netwire | e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538

General

Target

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
Size

852KB
MD5

fd71393eda58df36ee3618f526ffb3e0
SHA1

0d1a0cd0660099f34f8620dd7b338b0b6ab3671d
SHA256

e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538
SHA512

b22aed4b27466d9bde1236bf7643e8f81c148e9f4e7bce92b93abb9513b61935bd4fdb6648ffa5338f395f38a90fbbd11fb410dd80f82755093c5a15dceaadd3
SSDEEP

24576:iRmJkcoQricOIQxiZY1iaSAD00jSORI6Ttm8:3JZoQrbTFZY1iaSADmO

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Extracted

Family

netwire

C2

benti.ddns.net:3350

Attributes

activex_autorun
true
activex_key
{2FMC35P2-J0LB-143R-SR61-UGN00XFQ045P}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Adobe
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2544-16-0x0000000000400000-0x0000000000422000-memory.dmp	netwire
behavioral1/memory/2544-18-0x0000000000400000-0x0000000000422000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2544-8-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2544-10-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2544-6-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2544-14-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2544-16-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2544-18-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2672-17-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-20-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-23-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-22-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-24-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-26-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-25-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2672-30-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

description	pid	process	target process
PID 1044 set thread context of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2720 2544 WerFault.exe fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

pid	pid_target	process	target process
2720	2544	WerFault.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exefd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

pid	process
2092	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

pid	process
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

pid	process
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

pid process

2672 fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

pid	process
2672	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exefd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exefd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\lol.bin
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 116
4⤵
- Program crash
PID:2720

C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lol.bin
Filesize
134KB

MD5
f0dd33ff1510513d62905d914a4c0374

SHA1
117a4b5d34409a199d31bcfffc06494fe1b879ad

SHA256
60953008cd8aa7f9163a6703268fd6cdbfea13f759fbdabab5dc26e3444ede55

SHA512
0f32c9384a1541259f92f3143da579352c74b98bf9046bec6ff410e0bdc5ff38bca33cc8a64cca5f4d2115767079da2e178432a5c4c3b1dad1611613e33c6783

Download Submit
C:\Users\Admin\AppData\Local\Temp\pid.txt
Filesize
4B

MD5
f0f6ba4b5e0000340312d33c212c3ae8

SHA1
f40c22f2dc6461f1cd9243ad4df239052f78040f

SHA256
18177338c3669a1314d644b7f4ecfd18a5c735e819edf1e2062c3bc354d0dd7f

SHA512
b9537ba03e00791da5b07082b0a6ce3b087af1620f122c59f02edfc589d55794141496311841da65992cf9fc369d05d40a573d37b90da7f0228cc150c1c39988

Download Submit
memory/2544-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-10-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-6-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2544-18-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2672-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-22-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-24-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-25-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2672-30-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

description	pid	process	target process
PID 2092 wrote to memory of 1044	2092	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 2092 wrote to memory of 1044	2092	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 2092 wrote to memory of 1044	2092	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 2092 wrote to memory of 1044	2092	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2544	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
PID 2544 wrote to memory of 2720	2544	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	WerFault.exe
PID 2544 wrote to memory of 2720	2544	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	WerFault.exe
PID 2544 wrote to memory of 2720	2544	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	WerFault.exe
PID 2544 wrote to memory of 2720	2544	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	WerFault.exe
PID 1044 wrote to memory of 2672	1044	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads