General
- Target: 874ad1a5d6955021881a3c19061cf4f6_JaffaCakes118
- Size: 972KB
- Sample: 240531-rllk5abb2x
- MD5: 874ad1a5d6955021881a3c19061cf4f6
- SHA1: 65c80b2b25c578ddee72176e836c383b381f3686
- SHA256: 8b4f23379d7c7cbd4aedd2dd648d0b181d80f2cde29eacfe03b7d155e012be91
- SHA512: 97426ed44fdf428ca173f90c2c78d13714168790f7c2c98c92841d3b06eb8260be88a5850b53c905ed6e0db294d85df6923b12fa568b3eb17ff9c67faa0dcb9a
- SSDEEP: 3072:fEL68ieI7D5qSVwn2Ij4zAAc6s7UEPslhEKe9vHKh:8Q71qggj4zAV6sgEsDEKivK
Static task: static1
Behavioral task: behavioral1
Sample: 874ad1a5d6955021881a3c19061cf4f6_JaffaCakes118.exe
Resource: win7-20240508-en
Malware Config
Extracted: netwire
iheuche009.hopto.org:1199
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: Bushbush
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: RjCRIvgp
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: true
Extracted: lokibot
- http://valdepian.com/eurostil/Panel/five/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
Targets
- NetWire RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext