General

Target: 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118
Size: 3.3MB
Sample: 240610-slz9ys1aqb
MD5: 9b1e365aab7ce774ccf22cf671543129
SHA1: 1aed28938e6b1945ac64314facb315d01e7e5519
SHA256: 0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8
SHA512: c8610e2caa2f548b2b00e33b18523c0e414dce832b70fe6572288f6b1f09f61b229600d7e1b65e3d7e91c4c610dcb3e48a6394c82522c95deb9233d44f94530f
SSDEEP: 49152:Ih+ZkldoPK8YaFsJha/KoHO9VG4xb4sd8t8S/aVg/3Vrtge4Ky+bZSZKyVto3aN:p2cPK8Ko7J4/d8tZ8g/D94KyVZZB9za
Static task: static1

Behavioral task: behavioral1
Sample: 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
Resource: win10v2004-20240426-en
Malware Config

Extracted: netwire

C2: clients.enigmasolutions.xyz:54578
activex_autorun: false
copy_executable: true
delete_original: false
host_id: Office-%Rand%
install_path: %AppData%\Microsoft\Crypto\fers.exe
keylogger_dir: %AppData%\msr\
lock_executable: false
offline_keylogger: true
password: \tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun: true
startup_name: fers
use_mutex: false

Reading the config: the sample copies itself to the per-user path %AppData%\Microsoft\Crypto\fers.exe (copy_executable), leaves the original file in place (delete_original is false), and persists through a Run key value named fers (registry_autorun with startup_name); the alternative ActiveX/Active Setup persistence is switched off. The offline keylogger is enabled and writes its logs under %AppData%\msr\. host_id is the template for the victim identifier reported to the C2, with %Rand% filled in at runtime. The controller is reached over TCP at clients.enigmasolutions.xyz port 54578, and password is the operator-set secret NetWire uses to protect that channel. No mutex is used, so nothing stops several instances from running at once. Because everything lives under %AppData% and HKCU, none of this needs administrative rights.
Targets

Target: 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118 (3.3MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Score: 10/10
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE: consistent with the copy_executable/install_path settings above.
- Loads dropped DLL
- Adds Run key to start application: matches registry_autorun/startup_name above.
- AutoIT Executable: an AutoIT script compiled to a PE executable; the RAT payload is carried inside this wrapper.
- Suspicious use of SetThreadContext: this API is commonly used to redirect execution in a suspended process (process hollowing/injection).
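The extracted config and the behavioral signatures above translate directly into host and network detections. The following is an added example, not part of the sandbox report: it turns the config values into indicators (expanding %AppData% so they match any user profile) and runs them over a few constructed Sysmon-style events (IDs 1, 3, 11, 13, 22; the SIDs, user names and file names are made up for illustration).

```python
"""Build NetWire indicators from the extracted config and match Sysmon-style events.

Added example; the event records below are constructed, not taken from the report.
"""
import re

# Values copied from the "Malware Config" section of the report.
NETWIRE_CFG = {
    "c2": "clients.enigmasolutions.xyz:54578",
    "install_path": r"%AppData%\Microsoft\Crypto\fers.exe",
    "keylogger_dir": "%AppData%\\msr\\",
    "startup_name": "fers",
    "registry_autorun": True,
}

# Any drive letter, any user profile, then the Roaming AppData folder.
PROFILE_PREFIX = r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"

# Captures the value name of an HKCU/HKU Run key write.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)


def expand_appdata(template: str) -> "re.Pattern[str]":
    """Turn a %AppData%-relative template into a case-insensitive path regex.

    A template ending in a backslash is a directory and matches any file below it.
    """
    if not template.lower().startswith("%appdata%"):
        raise ValueError("only %AppData%-relative templates are handled here")
    tail = template[len("%AppData%"):]
    anchor = "" if tail.endswith("\\") else "$"
    return re.compile(PROFILE_PREFIX + re.escape(tail) + anchor, re.IGNORECASE)


def build_indicators(cfg: dict) -> dict:
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "install_path": expand_appdata(cfg["install_path"]),
        "keylogger_dir": expand_appdata(cfg["keylogger_dir"]),
        "run_value": cfg["startup_name"].lower() if cfg["registry_autorun"] else None,
    }


def match_event(ev: dict, ind: dict) -> list:
    """Return the indicator names a single event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if ind["run_value"] and m and m.group("name").lower() == ind["run_value"]:
            hits.append("run_key_startup_name")
        if ind["install_path"].match(ev.get("Details", "")):
            hits.append("run_key_install_path")
    elif eid == 1 and ind["install_path"].match(ev.get("Image", "")):  # process create
        hits.append("exec_from_install_path")
    elif eid == 11 and ind["keylogger_dir"].match(ev.get("TargetFilename", "")):  # file create
        hits.append("keylogger_dir_write")
    elif eid == 22 and ev.get("QueryName", "").lower() == ind["c2_host"]:  # DNS query
        hits.append("c2_dns")
    elif eid == 3:  # network connection
        if ev.get("DestinationHostname", "").lower() == ind["c2_host"]:
            hits.append("c2_connection")
        elif ev.get("DestinationPort") == ind["c2_port"]:
            hits.append("c2_port_only")  # weak signal: port without the hostname
    return hits


def scan(events: list, cfg: dict) -> dict:
    """Map event id -> matched indicators, omitting events with no hits."""
    ind = build_indicators(cfg)
    return {ev["id"]: h for ev in events if (h := match_event(ev, ind))}


# Constructed Sysmon-style events for the demo (SID, user and log name are invented).
EVENTS = [
    {"id": 1, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\fers",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\Crypto\fers.exe"},
    {"id": 2, "EventID": 1,
     "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Crypto\fers.exe",
     "ParentImage": r"C:\Users\alice\Downloads\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe"},
    {"id": 3, "EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\msr\20240610.log"},
    {"id": 4, "EventID": 22, "QueryName": "clients.enigmasolutions.xyz"},
    {"id": 5, "EventID": 3, "DestinationHostname": "clients.enigmasolutions.xyz", "DestinationPort": 54578},
    {"id": 6, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 7, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for event_id, hits in scan(EVENTS, NETWIRE_CFG).items():
        print(event_id, hits)
```

The path indicators are anchored to `<drive>:\Users\<user>\AppData\Roaming` rather than to a literal expansion of %AppData% so the same rule fires for every profile on a host; the OneDrive Run key write in event 7 is under AppData\Local with a different value name and is correctly ignored. A port-only network match is reported separately because 54578 on its own is a weak signal.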