General

Target: JaffaCakes118_3326a928efab31246be7225e71039bb2cc0e25e2e941a6df4c65638eb659a06b
Size: 315.3MB
Sample: 241223-wa26yswnfq
MD5: f38b394ac2927d45437658660fe52beb
SHA1: f89a61635d5bb8782032fb965aabccd4a937b3df
SHA256: 3326a928efab31246be7225e71039bb2cc0e25e2e941a6df4c65638eb659a06b
SHA512: 2fe776da07e384369d8bd6565decf636e188dd4388870fda5fe8723e25b41e2955d4f7bdb4f045884b5658890662ae18f5a60e516e7b2ec052c231103d3f2214
SSDEEP: 6291456:ye6XwWpXiODZAbBKiCBeG9mTvIspSXtqlHwMkRdTQZ:FXWpSOabBRCIGsTvISBkn8Z

Static task: static1
Behavioral task: behavioral1
Sample: 79A7AD7C358A63478887BE6CECD20DE05B172B472C3AD573EC38FA2B1E332BF2.exe
Resource: win7-20240903-en

Malware Config

Extracted
URL: https://i.top4top.io/m_1891i29ay1.mp4

Extracted
Family: netwire
C2: alice2019.myftp.biz:3360
Attributes:
activex_autorun: false
copy_executable: false
delete_original: false
host_id: FRAPPE2021
lock_executable: false
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
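The config block is what an analyst turns into indicators and then cross-checks against the behaviour section further down. The following is an added example, not code from the report or from the sandbox that produced it: it parses the block exactly as listed here (including the "-" separators), validates the C2 host:port, emits indicator tuples, and flags that every NetWire autorun switch in the config is false even though the behaviour list reports "Drops startup file" and "Adds Run key to start application", which means that persistence is installed by something other than the NetWire payload's own configuration. Treating registry_autorun, activex_autorun and copy_executable as the persistence-relevant flags is an assumption; the config text embedded below is a constructed copy of what the page shows.

```python
"""Turn the NetWire config block from the report into structured indicators."""
from __future__ import annotations

# Constructed copy of the config block as the report lists it: one key per line, the value
# on the next line, "-" separators between fields. Copied from the page, not from the sample.
NETWIRE_CONFIG_TEXT = """\
netwire
alice2019.myftp.biz:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
FRAPPE2021
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
"""

# The URL the sandbox extracted alongside the config, as listed on the page.
EXTRACTED_URL = "https://i.top4top.io/m_1891i29ay1.mp4"

# Behaviour signatures on the report that imply persistence was installed.
PERSISTENCE_SIGNATURES = ("Drops startup file", "Adds Run key to start application")

# NetWire config switches that would make the payload itself install persistence.
# Choosing exactly these three as the persistence-related flags is an assumption.
CONFIG_PERSISTENCE_FLAGS = ("registry_autorun", "activex_autorun", "copy_executable")


def parse_netwire_config(text: str) -> dict:
    """Parse the flattened block into family, c2_host, c2_port and typed attributes."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) < 2 or len(lines[2:]) % 2:
        raise ValueError("config block must be family, C2, then key/value pairs")
    family, c2 = lines[0], lines[1]
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"C2 must be host:port, got {c2!r}")
    cfg = {"family": family.lower(), "c2_host": host.lower(), "c2_port": int(port)}
    for key, value in zip(lines[2::2], lines[3::2]):
        lowered = value.lower()
        # "true"/"false" become booleans; anything else (host_id, password) stays a string
        cfg[key] = True if lowered == "true" else False if lowered == "false" else value
    return cfg


def indicators(cfg: dict, extra_urls=()) -> list[tuple[str, str]]:
    """Indicator tuples (type, value) suitable for a blocklist or a STIX bundle."""
    iocs = [("domain", cfg["c2_host"]),
            ("c2", f"{cfg['c2_host']}:{cfg['c2_port']}"),
            ("netwire_host_id", str(cfg.get("host_id", "")))]
    iocs += [("url", u) for u in extra_urls]
    return [(kind, value) for kind, value in iocs if value]


def persistence_mismatch(cfg: dict, observed_signatures) -> bool:
    """True when the sandbox saw persistence but no NetWire config flag asked for it,
    i.e. something other than the payload's own autorun code installed it."""
    config_persists = any(cfg.get(flag) is True for flag in CONFIG_PERSISTENCE_FLAGS)
    observed_persists = any(sig in observed_signatures for sig in PERSISTENCE_SIGNATURES)
    return observed_persists and not config_persists


if __name__ == "__main__":
    config = parse_netwire_config(NETWIRE_CONFIG_TEXT)
    for kind, value in indicators(config, [EXTRACTED_URL]):
        print(f"{kind:16} {value}")
    print("persistence installed outside the NetWire config:",
          persistence_mismatch(config, list(PERSISTENCE_SIGNATURES)))
```

alice2019.myftp.biz is a No-IP dynamic DNS name, so block and hunt on the hostname rather than on whatever address it resolves to today.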
Targets

Target: 79A7AD7C358A63478887BE6CECD20DE05B172B472C3AD573EC38FA2B1E332BF2
Size: 315.3MB
MD5: 3a573b39c6ee245668c50e6f143726a8
SHA1: 649526a6cd120a05a876a089ec0439151d64f636
SHA256: 79a7ad7c358a63478887be6cecd20de05b172b472c3ad573ec38fa2b1e332bf2
SHA512: ed2858aae6d2af0f30b4a88e259183f400ac1f8fa1cd89a673041b9703efaca326698324e94aba71d625ff045eee5460ad71bcf1d932a8bfa310c2b05a72a41b
SSDEEP: 6291456:OWvFOyTZCnrwqttpXAc7dr/zm8Zgc3G3U/9DKWj8B8gx0oE:O8CBtOc7dr/zm5CG0QW3gRE

Signatures
- NetWire RAT payload
- Netwire family
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry: BIOS strings are often read in order to detect hypervisors and sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (ThreadHideFromDebugger, an anti-debugging technique)
- Suspicious use of SetThreadContext (commonly used for process injection, e.g. process hollowing)

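The two anti-VM signatures in the list above (VirtualBox ACPI registry values and BIOS information in the registry) are the checks a sandbox operator has to hide from. The example below is added here and is not part of the report: it evaluates a registry snapshot for the artifacts those checks look for and, on a Windows host, can read the same locations live through winreg. The exact registry paths and vendor strings are an assumption about what this sample reads; the report only names the categories. The two snapshots embedded in the block are constructed, one mimicking a default VirtualBox guest and one a guest whose strings were rewritten.

```python
"""Check a registry snapshot for the VirtualBox ACPI keys and BIOS strings anti-VM code reads."""
from __future__ import annotations
import re

# ACPI table keys whose mere presence identifies VirtualBox (the OEM ID VBOX__ shows up as a
# subkey name). Assumption: these are the values the "ACPI registry values" signature refers to.
VBOX_ACPI_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
}

# BIOS description values whose contents get searched for hypervisor vendor strings.
BIOS_VALUES = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
}

# Vendor strings that give a guest away. Kept narrow so real hardware does not match.
VM_MARKERS = re.compile(r"vbox|virtualbox|innotek|vmware|qemu|bochs|xen|virtual machine", re.I)


def find_vm_artifacts(snapshot: dict) -> list[tuple[str, str]]:
    """snapshot maps a registry path to its string value, or to None for a key that merely
    exists. Returns (path, reason) for every artifact an anti-VM check would trip on."""
    hits = []
    for path in sorted(snapshot):
        value = snapshot[path]
        if path in VBOX_ACPI_KEYS:
            hits.append((path, "VirtualBox ACPI table key exists"))
        elif path in BIOS_VALUES and value is not None:
            match = VM_MARKERS.search(value)
            if match:
                hits.append((path, f"BIOS string contains {match.group(0)!r}"))
    return hits


def collect_live_snapshot() -> dict:
    """Read the same locations from the local registry. Windows only; returns {} elsewhere.
    REG_MULTI_SZ values (SystemBiosVersion) come back as lists and are joined for matching."""
    try:
        import winreg
    except ImportError:
        return {}
    snap = {}
    for path in BIOS_VALUES:
        subkey, _, name = path.partition("HKLM\\")[2].rpartition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                data, _ = winreg.QueryValueEx(key, name)
                snap[path] = data if isinstance(data, str) else " ".join(map(str, data))
        except OSError:
            continue
    for path in VBOX_ACPI_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path.partition("HKLM\\")[2]):
                snap[path] = None
        except OSError:
            continue
    return snap


# Constructed snapshots: roughly what a default VirtualBox guest exposes, and a guest whose
# ACPI OEM ID and BIOS strings were rewritten to look like vendor hardware ("ACME" is made up).
DEFAULT_VBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": None,
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__": None,
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__": None,
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "VBOX - 1",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Oracle VM VirtualBox Version 7.0.0 VBE Adapter",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer": "innotek GmbH",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName": "VirtualBox",
}
HARDENED_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\ACME__": None,
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "ACME - 1072009 1.24.0",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "Intel Video BIOS",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer": "Acme Inc.",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName": "Workstation 9000",
}

if __name__ == "__main__":
    # On a Windows sandbox this reads the real registry; elsewhere it falls back to the sample.
    live = collect_live_snapshot() or DEFAULT_VBOX_GUEST
    for path, reason in find_vm_artifacts(live):
        print(f"{reason:45} {path}")
```

Run it inside the analysis VM before detonating anything: every line it prints is a value the sample could have used to decide it was being watched, and an empty result is the baseline to aim for when hardening the image.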
MITRE ATT&CK Enterprise v15
(the number after each technique is the count of matched signatures)

Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
- Modify Registry (T1112): 2
- Pre-OS Boot (T1542): 1
  - Bootkit (T1542.003): 1
- Virtualization/Sandbox Evasion (T1497): 1
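The Bootkit mapping comes from the "Writes to the Master Boot Record (MBR)" signature, which records that the sample wrote to the raw disk but not what it wrote. The usual confirmation is to read the first sector before and after detonation and compare the boot code separately from the partition table: a bootkit replaces the boot code and leaves the partition table alone so the OS still starts, whereas a wiper or repartitioning tool changes the table or removes the 0x55AA signature. The example below is added here and is not taken from the report: it parses a 512-byte MBR and classifies the difference between two copies. The sectors it compares are constructed with the helper build_mbr and are not this sample's MBR.

```python
"""Parse a 512-byte MBR and compare a baseline copy against a post-detonation copy."""
from __future__ import annotations
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
DISK_SIGNATURE_OFFSET = 440      # 4-byte Windows disk signature
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot code hash, the disk signature and the in-use partition entries.
    Raises ValueError if the sector is not a well-formed MBR (wrong size or missing 0x55AA)."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not an MBR, or it was wiped")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype:  # partition type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:DISK_SIGNATURE_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, suspect: bytes) -> dict:
    """Classify how the suspect MBR differs from the baseline."""
    base, susp = parse_mbr(baseline), parse_mbr(suspect)
    result = {
        "boot_code_changed": base["bootcode_sha256"] != susp["bootcode_sha256"],
        "disk_signature_changed": base["disk_signature"] != susp["disk_signature"],
        "partition_table_changed": base["partitions"] != susp["partitions"],
    }
    if result["partition_table_changed"]:
        result["verdict"] = "partition table altered: repartitioning or destructive write"
    elif result["boot_code_changed"]:
        result["verdict"] = "boot code replaced, partitions intact: consistent with a bootkit"
    else:
        result["verdict"] = "no change"
    return result


def build_mbr(boot_code: bytes, partitions, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a well-formed MBR from boot code and (status, type, lba_start, sectors) tuples.
    Used only to construct test sectors here; the CHS fields are left zero."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:DISK_SIGNATURE_OFFSET]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PARTITION_TABLE_OFFSET + 16 * i
        buf[off], buf[off + 4] = status, ptype
        struct.pack_into("<II", buf, off + 8, lba_start, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed sectors: a stand-in boot code (a jump plus zero padding, not real loader code),
# one bootable NTFS-type partition, and the same sector after its boot code was overwritten.
ONE_NTFS_PARTITION = [(0x80, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x00" * 437, ONE_NTFS_PARTITION)
INFECTED_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x90" * 437, ONE_NTFS_PARTITION)
WIPED_MBR = bytes(MBR_SIZE)

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR)["partitions"])
    print(compare_mbr(BASELINE_MBR, INFECTED_MBR)["verdict"])
```

In practice the two inputs are the first 512 bytes of the sandbox disk image taken from a clean snapshot and again after the run; on a live Windows guest the same bytes can be read from \\.\PhysicalDrive0 with administrator rights.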