General
Target: ffacdf40d353463f928a8029b6f1b80e_JaffaCakes118
Size: 295KB
Sample: 240930-bse4xsvcme
MD5: ffacdf40d353463f928a8029b6f1b80e
SHA1: 21f0409a67fcadd76ac5fc8b5c2514cf5948d955
SHA256: 9ee9e88a580a335170d7a00352ec053966974e41fe556147225905a35f058779
SHA512: 18902d227186f1b956c52fb1ccde6e12f211d8a4fbb9a96c7499ff38007216116ddd16fc89b6db1304b70f113e9d78abcdc908e1c64b6a7635fce0e4b40231e8
SSDEEP: 3072:O0gNIineV1ilcc3uRBxr5sePDGaU/YEElhYvohF9pbuqIBkOkffXP0o73n0x1N+C:cN9eTIuRBXseNstAhhuRkXPP74+5k
Static task: static1
Behavioral task: behavioral1
Sample: ffacdf40d353463f928a8029b6f1b80e_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config
Extracted: netwire
ilenerebeka.ddns.net:1866
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Tochukwu45.
registry_autorun: false
use_mutex: false
Targets
- NetWire RAT payload
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext