netwire | 5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
Size

824KB
MD5

601eac781876bbe44d59f1cd2e6f38b0
SHA1

d4467be6a1db3962cf9287d27245ec7ae03641f3
SHA256

5f5e8fca6ab9657c82efdc33fe9084c8bf1c3f71dff22879700d7b0a3ec87995
SHA512

3b46e954a871852f9f124bebffeef9d46616e7f463fd54675fbf256f11853c056acb7fa1f291667bd528d899aeb0c271fa2a8397dd5ab66a20a620cda0804232
SSDEEP

24576:f2O/GlKzBmrxcuUoXJ4yzwmxhKbH3rUO46GnZp0:c+yCSwmxUT3ivZp0

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

185.244.29.116:4066

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Nov12345
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1616-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1616-139-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1616-137-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1616-135-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1616-146-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1616-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 3 IoCs

pid	Process
2628	fke.exe
2232	fke.exe
1616	RegSvcs.exe

Loads dropped DLL 6 IoCs

pid	Process
2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
2628	fke.exe
2232	fke.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\fke.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\81913139\\LEL_VC~1"	fke.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 1616	2232	fke.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2628	fke.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2104 wrote to memory of 2628	2104	601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe	30
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2628 wrote to memory of 2232	2628	fke.exe	31
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32
PID 2232 wrote to memory of 1616	2232	fke.exe	32

C:\Users\Admin\AppData\Local\Temp\601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\601eac781876bbe44d59f1cd2e6f38b0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
  "C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe" lel=vcc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe
    C:\Users\Admin\AppData\Local\Temp\81913139\fke.exe C:\Users\Admin\AppData\Local\Temp\81913139\NTNNZ
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81913139\BorderConstants.docx

Filesize
133B

MD5
88e49f064d3a64a665d1aacec00412f4

SHA1
452ed82da9ba84aeab1a769234c44322106dda43

SHA256
ff35a9dec7311443eb46f398c4a1ae5b7e1e0d461783e07cec082384bf17958b

SHA512
953019ebe9f69e5e1c2468b364c373059f5ee0b738e22a20d5e77fc17882679622eca9cd5c040b04a5183e192cbe39898d89ec712bc8b3ddc0f1fddcab517cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\NTNNZ

Filesize
87KB

MD5
f619d1c321f994280318e4899808f579

SHA1
966c6c06a68c53bb21cebd289cc50de7e88dfd7b

SHA256
f933a5a03de01e9a488c4cb71285bee17baba1a0684d08ce49094ae01cfd2c96

SHA512
8aa70b965fc37292aba22e452dca20291cde7ca71cf791214bbc534da8f003fd282ab50c7ffba7c3a631bdb2358a1948a2de65ae31bca36405415e18b7d6a75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\TreeViewConstants.mp4

Filesize
36B

MD5
ca93714441a8d3ef16a7774a3298074c

SHA1
5140b2d0a3a2c36f9ec413cad1ae614fc56d977d

SHA256
9afbd1a569a66aaea4429582a0e9f795ccaec874c9a98b75de620b825db1eba7

SHA512
425e85387f51334eca6f997b041c49ffb1977f19a87704a6336ec2c3350418e9f64158f0f4e495b21ec06a46d6e3381a38071e525f4c5332c0ac0714db02afa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\fxl.xl

Filesize
491KB

MD5
462f4d1de916f644cdb5ea29c8c51f8f

SHA1
7ac2072c4e3d9ad0b8d2336dd3c52eb48ff93a00

SHA256
02b3a0ccc1716ca0d5be2dff72e715f80bff2fbb11784bdf44449746bb37884b

SHA512
b63dca754b19c080825e55a76e46d753f0207595e3a0c20aace55b86e63c1501002ca3ee78c3c9c2821c6b7b8f0eb570acb1ea4d65a73d203f1229a7edbd175c

Download Submit
C:\Users\Admin\AppData\Local\Temp\81913139\lel=vcc

Filesize
303KB

MD5
b9dd6356f3e9b1281d047ab42650944a

SHA1
15765fee1d0ba347e13037bdac59e7a684ba2be8

SHA256
46df4ccddef86332d56ae5cac26dccac4fc3fb84cbc8a9d297dbacf79af04ce7

SHA512
cdde822cfa1d736409d23b374932adc3bbbe02a060ba9496d8f97b3a7027e19a0f714d138dcea2594a95d1884325f3fae228c598520173ccc3d5843a8b29c956

Download Submit
\Users\Admin\AppData\Local\Temp\81913139\fke.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1616-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-141-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1616-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-131-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1616-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download