netwire | 667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda

General

Target

5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Size

389KB
MD5

5187f0ae3fc7ecd5b247cd1414c38400
SHA1

36f96baef19fe58e3ce8b11638ff080658cd4390
SHA256

667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda
SHA512

4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be
SSDEEP

6144:NjOgBFDO7SlyYpVYNwKWy/8E4R9j/T/I2IAoC1RdTwHxQXP8Ryk6lBpVX9y:lrO2PjdHc8ES9j/mDqRdM6xk6Tv

Score

10^/10

netwire agilenet botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

99.38.102.122:3364

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
14438136789D
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2572-24-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-25-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-27-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-32-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-38-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2572-35-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2836	javaw.exe
2572	javaw.exe

Loads dropped DLL 2 IoCs

pid	Process
2460	cmd.exe
2836	javaw.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2836-15-0x0000000000700000-0x000000000070A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java(TM) platform SE b = "C:\\Users\\Admin\\AppData\\Local\\javaw.exe -boot"	javaw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 2572	2836	javaw.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Token: 33	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
Token: SeDebugPrivilege	2836	javaw.exe
Token: 33	2836	javaw.exe
Token: SeIncBasePriorityPrivilege	2836	javaw.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2564	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	32
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	32
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	32
PID 1368 wrote to memory of 2460	1368	5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe	32
PID 2460 wrote to memory of 2836	2460	cmd.exe	34
PID 2460 wrote to memory of 2836	2460	cmd.exe	34
PID 2460 wrote to memory of 2836	2460	cmd.exe	34
PID 2460 wrote to memory of 2836	2460	cmd.exe	34
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35
PID 2836 wrote to memory of 2572	2836	javaw.exe	35

C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5187f0ae3fc7ecd5b247cd1414c38400_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\javaw.exe"
  2⤵
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\javaw.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\javaw.exe
    "C:\Users\Admin\AppData\Local\javaw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\javaw.exe
      "C:\Users\Admin\AppData\Local\javaw.exe"
      4⤵
      Executes dropped EXE
      PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\javaw.exe

Filesize
389KB

MD5
5187f0ae3fc7ecd5b247cd1414c38400

SHA1
36f96baef19fe58e3ce8b11638ff080658cd4390

SHA256
667c10a7b4f2f2804e25c238318f9b1861c968950bda3c13245570ad06c44bda

SHA512
4bbdbf59ed4000b04ee4519b18cf78c4affa4b226168deb4041fa4a06ae205d95189b4a26baa97a4941fa388c0c5ac8ec95dc3645949032b71460e9f5aa6d0be

Download Submit
memory/1368-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1368-1-0x0000000000820000-0x0000000000888000-memory.dmp

Filesize
416KB

Download
memory/1368-2-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/1368-3-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1368-4-0x0000000000410000-0x000000000041A000-memory.dmp

Filesize
40KB

Download
memory/1368-5-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/1368-6-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/1368-7-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1368-12-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-24-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-18-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-19-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-21-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-25-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-27-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-32-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-38-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2572-35-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2836-15-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/2836-14-0x0000000000180000-0x00000000001E8000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads