netwire | 90b71a327684786c22c7a9f4e7b34c893d40ed0c2e14b49205d1d529857a7a06

General

Target

ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
Size

216KB
MD5

ea952e50775a0c698397e6ec5264efc3
SHA1

35573c9f02b72666de5bc3129e98dbe4e67043d1
SHA256

90b71a327684786c22c7a9f4e7b34c893d40ed0c2e14b49205d1d529857a7a06
SHA512

c075d047369269af168ae7888d46d0dfec885cf4cf38e576c6d2603af86132d53c62807ef9c5344e6afdff2f1c2896c96f55992aeee1f6ecd9920795d4e5c316
SSDEEP

6144:7DP0rJQH2vsWppq4llZVyaDtSECbGOW2eQRB4TPIbjy4IwZpow:7DclFpqcl/yaDtSECxJRB4TPGDp

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

bnatf1.hopto.org:23235

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
fadi1
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4152-11-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4152-15-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/4152-18-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Settings.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Settings.ini	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3472 set thread context of 4152	3472	helper.exe	97

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
3472	helper.exe
3472	helper.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
Token: SeDebugPrivilege	3472	helper.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1464	1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe	87
PID 1884 wrote to memory of 1464	1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe	87
PID 1884 wrote to memory of 1464	1884	ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe	87
PID 1464 wrote to memory of 3472	1464	cmd.exe	89
PID 1464 wrote to memory of 3472	1464	cmd.exe	89
PID 1464 wrote to memory of 3472	1464	cmd.exe	89
PID 3472 wrote to memory of 2096	3472	helper.exe	90
PID 3472 wrote to memory of 2096	3472	helper.exe	90
PID 3472 wrote to memory of 2096	3472	helper.exe	90
PID 2096 wrote to memory of 3952	2096	cmd.exe	93
PID 2096 wrote to memory of 3952	2096	cmd.exe	93
PID 2096 wrote to memory of 3952	2096	cmd.exe	93
PID 3472 wrote to memory of 3008	3472	helper.exe	94
PID 3472 wrote to memory of 3008	3472	helper.exe	94
PID 3472 wrote to memory of 3008	3472	helper.exe	94
PID 3008 wrote to memory of 4532	3008	cmd.exe	96
PID 3008 wrote to memory of 4532	3008	cmd.exe	96
PID 3008 wrote to memory of 4532	3008	cmd.exe	96
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97
PID 3472 wrote to memory of 4152	3472	helper.exe	97

C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea952e50775a0c698397e6ec5264efc3_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Roaming\winapp\helper.exe
    "C:\Users\Admin\AppData\Roaming\winapp\helper.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\webapp" /F
        5⤵
        
        PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\webapp" /XML "C:\Users\Admin\AppData\Local\Temp\888799496.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4532
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Roaming\winapp\helper.exe"
      4⤵
      Drops file in System32 directory
      PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\888799496.xml

Filesize
1KB

MD5
59c70dfa5d029b73c3eb32a03f3d056b

SHA1
2f9e1c5f5a418c67d97298a5b3d81a7831fbdd7c

SHA256
b995a139b4fec78ac7d5d2f2accf3d91838f5c6f341aa2aaf73699f78d3e3256

SHA512
652c864b809b3f8f068dc072680c470a72f3149bcad155c4722bd887b4652075886c8c380c5b1358712f7ea989ab376461737cd6ac5beb8e36844f2adbae7a05

Download Submit
memory/1884-0-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1884-1-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/1884-2-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/1884-4-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/3472-5-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/3472-6-0x0000000001620000-0x0000000001630000-memory.dmp

Filesize
64KB

Download
memory/3472-9-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/3472-14-0x0000000074830000-0x0000000074DE1000-memory.dmp

Filesize
5.7MB

Download
memory/4152-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4152-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4152-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads