Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-09-2024 06:37

General

  • Target

    e63df87df22bc2302cd69c4235d33540_JaffaCakes118.ps1

  • Size

    1.5MB

  • MD5

    e63df87df22bc2302cd69c4235d33540

  • SHA1

    07c0969da07fb6c81e4d87031e59150d9485639d

  • SHA256

    9ba0535c61d531c8128acb5431ca8308e9fec809a9098921e6074822ab2302b9

  • SHA512

    dcc3e688c99d01113ea73994e01944cac2a4da6ac85821700361db19b8274a73b1e4f0bddf8314061e8e54bd6473646a6bdc06132e3b967fa9833f8f3aa43d57

  • SSDEEP

    24576:Mw2O9/TgwrSUhVPHahmorI0hnvUwLS4A9ifw/vk2+4R:x95cwOI0Zh20fwpBR

Malware Config

Extracted

Family

netwire

C2

turnawayfromyourevilways.duckdns.org:5123

turnawayfromyourevilways.duckdns.org:4123

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    true

  • host_id

    CONNECTION TEST

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    HKBWgTeq

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 2 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Use of the powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\e63df87df22bc2302cd69c4235d33540_JaffaCakes118.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Public\lfyd.exe
      "C:\Users\Public\lfyd.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\APPENDIX B - RFP 2044644.pdf"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2296
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Public\lfyd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\timeout.exe
          TimeOut 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3000
      • C:\Users\Public\lfyd.exe
        "C:\Users\Public\lfyd.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\APPENDIX B - RFP 2044644.pdf

    Filesize

    45KB

    MD5

    07e74d5315dd64caf2911790872a6956

    SHA1

    ca39a5d4def85a1195cea755a13a2354eebd1d59

    SHA256

    9fd5ed20b1e46911df51e259f86dd687f76a9d79c41de8c7053e658c1d2d93e5

    SHA512

    b235eb9ce9d5a052a35a1d0f4e5555c4513222aaf533c9e9abaff72f06400308d01aa111e64e3937a1317a5b1dbf2a5a6731384e32ee1af9d471fbeafd6b340d

  • C:\Users\Admin\AppData\Local\Temp\dmclient\NetEvtFwdr.exe

    Filesize

    1.1MB

    MD5

    6e4f518683d4780429095fbebf5b7c50

    SHA1

    fd73b6c8243acbd2cdba90881d3a95edad1d2194

    SHA256

    3762ae8ac8503882d654b701111f2a6d29c066d5ba3b67b0b536ad88a42fa0be

    SHA512

    be0d59843dad570984008b503540fcbce3b7b2a46d131aecf79271013b658afca797d6a323c9d3f131ccd35e06c1d0553f30936ab370a3510ed908f6d9d3e313

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    503c420b525ab18b47ca7878189b4fba

    SHA1

    fd1faf9dbe26b822f54c37f39c646dc75c37a685

    SHA256

    a2a077b9dfa2c0e8799ecd1ff00d150282ba92091854f721ae59a2735d3ee68b

    SHA512

    33e81b05d3a60a971c40a98d00199906c11d82dbe1b609f17f10e39a54e7681e13fdfd492aa62d457e4bccedef4e8c197d90092de55499f2ef00bec9f780b082

  • C:\Users\Public\lfyd.exe

    Filesize

    1.1MB

    MD5

    7db0abdd88a0df42e25b3fd1b0b86b52

    SHA1

    5948b4b2d6b3e634843986abf8131e9cc62c1128

    SHA256

    9b419a5d68c20e412fd58dec7774ca8ab4e2cd11c3faa282f4dde44930e5ea01

    SHA512

    f70b3605bbb18fd2ac7ac5b6030d8822161146c8164b1c9b8f573e5b9b1d1debeb0784ac67d615fa8f0931a617768b668d26084a419bb7d9e5fe6039c4b381d9

  • memory/2520-8-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

    Filesize

    9.6MB

  • memory/2520-9-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

    Filesize

    9.6MB

  • memory/2520-4-0x000007FEF69BE000-0x000007FEF69BF000-memory.dmp

    Filesize

    4KB

  • memory/2520-15-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

    Filesize

    9.6MB

  • memory/2520-7-0x000007FEF6700000-0x000007FEF709D000-memory.dmp

    Filesize

    9.6MB

  • memory/2520-6-0x0000000002070000-0x0000000002078000-memory.dmp

    Filesize

    32KB

  • memory/2520-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

    Filesize

    2.9MB

  • memory/2860-49-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2860-45-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/2860-41-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2860-39-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB