Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
03-01-2025 11:10
General
-
Target
JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
-
Size
396KB
-
MD5
6c33cc232ababa439e295a455f3980a0
-
SHA1
774365e9521f8087145820b49814d28f37e5c65e
-
SHA256
d1be6471a46b5d2cae582b6bad0646cc3b59c85df440363a77f2bb41ab553e82
-
SHA512
48c9aa276dc7532766865b3159f5d2c9b9f8cb942060ddc1d311eff8a5d3e8a52fa0ae353975a6ea19625c5e7f9a285602784b3ae8f0b5c50f9bdda19c4ce347
-
SSDEEP
3072:LBB+77tPHkDLQ2AhPlG/1WBZf7qF/Z2iYmsdxDxUxt6mDLoGrww9JGbtENmszvZ+:Lf+7ODLQ2GEWBZE22lnNlRRP
Malware Config
Extracted
netwire
23.95.88.13:3360
-
activex_autorun
true
-
activex_key
{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
doctor
-
registry_autorun
true
-
startup_name
system
-
use_mutex
false
Signatures
-
NetWire RAT payload 4 IoCs
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Netwire family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe-m "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Host.exe-m "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"4⤵
- Boot or Logon Autostart Execution: Active Setup
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
396KB
MD56c33cc232ababa439e295a455f3980a0
SHA1774365e9521f8087145820b49814d28f37e5c65e
SHA256d1be6471a46b5d2cae582b6bad0646cc3b59c85df440363a77f2bb41ab553e82
SHA51248c9aa276dc7532766865b3159f5d2c9b9f8cb942060ddc1d311eff8a5d3e8a52fa0ae353975a6ea19625c5e7f9a285602784b3ae8f0b5c50f9bdda19c4ce347
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
400KB
-
Filesize
24KB
-
Filesize
120KB