netwire | dd38a1eb9c5ce7e1d54168c5a318159cd326161994dab4b2aed1e0d41e44fb75

General

Target

8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
Size

1.3MB
MD5

8a937fa1cdb94f6f5e905885db5c0fd0
SHA1

5ab4f7c95aa8aeaf5eefa236950dd027be98b28f
SHA256

dd38a1eb9c5ce7e1d54168c5a318159cd326161994dab4b2aed1e0d41e44fb75
SHA512

9a35d5b85a6baeee0854568ee1a5a058f19d4660f8068539e094e3f4d06978ae836370d310a5d8754aa75f9c74ae3ceae361e33862db15fc27ece2d9bc6cd323
SSDEEP

24576:EAHnh+eWsN3skA4RV1Hom2KXMmHaqMDuH7mnsm1ZmV6V+5:Th+ZkldoPK8Yaq2vZ6R

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

lecanoffice.dynu.net:2202

Attributes

activex_autorun
true
activex_key
{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
lolkFUKd
offline_keylogger
true
password
gfffffytt
registry_autorun
true
startup_name
image
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2944-2-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2944-16-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/1468-39-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompatTelRunner.url	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompatTelRunner.url	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	Host.exe
1468	Host.exe

Loads dropped DLL 1 IoCs

pid	Process
2944	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\image = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016b5e-18.dat	autoit_exe
behavioral1/files/0x000f000000015c87-42.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2900 set thread context of 1468	2900	Host.exe	32

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2900	Host.exe
2900	Host.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2900	Host.exe
2900	Host.exe
2900	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
2900	Host.exe
2900	Host.exe
2900	Host.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2776 wrote to memory of 2944	2776	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	30
PID 2944 wrote to memory of 2900	2944	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2900	2944	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2900	2944	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	31
PID 2944 wrote to memory of 2900	2944	8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe	31
PID 2900 wrote to memory of 1468	2900	Host.exe	32
PID 2900 wrote to memory of 1468	2900	Host.exe	32
PID 2900 wrote to memory of 1468	2900	Host.exe	32
PID 2900 wrote to memory of 1468	2900	Host.exe	32
PID 2900 wrote to memory of 1468	2900	Host.exe	32
PID 2900 wrote to memory of 1468	2900	Host.exe	32

C:\Users\Admin\AppData\Local\Temp\8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\8a937fa1cdb94f6f5e905885db5c0fd0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CompatTelRunner.url

Filesize
68B

MD5
28d02cbe36d8e38882a76b0822519f40

SHA1
adfd9e9a2aa9e117a6ef556bcac78f469334bbb4

SHA256
048dc3d6c202d5ed1ed8d66eb8c57ab2854544a993df3915aa6616eee4e39761

SHA512
5737dde598efd5d95f898513635eb4d34ec0feabb0ba66b76d4084f6867c0eb3cbd7342a6ea94d134ecc8f71c4fa129c66fd6d5681c91ab24bf2f120cd06379f

Download Submit
C:\Users\Admin\GamePanel\CompatTelRunner.vbs

Filesize
109B

MD5
5b8580793ba0d08d3c26802f5282f2a9

SHA1
b9a2a6bf9288d728b7c90c1c163fc570736e5ef5

SHA256
18d95d56a3f1b5280a0e4abb9303312488f59c763df7b68b964adef30bc2bb9d

SHA512
c3a6e554957f44126a4cd8819634aa5dd62d6471060cfb3b7a588aab3e99f7ef7dafc434447ad98abfa73bbff634ea3ffc4c8c8674720ffff45b8754bbf0988a

Download Submit
C:\Users\Admin\GamePanel\compact.exe

Filesize
1.3MB

MD5
b2b251310efe231630a4cba9422b67fe

SHA1
a20f43711774b32c3615a6497ff2d964668dd2f6

SHA256
9d8e68110349fcfe1f60ce52aefcfbeb8618106d5a8bca0f85a3973c0eaa313d

SHA512
b8a1e75f91228d16de1ca769014fb3159c706e92aeabcb7c594609c861c1d65adae1b9d57f3c21952ab5860c6158a7373964e66c1ec4e567262896059a0ed91b

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.3MB

MD5
8a937fa1cdb94f6f5e905885db5c0fd0

SHA1
5ab4f7c95aa8aeaf5eefa236950dd027be98b28f

SHA256
dd38a1eb9c5ce7e1d54168c5a318159cd326161994dab4b2aed1e0d41e44fb75

SHA512
9a35d5b85a6baeee0854568ee1a5a058f19d4660f8068539e094e3f4d06978ae836370d310a5d8754aa75f9c74ae3ceae361e33862db15fc27ece2d9bc6cd323

Download Submit
memory/1468-39-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1468-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-0-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2944-1-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2944-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2944-2-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2944-16-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads