Analysis
-
max time kernel
145s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 15:10
Static task
static1
Behavioral task
behavioral1
Sample
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
-
Size
620KB
-
MD5
126a93893a231d0d04d51c062ffacb24
-
SHA1
2dc7626161923496e1161321564649de8a505462
-
SHA256
8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20
-
SHA512
7ead5d82543478d48820429fa78a6b47c4b96f9a081d6599bc7f47208acc73dee20b97345f971b7298642fb4104d90eb8a660cbdc8f592449410cba459d46715
-
SSDEEP
6144:jIgLd7M38csN+OepKstohqNuPSzjRfXfqSicv2oJ04YIEr7rwdaJ:JNMJzpWhYvRfXiSicbJ0d7rco
Malware Config
Extracted
netwire
Wealthybond.ddns.me:39560
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
uElWAoFe
-
offline_keylogger
true
-
password
sucess
-
registry_autorun
false
-
use_mutex
true
Signatures
-
NetWire RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1928-31-0x0000000000400000-0x000000000049D000-memory.dmp netwire -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
Elektroteknikkerne3.exeElektroteknikkerne3.exepid process 1036 Elektroteknikkerne3.exe 1928 Elektroteknikkerne3.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Elektroteknikkerne3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Fejdendes = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Elektroteknikkerne3.vbs\"" Elektroteknikkerne3.exe -
Drops file in Windows directory 4 IoCs
Processes:
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exedescription ioc process File opened for modification C:\Windows\win.ini 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe File opened for modification C:\Windows\win.ini 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe File opened for modification C:\Windows\win.ini Elektroteknikkerne3.exe File opened for modification C:\Windows\win.ini Elektroteknikkerne3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exepid process 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 1036 Elektroteknikkerne3.exe 1036 Elektroteknikkerne3.exe 1928 Elektroteknikkerne3.exe 1928 Elektroteknikkerne3.exe -
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exepid process 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 1036 Elektroteknikkerne3.exe 1036 Elektroteknikkerne3.exe 1928 Elektroteknikkerne3.exe 1928 Elektroteknikkerne3.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exeElektroteknikkerne3.exepid process 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 1036 Elektroteknikkerne3.exe 1928 Elektroteknikkerne3.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exeElektroteknikkerne3.exedescription pid process target process PID 1380 wrote to memory of 2736 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe PID 1380 wrote to memory of 2736 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe PID 1380 wrote to memory of 2736 1380 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe PID 2736 wrote to memory of 1036 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe Elektroteknikkerne3.exe PID 2736 wrote to memory of 1036 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe Elektroteknikkerne3.exe PID 2736 wrote to memory of 1036 2736 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe Elektroteknikkerne3.exe PID 1036 wrote to memory of 1928 1036 Elektroteknikkerne3.exe Elektroteknikkerne3.exe PID 1036 wrote to memory of 1928 1036 Elektroteknikkerne3.exe Elektroteknikkerne3.exe PID 1036 wrote to memory of 1928 1036 Elektroteknikkerne3.exe Elektroteknikkerne3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Elektroteknikkerne3.exeFilesize
620KB
MD5c8b740d5083715048f6ec93a3fdc627c
SHA1754919550bdd0d8c911e2a8f064a474d0cdeb457
SHA2567cc46b7baca763d9a1ec051befb75e5d2e6e30aeffd76613d149e6ccb6f9e42b
SHA5129ca26f1f9f716320792804152eda11c17f85f55fbb02fea7f074415d72c87795dbb34ecc3944042f1597c5c64b3da4c19f30c123d24d9ddee01c772f5d2d366e
-
C:\Windows\win.iniFilesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06
-
memory/1380-3-0x00000000038E0000-0x00000000039E0000-memory.dmpFilesize
1024KB
-
memory/1380-4-0x0000000077481000-0x00000000775A1000-memory.dmpFilesize
1.1MB
-
memory/1928-31-0x0000000000400000-0x000000000049D000-memory.dmpFilesize
628KB
-
memory/2736-11-0x0000000002C20000-0x0000000002D20000-memory.dmpFilesize
1024KB