netwire | cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6

General

Target

80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
Size

7.6MB
MD5

80f528588d5e84152ecf6e25b8dad4dd
SHA1

80947aee4243d752b9c187caf01b3d864b7474c7
SHA256

cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6
SHA512

2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc
SSDEEP

3072:QexSaR/D54T4ebgGZB8OOccgwM6G2Cgo5wUlkGkfCNrkdTOMJXIYOUHqlJN3Wpl:Qklr5kbg0B8VcnJcCg4jlkGp0T5i

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

miikymouse1978.ooguy.com:5435

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
myRattyVin
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
glgSVnej
offline_keylogger
true
password
jamesnature
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3464-14-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
3464	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5716	3464	WerFault.exe	94

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3476	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
Token: 33	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3604	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	91
PID 1572 wrote to memory of 3604	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	91
PID 1572 wrote to memory of 3604	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	91
PID 3604 wrote to memory of 1012	3604	cmd.exe	93
PID 3604 wrote to memory of 1012	3604	cmd.exe	93
PID 3604 wrote to memory of 1012	3604	cmd.exe	93
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 3464	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	94
PID 1572 wrote to memory of 4828	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	95
PID 1572 wrote to memory of 4828	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	95
PID 1572 wrote to memory of 4828	1572	80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe	95
PID 4828 wrote to memory of 3476	4828	cmd.exe	97
PID 4828 wrote to memory of 3476	4828	cmd.exe	97
PID 4828 wrote to memory of 3476	4828	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80f528588d5e84152ecf6e25b8dad4dd_JaffaCakes118.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.lnk" /f
    3⤵
    PID:1012
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:3464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 248
    3⤵
    - Program crash
    PID:5716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3464 -ip 3464
1⤵
PID:5692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe

Filesize
7.6MB

MD5
80f528588d5e84152ecf6e25b8dad4dd

SHA1
80947aee4243d752b9c187caf01b3d864b7474c7

SHA256
cdfd2505408b2c422e018011e64500a241f149654435a7cd0e4d674a733c5bd6

SHA512
2e3ed889d636e45c52b65e8445dd6bf630f9117703cf98fcf95e6a129856d5c8b6bd0fa4f8812fe33eb52b8872194ff11222ffd9170e08c0f3d5934672aebcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcromnvc\microndas.exe.bat

Filesize
210B

MD5
7308f4cb66944239f4b7e8f63b05da85

SHA1
add86175090f50f69fa977dcf2cb9fda0fd00f51

SHA256
c07c617fbb20c3e37db0bdd1da5807396c63754ceae9937c946805f266c0405c

SHA512
04b1c403d5feb3ae2334fa507d675ec9922b3faabe403738faf6b15fd51502dbf185515f23f70decd8b55053fe30efae749be234998f1259def04493de427e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
memory/1572-0-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download
memory/1572-1-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1572-2-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1572-3-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download
memory/1572-4-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1572-1431-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/3464-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing