netwire | 3b64f3a5655db4fd8e54db5398e5527e77f9731b80ff22378caae7b2d631437d

General

Target

1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe
Size

393KB
MD5

1936832fc3fa98eb6e6ab8b2bcf06035
SHA1

cc25ac3fb94fe6409fa8a661f1ad9aa11bdd8306
SHA256

3b64f3a5655db4fd8e54db5398e5527e77f9731b80ff22378caae7b2d631437d
SHA512

fabeaca361f7a4bdcca12a767113e84e2248892cef7a6237c03674fb05f3eb1b93ac5a78536766ca3ccb5bf5cdd2091e713e9403189aed223b79e51650a04ca5
SSDEEP

6144:mCbQchTwXNYeiLX4AmFrcPKSdj/4KngWIq6jRkbkN:l7hTwXifX4TFgSSKKngWIjok

Score

10^/10

netwire zgrat botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

mlhdns.phatbois.me:4772

mlhdns.pandabearsunited.xyz:4772

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/3572-5-0x00000000051C0000-0x00000000051E0000-memory.dmp	family_zgrat_v1

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1920-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1920-15-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4888	mhhkjk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mhhkjk.exe -boot"	mhhkjk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 1920	4888	mhhkjk.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe
Token: SeDebugPrivilege	4888	mhhkjk.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4920	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	96
PID 3572 wrote to memory of 4920	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	96
PID 3572 wrote to memory of 4920	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	96
PID 3572 wrote to memory of 4140	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	98
PID 3572 wrote to memory of 4140	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	98
PID 3572 wrote to memory of 4140	3572	1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe	98
PID 4892 wrote to memory of 4888	4892	explorer.exe	102
PID 4892 wrote to memory of 4888	4892	explorer.exe	102
PID 4892 wrote to memory of 4888	4892	explorer.exe	102
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106
PID 4888 wrote to memory of 1920	4888	mhhkjk.exe	106

C:\Users\Admin\AppData\Local\Temp\1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\1936832fc3fa98eb6e6ab8b2bcf06035_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe"
  2⤵
  - Drops startup file
  PID:4920
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe"
  2⤵
  PID:4140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mhhkjk.exe

Filesize
393KB

MD5
1936832fc3fa98eb6e6ab8b2bcf06035

SHA1
cc25ac3fb94fe6409fa8a661f1ad9aa11bdd8306

SHA256
3b64f3a5655db4fd8e54db5398e5527e77f9731b80ff22378caae7b2d631437d

SHA512
fabeaca361f7a4bdcca12a767113e84e2248892cef7a6237c03674fb05f3eb1b93ac5a78536766ca3ccb5bf5cdd2091e713e9403189aed223b79e51650a04ca5

Download Submit
memory/1920-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1920-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3572-0-0x0000000074E5E000-0x0000000074E5F000-memory.dmp

Filesize
4KB

Download
memory/3572-1-0x00000000007B0000-0x0000000000818000-memory.dmp

Filesize
416KB

Download
memory/3572-2-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/3572-3-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/3572-4-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/3572-5-0x00000000051C0000-0x00000000051E0000-memory.dmp

Filesize
128KB

Download
memory/3572-9-0x0000000074E50000-0x0000000075600000-memory.dmp

Filesize
7.7MB

Download
memory/4888-12-0x0000000006940000-0x00000000069DC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads