General
-
Target
7f47dccad1b4b5c771e8e2cc4a73b030_JaffaCakes118
-
Size
543KB
-
Sample
240529-dfjmpagf37
-
MD5
7f47dccad1b4b5c771e8e2cc4a73b030
-
SHA1
155debdbdf572a10a82e400e3c08d656ba3e666e
-
SHA256
c8125be4debd717bbc3dbab953ba9c0d34e2e9fa665ca6a9bd7c2fab4971af4e
-
SHA512
e7bb32c18e24f0b52e744af3642dee3067c166452ca327d3ea0ff61a19dc4726dfdb607236cff91887ae30068d457bf843f649efe044071270184785564330d0
-
SSDEEP
3072:GaQWv6C5GPxH1IGMO2CB7XoG+qDvIdY/WWDcH9JQN7o4wZe+ns93Xxsl2rGQ7cSS:Bvm9/+2vZoGsKXcfYNfoq4VMd
Static task
static1
Behavioral task
behavioral1
Sample
7f47dccad1b4b5c771e8e2cc4a73b030_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7f47dccad1b4b5c771e8e2cc4a73b030_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
netwire
asdfgfg.ru:6973
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
main
-
keylogger_dir
%AppData%\Klog\
-
lock_executable
false
-
mutex
EmLbObgS
-
offline_keylogger
true
-
password
rdfs34df32sdf
-
registry_autorun
false
-
use_mutex
true
Targets
-
-
Target
7f47dccad1b4b5c771e8e2cc4a73b030_JaffaCakes118
-
Size
543KB
-
MD5
7f47dccad1b4b5c771e8e2cc4a73b030
-
SHA1
155debdbdf572a10a82e400e3c08d656ba3e666e
-
SHA256
c8125be4debd717bbc3dbab953ba9c0d34e2e9fa665ca6a9bd7c2fab4971af4e
-
SHA512
e7bb32c18e24f0b52e744af3642dee3067c166452ca327d3ea0ff61a19dc4726dfdb607236cff91887ae30068d457bf843f649efe044071270184785564330d0
-
SSDEEP
3072:GaQWv6C5GPxH1IGMO2CB7XoG+qDvIdY/WWDcH9JQN7o4wZe+ns93Xxsl2rGQ7cSS:Bvm9/+2vZoGsKXcfYNfoq4VMd
Score10/10-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-