netwire | fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa

General

Target

6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
Size

283KB
MD5

6b5a574c81822c806e598fde5aad93fc
SHA1

afbdd84b379d5c392674f2a54bedf01f6f7f9f2b
SHA256

fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa
SHA512

5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff
SSDEEP

6144:AoMdUh1RXAi/q7KtrDTWXWQGaeyLl2HWYkgSEXMEV9p:AjwJWX55mk

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

185.163.100.6:111

Attributes

activex_autorun
true
activex_key
{446644VO-124I-732R-6QR3-BBYQ1W40UCW2}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
YSxJvAQj
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2324-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2324-24-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2324-21-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2324-19-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2324-20-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2044-2-0x0000000000950000-0x000000000099A000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

file.exefile.exe

pid process

1988 file.exe
2324 file.exe
Loads dropped DLL 9 IoCs

Processes:

cmd.exefile.exeWerFault.exe

pid process

2364 cmd.exe
1988 file.exe
872 WerFault.exe
872 WerFault.exe
872 WerFault.exe
872 WerFault.exe
872 WerFault.exe
872 WerFault.exe
872 WerFault.exe

pid	process
1988	file.exe
2324	file.exe

pid	process
2364	cmd.exe
1988	file.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe
872	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Upd = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Upd.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 1988 set thread context of 2324 1988 file.exe file.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

872 2324 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exefile.exe

description pid process

Token: SeDebugPrivilege 2044 6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
Token: SeDebugPrivilege 1988 file.exe

description	pid	process	target process
PID 1988 set thread context of 2324	1988	file.exe	file.exe

pid	pid_target	process
872	2324	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2044	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
Token: SeDebugPrivilege	1988	file.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.execmd.exefile.execmd.exefile.exe

description	pid	process	target process
PID 2044 wrote to memory of 2364	2044	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 2044 wrote to memory of 2364	2044	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 2044 wrote to memory of 2364	2044	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 2044 wrote to memory of 2364	2044	6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe	cmd.exe
PID 2364 wrote to memory of 1988	2364	cmd.exe	file.exe
PID 2364 wrote to memory of 1988	2364	cmd.exe	file.exe
PID 2364 wrote to memory of 1988	2364	cmd.exe	file.exe
PID 2364 wrote to memory of 1988	2364	cmd.exe	file.exe
PID 1988 wrote to memory of 1416	1988	file.exe	cmd.exe
PID 1988 wrote to memory of 1416	1988	file.exe	cmd.exe
PID 1988 wrote to memory of 1416	1988	file.exe	cmd.exe
PID 1988 wrote to memory of 1416	1988	file.exe	cmd.exe
PID 1416 wrote to memory of 2248	1416	cmd.exe	reg.exe
PID 1416 wrote to memory of 2248	1416	cmd.exe	reg.exe
PID 1416 wrote to memory of 2248	1416	cmd.exe	reg.exe
PID 1416 wrote to memory of 2248	1416	cmd.exe	reg.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 1988 wrote to memory of 2324	1988	file.exe	file.exe
PID 2324 wrote to memory of 872	2324	file.exe	WerFault.exe
PID 2324 wrote to memory of 872	2324	file.exe	WerFault.exe
PID 2324 wrote to memory of 872	2324	file.exe	WerFault.exe
PID 2324 wrote to memory of 872	2324	file.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b5a574c81822c806e598fde5aad93fc_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Upd" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Upd.txt" | cmd"
5⤵
- Adds Run key to start application
PID:2248

C:\Users\Admin\Desktop\file.exe
"C:\Users\Admin\Desktop\file.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 140
5⤵
- Loads dropped DLL
- Program crash
PID:872

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\Desktop\file.exe
Filesize
283KB

MD5
6b5a574c81822c806e598fde5aad93fc

SHA1
afbdd84b379d5c392674f2a54bedf01f6f7f9f2b

SHA256
fc69f372117af1a15837fd6a490ae821a91db40907f524d91d9003ea719fa8aa

SHA512
5ac96dc5046f8408575c6f620129d4d211be178633ba405e20a0a329780c816396bc8ec41a277c09928cb37778fbf6fcf574539d268269ac26261d7ae7ea3cff

Download Submit
memory/1988-13-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/1988-34-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/1988-9-0x0000000000C90000-0x0000000000CDC000-memory.dmp

Filesize
304KB

Download
memory/1988-11-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/2044-1-0x0000000001300000-0x000000000134C000-memory.dmp

Filesize
304KB

Download
memory/2044-2-0x0000000000950000-0x000000000099A000-memory.dmp

Filesize
296KB

Download
memory/2044-3-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2044-4-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-10-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2324-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads