Analysis
- max time kernel: 146s
- max time network: 100s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 15:00
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  - Resource: win7-20240508-en
Behavioral task
- behavioral2
  - Sample: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  - Resource: win10v2004-20240508-en
General
- Target: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
- Size: 11.3MB
- MD5: 9232b6170f9de848c09d42c7f1eb5f4c
- SHA1: accb42982aee08d653885af850c4c47454b3a8d8
- SHA256: bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
- SHA512: 4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
- SSDEEP: 196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt
Malware Config
Extracted (azorult)
- http://abnmz.akrn12.com/index.php
Extracted (netwire)
- ptmk2.ddns.net:8906
- activex_autorun: true
- activex_key: {2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}
- copy_executable: true
- delete_original: true
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Skyype.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: DkDoPqeJ
- offline_keylogger: true
- password: Ratrat123$
- registry_autorun: true
- startup_name: NetW
- use_mutex: true
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- NetWire RAT payload (2 IoCs)
  Resource | YARA rule
  behavioral2/memory/832-19-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral2/memory/832-30-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  Processes: Skyype.exe
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701} | Skyype.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe\"" | Skyype.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
- Executes dropped EXE (2 IoCs)
  Processes: nwd.exe, Skyype.exe
  PID | Process
  832 | nwd.exe
  4036 | Skyype.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Skyype.exe
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetW = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Skyype.exe" | Skyype.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe, Skyype.exe
  PID | Process
  3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  832 | nwd.exe
  832 | nwd.exe
  4036 | Skyype.exe
  4036 | Skyype.exe
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe, Skyype.exe
  PID | Process
  3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  832 | nwd.exe
  832 | nwd.exe
  4036 | Skyype.exe
  4036 | Skyype.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe, Skyype.exe
  PID | Process
  3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  832 | nwd.exe
  4036 | Skyype.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe, nwd.exe
  Description | PID | Process | Target process
  PID 3100 wrote to memory of 832 | 3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
  PID 3100 wrote to memory of 832 | 3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
  PID 3100 wrote to memory of 832 | 3100 | 9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe | nwd.exe
  PID 832 wrote to memory of 4036 | 832 | nwd.exe | Skyype.exe
  PID 832 wrote to memory of 4036 | 832 | nwd.exe | Skyype.exe
  PID 832 wrote to memory of 4036 | 832 | nwd.exe | Skyype.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\nwd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Install\Skyype.exe
      Command line: -m "C:\Users\Admin\AppData\Local\Temp\nwd.exe"
      - Modifies Installed Components in the registry
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nwd.exe
  - Filesize: 3.9MB
  - MD5: 3752304d7b6071f70916fe001fee8d53
  - SHA1: f6a225e7dfae7c614542c3253ca29444c1e697ae
  - SHA256: 9141c98540da1c4716b0a48ef166272c317c59345de8b581534aae606c5ff812
  - SHA512: e9651f4eb5ceb2a1591a295308fafd8fcd8053943a8810373f34f5f01b372c3ce6db2dc6d0efaa990b7981b0175c0e3f603f479fa0f6575e7f18d5a7cb7da2cc
- memory/832-19-0x0000000000400000-0x000000000042C000-memory.dmp
  - Filesize: 176KB
- memory/832-30-0x0000000000400000-0x000000000042C000-memory.dmp
  - Filesize: 176KB
- memory/3100-2-0x00000000774B1000-0x00000000775D1000-memory.dmp
  - Filesize: 1.1MB
- memory/3100-12-0x0000000000400000-0x0000000000F46000-memory.dmp
  - Filesize: 11.3MB
- memory/3100-17-0x0000000000400000-0x0000000000F46000-memory.dmp
  - Filesize: 11.3MB