netwire | 08a1633161123a511f98004bda97d5ada42bf34a58e2e598fb321c1fe7a1d1a8

General

Target

8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe
Size

233KB
MD5

8acb1a113d20530f501fc371622ff0db
SHA1

3e3996eac73c8c5b100e578bf8794f61fb47d255
SHA256

08a1633161123a511f98004bda97d5ada42bf34a58e2e598fb321c1fe7a1d1a8
SHA512

4ad5c92a299457c8674b76ecf5cd8388fd0b658ef9441c8952d63ac63e8f7404551dc590dedf0c3896f5accbdd60fc365605acab424c42f48be65d1d080877ee
SSDEEP

6144:jxQxWRPYIA/fSU9Ja2da7MgpveTvmdhzh3+BPBZbzUE:jxQxWRPYIIfSUVaMmveTHBRR

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/1688-23-0x0000000000800000-0x000000000082C000-memory.dmp	netwire
behavioral1/memory/2688-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2688-44-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PkKqJI.url	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe
1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1248	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	28
PID 1688 wrote to memory of 1248	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	28
PID 1688 wrote to memory of 1248	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	28
PID 1688 wrote to memory of 1248	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	28
PID 1248 wrote to memory of 3048	1248	csc.exe	30
PID 1248 wrote to memory of 3048	1248	csc.exe	30
PID 1248 wrote to memory of 3048	1248	csc.exe	30
PID 1248 wrote to memory of 3048	1248	csc.exe	30
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31
PID 1688 wrote to memory of 2688	1688	8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8acb1a113d20530f501fc371622ff0db_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j3nk3ulj\j3nk3ulj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "c:\Users\Admin\AppData\Local\Temp\j3nk3ulj\CSC99D68E7D7F2C4E1EA65CD5768AB6DD11.TMP"
    3⤵
    PID:3048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp

Filesize
1KB

MD5
4c83465c0228fdde4bdfff3a9fb4c714

SHA1
8ca7f2d913611b73231fbd7cea0c02a0f0f6ecd8

SHA256
588b1fd737ad8b185712a4d257c7fdc0fe8ccd1904e59ace2f7c442d84a0a7c4

SHA512
dd919ad85a4f1af2585cf90eea81b2456a90fcd4ea9efe5aabedfa808c31e77506f3b0d7eca93bd1ca6534a69da0d46c4dac731bd49cfeaa1bf10d4a49d2ce88

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3nk3ulj\j3nk3ulj.dll

Filesize
14KB

MD5
c9f40e369360a93abd944bddf910d3af

SHA1
a8c38dcb85a328fdf7e14c3df7e1706cda2475a7

SHA256
3c2b695c57c08bc7b629f8ed132da977e200116c1b6ed44f348d8f74073f722b

SHA512
26da9c1f073b15f56cffb2969b8d68cf8f0a0752be43e499f6ef27c67b6f20fdd683a5e5ffdf0a94fc63493592dd6b6f516d2448195e15a7c7447ccc7948d313

Download Submit
C:\Users\Admin\AppData\Local\Temp\j3nk3ulj\j3nk3ulj.pdb

Filesize
43KB

MD5
547c4a189cd8d786aacf488d2d8b1964

SHA1
5356c3548b9a5783ccbd6578b7bc08aacdec0498

SHA256
a95c83a045bc3361814de46b1c31633beb2c97d5dee300c9994fdcbf2c57f978

SHA512
db4c4227d73b91114be90105738cb2ba2ca0bf5e555f408ff1e0e92a727d97b052d86a6b8ddf6f75c4ed31f417f5719d845789ffa459af9977b54b2650cc9ac2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3nk3ulj\CSC99D68E7D7F2C4E1EA65CD5768AB6DD11.TMP

Filesize
1KB

MD5
e7aa5d12cb9ce5e615ea5adf62ec957d

SHA1
8e06271467f2f35abc28248d09221cecf6eb0672

SHA256
d8483c7074c50afddebc2354284cdcbdd2a8af62e012d8ad9ca64ec14d32505a

SHA512
40546dcaec9ff77fa5db343073b8853dc08524d4fe119b312d7529b3c84d1ddb2979c677d7c33ea3fd30e106d9f7b9716c4435c9c8c18038b8f6875e38a93538

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3nk3ulj\j3nk3ulj.0.cs

Filesize
25KB

MD5
3e120cba919a0b824a14c3d50a1175c6

SHA1
d56fd096f33b2d02d05c34f6e5a6abb072ba061b

SHA256
8db78fc0d90762c7ead3c3d9622825b08ae7dba654ca25e7ec1f9676ae604926

SHA512
7a2eaf5eef46dc33972c933c9bf325a55f5e252c43d67a31f9f0aa8773c4079932d97a334d6e751fe750f48d072b5748e4b3cefcbef69b05cb9ab5d397bef643

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j3nk3ulj\j3nk3ulj.cmdline

Filesize
312B

MD5
96428686fdd9473d2965f3322e0c5e2c

SHA1
654efa0c5a00efd073c8b36417077e30d0624477

SHA256
c170db47cadb8e9f95287209acf8de32729e9290411c5b0e63ea29f1438dc4cd

SHA512
11ab9e9727d1f8b4628b16ebde292b84c3384ca33307bfe8ad47be14cc26d52f7d58ff685f0dddf13c78a05a8611dfc0b80b6e4a316fb2a00cc0540ecd6b7621

Download Submit
memory/1688-23-0x0000000000800000-0x000000000082C000-memory.dmp

Filesize
176KB

Download
memory/1688-5-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-1-0x0000000001370000-0x00000000013B0000-memory.dmp

Filesize
256KB

Download
memory/1688-17-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/1688-19-0x0000000000430000-0x0000000000462000-memory.dmp

Filesize
200KB

Download
memory/1688-20-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1688-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1688-35-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2688-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing