netwire | e37779b6dd136ffc0248d95fcc6a5f5120d8cce48c5b39c56744f0f660c593de

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/04/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
Size

476KB
MD5

6b588f10b8814fce208026eed63ff8b0
SHA1

7074e305ab66eac5dc2ec8bb99282c00bc5bdfb7
SHA256

e37779b6dd136ffc0248d95fcc6a5f5120d8cce48c5b39c56744f0f660c593de
SHA512

92663f54c80ef082d2bdb59e7a1735e441ce51dc0ebf0c2b3d4a7fd4021ccb1a04242299f30b6fbee4a6f43e20f0c875bbda2afc5bd80a6d2ebd128be198feb5
SSDEEP

6144:iYY7Vh8F5RbioPIUsI192HNl+w9GwAUIV52nBmGjUjkiEiLLeeLubfiVUEJvYgQ1:ipJh4ooVZ9izGwA952nBZ2OifelOJj

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

william1979.ddns.net:4417

mathkros79.ddns.net:4417

engine79.ddns.net:4417

chrisle79.ddns.net:4417

jacknop79.ddns.net:4417

smath79.ddns.net:4417

whatis79.ddns.net:4417

goodgt79.ddns.net:4417

bonding79.ddns.net:4417

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Oct 2017
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password2$
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 13 IoCs

rat

resource	yara_rule
behavioral1/files/0x0005000000018698-16.dat	netwire
behavioral1/memory/1264-34-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1264-37-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1264-40-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1264-43-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-53-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-54-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1264-55-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-58-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-60-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-62-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-64-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1668-66-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1668	tmp.exe
1264	svhost.exe

Loads dropped DLL 5 IoCs

pid	Process
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1744	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2348	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2348	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2348	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2348	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	30
PID 2348 wrote to memory of 876	2348	cmd.exe	32
PID 2348 wrote to memory of 876	2348	cmd.exe	32
PID 2348 wrote to memory of 876	2348	cmd.exe	32
PID 2348 wrote to memory of 876	2348	cmd.exe	32
PID 2220 wrote to memory of 1668	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1668	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1668	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1668	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	33
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 1264	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	34
PID 2220 wrote to memory of 516	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	35
PID 2220 wrote to memory of 516	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	35
PID 2220 wrote to memory of 516	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	35
PID 2220 wrote to memory of 516	2220	6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe	35
PID 516 wrote to memory of 1744	516	cmd.exe	37
PID 516 wrote to memory of 1744	516	cmd.exe	37
PID 516 wrote to memory of 1744	516	cmd.exe	37
PID 516 wrote to memory of 1744	516	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b588f10b8814fce208026eed63ff8b0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    PID:876
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
192B

MD5
2635074d7f7e0d207beb83ce59970114

SHA1
16dbeff80010f5f6a5b3366397a196333bdc2a79

SHA256
9ccaaadc4fa9c321a486c5ed45587cb17c3cb282ad1a15e010c6b2e8324ad2dd

SHA512
61371dc2ad275594f8c688787e75b7e5dae86f4dc25556d93502bd0187a13f4a6c12cdd79293667fe573be57dbd8fc846421fa449dbb4c7f9bf97212499ac36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.jpg

Filesize
476KB

MD5
6b588f10b8814fce208026eed63ff8b0

SHA1
7074e305ab66eac5dc2ec8bb99282c00bc5bdfb7

SHA256
e37779b6dd136ffc0248d95fcc6a5f5120d8cce48c5b39c56744f0f660c593de

SHA512
92663f54c80ef082d2bdb59e7a1735e441ce51dc0ebf0c2b3d4a7fd4021ccb1a04242299f30b6fbee4a6f43e20f0c875bbda2afc5bd80a6d2ebd128be198feb5

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
2e5f1cf69f92392f8829fc9c9263ae9b

SHA1
97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5

SHA256
51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b

SHA512
f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
89KB

MD5
cdde9af77fa6ad86a8c335337c2ae5ca

SHA1
00f03239d08d1bc6e9986a82c0b43048b9e10a61

SHA256
4e77720762fb65c577aa94e3861afa1a0412da0eebd5023f5308c9b0e36c3c36

SHA512
6027decfc375ff3371ae08c882f2bd41eeeaf7ce479e80dbbf6fd3dc9d9f7b4443aeeb818a56c4093418aa9803b91f9af7e9ec92216893622dfdf16d5b037733

Download Submit
memory/1264-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1264-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2220-0-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-2-0x00000000023C0000-0x0000000002400000-memory.dmp

Filesize
256KB

Download
memory/2220-52-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download
memory/2220-1-0x0000000075010000-0x00000000755BB000-memory.dmp

Filesize
5.7MB

Download