netwire | 667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda

General

Target

5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Size

389KB
MD5

5187f0ae3fc7ecd5b247cd1414c38400
SHA1

36f96baef19fe58e3ce8b11638ff080658cd4390
SHA256

667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda
SHA512

4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be
SSDEEP

6144:NjOgBFDO7SlyYpVYNwKWy/8E4R9j/T/I2IAoC1RdTwHxQXP8Ryk6lBpVX9y:lrO2PjdHc8ES9j/mDqRdM6xk6Tv

Score

10^/10

netwire agilenet botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

99.38.102.122:3364

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
14438136789D
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2572-24-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-25-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-27-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-32-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-38-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-35-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

javaw.exejavaw.exe

pid process

2836 javaw.exe
2572 javaw.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exejavaw.exe

pid process

2460 cmd.exe
2836 javaw.exe

pid	process
2836	javaw.exe
2572	javaw.exe

pid	process
2460	cmd.exe
2836	javaw.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2836-15-0x0000000000700000-0x000000000070A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

javaw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java(TM) platform SE b = "C:\\Users\\Admin\\AppData\\Local\\javaw.exe -boot"	javaw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

javaw.exe

description pid process target process

PID 2836 set thread context of 2572 2836 javaw.exe javaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2836 set thread context of 2572	2836	javaw.exe	javaw.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exejavaw.exe

description	pid	process
Token: SeDebugPrivilege	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Token: 33	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Token: SeDebugPrivilege	2836	javaw.exe
Token: 33	2836	javaw.exe
Token: SeIncBasePriorityPrivilege	2836	javaw.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.execmd.exejavaw.exe

description	pid	process	target process
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	cmd.exe
PID 2460 wrote to memory of 2836	2460	cmd.exe	javaw.exe
PID 2460 wrote to memory of 2836	2460	cmd.exe	javaw.exe
PID 2460 wrote to memory of 2836	2460	cmd.exe	javaw.exe
PID 2460 wrote to memory of 2836	2460	cmd.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe
PID 2836 wrote to memory of 2572	2836	javaw.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\javaw.exe"
2⤵
PID:2564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\javaw.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\javaw.exe
"C:\Users\Admin\AppData\Local\javaw.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\javaw.exe
"C:\Users\Admin\AppData\Local\javaw.exe"
4⤵
- Executes dropped EXE
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\javaw.exe
Filesize
389KB

MD5
5187f0ae3fc7ecd5b247cd1414c38400

SHA1
36f96baef19fe58e3ce8b11638ff080658cd4390

SHA256
667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda

SHA512
4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be

Download Submit
memory/1368-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1368-1-0x0000000000820000-0x0000000000888000-memory.dmp

Filesize
416KB

Download
memory/1368-2-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/1368-3-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1368-4-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/1368-5-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/1368-6-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1368-7-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1368-12-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-24-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-18-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-19-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-21-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-25-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-27-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-32-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-38-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-35-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2836-15-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/2836-14-0x0000000000180000-0x00000000001E8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads