General

  • Target

    JaffaCakes118_08b6f783b5d528892de40a0c32cbe940

  • Size

    393KB

  • Sample

    250524-sqhkpsfq6z

  • MD5

    08b6f783b5d528892de40a0c32cbe940

  • SHA1

    96f76af63990c354ba59d31a18dc223c992b515d

  • SHA256

    485e994ad7fc7a7f9aaf06832ab496cf3094d28cf10a61e84c7de3ab36aaf502

  • SHA512

    c4f6883a1ef213a173015c2be2c7211bc3cba646a9ab61b839c32a8f909a8cca1a20a2b335fe04f1320ee6ca880ba16a61632278ee7fb43d1c1a46f22314d863

  • SSDEEP

    6144:WZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobE+:kT6eoVH91nnX84vS+4qQNUhqjDoIYo2

Malware Config

Extracted

Family

netwire

C2

155.94.198.169:9112

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Corona-Virus

  • install_path

    %AppData%\Install\offiice365.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pounds

  • registry_autorun

    true

  • startup_name

    officeii365

  • use_mutex

    false

Targets

    • Target

      JaffaCakes118_08b6f783b5d528892de40a0c32cbe940

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • Netwire family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (the sample can decide not to run in certain locales).

    • Executes dropped EXE

    • Adds Run key to start application

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX variant.
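The extracted config above (install path, Run key value name, keylogger directory, C2 endpoint) together with the "Adds Run key" and "Executes dropped EXE" signatures is everything a responder needs to hunt for this sample on other hosts. The script below is an added example, not part of the sandbox report: it turns the report's config values into concrete host and network IOCs and matches them against a handful of constructed Sysmon-style events (registry set, file create, network connect). The event line format, the `HKCU` prefix (real Sysmon logs the user SID under `HKU`), and the `C:\Users\victim\AppData\Roaming` profile path are assumptions for the example.

```python
"""
Build IOCs from the NetWire config extracted in the report and scan
constructed Sysmon-style events for them.  Added example; the event
format and the victim profile path are assumptions, not report data.
"""
import ntpath
import re

# Values copied from the "Malware Config" section of the report.
NETWIRE_CONFIG = {
    "c2": "155.94.198.169:9112",
    "install_path": "%AppData%\\Install\\offiice365.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "startup_name": "officeii365",
    "registry_autorun": True,
    "copy_executable": True,
    "offline_keylogger": True,
}

# Assumed: per-user Run key as it would appear after HKU\<SID> -> HKCU normalisation.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def expand_appdata(path, appdata):
    """Expand %AppData% (case-insensitive) to a concrete Roaming profile directory."""
    return re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.IGNORECASE)


def build_iocs(cfg, appdata="C:\\Users\\victim\\AppData\\Roaming"):
    """Derive lower-cased host IOCs and the C2 endpoint from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "install_path": expand_appdata(cfg["install_path"], appdata).lower(),
        "keylogger_dir": expand_appdata(cfg["keylogger_dir"], appdata).lower(),
        # NetWire only writes the Run value when registry_autorun is set.
        "run_value": cfg["startup_name"].lower() if cfg["registry_autorun"] else None,
    }


# Constructed sample events (key=value, Sysmon event IDs 13 = registry value set,
# 11 = file create, 3 = network connect).  Events 4 and 5 are benign controls.
EVENTS = [
    "EventID=13 TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\officeii365 "
    "Details=C:\\Users\\victim\\AppData\\Roaming\\Install\\offiice365.exe",
    "EventID=11 TargetFilename=C:\\Users\\victim\\AppData\\Roaming\\Install\\offiice365.exe",
    "EventID=11 TargetFilename=C:\\Users\\victim\\AppData\\Roaming\\Logs\\2024-05-24.log",
    "EventID=3 DestinationIp=155.94.198.169 DestinationPort=9112",
    "EventID=3 DestinationIp=93.184.216.34 DestinationPort=443",
    "EventID=11 TargetFilename=C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Word\\normal.dotm",
]


def parse_event(line):
    """Split a 'key=value key=value' line into a dict (values contain no spaces here)."""
    return dict(tok.split("=", 1) for tok in line.split())


def match_event(ev, iocs):
    """Return the names of the IOCs an event matches; an empty list means no hit."""
    hits = []
    eid = ev.get("EventID")
    if eid == "13":  # registry value set: persistence via the Run key
        obj = ev.get("TargetObject", "").lower()
        if obj.startswith(RUN_KEY.lower() + "\\") and ntpath.basename(obj) == iocs["run_value"]:
            hits.append("run_key")
        if ev.get("Details", "").lower() == iocs["install_path"]:
            hits.append("install_path")
    elif eid == "11":  # file create: dropped copy or offline keylogger output
        fn = ev.get("TargetFilename", "").lower()
        if fn == iocs["install_path"]:
            hits.append("install_path")
        elif fn.startswith(iocs["keylogger_dir"]):
            hits.append("keylogger_dir")
    elif eid == "3":  # network connect: C2 beacon on the configured port
        if (ev.get("DestinationIp") == iocs["c2_host"]
                and ev.get("DestinationPort") == str(iocs["c2_port"])):
            hits.append("c2")
    return hits


def scan(lines, iocs):
    """Map event index -> matched IOC names for every event that hits at least one IOC."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line), iocs)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    iocs = build_iocs(NETWIRE_CONFIG)
    for idx, hits in scan(EVENTS, iocs).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The keylogger match is a prefix match on the directory because the config only fixes `%AppData%\Logs\`, not the log file names; the install path and Run value name are exact matches. Point `build_iocs` at the real profile directory of the host being examined, and keep in mind that `host_id`, `password` and the C2 port are per-build values, so a rebuilt sample will share the family but not these IOCs.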

MITRE ATT&CK Enterprise v16
