netwire | 0e96012b8943538086ce528e979199c5d70c30ed8baac4336f43ae02a410a769

General

Target

04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe
Size

1.2MB
MD5

04bbdd921511f861a0f57266f1b4df74
SHA1

9bc604264b0bbb72e4676a03410b362d13dfc4fe
SHA256

0e96012b8943538086ce528e979199c5d70c30ed8baac4336f43ae02a410a769
SHA512

29a1566adbee4a9271279af58f97746e1cb47f5cd3d046cf4cf7737dc59f9595f80aecca06ff7b9cdb18cd4377958cddb3ee984b1746ba2a954d1bfe1b316da1
SSDEEP

24576:n6dCrRs7z+jfzalONIoo7LGOb7Bwew9s6yApEwviC9P:6YqO1o7/63pEq

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

pd1n.ddns.net:1968

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
pd1n-noip
lock_executable
false
offline_keylogger
false
password
Kimbolsapoq!P12
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3264-32-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3264-36-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral2/memory/3264-40-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
5020	sfdwxncdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fgtyhrtg = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\fgtyhrtg.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5020 set thread context of 3264	5020	sfdwxncdr.exe	97

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.net\Framework\v2.0.50727\.IgHiJkLiO	regasm.exe
File opened for modification	C:\Windows\Microsoft.net\Framework\v2.0.50727\.IgHiJkLiO	regasm.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe
Token: SeDebugPrivilege	5020	sfdwxncdr.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 1364	4796	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe	91
PID 4796 wrote to memory of 1364	4796	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe	91
PID 4796 wrote to memory of 1364	4796	04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe	91
PID 1364 wrote to memory of 5020	1364	cmd.exe	93
PID 1364 wrote to memory of 5020	1364	cmd.exe	93
PID 1364 wrote to memory of 5020	1364	cmd.exe	93
PID 5020 wrote to memory of 3360	5020	sfdwxncdr.exe	94
PID 5020 wrote to memory of 3360	5020	sfdwxncdr.exe	94
PID 5020 wrote to memory of 3360	5020	sfdwxncdr.exe	94
PID 3360 wrote to memory of 4172	3360	cmd.exe	96
PID 3360 wrote to memory of 4172	3360	cmd.exe	96
PID 3360 wrote to memory of 4172	3360	cmd.exe	96
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97
PID 5020 wrote to memory of 3264	5020	sfdwxncdr.exe	97

C:\Users\Admin\AppData\Local\Temp\04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04bbdd921511f861a0f57266f1b4df74_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Roaming\jhgnmklphnm\sfdwxncdr.exe
    "C:\Users\Admin\AppData\Roaming\jhgnmklphnm\sfdwxncdr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "fgtyhrtg" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\fgtyhrtg.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:4172
  - - C:\Windows\Microsoft.net\Framework\v2.0.50727\regasm.exe
      "C:\Users\Admin\AppData\Roaming\jhgnmklphnm\sfdwxncdr.exe"
      4⤵
      Drops file in Windows directory
      PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4584 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_6DEFC1B0F00B73D870DAEE9AD78095DA

Filesize
1KB

MD5
87c9b5aa0aba47f43667849b7ad94679

SHA1
ab92c9d13c7837b041b1015e240e928abbed1210

SHA256
62e7f4c427bb51f537caaaed3a6c07428b6960adf7d2f1af34868467528c6902

SHA512
8906cc2d8a6fd38f531df12594413c5a8755ac0c3af82a7d86a7b17d2678f678df4b62cd4c2eca77199317349eb01bcd1d0cada684a18c3cec5fe7ca8170e4ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A

Filesize
834B

MD5
cbed24fd2b55aea95367efca5ee889de

SHA1
946f48b5c344fd57113845cd483fed5fb9fa3e54

SHA256
1dc8a0fcbe260b77adfe5ad9aaac543239b2a0d9f4e1f3c2657beee4376ffee4

SHA512
c504a11ea576f8ce14de26a0617e22e71e14db0f1dadefc187ce94e4a35a83743c743824e3629899c262aae4772bb86a0ee5bb643db20645483f0c376215ec6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0972B7C417F696E06E186AEB26286F01_6DEFC1B0F00B73D870DAEE9AD78095DA

Filesize
398B

MD5
597b19f36acded84351751f1736499a2

SHA1
9630c1d2f4d7d4da6bb215292774783094e2b709

SHA256
14b0d0d90cf6283e0d96b6f5fc582035d3ba444d30440b4d8a2fc59f64126767

SHA512
8f25092abcb5ba8197e5549a8aca2ff61762178e4bc33a6247e4dedd05d24fb9c8d509cdcf788da2bfd34faa60973066e1424e1443cbed2f7f43f75b2e8e2853

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F

Filesize
392B

MD5
f0871da629c4ddd9510609e1404305c1

SHA1
61e00059cbbcc5892c53193b78f58eb1e3460e48

SHA256
cfc31ecc643b8188057e0fe095090e314c7312fcb9dcc54e7b7e1411430449b4

SHA512
e079eea164f7496cc02fce81e7329cde3d1f5d4bdaa579c6784dd58865721247c557034fcb5d67a4fd7a540bab504d67859c8c9e8f3ff5fd8da0d96ce591b6c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A

Filesize
178B

MD5
2b7fecfa5a0ef9f6dd353da61d9196ac

SHA1
89f15a851e5556b5f8cc947e7828d34a9ac5c7d5

SHA256
dabbd25a1a50c3f652f55aeb2255bdb8156f346e5557bd98c611913af87a394d

SHA512
07c2d66270a827c82751953ec6f1f88a37f6673005a2ae1638acd389d49c99a85293da6378628a47fac617d43bc58670f36cc6626051a1b46cd9c2071c7ed762

Download Submit
C:\Users\Admin\AppData\Roaming\jhgnmklphnm\sfdwxncdr.exe

Filesize
1.2MB

MD5
04bbdd921511f861a0f57266f1b4df74

SHA1
9bc604264b0bbb72e4676a03410b362d13dfc4fe

SHA256
0e96012b8943538086ce528e979199c5d70c30ed8baac4336f43ae02a410a769

SHA512
29a1566adbee4a9271279af58f97746e1cb47f5cd3d046cf4cf7737dc59f9595f80aecca06ff7b9cdb18cd4377958cddb3ee984b1746ba2a954d1bfe1b316da1

Download Submit
memory/3264-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3264-40-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3264-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4796-0-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4796-2-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/4796-1-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/4796-30-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/5020-27-0x0000000001890000-0x00000000018A0000-memory.dmp

Filesize
64KB

Download
memory/5020-34-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/5020-29-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download
memory/5020-20-0x0000000074DE0000-0x0000000075391000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads