General

  • Target

    JaffaCakes118_3326a928efab31246be7225e71039bb2cc0e25e2e941a6df4c65638eb659a06b

  • Size

    315.3MB

  • Sample

    241223-wa26yswnfq

  • MD5

    f38b394ac2927d45437658660fe52beb

  • SHA1

    f89a61635d5bb8782032fb965aabccd4a937b3df

  • SHA256

    3326a928efab31246be7225e71039bb2cc0e25e2e941a6df4c65638eb659a06b

  • SHA512

    2fe776da07e384369d8bd6565decf636e188dd4388870fda5fe8723e25b41e2955d4f7bdb4f045884b5658890662ae18f5a60e516e7b2ec052c231103d3f2214

  • SSDEEP

    6291456:ye6XwWpXiODZAbBKiCBeG9mTvIspSXtqlHwMkRdTQZ:FXWpSOabBRCIGsTvISBkn8Z

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    https://i.top4top.io/m_1891i29ay1.mp4

Extracted

  • Family

    netwire

  • C2

    alice2019.myftp.biz:3360

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    FRAPPE2021

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      79A7AD7C358A63478887BE6CECD20DE05B172B472C3AD573EC38FA2B1E332BF2

    • Size

      315.3MB

    • MD5

      3a573b39c6ee245668c50e6f143726a8

    • SHA1

      649526a6cd120a05a876a089ec0439151d64f636

    • SHA256

      79a7ad7c358a63478887be6cecd20de05b172b472c3ad573ec38fa2b1e332bf2

    • SHA512

      ed2858aae6d2af0f30b4a88e259183f400ac1f8fa1cd89a673041b9703efaca326698324e94aba71d625ff045eee5460ad71bcf1d932a8bfa310c2b05a72a41b

    • SSDEEP

      6291456:OWvFOyTZCnrwqttpXAc7dr/zm8Zgc3G3U/9DKWj8B8gx0oE:O8CBtOc7dr/zm5CG0QW3gRE

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, and it also includes remote control capabilities.

    • Netwire family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks