netwire | 3b64f3a5655db4fd8e54db5398e5527e77f9731b80ff22378caae7b2d631437d

General

Target

1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe
Size

393KB
MD5

1936832fc3fa98eb6e6ab8b2bcf06035
SHA1

cc25ac3fb94fe6409fa8a661f1ad9aa11bdd8306
SHA256

3b64f3a5655db4fd8e54db5398e5527e77f9731b80ff22378caae7b2d631437d
SHA512

fabeaca361f7a4bdcca12a767113e84e2248892cef7a6237c03674fb05f3eb1b93ac5a78536766ca3ccb5bf5cdd2091e713e9403189aed223b79e51650a04ca5
SSDEEP

6144:mCbQchTwXNYeiLX4AmFrcPKSdj/4KngWIq6jRkbkN:l7hTwXifX4TFgSSKKngWIjok

Score

10^/10

netwire zgrat botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

mlhdns.phatbois.me:4772

mlhdns.pandabearsunited.xyz:4772

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2992-3-0x0000000000460000-0x0000000000480000-memory.dmp	family_zgrat_v1

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2240-10-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2240-11-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2240-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	mhhkjk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mhhkjk.exe -boot"	mhhkjk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 2240	2996	mhhkjk.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe
Token: SeDebugPrivilege	2996	mhhkjk.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2604	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2604	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2604	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2604	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	28
PID 2992 wrote to memory of 2824	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2824	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2824	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	30
PID 2992 wrote to memory of 2824	2992	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2996	2696	explorer.exe	32
PID 2696 wrote to memory of 2996	2696	explorer.exe	32
PID 2696 wrote to memory of 2996	2696	explorer.exe	32
PID 2696 wrote to memory of 2996	2696	explorer.exe	32
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33
PID 2996 wrote to memory of 2240	2996	mhhkjk.exe	33

C:\Users\Admin\AppData\Local\Temp\1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe"
  2⤵
  - Drops startup file
  PID:2604
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe"
  2⤵
  PID:2824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe

Filesize
393KB

MD5
1936832fc3fa98eb6e6ab8b2bcf06035

SHA1
cc25ac3fb94fe6409fa8a661f1ad9aa11bdd8306

SHA256
3b64f3a5655db4fd8e54db5398e5527e77f9731b80ff22378caae7b2d631437d

SHA512
fabeaca361f7a4bdcca12a767113e84e2248892cef7a6237c03674fb05f3eb1b93ac5a78536766ca3ccb5bf5cdd2091e713e9403189aed223b79e51650a04ca5

Download Submit
memory/2240-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2240-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2240-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2992-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x00000000003F0000-0x0000000000458000-memory.dmp

Filesize
416KB

Download
memory/2992-2-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-3-0x0000000000460000-0x0000000000480000-memory.dmp

Filesize
128KB

Download
memory/2992-6-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2996-9-0x0000000000CA0000-0x0000000000D08000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads