netwire | 1081a008943d8c67a28d92519792534bd58927cc3f5a010cf4f1ffb04ef5ae04

General

Target

e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
Size

275KB
MD5

e49c09156be771b3d16101905e9fa96f
SHA1

fe4436364fef2faea57bcf26e9d2a3e1e77224ad
SHA256

1081a008943d8c67a28d92519792534bd58927cc3f5a010cf4f1ffb04ef5ae04
SHA512

7db85fb962610a49f934dfe87afa953f29abaf0d84c18236c101dd3a2f9b99d5bc2c00b7991a15ae2d4cc0f7a9ddc43e8ac25fa47775bd6c894bf69d1f02a4a8
SSDEEP

3072:X3ZnQm4mdfCnsXBF3a/zfFitmrafgDgn+MryVVBJut7wuJhT4wOWq99Szv1ljhqb:n2m4mdKyFKzFOHfgDwK4R5OWq99SzLz

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1352-23-0x00000000054C0000-0x00000000054EC000-memory.dmp	netwire
behavioral2/memory/4264-25-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4264-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4264-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2360	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	82
PID 1352 wrote to memory of 2360	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	82
PID 1352 wrote to memory of 2360	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	82
PID 2360 wrote to memory of 1508	2360	csc.exe	84
PID 2360 wrote to memory of 1508	2360	csc.exe	84
PID 2360 wrote to memory of 1508	2360	csc.exe	84
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85
PID 1352 wrote to memory of 4264	1352	e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e49c09156be771b3d16101905e9fa96f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4o01mmks\4o01mmks.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9990.tmp" "c:\Users\Admin\AppData\Local\Temp\4o01mmks\CSC433F234DC0A94380A67D375FB952F4EB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4o01mmks\4o01mmks.dll

Filesize
19KB

MD5
3aa73d7db4dcb9ceea6322862b290b98

SHA1
bae16590bb554f0867966f6b4d91426cba91ecf5

SHA256
67f9dc1cbac32b2569a68bcf7097f6ec13b51b95a4d8aaf747edadc5b282c8d1

SHA512
e85cbb07a26bc0730ab45d7efc767b6ff3c448992703db8d8668caad34a53bef7c0bbfa93285dd6fd88cd72953077bd4a04a19f62934d1a0a8b90e4e44677f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\4o01mmks\4o01mmks.pdb

Filesize
65KB

MD5
11697f3e814790015ba9293d2d4622fe

SHA1
7cce50b394b38d69b023b205a5a42bfb849b2fe9

SHA256
b2bf3637a8dbf2a78b023967c38868ed77141352c73645bc465fa11ea95065f0

SHA512
1f1b840b00a41c29b1ea58e59db3b5fd6d6f567b818fb91822ba68713f422997f9ce08f9816f13a580967e094373991254ed8586270964f16b1900cf2e1a5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9990.tmp

Filesize
1KB

MD5
662be5385a88b1c645e17464365f6bc0

SHA1
f35098ec80d93356f1ed0b9b5a5fd061b693590d

SHA256
b516a81124c855edbf7892b8fe9f77f95fda6ef91da04f2d9eeb5b16fc2e700e

SHA512
5ec61e5c2bd99095e7f72824222acd22444d7b4e61443bc91c6bb871418056af0397b5e3e87c9f312fd9dd3622b9066fad0c25725ad712156d46155496120cb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4o01mmks\4o01mmks.0.cs

Filesize
44KB

MD5
f9255e0c57a621b757a8ccdce546d25c

SHA1
c0fd53ff869c0ee9a845554cb0bd05e1b1e412f4

SHA256
3b522318f5dfa7c3582aae67e62e33776273cfd5d5538f9326759e89a88f7007

SHA512
6a921fdb888c0a0337ca6621d0dc2727b71939d1cfd8aa103fe0bd8a36e0c2a551cbc38c81ff110d0153244522020e396b415ff7c7eb5fd7fed34542583cf220

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4o01mmks\4o01mmks.cmdline

Filesize
312B

MD5
9158d5f2cf7ca92aa4d3c3c016ded257

SHA1
feb7ea891d3b48f0375fdf067855b37c796ea3dd

SHA256
eeb99eddb014172ba3aacce08b7699c31f80db6c4117b989348dfa4766dcaf17

SHA512
ca5065a7d1b580eefb40dfb3420fd475a4284c3c0c2c9a608a53647e60024265a569d776148c7090048cad5532f7c8dc682971303aa409983fa9405b62003188

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4o01mmks\CSC433F234DC0A94380A67D375FB952F4EB.TMP

Filesize
1KB

MD5
21bffdb089a8d55dd50ce9a332afd927

SHA1
cdacc7f42ca1b9f7582f8b2dfb4066338900da2d

SHA256
3a45498ec02e303523ccabe4177960391d3b143d84c947391f0b7c0b3de426be

SHA512
c9e95ff50cb29c538a02c0b6526dd865f53a18621a550992771a790c8142199f5e825c3460395429cc9abe37a206ae885dd9e662900fd3deeb67e1233419935e

Download Submit
memory/1352-19-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1352-5-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1352-1-0x0000000000650000-0x000000000069A000-memory.dmp

Filesize
296KB

Download
memory/1352-17-0x0000000002A00000-0x0000000002A0C000-memory.dmp

Filesize
48KB

Download
memory/1352-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

Filesize
4KB

Download
memory/1352-20-0x0000000005070000-0x00000000050A2000-memory.dmp

Filesize
200KB

Download
memory/1352-21-0x0000000005050000-0x000000000505C000-memory.dmp

Filesize
48KB

Download
memory/1352-23-0x00000000054C0000-0x00000000054EC000-memory.dmp

Filesize
176KB

Download
memory/1352-24-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/1352-29-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4264-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4264-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4264-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing