Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64
arch:x86
image:win7-20240508-en
locale:en-us
os:windows7-x64
system
-
submitted
03-06-2024 15:00
Static task
static1
Behavioral task
behavioral1
Sample
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
-
Size
11.3MB
-
MD5
9232b6170f9de848c09d42c7f1eb5f4c
-
SHA1
accb42982aee08d653885af850c4c47454b3a8d8
-
SHA256
bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
-
SHA512
4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
-
SSDEEP
196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt
Malware Config
Extracted
azorult
http://abnmz.akrn12.com/index.php
Extracted
netwire
ptmk2.ddns.net:8906
-
activex_autorun
true
-
activex_key
{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Skyype.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
DkDoPqeJ
-
offline_keylogger
true
-
password
Ratrat123$
-
registry_autorun
true
-
startup_name
NetW
-
use_mutex
true
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
NetWire RAT payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1284-17-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
behavioral1/memory/1284-35-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
behavioral1/memory/2524-39-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
Skyype.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701} | Skyype.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe\"" | Skyype.exe
-
Executes dropped EXE 2 IoCs
Processes:
nwd.exe, Skyype.exe
pid | process
1284 | nwd.exe
2524 | Skyype.exe
-
Loads dropped DLL 4 IoCs
Processes:
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe
pid | process
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284 | nwd.exe
1284 | nwd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Skyype.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetW = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe" | Skyype.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe, Skyype.exe
pid | process
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284 | nwd.exe
1284 | nwd.exe
2524 | Skyype.exe
2524 | Skyype.exe
-
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe, Skyype.exe
pid | process
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284 | nwd.exe
1284 | nwd.exe
2524 | Skyype.exe
2524 | Skyype.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe, Skyype.exe
pid | process
2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
1284 | nwd.exe
2524 | Skyype.exe
-
Suspicious use of UnmapMainImage 2 IoCs
Processes:
nwd.exe, Skyype.exe
pid | process
1284 | nwd.exe
2524 | Skyype.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe
description | pid | process | target process
PID 2088 wrote to memory of 1284 | 2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
PID 2088 wrote to memory of 1284 | 2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
PID 2088 wrote to memory of 1284 | 2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
PID 2088 wrote to memory of 1284 | 2088 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
PID 1284 wrote to memory of 2524 | 1284 | nwd.exe | Skyype.exe
PID 1284 wrote to memory of 2524 | 1284 | nwd.exe | Skyype.exe
PID 1284 wrote to memory of 2524 | 1284 | nwd.exe | Skyype.exe
PID 1284 wrote to memory of 2524 | 1284 | nwd.exe | Skyype.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nwd.exe (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Install\Skyype.exe (process tree level 3)
Command line: -m "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\Users\Admin\AppData\Local\Temp\nwd.exe
Filesize
3.9MB
MD5
3752304d7b6071f70916fe001fee8d53
SHA1
f6a225e7dfae7c614542c3253ca29444c1e697ae
SHA256
9141c98540da1c4716b0a48ef166272c317c59345de8b581534aae606c5ff812
SHA512
e9651f4eb5ceb2a1591a295308fafd8fcd8053943a8810373f34f5f01b372c3ce6db2dc6d0efaa990b7981b0175c0e3f603f479fa0f6575e7f18d5a7cb7da2cc
-
memory/1284-16-0x0000000000400000-0x00000000007E8000-memory.dmp
Filesize
3.9MB
-
memory/1284-17-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize
176KB
-
memory/1284-35-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize
176KB
-
memory/2088-3-0x0000000000400000-0x0000000000F46000-memory.dmp
Filesize
11.3MB
-
memory/2088-11-0x0000000000400000-0x0000000000F46000-memory.dmp
Filesize
11.3MB
-
memory/2088-15-0x0000000000400000-0x0000000000F46000-memory.dmp
Filesize
11.3MB
-
memory/2524-39-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize
176KB