Analysis

  • max time kernel
    148s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-06-2024 17:15

General

  • Target

    bd757716c49f28b3b5fdd4889622ac88_JaffaCakes118.msi

  • Size

    636KB

  • MD5

    bd757716c49f28b3b5fdd4889622ac88

  • SHA1

    4a0aa1abddc6b37e1f1cec49944ce1a86c1c0ed6

  • SHA256

    de60cb399e76b142afc3f7876e2228d6d8c17fd4d3dc7e6f9084172543f6c327

  • SHA512

    557a3b0be972d2d3402a4a8846bdfb182389a4d575c722386cc67e8ce7d868bac26f169e40a397ad7f2851ac62fc58fca220772228616a000f6c7b0dfef994f6

  • SSDEEP

    12288:BE5y8d0ZBrXbv2/q+BZZPhZfg5YJeIIBy:BEEZB2/qgZ0a

Malware Config

Extracted

  • Family
    netwire
  • C2
    185.84.181.80:3360

Attributes

  • activex_autorun
    false
  • copy_executable
    false
  • delete_original
    false
  • host_id
    HostId-%Rand%
  • keylogger_dir
    %AppData%\Logs\
  • lock_executable
    false
  • offline_keylogger
    true
  • password
    Password
  • registry_autorun
    false
  • use_mutex
    false

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bd757716c49f28b3b5fdd4889622ac88_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2416
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\Installer\MSI3A83.tmp
      "C:\Windows\Installer\MSI3A83.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\Installer\MSI3A83.tmp
        "C:\Windows\Installer\MSI3A83.tmp"
        3⤵
        • Executes dropped EXE
        PID:3000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2608
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005AC" "00000000000005A0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Event Triggered Execution (T1546): 1
      • Installer Packages (T1546.016): 1
  • Privilege Escalation
    • Event Triggered Execution (T1546): 1
      • Installer Packages (T1546.016): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Config.Msi\f76398b.rbs
    Filesize

    663B

    MD5

    0cd7b7f3cfaa6e99f463d3961fbb6957

    SHA1

    0f98a402f12f508275788504a144e6dc894f0db8

    SHA256

    f952a8a5f91d732dd9e269cb47144f577ee8036c47d1eda143509884796f9f2e

    SHA512

    d5cca96bcf806f22ab21c4e1e145321a7cf917989fbf6cc39c58521826d815c6a71a98f421739b6d530c9638444c4ce4d6084bdff951ebc25eb863fd72728231

  • C:\Windows\Installer\MSI3A83.tmp
    Filesize

    612KB

    MD5

    08e5d4bf2798a5f830d46435fe0dfda8

    SHA1

    707cf924e41cec93560acd7469fea2bc890d8f72

    SHA256

    99fbb00a465c7d47ea64416934e9e01a614d8e6c900d89b0e32e815809cb4985

    SHA512

    09b4546e4da4d5116d9f17edcca3bade32a417867126e17bb750d14972a912caf5f1f2584efaf76ff19f373ad1edba36b973d3fb1ba28e356910531533b694a8

  • memory/3000-16-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/3000-18-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/3000-29-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB