netwire | 5283ee93c25e567f42c1dd8743e1121a6973f922d1ef6e9286b3d40e27f357b5

General

Target

bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe
Size

562KB
MD5

bdd639e15d8c88efe5ab1f58608a0302
SHA1

fd99f0cff3ebbc6254c86147096148b41aa31b5f
SHA256

5283ee93c25e567f42c1dd8743e1121a6973f922d1ef6e9286b3d40e27f357b5
SHA512

880f7f2401a470c4c157659cec8b3f396233b260a1cc68d698cb0443e88bef56ddf2435e100a1c780956b5cbe5c22906024ef4a90245d1615ebf28fd67efdd85
SSDEEP

12288:V8FaD+mjs28sVj4tOSlI3XopCZET0Ri+esTCmmZ:QaD+mgGj4tlQX1Zq0x2my

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

elumadns.eluma101.com:4003

elumadns.eluma101.com:4000

jmoney.daniel2you.com:4000

jmoney.daniel2you.com:4003

oluwa101.hopto.org:4003

oluwa101.hopto.org:4000

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
NEWEST_2019
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
BEBSWoHf
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1468-35-0x0000000000400000-0x000000000042D000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
2608	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ms OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Macromedia\\StikyNot.exe"	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4720 set thread context of 1468	4720	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe	109

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 1468	4720	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe	109
PID 4720 wrote to memory of 1468	4720	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe	109
PID 4720 wrote to memory of 1468	4720	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe	109
PID 4720 wrote to memory of 1468	4720	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe	109
PID 4720 wrote to memory of 1468	4720	bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe	109
PID 1468 wrote to memory of 2608	1468	mstsc.exe	110
PID 1468 wrote to memory of 2608	1468	mstsc.exe	110
PID 1468 wrote to memory of 2608	1468	mstsc.exe	110

C:\Users\Admin\AppData\Local\Temp\bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bdd639e15d8c88efe5ab1f58608a0302_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\System32\mstsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.2MB

MD5
9381487fc539c364449fba525e05dd52

SHA1
ef6c688bc2aee22ebc5cb95d014e044a9ea8605f

SHA256
6d0f73a4fbf12fee6fe20a5b02cc23874a75977726e5b8605000321f3e686622

SHA512
348f87928c18eb6a79898a47a9511f7c24490eac80a4644f2b1aeb52ce4c0b82fbdd60455c01bd12fcbe20dae16499e1b20a3cced4049f81002338b0b1e3f631

Download Submit
memory/1468-29-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1468-35-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1468-32-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4720-18-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/4720-15-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4720-4-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4720-3-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/4720-2-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4720-9-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4720-10-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/4720-12-0x00000000024C0000-0x00000000024C2000-memory.dmp

Filesize
8KB

Download
memory/4720-11-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4720-19-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4720-0-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/4720-17-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4720-16-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4720-5-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4720-14-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4720-13-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4720-20-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/4720-21-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4720-22-0x0000000002330000-0x0000000002372000-memory.dmp

Filesize
264KB

Download
memory/4720-24-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4720-23-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/4720-6-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/4720-7-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/4720-33-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/4720-8-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4720-1-0x0000000002330000-0x0000000002372000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads