netwire | 40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62

General

Target

1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe
Size

175KB
MD5

1d92475e5f11ddf8256835c4bfb196a3
SHA1

c40bc3e3fd25bf6b872b0e7953c9f5d833b522de
SHA256

40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62
SHA512

170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6
SSDEEP

3072:NLuXzXwYyr6Dooc245Wi6BrurQddYuscHUA4nKH6TeKtZiM+CC55wl+:NpCbprurQduux4nK6eKtczCO2l+

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

37.233.101.73:8888

213.152.162.104:8747

213.152.162.170:8747

213.152.162.109:8747

213.152.162.89:8747

109.232.227.138:8747

109.232.227.133:8747

213.152.161.211:8747

213.152.162.94:8747

213.152.161.35:8747

213.152.180.5:8747

Attributes

activex_autorun
true
activex_key
{H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}
copy_executable
true
delete_original
true
host_id
IP
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
bmhJQHdn
offline_keylogger
true
password
DAWAJkurwoKASEniePIERDOL
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/1580-7-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1580-9-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1580-11-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2600-30-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2600-31-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2600-34-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2600-36-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2600-45-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	Host.exe
2600	Host.exe

Loads dropped DLL 3 IoCs

pid	Process
2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe
1580	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe
2488	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 1580	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	28
PID 2488 set thread context of 2600	2488	Host.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3004	2012	WerFault.exe	27

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015653-12.dat	nsis_installer_1
behavioral1/files/0x0007000000015653-12.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe
2488	Host.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1580	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 1580	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	28
PID 2012 wrote to memory of 3004	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	29
PID 2012 wrote to memory of 3004	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	29
PID 2012 wrote to memory of 3004	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	29
PID 2012 wrote to memory of 3004	2012	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	29
PID 1580 wrote to memory of 2488	1580	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2488	1580	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2488	1580	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2488	1580	1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2600	2488	Host.exe	31
PID 2488 wrote to memory of 2600	2488	Host.exe	31
PID 2488 wrote to memory of 2600	2488	Host.exe	31
PID 2488 wrote to memory of 2600	2488	Host.exe	31
PID 2488 wrote to memory of 2600	2488	Host.exe	31

C:\Users\Admin\AppData\Local\Temp\1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    -m "C:\Users\Admin\AppData\Local\Temp\1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      -m "C:\Users\Admin\AppData\Local\Temp\1d92475e5f11ddf8256835c4bfb196a3_JaffaCakes118.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:2600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 456
  2⤵
  - Program crash
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nIqpNzmw

Filesize
106KB

MD5
8f96258abd217b7d018f28f3f23742aa

SHA1
d80e6b314de6d0a781ce6771cf3b37abf8220332

SHA256
c9c2c007f6d6e7472c857d8942ccb4d9c678a08781fad6b52f1570a5556ab596

SHA512
a27fb703bc31b8ee519579e67b9a86e0717b5a975ac7237c8cdd063f9412cec0687bfd3664e876bf62e2798aaef302e395c626dceed1e06c702820529ce6d808

Download Submit
\Users\Admin\AppData\Local\Temp\nso233B.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
175KB

MD5
1d92475e5f11ddf8256835c4bfb196a3

SHA1
c40bc3e3fd25bf6b872b0e7953c9f5d833b522de

SHA256
40c913b6837bb03dd168536710d88a05faa6a6956b1c210758a0979a6782bf62

SHA512
170fac19f61ade42c378811c6f11e91f62319c0b7ad77a9f1138db867bbd21ad48c54d1b3689b8e1d77be483e1a0b39bfe90dc6935e662c5f87aa823b8fc58d6

Download Submit
memory/1580-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1580-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1580-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-34-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2600-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads