Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2024 20:32

General

  • Target

    f08f1aa3c5032ea42e94d0b4e4fb26ff_JaffaCakes118.exe

  • Size

    212KB

  • MD5

    f08f1aa3c5032ea42e94d0b4e4fb26ff

  • SHA1

    302fe72736c735e8b164d8a27a638c47285de9c1

  • SHA256

    0b19af1135b7c65d63c372d0679ad30d18383df55283237f4fcfe57520458599

  • SHA512

    d731bfaa104334a1f7b8f7ecb48332df2fdc26aa51d86da4ce0d77ccc05d052401b1f0dc42cf68903449f6ddb10c1e5a136c76686c84fb4e55bbc57b1fba3f80

  • SSDEEP

    3072:7yoO0nALc8GrtL6idfyGRoa5aO3Me84J95kVuaNTpD9Hm/pmgFMFDKJh:iLcJrtLpVox0msatm/EgFMFeJ

Malware Config

Extracted

Family

netwire

C2

auth.dynns.com:1212

auth.myddns.me:1111

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    true

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f08f1aa3c5032ea42e94d0b4e4fb26ff_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f08f1aa3c5032ea42e94d0b4e4fb26ff_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Roaming\Install\Host.exe
      -m "C:\Users\Admin\AppData\Local\Temp\f08f1aa3c5032ea42e94d0b4e4fb26ff_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1864

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Install\Host.exe

    Filesize

    212KB

    MD5

    f08f1aa3c5032ea42e94d0b4e4fb26ff

    SHA1

    302fe72736c735e8b164d8a27a638c47285de9c1

    SHA256

    0b19af1135b7c65d63c372d0679ad30d18383df55283237f4fcfe57520458599

    SHA512

    d731bfaa104334a1f7b8f7ecb48332df2fdc26aa51d86da4ce0d77ccc05d052401b1f0dc42cf68903449f6ddb10c1e5a136c76686c84fb4e55bbc57b1fba3f80

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Biannually1.vbe

    Filesize

    384B

    MD5

    0f8888c293619d54449dcff068817a91

    SHA1

    0534ec5ac5e74c3fe4f3210748fe3f6998363867

    SHA256

    439fe869e842a15ea416df47dbb4d759cfde9a843d59d1d964a10bb984129b3f

    SHA512

    d57655506df079874fdba6bbbd1c7fa9bcff5c7687cab9c40ce9fb8936777c67fcfa9a542699d999379fdc8342238a205190b373c0a0a1e15ad8a3ce305b5f94

  • memory/1864-26-0x0000000074BA0000-0x0000000074CFD000-memory.dmp

    Filesize

    1.4MB

  • memory/1864-29-0x0000000074BA0000-0x0000000074CFD000-memory.dmp

    Filesize

    1.4MB

  • memory/3188-5-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3188-10-0x0000000076EE1000-0x0000000077001000-memory.dmp

    Filesize

    1.1MB

  • memory/3188-15-0x0000000074BA0000-0x0000000074CC0000-memory.dmp

    Filesize

    1.1MB

  • memory/3188-14-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3188-16-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB