Analysis

  • max time kernel
    146s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-06-2024 17:15

General

  • Target

    bd757716c49f28b3b5fdd4889622ac88_JaffaCakes118.msi

  • Size

    636KB

  • MD5

    bd757716c49f28b3b5fdd4889622ac88

  • SHA1

    4a0aa1abddc6b37e1f1cec49944ce1a86c1c0ed6

  • SHA256

    de60cb399e76b142afc3f7876e2228d6d8c17fd4d3dc7e6f9084172543f6c327

  • SHA512

    557a3b0be972d2d3402a4a8846bdfb182389a4d575c722386cc67e8ce7d868bac26f169e40a397ad7f2851ac62fc58fca220772228616a000f6c7b0dfef994f6

  • SSDEEP

    12288:BE5y8d0ZBrXbv2/q+BZZPhZfg5YJeIIBy:BEEZB2/qgZ0a

Malware Config

Extracted

Family

netwire

C2

185.84.181.80:3360

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Signatures

  • NetWire RAT payload 3 IoCs
  • Netwire

    Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bd757716c49f28b3b5fdd4889622ac88_JaffaCakes118.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5076
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4816
    • C:\Windows\Installer\MSI8A8E.tmp
      "C:\Windows\Installer\MSI8A8E.tmp"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\Installer\MSI8A8E.tmp
        "C:\Windows\Installer\MSI8A8E.tmp"
        3⤵
        • Executes dropped EXE
        PID:2272
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:528

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • T1546 Event Triggered Execution (1)
  • T1546.016 Installer Packages (1)

Privilege Escalation
  • T1546 Event Triggered Execution (1)
  • T1546.016 Installer Packages (1)

Discovery
  • T1012 Query Registry (2)
  • T1120 Peripheral Device Discovery (2)
  • T1082 System Information Discovery (2)


Downloads

  • C:\Config.Msi\e578996.rbs
    Filesize

    663B

    MD5

    fccf5f22403662da11f164d58e8df0d6

    SHA1

    90f36d3c5daa0bfe59bb607bf33abbe277d81f18

    SHA256

    c9502025bfd580f0c128aef93efbd2bb89d02484351fcadccbbd89001f5c892e

    SHA512

    7accc6f5c2de20def5289ad3d5584370cb86e215b7b25fa2d0c731878f3196c320f9d288fdf6702e3a8c0aff42413e645e71e391a683b85e98dc33b6218ec8e9

  • C:\Windows\Installer\MSI8A8E.tmp
    Filesize

    612KB

    MD5

    08e5d4bf2798a5f830d46435fe0dfda8

    SHA1

    707cf924e41cec93560acd7469fea2bc890d8f72

    SHA256

    99fbb00a465c7d47ea64416934e9e01a614d8e6c900d89b0e32e815809cb4985

    SHA512

    09b4546e4da4d5116d9f17edcca3bade32a417867126e17bb750d14972a912caf5f1f2584efaf76ff19f373ad1edba36b973d3fb1ba28e356910531533b694a8

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    c87df723e446136b515ecc80126e2dae

    SHA1

    3485d80265881bc1b4e401d9d1915d8a0b915e87

    SHA256

    be5bd2e44b513f3e29e876fee546c08b71f43767b65a5a430fc3e9e90ee7fa6c

    SHA512

    0f8be4e159faa9d52d7986c1801ed0010c19aa15d969561c7f6d0fff33ea2402f07ba582a49cb8bc887ec522502dee67d8b114f5a1979d73fb7452623c1bec00

  • \??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ddbb4ae6-61b8-47e1-be09-e0e0652b2c57}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    e9b5dbdbd7a491e6e06d01dee81a6a38

    SHA1

    1b315a4864d77775239c5388e0734719fb4db5d1

    SHA256

    9abe6d5ccff42020268f6aaeb76bd41053219f70690798b61594a17f02685c1e

    SHA512

    6e3a4584d87a6e6b25b3ccee02523b9e0ffabb65cc9ec7b53b2f31235db9ed4e1150b62b578f2dec6c15de73348963bccd11fe8bd97a85c1405e8900be4aa688

  • memory/2272-16-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/2272-18-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB

  • memory/2272-29-0x0000000000400000-0x000000000042C000-memory.dmp
    Filesize

    176KB