netwire | 00a2bfbb9c07fad681cf1009e4a0b5de8d9b6d9ce0937887ca1f9c95153e6c22

General

Target

f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
Size

380KB
MD5

f27d216aad91d14815a55c01bd24a70f
SHA1

645caa29aaf3c51730d42abb3b41cb921c26c357
SHA256

00a2bfbb9c07fad681cf1009e4a0b5de8d9b6d9ce0937887ca1f9c95153e6c22
SHA512

ac1706f87539a66635102f93e910195698ce3698ed95a0297e3ce6fb8f8e2cf9a895a9cc455fb8bbf569d8f4ebaa9b2e1a300e4f550dc85c7486bec198e2b4c0
SSDEEP

6144:BWzRLS309cUvtT9TjiL2kiSYl5uuaRkr6qgo2g/YAurK2B7QS8rJsrWnSfqRn:BWzRLS309cU1T9TjilJ7fyOqgo2KYF5C

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2960-22-0x0000000002040000-0x000000000206C000-memory.dmp	netwire
behavioral1/memory/2752-38-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2752-40-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2752-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2752-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2752-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2752-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2752-41-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2556	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2556	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2556	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2556	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2236	2556	csc.exe	33
PID 2556 wrote to memory of 2236	2556	csc.exe	33
PID 2556 wrote to memory of 2236	2556	csc.exe	33
PID 2556 wrote to memory of 2236	2556	csc.exe	33
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34
PID 2960 wrote to memory of 2752	2960	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p11dfxqs\p11dfxqs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD5D.tmp" "c:\Users\Admin\AppData\Local\Temp\p11dfxqs\CSC7EB9ED12B4D040768FAD3697374227.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCD5D.tmp

Filesize
1KB

MD5
71f72b1c8ecb6cdb646e6b76c6657650

SHA1
089e20e511e770e433403e7e95550d5f97bbce3f

SHA256
cdc62ccd1739a50425dbde54d11889d1c379ac6fd8e5ac19d55c633135780f14

SHA512
61a9c1bafe410f0a139a36f297695a50bfebf670bbc4387e48d2fb157bdf996dd10c2508b6f0919858590d2506995d3d7e9b083d2b9eb570d20abd90dc3cb8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\p11dfxqs\p11dfxqs.dll

Filesize
14KB

MD5
c0e2bb0584737514f89df13cb3a60453

SHA1
9c480201578a5b67d710c16c3a0e74d1513ce4d2

SHA256
e25fa505870e0ff58a3a6880daac4ad8786736e93e00cf7b86612635523f418b

SHA512
db1c1ce28d1325da0f9d70166f8b03621ade87b13d1528a1a72781f88d5d75f4889bc31b54e4ce797b75c4d8ec2f1bbac6700e78fd38a64c7d021654ce929b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\p11dfxqs\p11dfxqs.pdb

Filesize
47KB

MD5
e6e66eeb71292a57fafada51adf5e188

SHA1
d7242d443aa0b7afd5cc286f533e0987cc96b53b

SHA256
ec3a54a3bc21c9bb8a58914b7a19d84a2fe50583e83c3499aa680fba7c0320e4

SHA512
42cbbd9b7dd8fc98b9a043c52b8b78f8b5b130b63af0c0a0a02a8d60bdc82dbed8e3ec5a8a6ae01e2e27ab9cdf52dd7475487dd1e01e74dbcc558e3d635ddf67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p11dfxqs\CSC7EB9ED12B4D040768FAD3697374227.TMP

Filesize
1KB

MD5
ecaffe35c523e492086ee7b50587884d

SHA1
962905e3eae22bb77f17075fac94719ffa959dd4

SHA256
834fb82f954cb89d7f52b0bc6b49f0666535c6bd70f5a80c06be5a59efb6b72b

SHA512
d4fc777f37aaa5b5954fea91b20b89aa18bacdc0c54def74810534cf18d23b4521226c594772e87e3c08e5bd51265db465aa8224651b30c1a11cd745ad2336f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p11dfxqs\p11dfxqs.0.cs

Filesize
26KB

MD5
6dcf7939bc91676f447cac21f6a8cddf

SHA1
0b97665ab9f4b6fb932fd9e627f74939c360574d

SHA256
e6304be05bfccf43f75546e8eaa8dd0303d75dbfdd85ebc11fadcebaecd2ebd0

SHA512
95a6e48fa4e092f9369b94d8b1690e17538082e3edfd8467e5c0b329cd29a279063a9bffb2fce052edf5cd4c4fa71a4900f64a8fadab8867aec95c72458788c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\p11dfxqs\p11dfxqs.cmdline

Filesize
312B

MD5
e5a5cdbe594efcc8a1f7121fdd64a58f

SHA1
42a4f0edec0a2c8af4c297f4753f50f115a85162

SHA256
76b6d9c154401bb7598b9b95fa19896ba38e6fa14f04340b5f209cc23b3ee97c

SHA512
db3a4249d759591cb5c2c81c330b5988375567a372204da1f926b2c427767e201c7b879b71c285cfd171bd35f09fa220d2d57f338c659969cb97203c654425ef

Download Submit
memory/2752-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-41-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2752-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-39-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/2960-5-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-22-0x0000000002040000-0x000000000206C000-memory.dmp

Filesize
176KB

Download
memory/2960-20-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2960-19-0x0000000000830000-0x0000000000862000-memory.dmp

Filesize
200KB

Download
memory/2960-17-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2960-1-0x00000000008B0000-0x0000000000914000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing