netwire | de60cb399e76b142afc3f7876e2228d6d8c17fd4d3dc7e6f9084172543f6c327

Analysis

max time kernel
146s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd757716c49f28b3b5fdd4889622ac88_JaffaCakes118.msi
Size

636KB
MD5

bd757716c49f28b3b5fdd4889622ac88
SHA1

4a0aa1abddc6b37e1f1cec49944ce1a86c1c0ed6
SHA256

de60cb399e76b142afc3f7876e2228d6d8c17fd4d3dc7e6f9084172543f6c327
SHA512

557a3b0be972d2d3402a4a8846bdfb182389a4d575c722386cc67e8ce7d868bac26f169e40a397ad7f2851ac62fc58fca220772228616a000f6c7b0dfef994f6
SSDEEP

12288:BE5y8d0ZBrXbv2/q+BZZPhZfg5YJeIIBy:BEEZB2/qgZ0a

Score

10^/10

netwire botnet persistence privilege_escalation rat stealer

Malware Config

Extracted

Family

netwire

185.84.181.80:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2272-16-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2272-18-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2272-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5088 set thread context of 2272	5088	MSI8A8E.tmp	92

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI8A3E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A8E.tmp	msiexec.exe
File created	C:\Windows\Installer\e578993.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e578993.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
5088	MSI8A8E.tmp
2272	MSI8A8E.tmp

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
5076	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4432	msiexec.exe
4432	msiexec.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5076	msiexec.exe
Token: SeSecurityPrivilege	4432	msiexec.exe
Token: SeCreateTokenPrivilege	5076	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5076	msiexec.exe
Token: SeLockMemoryPrivilege	5076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5076	msiexec.exe
Token: SeMachineAccountPrivilege	5076	msiexec.exe
Token: SeTcbPrivilege	5076	msiexec.exe
Token: SeSecurityPrivilege	5076	msiexec.exe
Token: SeTakeOwnershipPrivilege	5076	msiexec.exe
Token: SeLoadDriverPrivilege	5076	msiexec.exe
Token: SeSystemProfilePrivilege	5076	msiexec.exe
Token: SeSystemtimePrivilege	5076	msiexec.exe
Token: SeProfSingleProcessPrivilege	5076	msiexec.exe
Token: SeIncBasePriorityPrivilege	5076	msiexec.exe
Token: SeCreatePagefilePrivilege	5076	msiexec.exe
Token: SeCreatePermanentPrivilege	5076	msiexec.exe
Token: SeBackupPrivilege	5076	msiexec.exe
Token: SeRestorePrivilege	5076	msiexec.exe
Token: SeShutdownPrivilege	5076	msiexec.exe
Token: SeDebugPrivilege	5076	msiexec.exe
Token: SeAuditPrivilege	5076	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5076	msiexec.exe
Token: SeChangeNotifyPrivilege	5076	msiexec.exe
Token: SeRemoteShutdownPrivilege	5076	msiexec.exe
Token: SeUndockPrivilege	5076	msiexec.exe
Token: SeSyncAgentPrivilege	5076	msiexec.exe
Token: SeEnableDelegationPrivilege	5076	msiexec.exe
Token: SeManageVolumePrivilege	5076	msiexec.exe
Token: SeImpersonatePrivilege	5076	msiexec.exe
Token: SeCreateGlobalPrivilege	5076	msiexec.exe
Token: SeBackupPrivilege	528	vssvc.exe
Token: SeRestorePrivilege	528	vssvc.exe
Token: SeAuditPrivilege	528	vssvc.exe
Token: SeBackupPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeBackupPrivilege	4816	srtasks.exe
Token: SeRestorePrivilege	4816	srtasks.exe
Token: SeSecurityPrivilege	4816	srtasks.exe
Token: SeTakeOwnershipPrivilege	4816	srtasks.exe
Token: SeBackupPrivilege	4816	srtasks.exe
Token: SeRestorePrivilege	4816	srtasks.exe
Token: SeSecurityPrivilege	4816	srtasks.exe
Token: SeTakeOwnershipPrivilege	4816	srtasks.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe
Token: SeRestorePrivilege	4432	msiexec.exe
Token: SeTakeOwnershipPrivilege	4432	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5076	msiexec.exe
5088	MSI8A8E.tmp
5088	MSI8A8E.tmp
5076	msiexec.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5088	MSI8A8E.tmp
5088	MSI8A8E.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5088	MSI8A8E.tmp

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4816	4432	msiexec.exe	89
PID 4432 wrote to memory of 4816	4432	msiexec.exe	89
PID 4432 wrote to memory of 5088	4432	msiexec.exe	91
PID 4432 wrote to memory of 5088	4432	msiexec.exe	91
PID 4432 wrote to memory of 5088	4432	msiexec.exe	91
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92
PID 5088 wrote to memory of 2272	5088	MSI8A8E.tmp	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bd757716c49f28b3b5fdd4889622ac88_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5076

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\Installer\MSI8A8E.tmp
  "C:\Windows\Installer\MSI8A8E.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Installer\MSI8A8E.tmp
    "C:\Windows\Installer\MSI8A8E.tmp"
    3⤵
    - Executes dropped EXE
    PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578996.rbs

Filesize
663B

MD5
fccf5f22403662da11f164d58e8df0d6

SHA1
90f36d3c5daa0bfe59bb607bf33abbe277d81f18

SHA256
c9502025bfd580f0c128aef93efbd2bb89d02484351fcadccbbd89001f5c892e

SHA512
7accc6f5c2de20def5289ad3d5584370cb86e215b7b25fa2d0c731878f3196c320f9d288fdf6702e3a8c0aff42413e645e71e391a683b85e98dc33b6218ec8e9

Download Submit
C:\Windows\Installer\MSI8A8E.tmp

Filesize
612KB

MD5
08e5d4bf2798a5f830d46435fe0dfda8

SHA1
707cf924e41cec93560acd7469fea2bc890d8f72

SHA256
99fbb00a465c7d47ea64416934e9e01a614d8e6c900d89b0e32e815809cb4985

SHA512
09b4546e4da4d5116d9f17edcca3bade32a417867126e17bb750d14972a912caf5f1f2584efaf76ff19f373ad1edba36b973d3fb1ba28e356910531533b694a8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
c87df723e446136b515ecc80126e2dae

SHA1
3485d80265881bc1b4e401d9d1915d8a0b915e87

SHA256
be5bd2e44b513f3e29e876fee546c08b71f43767b65a5a430fc3e9e90ee7fa6c

SHA512
0f8be4e159faa9d52d7986c1801ed0010c19aa15d969561c7f6d0fff33ea2402f07ba582a49cb8bc887ec522502dee67d8b114f5a1979d73fb7452623c1bec00

Download Submit
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ddbb4ae6-61b8-47e1-be09-e0e0652b2c57}_OnDiskSnapshotProp

Filesize
6KB

MD5
e9b5dbdbd7a491e6e06d01dee81a6a38

SHA1
1b315a4864d77775239c5388e0734719fb4db5d1

SHA256
9abe6d5ccff42020268f6aaeb76bd41053219f70690798b61594a17f02685c1e

SHA512
6e3a4584d87a6e6b25b3ccee02523b9e0ffabb65cc9ec7b53b2f31235db9ed4e1150b62b578f2dec6c15de73348963bccd11fe8bd97a85c1405e8900be4aa688

Download Submit
memory/2272-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2272-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2272-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download