netwire | 00a2bfbb9c07fad681cf1009e4a0b5de8d9b6d9ce0937887ca1f9c95153e6c22

General

Target

f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
Size

380KB
MD5

f27d216aad91d14815a55c01bd24a70f
SHA1

645caa29aaf3c51730d42abb3b41cb921c26c357
SHA256

00a2bfbb9c07fad681cf1009e4a0b5de8d9b6d9ce0937887ca1f9c95153e6c22
SHA512

ac1706f87539a66635102f93e910195698ce3698ed95a0297e3ce6fb8f8e2cf9a895a9cc455fb8bbf569d8f4ebaa9b2e1a300e4f550dc85c7486bec198e2b4c0
SSDEEP

6144:BWzRLS309cUvtT9TjiL2kiSYl5uuaRkr6qgo2g/YAurK2B7QS8rJsrWnSfqRn:BWzRLS309cU1T9TjilJ7fyOqgo2KYF5C

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/4372-23-0x0000000005A40000-0x0000000005A6C000-memory.dmp	netwire
behavioral2/memory/5000-25-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/5000-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/5000-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/5000-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 696	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	83
PID 4372 wrote to memory of 696	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	83
PID 4372 wrote to memory of 696	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	83
PID 696 wrote to memory of 2248	696	csc.exe	85
PID 696 wrote to memory of 2248	696	csc.exe	85
PID 696 wrote to memory of 2248	696	csc.exe	85
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86
PID 4372 wrote to memory of 5000	4372	f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27d216aad91d14815a55c01bd24a70f_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\renjhnqd\renjhnqd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA67.tmp" "c:\Users\Admin\AppData\Local\Temp\renjhnqd\CSC3877AE8C7F2044808EEF903E6BB97B7E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBA67.tmp

Filesize
1KB

MD5
9ee82acc1af9fef819796b133fec9aeb

SHA1
d4934d2f9e94558fecad11c1e06469e3e0c99cd1

SHA256
6b8525d375ad0f8bbab8eed976eea3730e394cb897eb9ea8c9d4925970ddf1dc

SHA512
27fbbd9bd7fcc6daf963e60798f62f9f07ef1b719710d45f43dd22db465890667a0b3b8823d81ff113545f7503ec21f9dd016130daee1db8f2d5e6b8593559a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\renjhnqd\renjhnqd.dll

Filesize
14KB

MD5
2bda6faeaff8fb19bc5cd088ea6ecc1a

SHA1
d00adb7509563938f51929abfde12a69e503bbff

SHA256
1e7af71e65962a215bb271f69329bd2456af113666cd788c1d2cc843c225fcf7

SHA512
54695d77d9d232b7983430ee975886bad4438ecba1b3ceb8aa4d5c1e938b8b3ff436c7fa441db0621891179444b52ce27da5ac998323fa9fdbba923ce80f2b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\renjhnqd\renjhnqd.pdb

Filesize
47KB

MD5
703c7a6a8fa39602ff865c127d4c03a4

SHA1
ffaf57a362bc5460b48f4d4ad4e42312cda97a4b

SHA256
224a9817ce5eb6ac76a713e5e1a95fe977954f08585da4e23543facbb4ca338c

SHA512
b189fe1ddbdc445bb12a0f164d0a9341798b68565f469d0e25b73820829e90b852dc62f436153613d967011264e27dc57f9afb86fc51d0c154177e1b6014ac27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\renjhnqd\CSC3877AE8C7F2044808EEF903E6BB97B7E.TMP

Filesize
1KB

MD5
d0fe9b3c86d8e6ec31267aad39868831

SHA1
71f9ab36c3c3e3b85bf671491e75fc516555e303

SHA256
2027d224a18f2c42eca4f042ae20bbccf719838cb3d92d832519e53b9f3007b2

SHA512
0cb8d63868f0e5f947294a708f80366ddf53ac93db1bb528ee9b40c57c8fd5c9090d0378f3ffa3c2dbc8f1456ceb67550fdfa60eeb6904d7089fafc403349d2b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\renjhnqd\renjhnqd.0.cs

Filesize
26KB

MD5
6dcf7939bc91676f447cac21f6a8cddf

SHA1
0b97665ab9f4b6fb932fd9e627f74939c360574d

SHA256
e6304be05bfccf43f75546e8eaa8dd0303d75dbfdd85ebc11fadcebaecd2ebd0

SHA512
95a6e48fa4e092f9369b94d8b1690e17538082e3edfd8467e5c0b329cd29a279063a9bffb2fce052edf5cd4c4fa71a4900f64a8fadab8867aec95c72458788c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\renjhnqd\renjhnqd.cmdline

Filesize
312B

MD5
5a6ba3b18c584a0d4de8bfcf138d80fd

SHA1
03152708dda09a2282488215c92b1d790853d894

SHA256
53f51ff07d06f918e936707929c4a8ee1b874f979da6807e786cab76e7fdf783

SHA512
7915307b88081fe9aff710282156fabb4037c3ef9524d3f20ad16a870e7a2549f2dce2ed7e76ad5b2f7e34d5bb7dc3ccb410e610aabc7bb5be8e68653218fd0e

Download Submit
memory/4372-19-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/4372-23-0x0000000005A40000-0x0000000005A6C000-memory.dmp

Filesize
176KB

Download
memory/4372-1-0x0000000000DD0000-0x0000000000E34000-memory.dmp

Filesize
400KB

Download
memory/4372-17-0x0000000001930000-0x000000000193A000-memory.dmp

Filesize
40KB

Download
memory/4372-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/4372-20-0x00000000058D0000-0x0000000005902000-memory.dmp

Filesize
200KB

Download
memory/4372-21-0x0000000005A10000-0x0000000005A1C000-memory.dmp

Filesize
48KB

Download
memory/4372-5-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4372-24-0x0000000005F30000-0x0000000005FCC000-memory.dmp

Filesize
624KB

Download
memory/4372-30-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/5000-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5000-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5000-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5000-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing