netwire | ed4145efcad60f0b7ec1a5c1035ce0077f1f063b5f627688dedbd552a315af6e

General

Target

28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
Size

240KB
MD5

28e079d68969bfab0594ecc1b6516b4c
SHA1

3e442a3579fe119b8c7ffda8678b0eace22a21f9
SHA256

ed4145efcad60f0b7ec1a5c1035ce0077f1f063b5f627688dedbd552a315af6e
SHA512

467afae7c8b44d378c7ee4a627d77433174f15575ad51a6ed46b4efc6fb1d90f8285c2ab5172ecd954ad331d49d8dfd405c1609cb8435c781e1aa63fa34a4325
SSDEEP

3072:4Y71EbU9xasE+tTvAmm28ST0569+vqVoMB65bc3vHG06h:4TbQxal+tDtA9iOMLv7O

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

info1.nowddns.com:5552

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
NOW-DNS-5552
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
gqmQdKHu
offline_keylogger
true
password
caster123
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a00000002338c-12.dat	netwire
behavioral2/memory/2248-22-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome_proxy.exe.lnk	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	tmp.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4700	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2708	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	88
PID 4308 wrote to memory of 2708	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	88
PID 4308 wrote to memory of 2708	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	88
PID 2708 wrote to memory of 3912	2708	cmd.exe	90
PID 2708 wrote to memory of 3912	2708	cmd.exe	90
PID 2708 wrote to memory of 3912	2708	cmd.exe	90
PID 4308 wrote to memory of 2248	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	91
PID 4308 wrote to memory of 2248	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	91
PID 4308 wrote to memory of 2248	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	91
PID 4308 wrote to memory of 3780	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	92
PID 4308 wrote to memory of 3780	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	92
PID 4308 wrote to memory of 3780	4308	28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe	92
PID 3780 wrote to memory of 4700	3780	cmd.exe	94
PID 3780 wrote to memory of 4700	3780	cmd.exe	94
PID 3780 wrote to memory of 4700	3780	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28e079d68969bfab0594ecc1b6516b4c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe.lnk" /f
    3⤵
    PID:3912
- C:\Users\Admin\AppData\Roaming\tmp.exe
  "C:\Users\Admin\AppData\Roaming\tmp.exe"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ProgramFiles\chrome_proxy.exe.bat

Filesize
202B

MD5
fa81c6ee06535dc9eb667bccd99585fb

SHA1
0c6d4671822a4f416c2431fe5ee7317ce39badeb

SHA256
c59f1d85dd58bc49e1838d98e64bf472f69c97036b27aca8d1e94305f59add37

SHA512
6a719e9234fa434e77f5f9f3affae51bfe1414aa5427e38a9fa1a5165ca81080f107b049d22d40face8cf8ffacac7237245e1b097ae3528e78c6707e94cfdc02

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
132KB

MD5
2e67d3a21d89cc81144b13591ec31f5d

SHA1
1fd6761f1ea5d541b8a4046a45f6229edab25534

SHA256
b98b4928345cff1bf8be93d66e1c35ba601e6c5ad58350e096cfba6a78df049f

SHA512
0a8aee6a4c226492f6852b01281eedc00876217341fbebd319906a5e7d843b21f0a1ba8776f15051a002ac83eed72e4fa6a944b6eac97f6a0d4baf3244a35d04

Download Submit
memory/2248-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4308-0-0x0000000074C02000-0x0000000074C03000-memory.dmp

Filesize
4KB

Download
memory/4308-1-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4308-2-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download
memory/4308-21-0x0000000074C00000-0x00000000751B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing