General
Target: JaffaCakes118_08b6f783b5d528892de40a0c32cbe940
Size: 393KB
Sample: 250524-sqhkpsfq6z
MD5: 08b6f783b5d528892de40a0c32cbe940
SHA1: 96f76af63990c354ba59d31a18dc223c992b515d
SHA256: 485e994ad7fc7a7f9aaf06832ab496cf3094d28cf10a61e84c7de3ab36aaf502
SHA512: c4f6883a1ef213a173015c2be2c7211bc3cba646a9ab61b839c32a8f909a8cca1a20a2b335fe04f1320ee6ca880ba16a61632278ee7fb43d1c1a46f22314d863
SSDEEP: 6144:WZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobE+:kT6eoVH91nnX84vS+4qQNUhqjDoIYo2
Malware Config
Extracted family: netwire
C2: 155.94.198.169:9112
activex_autorun: false
copy_executable: true
delete_original: false
host_id: Corona-Virus
install_path: %AppData%\Install\offiice365.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Pounds
registry_autorun: true
startup_name: officeii365
use_mutex: false

Reading the config: copy_executable with install_path means the sample copies itself to %AppData%\Install\offiice365.exe (the original is kept, since delete_original is false), and registry_autorun with startup_name means persistence is a Run value named officeii365 pointing at that copy. Both names are misspelt imitations of "Office 365". offline_keylogger with keylogger_dir means keystrokes are written under %AppData%\Logs\ even while the C2 at 155.94.198.169:9112 is unreachable, so that directory is worth collecting during response. host_id is the label the operator sees for this victim/campaign in the NetWire panel, and password is the configured secret NetWire uses to key its encryption. use_mutex is false, so no mutex name is available as a host indicator.
Targets
Target: JaffaCakes118_08b6f783b5d528892de40a0c32cbe940
Size: 393KB
MD5: 08b6f783b5d528892de40a0c32cbe940
SHA1: 96f76af63990c354ba59d31a18dc223c992b515d
SHA256: 485e994ad7fc7a7f9aaf06832ab496cf3094d28cf10a61e84c7de3ab36aaf502
SHA512: c4f6883a1ef213a173015c2be2c7211bc3cba646a9ab61b839c32a8f909a8cca1a20a2b335fe04f1320ee6ca880ba16a61632278ee7fb43d1c1a46f22314d863
SSDEEP: 6144:WZFV6YJoVLIW91ILonX9buxDNae0rMAZZV8mS2vS+44kgQj1nKh/AY6PuqjDobE+:kT6eoVH91nnX84vS+4qQNUhqjDoIYo2

Signatures
NetWire RAT payload
Netwire family
Checks computer location settings: reads the country code configured in the registry (the user's Control Panel\International settings), which is most likely a geofence; the sample may behave differently, or not run at all, in a sandbox whose locale does not match the targeted region.
Executes dropped EXE: runs the copy written to install_path.
Adds Run key to start application: the startup_name value from the config, pointing at install_path.
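The extracted config and the signatures above describe the same chain (copy to install_path, Run value named startup_name, keylog files under keylogger_dir, beacon to the C2). The following is an added example, not code from the sandbox or the report, that turns those config values into user-independent indicators and runs them over endpoint telemetry. The config values and SHA256 are copied from this page; the telemetry events are constructed for the demo, and the example assumes %AppData% resolves to the default C:\Users\<user>\AppData\Roaming location and that the Run value lives under HKCU.

```python
"""NetWire config -> indicators -> telemetry matching.

Added example for this report, not the sandbox's own code. Config values
and the sample hash are copied from the page; events are constructed, and
%AppData% is assumed to be C:\\Users\\<user>\\AppData\\Roaming.
"""

# Extracted config values (copied from the report above).
NETWIRE_CONFIG = {
    "c2": "155.94.198.169:9112",
    "install_path": "%AppData%\\Install\\offiice365.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "startup_name": "officeii365",
    "registry_autorun": True,
    "copy_executable": True,
}
SAMPLE_SHA256 = "485e994ad7fc7a7f9aaf06832ab496cf3094d28cf10a61e84c7de3ab36aaf502"

RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
ROAMING = "\\appdata\\roaming"  # assumed %AppData% location inside any profile


def build_indicators(cfg):
    """Reduce config paths to the part after %AppData% so one indicator
    covers every user profile on the host; split the C2 into (ip, port)."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2": (host, int(port)),
        "install_suffix": cfg["install_path"].split("%AppData%")[-1].lower(),
        "keylog_suffix": cfg["keylogger_dir"].split("%AppData%")[-1].lower().rstrip("\\"),
        "run_value": cfg["startup_name"].lower(),
    }


def expected_artifacts(cfg, user):
    """Concrete paths and Run value to check for a given user (default profile layout assumed)."""
    appdata = f"C:\\Users\\{user}\\AppData\\Roaming"
    return {
        "install_path": cfg["install_path"].replace("%AppData%", appdata),
        "keylogger_dir": cfg["keylogger_dir"].replace("%AppData%", appdata),
        "run_key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "run_value": cfg["startup_name"],
    }


def _is_install_path(path, ind):
    p = path.strip('"').lower()
    return ROAMING in p and p.endswith(ind["install_suffix"])


def _in_keylog_dir(path, ind):
    return (ROAMING + ind["keylog_suffix"] + "\\") in path.lower()


def match_events(events, ind):
    """Return (event_index, rule_name) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "network_connect":
            if (ev["dst_ip"], ev["dst_port"]) == ind["c2"]:
                hits.append((i, "netwire_c2_connect"))
        elif kind == "registry_set":
            # Match on the value name from the config OR on the data pointing at install_path,
            # so a renamed startup value still trips the rule.
            if ev["key"].lower().endswith(RUN_KEY_SUFFIX) and (
                ev["value_name"].lower() == ind["run_value"] or _is_install_path(ev["data"], ind)
            ):
                hits.append((i, "netwire_run_key_persistence"))
        elif kind == "file_create":
            if _is_install_path(ev["path"], ind):
                hits.append((i, "netwire_dropped_executable"))
            elif _in_keylog_dir(ev["path"], ind):
                hits.append((i, "netwire_offline_keylog_file"))
        elif kind == "process_create":
            if ev.get("sha256", "").lower() == SAMPLE_SHA256 or _is_install_path(ev["image"], ind):
                hits.append((i, "netwire_execution"))
    return hits


# Constructed telemetry for one infected profile, in execution order, plus
# two benign events (RFC 5737 address, legitimate-looking Run value) that must not match.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Users\\alice\\Downloads\\invoice.exe", "sha256": SAMPLE_SHA256},
    {"type": "file_create", "path": "C:\\Users\\alice\\AppData\\Roaming\\Install\\offiice365.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "officeii365", "data": "C:\\Users\\alice\\AppData\\Roaming\\Install\\offiice365.exe"},
    {"type": "process_create", "image": "C:\\Users\\alice\\AppData\\Roaming\\Install\\offiice365.exe",
     "sha256": SAMPLE_SHA256},
    {"type": "network_connect", "dst_ip": "155.94.198.169", "dst_port": 9112},
    {"type": "file_create", "path": "C:\\Users\\alice\\AppData\\Roaming\\Logs\\20240524.log"},
    {"type": "network_connect", "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive", "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, rule in match_events(SAMPLE_EVENTS, build_indicators(NETWIRE_CONFIG)):
        print(f"event {idx}: {rule}")
```

Matching on the path suffix after %AppData% rather than on an expanded path keeps the rules valid for any username, and the Run-key rule fires on either the configured value name or data pointing at the install path, so a variant that only changes startup_name is still caught. The hash match on process creation covers the original dropper before it has copied itself anywhere.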