General
- Target: 735eddee12acb57b02e33b06c3614ef7_JaffaCakes118
- Size: 2.8MB
- Sample: 241024-m1y3jsydpn
- MD5: 735eddee12acb57b02e33b06c3614ef7
- SHA1: 897921bf02dee9cc1b10755a5e38cdff631ad0ab
- SHA256: c64afd566b4daa00151c5c6835fc38069c6a7419590a8af40c8f4a6ff847870e
- SHA512: 83bb98c4c04d100548e43956f3960b6dfafa8ad7cd8a57f0354de632fa3407d0e87fc6c691a999225689344c565320c6a17744230219d6e277209ea7ffd0fb15
- SSDEEP: 49152:SlvmAvSSFH6UsEnVVuoOajWETbaaCtF0ygG/D4R6yPLRpHd4OT6:8hFaOJOuDQXgG/D4wQRp9f
Static task: static1
Behavioral task: behavioral1
- Sample: 735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
- Resource: win7-20240903-en
Malware Config
Extracted: netwire
C2: trololo.dynamic-dns.net:6273
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: RsNaujas
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: nesamone
- registry_autorun: false
- use_mutex: false
Targets
- Target: 735eddee12acb57b02e33b06c3614ef7_JaffaCakes118
Signatures
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext