netwire | f1b4a215a84e80e11e558a5c995fd05fe34838aacf38763ca11d5714f4f63091

General

Target

2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
Size

362KB
MD5

2a3f7f15ae8521504021f70d028c4b3d
SHA1

78130866eeaa2cc64fbdee360f18895058a81cad
SHA256

f1b4a215a84e80e11e558a5c995fd05fe34838aacf38763ca11d5714f4f63091
SHA512

05479fc0547c006d5fa39a12405433ac575dd5f7db00bc11176f1800ac70c7cc272a7d9aa8c5029e7949c766462441310de906c9503739fbe176ea2ede65751a
SSDEEP

6144:rR7PBeJA8J4bTXax4cK0jzzbRe8t35h6DUEVtI7j2:RPB/Wjde8tJhOUEtC

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1836-11-0x0000000000780000-0x00000000007A0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bitpay.exe.lnk	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1836	Bitpay.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2376	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\nwjs\Bitpay.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 992	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	95
PID 2604 wrote to memory of 992	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	95
PID 2604 wrote to memory of 992	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	95
PID 992 wrote to memory of 1532	992	cmd.exe	97
PID 992 wrote to memory of 1532	992	cmd.exe	97
PID 992 wrote to memory of 1532	992	cmd.exe	97
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 1836	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	98
PID 2604 wrote to memory of 4088	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	99
PID 2604 wrote to memory of 4088	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	99
PID 2604 wrote to memory of 4088	2604	2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe	99
PID 4088 wrote to memory of 2376	4088	cmd.exe	101
PID 4088 wrote to memory of 2376	4088	cmd.exe	101
PID 4088 wrote to memory of 2376	4088	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a3f7f15ae8521504021f70d028c4b3d_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nwjs\Bitpay.exe.lnk" /f
    3⤵
    PID:1532
- C:\Users\Admin\AppData\Local\Temp\Bitpay.exe
  "C:\Users\Admin\AppData\Local\Temp\Bitpay.exe"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\nwjs\Bitpay.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 69060
    3⤵
    - Delays execution with timeout.exe
    PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bitpay.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
C:\Users\Admin\AppData\Roaming\nwjs\Bitpay.exe

Filesize
362KB

MD5
2a3f7f15ae8521504021f70d028c4b3d

SHA1
78130866eeaa2cc64fbdee360f18895058a81cad

SHA256
f1b4a215a84e80e11e558a5c995fd05fe34838aacf38763ca11d5714f4f63091

SHA512
05479fc0547c006d5fa39a12405433ac575dd5f7db00bc11176f1800ac70c7cc272a7d9aa8c5029e7949c766462441310de906c9503739fbe176ea2ede65751a

Download Submit
C:\Users\Admin\AppData\Roaming\nwjs\Bitpay.exe.bat

Filesize
202B

MD5
1417d92e6f1e735adc4a812ab8609217

SHA1
b7a2e8301ea37a49121e23d3b961ffebe07334b3

SHA256
ec6fba9f00c94107fcf80233d3a8d14f7f00620de0255ba3bef7efc06f86cd58

SHA512
288bf17712f16dfb87f81b6df3a82a7e88741fd0913b27f10eecea30ef19bb21e45a81e10cc830d1a2014cb48899b5e1cca09433b9805d75c978f84cffa4e7a0

Download Submit
memory/1836-11-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/2604-0-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-1-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2604-2-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2604-15-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing