General

  • Target

    JaffaCakes118_a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae

  • Size

    1021KB

  • Sample

    241224-259geaznfw

  • MD5

    06cdc76364c27b957f5b59560ed4c1d2

  • SHA1

    3bb240353f9f58397dc611ec100d6e20e0c124b7

  • SHA256

    a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae

  • SHA512

    56c2c1730ca717056bf41679de9785a1569f980624e7a3b35b0e4b178890beb5bc9a76241981cf30e92fd5ccc15c129e028dc1a20cdaa37ee9f391c9a65fce0e

  • SSDEEP

    12288:uQjA0qAp0T2o/lkZ7VPNWx2PPvu86fvKtLKeDoXmYccJ7z78zNfmoMMzoMhx6KNe:PjA3G5HNSSG86Korvcu78xfmoM0BzNEd

Malware Config

Extracted

Family

netwire

C2

donphilongz.org:5005

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    uTGwFNvi

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Extracted

Family

nanocore

Version

1.2.2.0

C2

donphilongz.org:5070

Mutex

c68af378-9f2e-46e2-88f3-79ec61d84319

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    donphilongz.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-02-01T08:21:40.055121836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    5070

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    c68af378-9f2e-46e2-88f3-79ec61d84319

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    donphilongz.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

wshrat

C2

http://strserver1.duckdns.org:8001

Targets

    • Target

      9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin

    • Size

      1.1MB

    • MD5

      aa4c23269c9b3026cf16225badbf7d5f

    • SHA1

      78247b69edd8cf0bdc064fcae5ab31470c62ab3a

    • SHA256

      9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e

    • SHA512

      c9d6716616ddd6cd2ccf4679af1fbd2dff587f89ba89745c122d82fa8aabd6762a59534ad002c4ea5ddc9373328fbae7588f9d4b071f1083ce91915a73f7ab3c

    • SSDEEP

      24576:eNcBtkZXdipp/ZUIdi1iXEjF67x+T4coqS5HaD2XZRm3JbfsGZL:5eCPEZex+T7oqWHayX3+L

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Netwire family

    • WSHRAT

      WSHRAT is a variant of Houdini worm and has vbs and js variants.

    • Wshrat family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks