Analysis

max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 17:05
Static task: static1
Behavioral task: behavioral1
Sample: af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
Resource: win7-20240611-en

General

Target: af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
Size: 392KB
MD5: af79eb8a77c46f99d2a80841353679d2
SHA1: d07a388f144864a69d3b1fb9f6b83a5a9fc01b4d
SHA256: a7374e3645615c6c1c7326ccdab9c6743ed71723397524a15b1548d2c1a24a15
SHA512: aa88e883bf3f1c1387283e0e68b40cf13e55501c328ac26efa663c943d9b9bf6f8f0e0d5a8162783feadde3d2e4f7279d6a327ba9c2dc2e77c05042e42e5e3c4
SSDEEP: 6144:fNXqRB78GUgn+DTCcfBLy+SnpsuXBKnVN0tYyvrn:VXqr78GU8G98RKVGr
Malware Config

Extracted
Family: netwire
C2: wealthyman.brasilia.me:39560
activex_autorun: false
copy_executable: false
delete_original: false
host_id: WEALTH
keylogger_dir: %AppData%\music\
lock_executable: false
offline_keylogger: true
password: sucess
registry_autorun: false
use_mutex: false

Note that every built-in NetWire autorun option (activex_autorun, registry_autorun, copy_executable) is disabled in this configuration; the persistence seen in this run comes from the scheduled task the submitted sample registers for the dropped Bantamvgteren.exe (see Processes), not from the RAT's own config. The offline keylogger is enabled and writes under %AppData%\music\, which is the directory to collect during triage.
Signatures

NetWire RAT payload (1 IoC)
  resource: behavioral1/memory/7312-17900-0x0000000000400000-0x000000000042C000-memory.dmp
  yara_rule: netwire

Executes dropped EXE (1 IoC)
  pid 7312  Bantamvgteren.exe

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\Windows\win.ini  af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
  File opened for modification  C:\Windows\win.ini  Bantamvgteren.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2804  af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
  pid 7312  Bantamvgteren.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid 7312  Bantamvgteren.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2804 (af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe) wrote to memory of PID 7176 (schtasks.exe)  (4 events)
  PID 2804 (af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe) wrote to memory of PID 7248 (schtasks.exe)  (4 events)
  PID 7280 (taskeng.exe) wrote to memory of PID 7312 (Bantamvgteren.exe)  (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe  (PID 2804)
  command line: "C:\Users\Admin\AppData\Local\Temp\af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 7176)
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Minters4" /TR "C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe  (PID 7248)
      command line: "C:\Windows\System32\schtasks.exe" /run /tn "Minters4"

    (The command lines name System32 but the image loaded is SysWOW64\schtasks.exe: the 32-bit parent is subject to WOW64 file-system redirection. Detections keyed on the image path must account for both locations.)

C:\Windows\system32\taskeng.exe  (PID 7280)
  command line: taskeng.exe {B5620E5B-E1A9-43DE-BFAD-812FE17665B2} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe  (PID 7312)
      command line: C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of UnmapMainImage

The chain is: the submitted sample registers a task named "Minters4" with a one-minute trigger whose action is the dropped Bantamvgteren.exe, then immediately runs the task; the Task Scheduler host (taskeng.exe on Windows 7) launches the dropped binary, and it is this child (PID 7312) whose memory matches the netwire YARA rule. The RAT therefore never runs as a child of the original sample, which breaks naive parent/child detections.
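The schtasks create-then-run chain above is a compact pattern to detect. The following is an added example written for this page, not code from the sandbox vendor or from the sample: it replays constructed process-creation events modelled on the process tree in this report (same PIDs, image paths and command lines) and flags a parent that registers a scheduled task whose action lives in a user-writable directory and then runs that task straight away, and it checks whether the Task Scheduler host later spawned the action binary. The event field names (pid, ppid, image, cmdline) are an assumption; map them from Sysmon Event ID 1 or Security 4688 as appropriate. It keys on the image path rather than the command line, so the SysWOW64/System32 redirection seen above does not matter.

```python
"""Detect the schtasks create-then-run persistence chain from this report.

Added example, not part of the sandbox report: the EVENTS below are constructed
records modelled on the report's process tree, not a real log export.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed events modelled on the report's process tree. PIDs, image paths
# and command lines are copied from the report; the record layout is assumed.
EVENTS = [
    {"pid": 2804, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe"'},
    {"pid": 7176, "ppid": 2804, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Minters4" /TR "C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe"'},
    {"pid": 7248, "ppid": 2804, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /run /tn "Minters4"'},
    {"pid": 7280, "ppid": 1, "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {B5620E5B-E1A9-43DE-BFAD-812FE17665B2} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]"},
    {"pid": 7312, "ppid": 7280, "image": r"C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe"},
]

# Directories an unprivileged user can write to; a task action here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
# Task Scheduler hosts: taskeng.exe on Windows 7, svchost.exe (-s Schedule) on Windows 10+.
TASK_HOSTS = ("\\taskeng.exe", "\\svchost.exe")


@dataclass
class Finding:
    parent_pid: int
    parent_image: str
    task_name: str
    action: str
    executed: bool
    reasons: list[str] = field(default_factory=list)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(tokens: list[str]) -> dict[str, str | bool]:
    """Map schtasks /switches (case-insensitive) to their values; valueless switches map to True."""
    opts: dict[str, str | bool] = {}
    i = 1  # tokens[0] is the executable path
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def detect_schtasks_persistence(events: list[dict]) -> list[Finding]:
    """Flag a parent that creates a task and then runs it, correlating on (ppid, task name)."""
    by_pid = {e["pid"]: e for e in events}
    created: dict[tuple[int, str], dict] = {}
    findings: list[Finding] = []
    for e in events:
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        opts = parse_schtasks(tokenize(e["cmdline"]))
        key = (e["ppid"], str(opts.get("tn", "")).lower())
        if "create" in opts and isinstance(opts.get("tr"), str):
            created[key] = opts
        elif "run" in opts and key in created:
            c = created[key]
            action = str(c["tr"])
            reasons = ["same parent creates the task and immediately runs it"]
            if USER_WRITABLE.search(action):
                reasons.append("task action lives in a user-writable directory")
            if str(c.get("sc", "")).upper() == "MINUTE":
                reasons.append("/SC MINUTE trigger (re-executes every minute)")
            # Did the Task Scheduler host actually launch the action binary?
            executed = any(
                x["image"].lower() == action.lower()
                and by_pid.get(x["ppid"], {}).get("image", "").lower().endswith(TASK_HOSTS)
                for x in events
            )
            if executed:
                reasons.append("action binary later spawned by the Task Scheduler host")
            parent = by_pid.get(e["ppid"], {})
            findings.append(Finding(e["ppid"], parent.get("image", "?"),
                                    str(c.get("tn", "")), action, executed, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_schtasks_persistence(EVENTS):
        print(f"PID {f.parent_pid} ({f.parent_image}) -> task {f.task_name!r} -> {f.action}")
        for r in f.reasons:
            print("  -", r)
```

Correlating on the parent PID plus task name is what ties the /Create and /run together; the fourth reason only fires when a later event shows the action binary running under the scheduler host, which is the part of the chain (taskeng.exe -> Bantamvgteren.exe) that a plain parent/child rule on the original sample would miss.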
Downloads

C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe
  Filesize: 392KB  (same size as the submitted sample, but different hashes)
  MD5: cd2bd627123db0ea0c2bbb428e830bfb
  SHA1: 3cc80c258bb30b2ad4815427ec57b7a19ba2cc00
  SHA256: 480310f5e5d0605c22a5cf739559a6f2176220b0df7a488ae1753ca33e186a46
  SHA512: e4ac28d670eb47733e1368dc1b8b8864943e552bd17bc682bd56920c21e218264f555f3833f1e9733cf706b45ac26e7d7c9280b50136e9facf25bc5340bcb1a2

C:\Windows\win.ini
  Filesize: 497B
  MD5: 80f15b158c49b73757d1dde727355db7
  SHA1: 212a5c033130af8e8254d2b7a4a6c8762628ec91
  SHA256: 0df5cecf65125ca8de5b8a599400bda1aa3700b43f9f73ac91c2261da7946368
  SHA512: 767af13228a26d8b8ff2dfdefa223045638df6e37d4e614274c425e2e70cd12125a933946da286c1375e892668decd732300e22d301b4c8087f887dabf13050a

C:\Windows\win.ini  (second capture; these are the digests of a zero-length input, i.e. the file was captured empty)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2804-8947-0x00000000770B0000-0x0000000077186000-memory.dmp
  Filesize: 856KB

memory/2804-8948-0x000000000BAA0000-0x000000000C55A000-memory.dmp
  Filesize: 10.7MB

memory/7312-17900-0x0000000000400000-0x000000000042C000-memory.dmp
  Filesize: 176KB  (image region of Bantamvgteren.exe, PID 7312; this is the dump that matched the netwire YARA rule)