Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 13:28
Static task: static1
Behavioral task: behavioral1
- Sample: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
- Size: 321KB
- MD5: a9ea5e73237d3e45ef3b2bab04612266
- SHA1: 8113bbeb5c04e214e6ae04c9e90aa4c8ee84d3b4
- SHA256: 5d97562c21e9b2f0959963447c9454e3247390fbbb281ca2c2ef2a9c6c7de777
- SHA512: e85d9268718d987efa1bc308f9f957d65848d961b9bf39a97a82d6879d936c493d8a5341c0e07b0abf5362124f711ebc5695915b8ca4aeb1141dc3a64c5c5dcc
- SSDEEP: 6144:QdWgj21o19KzuuYOgmWkLBTjOB1mQUgQvPwjxG8A59VdxghunhmzgRhsJqB/:Qop169KSejWUOjmQUgQvPwjE8evihuhN
Malware Config
Extracted: netwire
C2:
- mlhdns.phatbois.me:4772
- mlhdns.pandabearsunited.xyz:4772
Configuration:
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password
- registry_autorun: false
- use_mutex: false
Signatures
- NetWire RAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/932-15-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/932-16-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
  behavioral1/memory/932-18-0x0000000000400000-0x000000000042C000-memory.dmp | netwire
- Drops startup file (2 IoCs)
  Processes: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscdui.exe | a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscdui.exe | a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  Processes: mscdui.exe
  pid | process
  2656 | mscdui.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: mscdui.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mscdui.exe -boot" | mscdui.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: mscdui.exe
  description | pid | process | target process
  PID 2656 set thread context of 932 | 2656 | mscdui.exe | AppLaunch.exe
- Drops file in Windows directory (4 IoCs)
  Processes: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe, mscdui.exe
  description | ioc | process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | mscdui.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | mscdui.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe, mscdui.exe
  description | pid | process
  Token: SeDebugPrivilege | 2116 | a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2656 | mscdui.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes: a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe, explorer.exe, mscdui.exe
  description | pid | process | target process | count
  PID 2116 wrote to memory of 2672 | 2116 | a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe | explorer.exe | 4 events
  PID 2556 wrote to memory of 2656 | 2556 | explorer.exe | mscdui.exe | 4 events
  PID 2656 wrote to memory of 932 | 2656 | mscdui.exe | AppLaunch.exe | 14 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9ea5e73237d3e45ef3b2bab04612266_JaffaCakes118.exe"
  - Drops startup file
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscdui.exe
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscdui.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscdui.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscdui.exe
  Filesize: 321KB
  MD5: a9ea5e73237d3e45ef3b2bab04612266
  SHA1: 8113bbeb5c04e214e6ae04c9e90aa4c8ee84d3b4
  SHA256: 5d97562c21e9b2f0959963447c9454e3247390fbbb281ca2c2ef2a9c6c7de777
  SHA512: e85d9268718d987efa1bc308f9f957d65848d961b9bf39a97a82d6879d936c493d8a5341c0e07b0abf5362124f711ebc5695915b8ca4aeb1141dc3a64c5c5dcc
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
  Filesize: 478B
  MD5: 7f8c21923ca1306f9a0afa89847886b4
  SHA1: 6209556ed4deb179d889a29f8bc6108b94f5e562
  SHA256: 8a2e69cb92ecb1aa75805a6ec59908e9a3263a2e384691a6b1c12a9e60d2acdf
  SHA512: 3b8563a1e7f9c816df2fd3071e7c5382e714bcb7ea8572fd7591b1f2ac7894d780175fad463261b0b233cda02879cf60988db29d139c9ac5aeea7fd6e7b4af0b
- memory/932-15-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/932-16-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/932-18-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB
- memory/2116-0-0x0000000074081000-0x0000000074082000-memory.dmp
  Filesize: 4KB
- memory/2116-1-0x0000000074080000-0x000000007462B000-memory.dmp
  Filesize: 5.7MB
- memory/2116-2-0x0000000074080000-0x000000007462B000-memory.dmp
  Filesize: 5.7MB
- memory/2116-3-0x0000000074080000-0x000000007462B000-memory.dmp
  Filesize: 5.7MB
- memory/2116-5-0x0000000074080000-0x000000007462B000-memory.dmp
  Filesize: 5.7MB
- memory/2116-10-0x0000000074080000-0x000000007462B000-memory.dmp
  Filesize: 5.7MB