Overview

overview

10

Static

static

3

7beb088d24...18.exe

windows7-x64

10

7beb088d24...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 05:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe

  • Size

    4.8MB

  • MD5

    7beb088d242e66f5cce11a084bff8c97

  • SHA1

    fb1196b51f191f3c92e3d54dd649faac0451f395

  • SHA256

    886b49c0050de4f05f48028ebfd87d2b552ee61141dda7bd836b3f3129249a00

  • SHA512

    3e2a56254a3f3eb9aed67bd3a06b0d4023b6de45f503cf07de5c7417a59f6bd5ef1d821728cfb0a5fa31b15267cd65803db42252bb6199170c0305d58da98dd5

  • SSDEEP

    3072:w30F9m8D+EVl+xF945o3xUvS36894wkpmf3cLsGrFKdAtaIuuaBktbVJgNZBu:w389R+Er+Fu5WUvg6rpmUXQRuaBhNZ

Score
10/10
netwirebotnetdiscoverypersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

94.177.123.116:3368

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    win10ram

  • keylogger_dir

    %AppData%\axe\

  • lock_executable

    false

  • mutex

    mxjvAOdg

  • offline_keylogger

    true

  • password

    Invalid123!

  • registry_autorun

    false

  • use_mutex

    true

Signatures

  • NetWire RAT payload 1 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Netwire family
    netwire
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe
        "C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe
          "C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe
    Filesize

    4.8MB

    MD5

    d33769f0e4c4bdad17606ce73812752a

    SHA1

    a1cd055c65c8553eb4bcf8f370246e3ea4d4134d

    SHA256

    57b0ee6870acb9c988ab40f6bfb793df6c80bef599d5bc5ddc1b2a424fdb4478

    SHA512

    653e445add78cda8d4af3494e7c60a34d3e98d4b3b2996dde9c41eea70f3643fdfbac252d65fbe4cb220c7c3085ef9da19fecb8456764cd60e1e8432a2d9a25e

    Download Submit

  • C:\Windows\win.ini
    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

    Download Submit

  • memory/2888-29-0x0000000000400000-0x00000000008C8000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/4436-3-0x0000000077B61000-0x0000000077C81000-memory.dmp

    Filesize

    1.1MB

    Download