General
-
Target
JaffaCakes118_a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae
-
Size
1021KB
-
Sample
241224-259geaznfw
-
MD5
06cdc76364c27b957f5b59560ed4c1d2
-
SHA1
3bb240353f9f58397dc611ec100d6e20e0c124b7
-
SHA256
a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae
-
SHA512
56c2c1730ca717056bf41679de9785a1569f980624e7a3b35b0e4b178890beb5bc9a76241981cf30e92fd5ccc15c129e028dc1a20cdaa37ee9f391c9a65fce0e
-
SSDEEP
12288:uQjA0qAp0T2o/lkZ7VPNWx2PPvu86fvKtLKeDoXmYccJ7z78zNfmoMMzoMhx6KNe:PjA3G5HNSSG86Korvcu78xfmoM0BzNEd
Static task
static1
Behavioral task
behavioral1
Sample
9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.exe
Resource
win7-20240903-en
Malware Config
Extracted
netwire
donphilongz.org:5005
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
uTGwFNvi
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
true
Extracted
nanocore
1.2.2.0
donphilongz.org:5070
c68af378-9f2e-46e2-88f3-79ec61d84319
-
activate_away_mode
true
-
backup_connection_host
donphilongz.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-02-01T08:21:40.055121836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5070
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c68af378-9f2e-46e2-88f3-79ec61d84319
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
donphilongz.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
wshrat
http://strserver1.duckdns.org:8001
Targets
-
-
Target
9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin
-
Size
1.1MB
-
MD5
aa4c23269c9b3026cf16225badbf7d5f
-
SHA1
78247b69edd8cf0bdc064fcae5ab31470c62ab3a
-
SHA256
9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e
-
SHA512
c9d6716616ddd6cd2ccf4679af1fbd2dff587f89ba89745c122d82fa8aabd6762a59534ad002c4ea5ddc9373328fbae7588f9d4b071f1083ce91915a73f7ab3c
-
SSDEEP
24576:eNcBtkZXdipp/ZUIdi1iXEjF67x+T4coqS5HaD2XZRm3JbfsGZL:5eCPEZex+T7oqWHayX3+L
-
Nanocore family
-
NetWire RAT payload
-
Netwire family
-
Wshrat family
-
Blocklisted process makes network request
-
Checks computer location settings
Reads the country code configured in the registry. This is most likely a geofence check, so the sample's behavior may differ (or execution may stop) on systems whose locale does not match the attacker's target region — keep this in mind when reproducing the behavior in a sandbox.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Queries a legitimate public IP-lookup web service to discover the infected system's external IP address. Because the destination itself is benign, this is a weak indicator on its own; correlate it with the calling process and the other signatures listed here rather than blocking the service.
-
Suspicious use of SetThreadContext
-