netwire | 7ba0b6ce1beabf5437752c8dbe851e1af8bbc74154c1ce318cd4241acf4c763f

General

Target

1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
Size

1.3MB
MD5

1cd6e77a4650155c54c0dc02b7ac8830
SHA1

2806bda7ff96b1a020400e69fb74773baff36b0a
SHA256

7ba0b6ce1beabf5437752c8dbe851e1af8bbc74154c1ce318cd4241acf4c763f
SHA512

28dd6bde9cd2d6ce063b7142b1b9bf0f5bcb34c702882c7c167e985863c5b1720c4eba25e92b12ee34c00f3651edae355a64b1681b51a9e3bbc325c04907af14
SSDEEP

24576:uAHnh+eWsN3skA4RV1Hom2KXMmHaJnhlHsMkyigucCg/fFq1t5:Zh+ZkldoPK8YahhlHsMksunyfsR

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

79.134.225.35:8687

Attributes

activex_autorun
true
activex_key
{TK1A7HT7-DQYO-67A2-ANU2-MW11C1A1UU6E}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
true
startup_name
windows
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/316-4-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/316-15-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2760-37-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TK1A7HT7-DQYO-67A2-ANU2-MW11C1A1UU6E}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TK1A7HT7-DQYO-67A2-ANU2-MW11C1A1UU6E}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	Host.exe
2760	Host.exe

Loads dropped DLL 2 IoCs

pid	Process
316	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2516	Host.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbacjqhpmshonqemdpvu = "C:\\Users\\Public\\tbacjqhpmshonqemdpvu.vbs"	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbacjqhpmshonqemdpvu = "C:\\Users\\Public\\tbacjqhpmshonqemdpvu.vbs"	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000014400-17.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 2516 set thread context of 2760	2516	Host.exe	30

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2516	Host.exe
2516	Host.exe
2516	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
2516	Host.exe
2516	Host.exe
2516	Host.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 2948 wrote to memory of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 2948 wrote to memory of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 2948 wrote to memory of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 2948 wrote to memory of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 2948 wrote to memory of 316	2948	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	28
PID 316 wrote to memory of 2516	316	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	29
PID 316 wrote to memory of 2516	316	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	29
PID 316 wrote to memory of 2516	316	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	29
PID 316 wrote to memory of 2516	316	1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe	29
PID 2516 wrote to memory of 2760	2516	Host.exe	30
PID 2516 wrote to memory of 2760	2516	Host.exe	30
PID 2516 wrote to memory of 2760	2516	Host.exe	30
PID 2516 wrote to memory of 2760	2516	Host.exe	30
PID 2516 wrote to memory of 2760	2516	Host.exe	30
PID 2516 wrote to memory of 2760	2516	Host.exe	30

C:\Users\Admin\AppData\Local\Temp\1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1cd6e77a4650155c54c0dc02b7ac8830_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.3MB

MD5
1cd6e77a4650155c54c0dc02b7ac8830

SHA1
2806bda7ff96b1a020400e69fb74773baff36b0a

SHA256
7ba0b6ce1beabf5437752c8dbe851e1af8bbc74154c1ce318cd4241acf4c763f

SHA512
28dd6bde9cd2d6ce063b7142b1b9bf0f5bcb34c702882c7c167e985863c5b1720c4eba25e92b12ee34c00f3651edae355a64b1681b51a9e3bbc325c04907af14

Download Submit
memory/316-2-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/316-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/316-4-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/316-15-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2760-37-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2760-32-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads