netwire | 8de3dda2e65faa4fffcac28429edb1dbd767edbfebf45314cba0269c3a4e6933

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	Host.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Host.exe

Executes dropped EXE 3 IoCs

pid	Process
2672	Host.exe
1956	Host.exe
2208	Host.exe

Loads dropped DLL 1 IoCs

pid	Process
2476	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Host.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Host.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2672 set thread context of 1956	2672	Host.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2400	schtasks.exe
1220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
2672	Host.exe
2672	Host.exe
2672	Host.exe
2672	Host.exe
2672	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
Token: SeDebugPrivilege	2672	Host.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2400	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2400	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2400	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2400	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	29
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2592 wrote to memory of 2476	2592	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2672	2476	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2672	2476	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2672	2476	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2672	2476	636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe	32
PID 2672 wrote to memory of 1220	2672	Host.exe	35
PID 2672 wrote to memory of 1220	2672	Host.exe	35
PID 2672 wrote to memory of 1220	2672	Host.exe	35
PID 2672 wrote to memory of 1220	2672	Host.exe	35
PID 2672 wrote to memory of 2208	2672	Host.exe	37
PID 2672 wrote to memory of 2208	2672	Host.exe	37
PID 2672 wrote to memory of 2208	2672	Host.exe	37
PID 2672 wrote to memory of 2208	2672	Host.exe	37
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38
PID 2672 wrote to memory of 1956	2672	Host.exe	38

C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKoqzTArbkVKfc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E4B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\636fe98bde392f519b60e46f80dbbda5_JaffaCakes118.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mKoqzTArbkVKfc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp120A.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1220
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:2208
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "{path}"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

T1082

Virtualization/Sandbox Evasion