stealthworker | c37290f320f0ff640fe3e8764ba359427c3055d1eb1eebcc557a956708bd5d8e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e05f8762256d965476733822af855604_JaffaCakes118.exe
Size

2.1MB
MD5

e05f8762256d965476733822af855604
SHA1

f198d259101ad85e2bc03582680c19260e76e79b
SHA256

c37290f320f0ff640fe3e8764ba359427c3055d1eb1eebcc557a956708bd5d8e
SHA512

1e1ef1f0218552d4bc0088c17995499880cdc810ae158e12a19558de5629aafe0a7e0011b14b303e5abc1ec6f9fa7f0eeb667f1be10d81628ddeddb8fd59726f
SSDEEP

49152:w7cNuGXqqcjPLk+SZYI7iWxqwrYZb+zwyj5bCtHRzIhElUhkAps1:w7cN9DcjjknZPxqmpkIh8Uhb4

Score

10^/10

stealthworker botnet discovery

Malware Config

Extracted

Family

stealthworker

Version

3.12

http://176.121.14.53:8888

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchoost .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchoost .exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

e05f8762256d965476733822af855604_JaffaCakes118.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e05f8762256d965476733822af855604_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e05f8762256d965476733822af855604_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2340 wrote to memory of 3936	2340	e05f8762256d965476733822af855604_JaffaCakes118.exe	83
PID 2340 wrote to memory of 3936	2340	e05f8762256d965476733822af855604_JaffaCakes118.exe	83
PID 2340 wrote to memory of 3936	2340	e05f8762256d965476733822af855604_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\e05f8762256d965476733822af855604_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e05f8762256d965476733822af855604_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s.bat

Filesize
305B

MD5
66be48d6c0d1b3653457fea367c3a8f9

SHA1
264fa5e8b055454186dd829f9b6f77dd4930e040

SHA256
9003a806a4a10cef9ba5c31d40dc66814d8dae6dec1cc8f9ea2b105b04704fb0

SHA512
a8a336f1ef5bd4e10014529d69d42701090cbb5342dc87fd2754955f684eb879ab9d674d5dc682a8ff26f0822d870015f39a53f5e7232f38f9ea346981682b99

Download Submit
memory/2340-12-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-6-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-7-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-9-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-10-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-0-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-13-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-14-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-15-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-16-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-17-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-18-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-19-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download
memory/2340-20-0x0000000000400000-0x0000000000AE5000-memory.dmp

Filesize
6.9MB

Download