Analysis Overview
SHA256
bdf2ac2fd9106e36b071409e48ba9c1996c4b987b6d28e6baf70046316d27c00
Threat Level: Known bad
The file 99693f2f6c85421734381a0957f5e382_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NetWire RAT payload
Netwire
Netwire family
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 05:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 05:11
Reported
2024-11-25 05:14
Platform
win7-20241010-en
Max time kernel
38s
Max time network
19s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2600 set thread context of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LlLyRuJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp"
C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 140
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmpFB9E.tmp
| MD5 | 9236c9aa0d1963122fbdb412346eca91 |
| SHA1 | 706ba9bf115e00aaafa99552dfd7005433e3bd4d |
| SHA256 | d819c19990e40a99988329a9754a8ca05cc6fe1f6d75f480efb98885c615adc5 |
| SHA512 | c85e48ed77534b9d32478596d293b5d77aab0e87b4c29eacf17c9c12dd486e16ebdb77244ae8afb472939f67d51065bdba8d7ead077a2263ffe8e1d7cf9fb07c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 05:11
Reported
2024-11-25 05:14
Platform
win10v2004-20241007-en
Max time kernel
111s
Max time network
141s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 3524 | N/A | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LlLyRuJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3052.tmp"
C:\Users\Admin\AppData\Local\Temp\99693f2f6c85421734381a0957f5e382_JaffaCakes118.exe
"{path}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 193.23.127.96:5004 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 193.23.127.96:5004 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp3052.tmp
| MD5 | bbcff1aa0845cdc74d95efd258f63594 |
| SHA1 | cfb928d54cc9fec283730ed9a01ddccfbe9df1d7 |
| SHA256 | 7a396b58b4755618db461d75c78dcb934a510423346eda2aa1b8f93c2d82c0d7 |
| SHA512 | dbf7aa10ae161579e04a2fe4d650f7ffe397e9702e0f0c565ded21984e09f53c293eac2d41d45c03d0030bd0603f88111cb84492be07b75d8b13f0b2f6ad7bdf |