netwire | 1081a008943d8c67a28d92519792534bd58927cc3f5a010cf4f1ffb04ef5ae04

General

Target

e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
Size

275KB
MD5

e49c09156be771b3d16101905e9fa96f
SHA1

fe4436364fef2faea57bcf26e9d2a3e1e77224ad
SHA256

1081a008943d8c67a28d92519792534bd58927cc3f5a010cf4f1ffb04ef5ae04
SHA512

7db85fb962610a49f934dfe87afa953f29abaf0d84c18236c101dd3a2f9b99d5bc2c00b7991a15ae2d4cc0f7a9ddc43e8ac25fa47775bd6c894bf69d1f02a4a8
SSDEEP

3072:X3ZnQm4mdfCnsXBF3a/zfFitmrafgDgn+MryVVBJut7wuJhT4wOWq99Szv1ljhqb:n2m4mdKyFKzFOHfgDwK4R5OWq99SzLz

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/1728-22-0x0000000002030000-0x000000000205C000-memory.dmp	netwire
behavioral1/memory/2844-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2844-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2844-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2844-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2844-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2844-35-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2844-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2744	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2744	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2744	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	30
PID 1728 wrote to memory of 2744	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	30
PID 2744 wrote to memory of 2680	2744	csc.exe	32
PID 2744 wrote to memory of 2680	2744	csc.exe	32
PID 2744 wrote to memory of 2680	2744	csc.exe	32
PID 2744 wrote to memory of 2680	2744	csc.exe	32
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2844	1728	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dtsidjsc\dtsidjsc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF22C.tmp" "c:\Users\Admin\AppData\Local\Temp\dtsidjsc\CSCC41098927D9B4BAD8747AA3D5E5D3C6C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF22C.tmp

Filesize
1KB

MD5
426853a1fe356f00c8a8b17174746388

SHA1
e9d7adc70c87c3ab4abe2924228c18f1df2db99f

SHA256
8633ce4e87dd2d9cc2497814ff9733a9cbf4de813bcc07dfa840db22f45dde72

SHA512
5c8b598e116aedb2961a7cbb12bb4f7be042629a696eb356f1a57f717bc8940bcd2c904d32df614abec6f3d5a4022501d30dbbea1393a3c72a5d8571f4a792b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtsidjsc\dtsidjsc.dll

Filesize
19KB

MD5
264d1c9f2f11b3d9c590f0205b964295

SHA1
ba87114098e62116bf0d43b79e88310877f659a3

SHA256
f6466fc013a81a8cb42b54f650d3cb44e3bc2cbcd2900c88433f9c39b63f75ae

SHA512
d24b21da4cc4700c08bd7a9a18144d07777124cc9f0af14e29debd975c2d651aa5b4b0202129a78d7ad156bfc32c8f2f50d4128c329f24a617f043c179e85ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtsidjsc\dtsidjsc.pdb

Filesize
65KB

MD5
46f69107031c6371d4b91876bc11d567

SHA1
0ba4ef5d1e9663de959db49f3423b24c2350109d

SHA256
89fe632f823dedcb8cc2362389c486ecda3822867e8ffc6dec5099c9301d9f52

SHA512
370654b908a7dab439682b2c059872d79f55665711621460e42ec2a18c0e67988d35d09ca39eef4c4c9271678c9bad1fe93db17fc1b052d0f25df08e3472923e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dtsidjsc\CSCC41098927D9B4BAD8747AA3D5E5D3C6C.TMP

Filesize
1KB

MD5
fe9499cadcbe9dc82c4279e85f7dd8d1

SHA1
f73e66a8f3e9b1c00a899dd46743ae7f443ac916

SHA256
c07a4827ebf1f88dd960e371906ac655343f0531d5c50bf5c1657a18b7a1e601

SHA512
ce100ccde42401b1ba89e63b45c9b5e6dbdb74c480f7b968c23921bec3f1154b87e9eb06a3f6f6eeba114353e87365aeb017cc4f28f14d78e2e38617a61a32c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dtsidjsc\dtsidjsc.0.cs

Filesize
44KB

MD5
f9255e0c57a621b757a8ccdce546d25c

SHA1
c0fd53ff869c0ee9a845554cb0bd05e1b1e412f4

SHA256
3b522318f5dfa7c3582aae67e62e33776273cfd5d5538f9326759e89a88f7007

SHA512
6a921fdb888c0a0337ca6621d0dc2727b71939d1cfd8aa103fe0bd8a36e0c2a551cbc38c81ff110d0153244522020e396b415ff7c7eb5fd7fed34542583cf220

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dtsidjsc\dtsidjsc.cmdline

Filesize
312B

MD5
1230e8dcaefa4452338a2ca5d2311322

SHA1
5e04cd5fe4a156fdc9ef553e20832c13080971a8

SHA256
dd82ca81a677085a5caaf090457313d567ba3861ec3ad416640276fcab0b19d4

SHA512
cf1e9afca79c0c3779809d001a628f7b03580e24b2b94464cb87b8a637f83580d891ac76f95b0ba44157f9938b68cd5b656c286ac0bb17b9ae1088c197f6f39f

Download Submit
memory/1728-22-0x0000000002030000-0x000000000205C000-memory.dmp

Filesize
176KB

Download
memory/1728-6-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-1-0x0000000000380000-0x00000000003CA000-memory.dmp

Filesize
296KB

Download
memory/1728-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1728-19-0x0000000001EA0000-0x0000000001ED2000-memory.dmp

Filesize
200KB

Download
memory/1728-20-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1728-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/1728-33-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2844-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing