netwire | 2e60d3cd818fa132f8425b50f8a1de53fb7c1ebfa050bd3891a4f5c97971bf10

Analysis

max time kernel
130s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d97dc7068c3264ec0ef8d228db33ef12_JaffaCakes118.msi
Size

300KB
MD5

d97dc7068c3264ec0ef8d228db33ef12
SHA1

cc811a1ced21af00d47968f87f7c2a6198dffad7
SHA256

2e60d3cd818fa132f8425b50f8a1de53fb7c1ebfa050bd3891a4f5c97971bf10
SHA512

bde02f49f92a39a51ee683522201a83fb6651df424400a0a1b39c00aa74f5ab05dda60f75354467c8ef6c2b535c365dcd68dd86c93b51577afbf2a2fa5dd2be9
SSDEEP

6144:2EAidq19l2sJmwh4HYRYtEWBzhlANcjat9w44mKZ:2E6N44RQEW54m+934zZ

Score

10^/10

netwire botnet discovery persistence privilege_escalation rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1512-42-0x0000000000080000-0x00000000000A0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.0vxxytub.lnk	MSI3130.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 756 set thread context of 1512	756	app.exe	37

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f773015.msi	msiexec.exe
File created	C:\Windows\Installer\f773018.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3130.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f773018.ipi	msiexec.exe
File created	C:\Windows\Installer\f773015.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI30E0.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
3024	MSI3130.tmp
756	app.exe
1512	app.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	MSI3130.tmp
3024	MSI3130.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2260	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI3130.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2676	msiexec.exe
2676	msiexec.exe
756	app.exe
756	app.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2260	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeCreateTokenPrivilege	2260	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2260	msiexec.exe
Token: SeLockMemoryPrivilege	2260	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2260	msiexec.exe
Token: SeMachineAccountPrivilege	2260	msiexec.exe
Token: SeTcbPrivilege	2260	msiexec.exe
Token: SeSecurityPrivilege	2260	msiexec.exe
Token: SeTakeOwnershipPrivilege	2260	msiexec.exe
Token: SeLoadDriverPrivilege	2260	msiexec.exe
Token: SeSystemProfilePrivilege	2260	msiexec.exe
Token: SeSystemtimePrivilege	2260	msiexec.exe
Token: SeProfSingleProcessPrivilege	2260	msiexec.exe
Token: SeIncBasePriorityPrivilege	2260	msiexec.exe
Token: SeCreatePagefilePrivilege	2260	msiexec.exe
Token: SeCreatePermanentPrivilege	2260	msiexec.exe
Token: SeBackupPrivilege	2260	msiexec.exe
Token: SeRestorePrivilege	2260	msiexec.exe
Token: SeShutdownPrivilege	2260	msiexec.exe
Token: SeDebugPrivilege	2260	msiexec.exe
Token: SeAuditPrivilege	2260	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2260	msiexec.exe
Token: SeChangeNotifyPrivilege	2260	msiexec.exe
Token: SeRemoteShutdownPrivilege	2260	msiexec.exe
Token: SeUndockPrivilege	2260	msiexec.exe
Token: SeSyncAgentPrivilege	2260	msiexec.exe
Token: SeEnableDelegationPrivilege	2260	msiexec.exe
Token: SeManageVolumePrivilege	2260	msiexec.exe
Token: SeImpersonatePrivilege	2260	msiexec.exe
Token: SeCreateGlobalPrivilege	2260	msiexec.exe
Token: SeBackupPrivilege	2912	vssvc.exe
Token: SeRestorePrivilege	2912	vssvc.exe
Token: SeAuditPrivilege	2912	vssvc.exe
Token: SeBackupPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2636	DrvInst.exe
Token: SeLoadDriverPrivilege	2636	DrvInst.exe
Token: SeLoadDriverPrivilege	2636	DrvInst.exe
Token: SeLoadDriverPrivilege	2636	DrvInst.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	3024	MSI3130.tmp
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeDebugPrivilege	756	app.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2260	msiexec.exe
3024	MSI3130.tmp
2260	msiexec.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3024	MSI3130.tmp

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3024	2676	msiexec.exe	34
PID 2676 wrote to memory of 3024	2676	msiexec.exe	34
PID 2676 wrote to memory of 3024	2676	msiexec.exe	34
PID 2676 wrote to memory of 3024	2676	msiexec.exe	34
PID 3024 wrote to memory of 756	3024	MSI3130.tmp	35
PID 3024 wrote to memory of 756	3024	MSI3130.tmp	35
PID 3024 wrote to memory of 756	3024	MSI3130.tmp	35
PID 3024 wrote to memory of 756	3024	MSI3130.tmp	35
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37
PID 756 wrote to memory of 1512	756	app.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d97dc7068c3264ec0ef8d228db33ef12_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2260

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\Installer\MSI3130.tmp
  "C:\Windows\Installer\MSI3130.tmp"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Roaming\app.exe
    "C:\Users\Admin\AppData\Roaming\app.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Users\Admin\AppData\Roaming\app.exe
      "C:\Users\Admin\AppData\Roaming\app.exe"
      4⤵
      Executes dropped EXE
      PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "0000000000000558"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f773019.rbs

Filesize
663B

MD5
22fcd7db662562f556e739ac1ff64435

SHA1
c410585326ff5e7bcef171a1547ac4dd679ca939

SHA256
a523109a257f996a0e9a1a44302d829d349290cb8fafb5774841dcdd6ac76e4c

SHA512
b9ffe4b9094c9c7c51874577986a16c3493b45512638788f1daf3b0403362c04251299b0a220af25f5ad65bc349d96502f2330d79dcf488f56bb88c2e5ede47b

Download Submit
C:\Windows\Installer\MSI3130.tmp

Filesize
274KB

MD5
73724b470edb3f41133b46d9a86e40b7

SHA1
bcad91a319ee05563eb63c1dd34456f961c19cf4

SHA256
bf6750c39f9a74489588698123c7231b0045baee86325f6e2e7ff5fad859dff3

SHA512
cca819c2973060c55809e02c711fb8cc1af0248c6776f1ebf6f16108c461cb9f2062c37a10fff86ed75c6e3872330c8349943b4b9578a0b9683aa98678120fb1

Download Submit
memory/1512-42-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download