General
Target: a217880f3e4ffe347256d08ea0a8e756_JaffaCakes118
Size: 620KB
Sample: 240612-yph3qsxhqe
MD5: a217880f3e4ffe347256d08ea0a8e756
SHA1: fbe38b496f08f3263659aa8f64263741a76b3464
SHA256: 3a5fef44125d1ff9e9315dacf594bbd66a3f2619173306ab668dcc11395ca750
SHA512: 731e37ca08f50f04fd6a67d4184b108daae48aa29551459eacfcdabfe7328a64669bbeeb249f2c189363741da6824ace393565ca7023a440a92599e05c511658
SSDEEP: 12288:WVm7aREb32/fpxOQlzoYg+65VyAcidV2+:Wc77b3Wl31Owz
Static task: static1

Behavioral task: behavioral1
Sample: a217880f3e4ffe347256d08ea0a8e756_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: a217880f3e4ffe347256d08ea0a8e756_JaffaCakes118.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted
Family: netwire
C2 (host:port):
  46.20.33.82:3444
  62.102.148.181:57980
  46.165.208.108:3490
  213.152.162.99:3829
  109.163.226.153:3829
activex_autorun: true
activex_key: {KCU0IT3O-S203-3AK5-A012-E75586QE8077}
copy_executable: true
delete_original: false
host_id: ~JuneLogs~%Rand%
install_path: %AppData%\Microsoft\HKRUN.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: QRRNjPvc
offline_keylogger: true
password: 123456
registry_autorun: true
startup_name: ProLogs
use_mutex: true

Reading the config: the sample copies itself to %AppData%\Microsoft\HKRUN.exe (copy_executable=true) and leaves the original in place (delete_original=false). It persists in two ways: a Run value named ProLogs (registry_autorun=true, startup_name) and an Active Setup "Installed Components" entry keyed by the activex_key GUID (activex_autorun=true). A single running instance is enforced with the mutex QRRNjPvc (use_mutex=true). Keystrokes are captured even while no controller is connected (offline_keylogger=true) and written under %AppData%\Logs\. The victim is reported to the controller with a host_id of ~JuneLogs~%Rand%, where %Rand% is a placeholder NetWire fills in at runtime, and the password value (123456) is the shared secret that keys the NetWire C2 channel. The five C2 entries are the controller addresses the implant is configured to contact.
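The config above is the most actionable part of the report, so as an added example (not part of the sandbox report or of any NetWire tooling) the script below turns those fields into host and network indicators and checks constructed endpoint telemetry against them. Assumptions, all labelled in the code: %AppData% resolves to the default Roaming profile of a user named "victim"; the Run value lives under a key ending in \CurrentVersion\Run; the Active Setup entry lives under \Active Setup\Installed Components\<GUID> with a StubPath value; the event records are constructed for the example, not taken from the report.

```python
"""Derive hunting indicators from the extracted NetWire config and match
constructed telemetry against them. Added example, not from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Field values copied from the extracted netwire config above.
NETWIRE_CONFIG = {
    "c2": [
        "46.20.33.82:3444",
        "62.102.148.181:57980",
        "46.165.208.108:3490",
        "213.152.162.99:3829",
        "109.163.226.153:3829",
    ],
    "activex_key": "{KCU0IT3O-S203-3AK5-A012-E75586QE8077}",
    "install_path": r"%AppData%\Microsoft\HKRUN.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "mutex": "QRRNjPvc",
    "startup_name": "ProLogs",
}


@dataclass(frozen=True)
class Indicator:
    kind: str   # "net", "file", "registry" or "mutex"
    value: str  # file/registry values are lower-cased for case-insensitive matching
    note: str   # which config field produced it


def expand_appdata(path: str, user: str = "victim") -> str:
    """Resolve %AppData% to the Roaming folder (assumption: default profile layout)."""
    return path.replace("%AppData%", rf"C:\Users\{user}\AppData\Roaming")


def build_indicators(cfg: dict, user: str = "victim") -> list[Indicator]:
    """One indicator per C2 entry plus the host artifacts the config implies."""
    inds = [Indicator("net", hp, "configured C2 host:port") for hp in cfg["c2"]]
    inds.append(Indicator("file", expand_appdata(cfg["install_path"], user).lower(),
                          "install_path copy of the sample (copy_executable=true)"))
    inds.append(Indicator("file", expand_appdata(cfg["keylogger_dir"], user).lower(),
                          "keylogger_dir output directory (offline_keylogger=true)"))
    inds.append(Indicator("registry", cfg["activex_key"].lower(),
                          "Active Setup Installed Components GUID (activex_autorun=true)"))
    inds.append(Indicator("registry", cfg["startup_name"].lower(),
                          "Run value name (registry_autorun=true)"))
    inds.append(Indicator("mutex", cfg["mutex"], "instance mutex (use_mutex=true)"))
    return inds


# Assumed registry locations for the two persistence mechanisms.
RUN_KEY_RE = re.compile(r"\\currentversion\\run$")
ACTIVE_SETUP_RE = re.compile(r"\\active setup\\installed components\\")


def match_event(event: dict, inds: list[Indicator]) -> list[str]:
    """Return the notes of every indicator this event hits (empty = no hit)."""
    hits = []
    t = event["type"]
    for ind in inds:
        if ind.kind == "net" and t == "network":
            if f'{event["dst"]}:{event["dport"]}' == ind.value:
                hits.append(ind.note)
        elif ind.kind == "file" and t == "file_create":
            p = event["path"].lower()
            # A directory indicator (trailing backslash) matches anything created inside it.
            if p == ind.value or (ind.value.endswith("\\") and p.startswith(ind.value)):
                hits.append(ind.note)
        elif ind.kind == "registry" and t == "registry_set":
            key = event["key"].lower()
            name = event.get("name", "").lower()
            if ACTIVE_SETUP_RE.search(key) and ind.value in key:
                hits.append(ind.note)
            elif RUN_KEY_RE.search(key) and name == ind.value:
                hits.append(ind.note)
        elif ind.kind == "mutex" and t == "mutex_create":
            if event["name"] == ind.value:
                hits.append(ind.note)
    return hits


# Constructed telemetry for the example; the last two are benign controls.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\HKRUN.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "ProLogs", "data": r"C:\Users\victim\AppData\Roaming\Microsoft\HKRUN.exe"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Active Setup\Installed Components\{KCU0IT3O-S203-3AK5-A012-E75586QE8077}",
     "name": "StubPath", "data": r"C:\Users\victim\AppData\Roaming\Microsoft\HKRUN.exe"},
    {"type": "mutex_create", "name": "QRRNjPvc"},
    {"type": "network", "dst": "213.152.162.99", "dport": 3829},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Logs\2024-06-12.log"},
    {"type": "network", "dst": "93.184.216.34", "dport": 443},
    {"type": "mutex_create", "name": "Local\\SomeBenignApp"},
]


def scan(events: list[dict], cfg: dict = NETWIRE_CONFIG, user: str = "victim"):
    """Return (event, hits) pairs for every event that matches at least one indicator."""
    inds = build_indicators(cfg, user)
    return [(e, hits) for e in events if (hits := match_event(e, inds))]


if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(f'{event["type"]:13} -> {"; ".join(hits)}')
```

Each sandbox signature in the Targets section maps onto one of these indicator kinds: the dropped EXE and Run key onto the install_path and startup_name indicators, "Modifies Installed Components" onto the activex_key GUID, and the C2 list onto the network indicators. Swap the constructed SAMPLE_EVENTS for normalized EDR or Sysmon records with the same field names to reuse the matcher.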
Targets
Target: a217880f3e4ffe347256d08ea0a8e756_JaffaCakes118
Size: 620KB
MD5: a217880f3e4ffe347256d08ea0a8e756
SHA1: fbe38b496f08f3263659aa8f64263741a76b3464
SHA256: 3a5fef44125d1ff9e9315dacf594bbd66a3f2619173306ab668dcc11395ca750
SHA512: 731e37ca08f50f04fd6a67d4184b108daae48aa29551459eacfcdabfe7328a64669bbeeb249f2c189363741da6824ace393565ca7023a440a92599e05c511658
SSDEEP: 12288:WVm7aREb32/fpxOQlzoYg+65VyAcidV2+:Wc77b3Wl31Owz
Score: 10/10

Signatures:
- NetWire RAT payload
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

The signatures line up with the extracted config: "Modifies Installed Components in the registry" is the Active Setup persistence keyed by activex_key, "Adds Run key to start application" is the ProLogs Run value, and "Executes dropped EXE" is the copy written to the install_path (%AppData%\Microsoft\HKRUN.exe) being launched. "Suspicious use of SetThreadContext" is the behaviour sandboxes flag when a process rewrites the context of a thread in another process, the usual last step of process hollowing or thread hijacking; the report lists the signature but does not name the host process, so the injection target is not established here.