netwire | 508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0

General

Target

ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
Size

1.2MB
MD5

ea0126d07ca352687cd80de06cbcb6f7
SHA1

12dab64dd13e2f6c02c9639e6d88deeadcedcccd
SHA256

508363ac23d75a1e265f6ba9dc64f3fe227ec361f8ebfa21d03bbed7a2c878c0
SHA512

46337c02e847cb6e0e3688d83396584cdad73636c95b8985522183dd0ae440ba4ef45eaa77e62de83c3c81ecc23366bcd58a575384776295932b0ba280663fb0
SSDEEP

24576:AAOcZwdf+OD0+Oxbuk8E33NtEFd9imt3fO+veij:efOxbuhs4zj

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Netwir
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
pHJVBoFH
offline_keylogger
true
password
master12
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4624-46-0x0000000000960000-0x0000000000E60000-memory.dmp	netwire
behavioral2/memory/4624-48-0x0000000000960000-0x0000000000E60000-memory.dmp	netwire
behavioral2/memory/4624-49-0x0000000000960000-0x0000000000E60000-memory.dmp	netwire
behavioral2/memory/4624-50-0x0000000000960000-0x0000000000E60000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	otruv.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\60498075\\otruv.pif C:\\Users\\Admin\\60498075\\IQWNGE~1.USC"	otruv.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 4624	2308	otruv.pif	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2308	1228	ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe	88
PID 1228 wrote to memory of 2308	1228	ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe	88
PID 1228 wrote to memory of 2308	1228	ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe	88
PID 2308 wrote to memory of 4624	2308	otruv.pif	94
PID 2308 wrote to memory of 4624	2308	otruv.pif	94
PID 2308 wrote to memory of 4624	2308	otruv.pif	94
PID 2308 wrote to memory of 4624	2308	otruv.pif	94
PID 2308 wrote to memory of 4624	2308	otruv.pif	94

C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea0126d07ca352687cd80de06cbcb6f7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\60498075\otruv.pif
  "C:\Users\Admin\60498075\otruv.pif" iqwngegkog.usc
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\60498075\iqwngegkog.usc

Filesize
168.1MB

MD5
803bb85e4681c4c97188ea251be186a5

SHA1
f4268e3fbc25c6af75ad2ce7f024aa5d07f3786f

SHA256
268d50b171ec5d2d642537d97bef2b1e2c22d6d110c745fc8cd78208f71c88c8

SHA512
d4723846d08c220d2256382cb37db705d00be9a0706b8d184c47251b0067f98457e9f6c507118fe6d21c16cc3ff87f9a1b1eefd29b19bf63e2a95a9f1e412b64

Download Submit
C:\Users\Admin\60498075\otruv.pif

Filesize
646KB

MD5
208b6eb9bd9304bb409265cb3c924da4

SHA1
f08040e503a022319bb2cccd39867629211568c9

SHA256
b6f7607ed1866b34da77cbf481b8da0156122565b04ba3d5678d1b9b50eb1e1e

SHA512
d79fb196beafeba5e578b6584d5f47583425a2a3b150f690a17f20a0860288f170c6ade94d6f76ed85e9e0259e3878ba1bf830283f36e20c9cf9d370597799c8

Download Submit
C:\Users\Admin\60498075\rcvqk.xls

Filesize
375KB

MD5
179c3d4b1802089203155707d273018a

SHA1
5a9ad9a6ba0f3a5e027a8ee2b8fc816a773c3aab

SHA256
9f086611ed37523b44c5e451c3e1e5a1f5744076e88b271bc2b9c4c036efbccd

SHA512
4989e0860d1911254bc63815eff34b617421c6894d67eb1f2d08a8fcc53e5e192a77a62a713988b7119529027a6b2779ab6e14f62c11d5895f09b5f73ffd758e

Download Submit
memory/4624-46-0x0000000000960000-0x0000000000E60000-memory.dmp

Filesize
5.0MB

Download
memory/4624-48-0x0000000000960000-0x0000000000E60000-memory.dmp

Filesize
5.0MB

Download
memory/4624-49-0x0000000000960000-0x0000000000E60000-memory.dmp

Filesize
5.0MB

Download
memory/4624-50-0x0000000000960000-0x0000000000E60000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads