab1496a1221be4a17e1908ea2ab5b8ffc3 |
| SHA512 | c4381da83b3cc26e9dce270f62b277deea5805568e7fcaab35169e1ee029b3a87f8fa4586b5dc33a87374ddc61c223a9f6a875b75a67cfe8df9acbccaf73e545 |
C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.dll
| MD5 | dbdd9916aa96ca0ad4e17debd86b5f79 |
| SHA1 | c5b441a65afa8b0ad2293253c30dca23dd1b803a |
| SHA256 | 66ee71ae21bb9405aecfd6c07954af4af599ea7f91087f34da24405539dceb1b |
| SHA512 | 5026b6faaf71a83f495be9f4ca6a3d42c4da36927b852e016ec760317e811ed6f74dbf9fdad90809986374be0ff16d1d13b144c9f049a268f996afe69a34b9d0 |