netwire | e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
Size

852KB
MD5

fd71393eda58df36ee3618f526ffb3e0
SHA1

0d1a0cd0660099f34f8620dd7b338b0b6ab3671d
SHA256

e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538
SHA512

b22aed4b27466d9bde1236bf7643e8f81c148e9f4e7bce92b93abb9513b61935bd4fdb6648ffa5338f395f38a90fbbd11fb410dd80f82755093c5a15dceaadd3
SSDEEP

24576:iRmJkcoQricOIQxiZY1iaSAD00jSORI6Ttm8:3JZoQrbTFZY1iaSADmO

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

benti.ddns.net:3350

Attributes

activex_autorun
true
activex_key
{2FMC35P2-J0LB-143R-SR61-UGN00XFQ045P}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Adobe
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1780-11-0x0000000000400000-0x0000000000422000-memory.dmp	netwire
behavioral2/memory/1780-16-0x0000000000400000-0x0000000000422000-memory.dmp	netwire
behavioral2/memory/3832-37-0x0000000000400000-0x0000000000422000-memory.dmp	netwire
behavioral2/memory/3832-47-0x0000000000400000-0x0000000000422000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FMC35P2-J0LB-143R-SR61-UGN00XFQ045P}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FMC35P2-J0LB-143R-SR61-UGN00XFQ045P}	Host.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	Host.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
2448	Host.exe
3580	Host.exe
3832	Host.exe
2596	Host.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1780-4-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2428-7-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1780-8-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2428-12-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1780-11-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1780-16-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2428-14-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2428-23-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3832-37-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2596-40-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2596-41-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2596-45-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3832-47-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023405-18.dat	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 set thread context of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 3580 set thread context of 3832	3580	Host.exe	95
PID 3580 set thread context of 2596	3580	Host.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4832	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
4832	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
2448	Host.exe
2448	Host.exe
3580	Host.exe
3580	Host.exe
3580	Host.exe
3580	Host.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
3580	Host.exe
3580	Host.exe
3580	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
3580	Host.exe
3580	Host.exe
3580	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2428	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
2596	Host.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1932	4832	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	89
PID 4832 wrote to memory of 1932	4832	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	89
PID 4832 wrote to memory of 1932	4832	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	89
PID 1932 wrote to memory of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 wrote to memory of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 wrote to memory of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 wrote to memory of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 wrote to memory of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 wrote to memory of 1780	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	91
PID 1932 wrote to memory of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 1932 wrote to memory of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 1932 wrote to memory of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 1932 wrote to memory of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 1932 wrote to memory of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 1932 wrote to memory of 2428	1932	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	92
PID 1780 wrote to memory of 2448	1780	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	93
PID 1780 wrote to memory of 2448	1780	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	93
PID 1780 wrote to memory of 2448	1780	fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe	93
PID 2448 wrote to memory of 3580	2448	Host.exe	94
PID 2448 wrote to memory of 3580	2448	Host.exe	94
PID 2448 wrote to memory of 3580	2448	Host.exe	94
PID 3580 wrote to memory of 3832	3580	Host.exe	95
PID 3580 wrote to memory of 3832	3580	Host.exe	95
PID 3580 wrote to memory of 3832	3580	Host.exe	95
PID 3580 wrote to memory of 3832	3580	Host.exe	95
PID 3580 wrote to memory of 3832	3580	Host.exe	95
PID 3580 wrote to memory of 3832	3580	Host.exe	95
PID 3580 wrote to memory of 2596	3580	Host.exe	96
PID 3580 wrote to memory of 2596	3580	Host.exe	96
PID 3580 wrote to memory of 2596	3580	Host.exe	96
PID 3580 wrote to memory of 2596	3580	Host.exe	96
PID 3580 wrote to memory of 2596	3580	Host.exe	96
PID 3580 wrote to memory of 2596	3580	Host.exe	96

C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\lol.bin
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2448
    - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\lol.bin
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3832
      - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
- - C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fd71393eda58df36ee3618f526ffb3e0_JaffaCakes118.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lol.bin

Filesize
134KB

MD5
f0dd33ff1510513d62905d914a4c0374

SHA1
117a4b5d34409a199d31bcfffc06494fe1b879ad

SHA256
60953008cd8aa7f9163a6703268fd6cdbfea13f759fbdabab5dc26e3444ede55

SHA512
0f32c9384a1541259f92f3143da579352c74b98bf9046bec6ff410e0bdc5ff38bca33cc8a64cca5f4d2115767079da2e178432a5c4c3b1dad1611613e33c6783

Download Submit
C:\Users\Admin\AppData\Local\Temp\pid.txt

Filesize
4B

MD5
f63f65b503e22cb970527f23c9ad7db1

SHA1
3807ac7d80021434c1c1d9029d3fefc5986d354f

SHA256
d8d0dedb4bda4204d0b5e1de5a990a00757aa2d80a64bd97699cad3b3d6fbf5f

SHA512
f13a24d6cdd8105fb9a7777d87377d0f66c125301aefa4c73da39a5986a1adfcd47b4f126f359c711ae6f3ae07716e7d4e53779f08c650a49f0e3c15f17721f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pid.txt

Filesize
4B

MD5
ea9268cb43f55d1d12380fb6ea5bf572

SHA1
8b270ac2c95070830a7bf0c060ae8809c4c06b1a

SHA256
ca4812488ca6357f8d687e2cb7083980d03d25648e75b12593899d04231512ee

SHA512
5d099d087afc0fe8590df9bc57cebedf0ddf6f18837a1e79cb898b833040bb1e2606897153ebe01282e075c77063499a4d3fcad9adc1592d57595766bfb84569

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
852KB

MD5
fd71393eda58df36ee3618f526ffb3e0

SHA1
0d1a0cd0660099f34f8620dd7b338b0b6ab3671d

SHA256
e07abb182a17f0aa383972c376849fd46a74f105a2f2c5f949441028a66c5538

SHA512
b22aed4b27466d9bde1236bf7643e8f81c148e9f4e7bce92b93abb9513b61935bd4fdb6648ffa5338f395f38a90fbbd11fb410dd80f82755093c5a15dceaadd3

Download Submit
memory/1780-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1780-8-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1780-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1780-16-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2428-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-14-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2428-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-41-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3832-37-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3832-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download