netwire | 120cdfbcb025ada491a35f0aebfa143730d8755cd67b8b4a7a701da592f822c7

General

Target

34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe
Size

831KB
MD5

34885e384ba164409fd2e150c62b527f
SHA1

4314a9de717cb5d480182ffd0ba0cc94d84d2d06
SHA256

120cdfbcb025ada491a35f0aebfa143730d8755cd67b8b4a7a701da592f822c7
SHA512

6d1aa6f567324dc625d36603156a7d6401026d34ba8798fe0c8c69584741f6337bdcc28730387eaeedd9b6d7f2f7cacc47fa7ef8e6e235c762f80be55ff2488e
SSDEEP

24576:f2O/GlG2MGLklsZAy5guQGnJwmxhKbH3rUO46Grh:3CklsZXiCJwmxUT3izh

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.182:3080

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Temp12345
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2556-123-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2556-125-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2556-126-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2556-127-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	vkv.exe
1032	vkv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\12034267\\vkv.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\12034267\\AMB_PD~1"	vkv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 2556	1032	vkv.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1940	vkv.exe
1940	vkv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 1940	1288	34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe	86
PID 1288 wrote to memory of 1940	1288	34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe	86
PID 1288 wrote to memory of 1940	1288	34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe	86
PID 1940 wrote to memory of 1032	1940	vkv.exe	88
PID 1940 wrote to memory of 1032	1940	vkv.exe	88
PID 1940 wrote to memory of 1032	1940	vkv.exe	88
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89
PID 1032 wrote to memory of 2556	1032	vkv.exe	89

C:\Users\Admin\AppData\Local\Temp\34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\12034267\vkv.exe
  "C:\Users\Admin\AppData\Local\Temp\12034267\vkv.exe" amb=pdj
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\12034267\vkv.exe
    C:\Users\Admin\AppData\Local\Temp\12034267\vkv.exe C:\Users\Admin\AppData\Local\Temp\12034267\YLBNB
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12034267\YLBNB

Filesize
87KB

MD5
7f88e801c64188209897860e6947bb15

SHA1
e348dab90fbd6703e9340221acdde5b8ba3c9a90

SHA256
5bf0feefa62be514fa094c55978dca5eae2728624b327afec93513d0fdda4119

SHA512
33069b9551b3834b4a67e50b54d8953d2ecfee7a3f94d80d1a6ceaf5b90e268d0ee327691abdedca104e5693cd6d12c7b31d5d84b5750e66883cf423a59d4cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\12034267\amb=pdj

Filesize
183KB

MD5
726bb62588cd86face8960666ef753d1

SHA1
d87bb7e7e8fd5353863059abe6f8561690cddec4

SHA256
9c1f7c70fbd662230293de4ed7dba875ace5e7bc253233cfa73c67283b4eadf9

SHA512
992f3e16aab9955ccb3b23bd681154708f723e8499e85701c46054dfe45e38c6666c228cf0fab60f86c30c55a4b6aee8bbc8165838a4c41c625636728f65b169

Download Submit
C:\Users\Admin\AppData\Local\Temp\12034267\cco.ppt

Filesize
293B

MD5
de478b67a0c7b86187df64ca7f779808

SHA1
fbe5110b35e8a467fb9cba4beda4473e3e8b3f0b

SHA256
11febe56e9605fc80132525ec04d26447ed5f55fd9bb29b6148008e1da004d52

SHA512
9d9977c0af926b03fa402ee38410468c8dab5031b3bd9e262ed1fb4ec74f5f68c074e9b29996a45f898dd552e303a6a4d4d4da7c46fc0717564478c33365c266

Download Submit
C:\Users\Admin\AppData\Local\Temp\12034267\hcn.bmp

Filesize
498KB

MD5
7ce84aaa9795862aa7a41863ca5ec006

SHA1
591809a40b6aaa5a0200e4b8617ab5dfecfea48b

SHA256
33384cb0e53f142b93e7a95d1df07a0f55faf762be4290684281532197b331a7

SHA512
1ce91bf03a15cd303baf7f37c9f11c1b285249f64e4144c2f912cd0530e47c07f17f6813bc92673a4403531d3fdb455defae307ceb3df3d47ba93d6f46a2c449

Download Submit
C:\Users\Admin\AppData\Local\Temp\12034267\kpw.mp3

Filesize
318B

MD5
c648993b40753c61b974832c87801097

SHA1
3bf588cc8821dd97cb616d166faba960e228c40a

SHA256
719885203dcc1bf069ec6147679583a75ac42ed12b6388010ebeeac063bd6585

SHA512
c7e1c42055d8da8c9ad94d3bb6e5e06110b8cb0a5dfcc43a4c2a13e9d4932885b1e1c76cbdfcbb397b247989418d86f4e5a8b1e5569790f610c63dff2ff8d4ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\12034267\vkv.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2556-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2556-125-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2556-126-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2556-127-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads