Analysis
-
max time kernel
131s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-06-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
-
Size
3.3MB
-
MD5
9b1e365aab7ce774ccf22cf671543129
-
SHA1
1aed28938e6b1945ac64314facb315d01e7e5519
-
SHA256
0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8
-
SHA512
c8610e2caa2f548b2b00e33b18523c0e414dce832b70fe6572288f6b1f09f61b229600d7e1b65e3d7e91c4c610dcb3e48a6394c82522c95deb9233d44f94530f
-
SSDEEP
49152:Ih+ZkldoPK8YaFsJha/KoHO9VG4xb4sd8t8S/aVg/3Vrtge4Ky+bZSZKyVto3aN:p2cPK8Ko7J4/d8tZ8g/D94KyVZZB9za
Malware Config
Extracted
netwire
clients.enigmasolutions.xyz:54578
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
Office-%Rand%
-
install_path
%AppData%\Microsoft\Crypto\fers.exe
-
keylogger_dir
%AppData%\msr\
-
lock_executable
false
-
offline_keylogger
true
-
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
-
registry_autorun
true
-
startup_name
fers
-
use_mutex
false
Signatures
-
NetWire RAT payload 7 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1592-11-0x0000000003AA0000-0x0000000003B06000-memory.dmp  netwire
behavioral2/memory/1592-12-0x0000000003AA0000-0x0000000003B06000-memory.dmp  netwire
behavioral2/memory/5084-15-0x0000000000C40000-0x0000000000C70000-memory.dmp  netwire
behavioral2/memory/5084-14-0x0000000000C40000-0x0000000000C70000-memory.dmp  netwire
behavioral2/memory/1592-18-0x0000000003AA0000-0x0000000003B06000-memory.dmp  netwire
behavioral2/memory/4156-42-0x0000000000F10000-0x0000000000F40000-memory.dmp  netwire
behavioral2/memory/4156-44-0x0000000000F10000-0x0000000000F40000-memory.dmp  netwire
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
5080  fers.exe
4156  fers.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fers = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fers.exe"  fers.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe  autoit_exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description  pid  process  target process
PID 1592 set thread context of 5084  1592  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 5080 set thread context of 4156  5080  fers.exe  fers.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description  pid  process  target process
PID 1592 wrote to memory of 5084  1592  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084  1592  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084  1592  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084  1592  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084  1592  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 5084 wrote to memory of 5080  5084  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  fers.exe
PID 5084 wrote to memory of 5080  5084  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  fers.exe
PID 5084 wrote to memory of 5080  5084  9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe  fers.exe
PID 5080 wrote to memory of 4156  5080  fers.exe  fers.exe
PID 5080 wrote to memory of 4156  5080  fers.exe  fers.exe
PID 5080 wrote to memory of 4156  5080  fers.exe  fers.exe
PID 5080 wrote to memory of 4156  5080  fers.exe  fers.exe
PID 5080 wrote to memory of 4156  5080  fers.exe  fers.exe
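Read together, the SetThreadContext and WriteProcessMemory tables describe a two-stage process-hollowing chain. PID 1592 writes into and replaces the thread context of 5084, a second instance of its own image; 5084 then starts the dropped copy fers.exe (5080), which repeats the same steps on 4156, again its own image. A parent that both writes a child's memory and calls SetThreadContext on a child started from its own executable is the classic RunPE pattern, and it is where the netwire YARA rule fires in memory (5084 and 4156 above). A memory write alone is a weaker signal, because ordinary process creation also has the parent copy startup data into the new process, which is the likely explanation for the 5084 -> 5080 rows. The Python below is an added example, not the sandbox's own detection logic: it parses the report's "PID X ... of Y" rows (copied from the two tables above, with the repeated rows condensed) and classifies each parent/child pair, then follows the chain from the root PID.

```python
import re
from collections import defaultdict

# Rows copied from the SetThreadContext / WriteProcessMemory tables above, with the
# repeated identical WriteProcessMemory rows condensed (the report lists them 3-5 times).
SAMPLE_ROWS = """
PID 1592 set thread context of 5084 1592 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 5080 set thread context of 4156 5080 fers.exe fers.exe
PID 1592 wrote to memory of 5084 1592 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 1592 wrote to memory of 5084 1592 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
PID 5084 wrote to memory of 5080 5084 9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe fers.exe
PID 5080 wrote to memory of 4156 5080 fers.exe fers.exe
"""

# Row layout as the report prints it:
#   "PID <src> <action> of <dst> <src> <src image> <dst image>"
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context|wrote to memory) of (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)


def parse_rows(text):
    """Return one (src_pid, dst_pid, action, src_image, dst_image) tuple per row."""
    return [
        (int(m["src"]), int(m["dst"]), m["action"], m["src_image"], m["dst_image"])
        for m in ROW.finditer(text)
    ]


def group_pairs(rows):
    """Aggregate rows per parent->child pair: the set of actions plus both image names."""
    pairs = defaultdict(lambda: {"actions": set(), "images": None})
    for src, dst, action, src_image, dst_image in rows:
        pairs[(src, dst)]["actions"].add(action)
        pairs[(src, dst)]["images"] = (src_image, dst_image)
    return dict(pairs)


def classify(pairs):
    """Verdict per parent->child pair:
    hollowing     - memory written AND thread context replaced, and the child runs the
                    parent's own image (RunPE / self-hollowing, as both stages here do)
    thread_hijack - thread context replaced in a child with a different image
    remote_write  - memory written only; ordinary process creation also produces this,
                    since the parent copies startup data into the new process
    """
    verdicts = {}
    for pair, info in pairs.items():
        actions, (src_image, dst_image) = info["actions"], info["images"]
        if {"set thread context", "wrote to memory"} <= actions and src_image == dst_image:
            verdicts[pair] = "hollowing"
        elif "set thread context" in actions:
            verdicts[pair] = "thread_hijack"
        else:
            verdicts[pair] = "remote_write"
    return verdicts


def injection_chain(pairs, root):
    """Follow parent->child edges from root. Assumes one child per parent, which holds
    for this report (each stage spawns exactly one process); stops on a cycle."""
    child_of = {src: dst for (src, dst) in pairs}
    chain = [root]
    while chain[-1] in child_of and child_of[chain[-1]] not in chain:
        chain.append(child_of[chain[-1]])
    return chain


if __name__ == "__main__":
    pairs = group_pairs(parse_rows(SAMPLE_ROWS))
    for pair, verdict in classify(pairs).items():
        print(pair, pairs[pair]["images"], verdict)
    print("chain:", " -> ".join(str(pid) for pid in injection_chain(pairs, 1592)))
```

The same grouping works on endpoint telemetry that records cross-process memory writes and thread-context changes (Sysmon event IDs 8 and 10 carry the process and target process identities, for instance): aggregate per source/target pair, require both actions plus an identical image path for the hollowing verdict, and treat a lone write from a parent to a freshly created child as low confidence.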
Processes
-
PIDs below are taken from the SetThreadContext and WriteProcessMemory tables above; the number before each path is the depth in the process tree.
depth 1: C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe (PID 1592)
command line: "C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
depth 2, child of PID 1592: C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe (PID 5084)
command line: C:\Users\Admin\AppData\Local\Temp\9b1e365aab7ce774ccf22cf671543129_JaffaCakes118.exe
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
depth 3, child of PID 5084: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe (PID 5080)
command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
depth 4, child of PID 5080: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe (PID 4156)
command line: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
- Executes dropped EXE
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\aut3F89.tmp
Filesize
395KB
MD5
9e363c345d2acd93bb1bde7842ce3f0a
SHA1
6372c573b867b8352729fa8ecba7b7eac4be16fd
SHA256
dab9341a1028e06c038ad40853b8cb060bae97fb635c5b9a8d0e35e740364bc6
SHA512
23dde3ce7ef9424a4fbbc6210ce5fc139322ac5e4cba0878b062e34da33dd619c2481e02b2aa46f35cef4b4cc12883ca74080d4f62e402328d08563664168ba5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fers.exe
Filesize
3.3MB
MD5
9b1e365aab7ce774ccf22cf671543129
SHA1
1aed28938e6b1945ac64314facb315d01e7e5519
SHA256
0784e638fe04e5cd4775531aacae4a7e200e0748a49407def7044017ec5939e8
SHA512
c8610e2caa2f548b2b00e33b18523c0e414dce832b70fe6572288f6b1f09f61b229600d7e1b65e3d7e91c4c610dcb3e48a6394c82522c95deb9233d44f94530f
-
memory/1592-12-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/1592-9-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/1592-10-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/1592-11-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/1592-8-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/1592-13-0x0000000076FF8000-0x0000000076FF9000-memory.dmp
Filesize
4KB
-
memory/1592-18-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/1592-7-0x0000000003AA0000-0x0000000003B06000-memory.dmp
Filesize
408KB
-
memory/4156-42-0x0000000000F10000-0x0000000000F40000-memory.dmp
Filesize
192KB
-
memory/4156-44-0x0000000000F10000-0x0000000000F40000-memory.dmp
Filesize
192KB
-
memory/5084-15-0x0000000000C40000-0x0000000000C70000-memory.dmp
Filesize
192KB
-
memory/5084-14-0x0000000000C40000-0x0000000000C70000-memory.dmp
Filesize
192KB