netwire | ed4145efcad60f0b7ec1a5c1035ce0077f1f063b5f627688dedbd552a315af6e

General

Target

28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
Size

240KB
MD5

28e079d68969bfab0594ecc1b6516b4c
SHA1

3e442a3579fe119b8c7ffda8678b0eace22a21f9
SHA256

ed4145efcad60f0b7ec1a5c1035ce0077f1f063b5f627688dedbd552a315af6e
SHA512

467afae7c8b44d378c7ee4a627d77433174f15575ad51a6ed46b4efc6fb1d90f8285c2ab5172ecd954ad331d49d8dfd405c1609cb8435c781e1aa63fa34a4325
SSDEEP

3072:4Y71EbU9xasE+tTvAmm28ST0569+vqVoMB65bc3vHG06h:4TbQxal+tDtA9iOMLv7O

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

info1.nowddns.com:5552

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
NOW-DNS-5552
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
gqmQdKHu
offline_keylogger
true
password
caster123
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000013134-8.dat	netwire
behavioral1/memory/2668-25-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome_proxy.exe.lnk	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2500	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 1884	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	28
PID 2876 wrote to memory of 1884	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	28
PID 2876 wrote to memory of 1884	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	28
PID 2876 wrote to memory of 1884	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	28
PID 1884 wrote to memory of 2548	1884	cmd.exe	30
PID 1884 wrote to memory of 2548	1884	cmd.exe	30
PID 1884 wrote to memory of 2548	1884	cmd.exe	30
PID 1884 wrote to memory of 2548	1884	cmd.exe	30
PID 2876 wrote to memory of 2668	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2668	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2668	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2668	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2572	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2572	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2572	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	32
PID 2876 wrote to memory of 2572	2876	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	32
PID 2572 wrote to memory of 2500	2572	cmd.exe	34
PID 2572 wrote to memory of 2500	2572	cmd.exe	34
PID 2572 wrote to memory of 2500	2572	cmd.exe	34
PID 2572 wrote to memory of 2500	2572	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe.lnk" /f
    3⤵
    PID:2548
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe.bat

Filesize
202B

MD5
fa81c6ee06535dc9eb667bccd99585fb

SHA1
0c6d4671822a4f416c2431fe5ee7317ce39badeb

SHA256
c59f1d85dd58bc49e1838d98e64bf472f69c97036b27aca8d1e94305f59add37

SHA512
6a719e9234fa434e77f5f9f3affae51bfe1414aa5427e38a9fa1a5165ca81080f107b049d22d40face8cf8ffacac7237245e1b097ae3528e78c6707e94cfdc02

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
132KB

MD5
2e67d3a21d89cc81144b13591ec31f5d

SHA1
1fd6761f1ea5d541b8a4046a45f6229edab25534

SHA256
b98b4928345cff1bf8be93d66e1c35ba601e6c5ad58350e096cfba6a78df049f

SHA512
0a8aee6a4c226492f6852b01281eedc00876217341fbebd319906a5e7d843b21f0a1ba8776f15051a002ac83eed72e4fa6a944b6eac97f6a0d4baf3244a35d04

Download Submit
memory/2668-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2876-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-2-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download
memory/2876-24-0x00000000745F0000-0x0000000074B9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing