netwire | dfedae8d3b13ad57c1ce0abcccc3578c411e890fde8c118c64aa7b1564aeead4

General

Target

7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
Size

1.1MB
MD5

7e325204fdaa3d9a4be3facd66a01bf9
SHA1

72ae942dbdd61ab7256bac03a71c2f6488c4f381
SHA256

dfedae8d3b13ad57c1ce0abcccc3578c411e890fde8c118c64aa7b1564aeead4
SHA512

e91f5a3a8fd3e6800454eeba81c6489c3097d00f18e3126c036307f0d6909e91e618d26340fcadf4c7fc61a632f9fede8a8573f6712a3ad0f4d85b28ee834865
SSDEEP

24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaCfIGCImN5:1h+ZkldoPK8YaCy

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

checklewis.ddns.net:3361

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
qbpWIrEm
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3020-34-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2216-12-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2216-1-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2480	Host.exe
3020	Host.exe

Loads dropped DLL 6 IoCs

pid	Process
2216	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe
2656	WerFault.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b000000015c3c-31.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2168 set thread context of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2480 set thread context of 3020	2480	Host.exe	30

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2884	2168	WerFault.exe	27
2656	2480	WerFault.exe	29

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2480	Host.exe
2480	Host.exe
2480	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
2480	Host.exe
2480	Host.exe
2480	Host.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2168 wrote to memory of 2216	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	28
PID 2216 wrote to memory of 2480	2216	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	29
PID 2216 wrote to memory of 2480	2216	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	29
PID 2216 wrote to memory of 2480	2216	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	29
PID 2216 wrote to memory of 2480	2216	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	29
PID 2480 wrote to memory of 3020	2480	Host.exe	30
PID 2480 wrote to memory of 3020	2480	Host.exe	30
PID 2480 wrote to memory of 3020	2480	Host.exe	30
PID 2480 wrote to memory of 3020	2480	Host.exe	30
PID 2480 wrote to memory of 3020	2480	Host.exe	30
PID 2480 wrote to memory of 3020	2480	Host.exe	30
PID 2168 wrote to memory of 2884	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2884	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2884	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	31
PID 2168 wrote to memory of 2884	2168	7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2656	2480	Host.exe	32
PID 2480 wrote to memory of 2656	2480	Host.exe	32
PID 2480 wrote to memory of 2656	2480	Host.exe	32
PID 2480 wrote to memory of 2656	2480	Host.exe	32

C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7e325204fdaa3d9a4be3facd66a01bf9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      PID:3020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 432
      4⤵
      Loads dropped DLL
      Program crash
      PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 424
  2⤵
  - Program crash
  PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.1MB

MD5
7e325204fdaa3d9a4be3facd66a01bf9

SHA1
72ae942dbdd61ab7256bac03a71c2f6488c4f381

SHA256
dfedae8d3b13ad57c1ce0abcccc3578c411e890fde8c118c64aa7b1564aeead4

SHA512
e91f5a3a8fd3e6800454eeba81c6489c3097d00f18e3126c036307f0d6909e91e618d26340fcadf4c7fc61a632f9fede8a8573f6712a3ad0f4d85b28ee834865

Download Submit
memory/2168-40-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2216-12-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2216-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2216-0-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2480-33-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2480-41-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3020-34-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/3020-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing