netwire | 0e305f4c1bc84575b8a3c2e67e8bfe4a9580435aac0de239a97d535c75a22417

General

Target

f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe
Size

385KB
MD5

f3c31b6b521ebc6457c7db4ebb2ff85f
SHA1

d22d39dd8abf73e3ccc5b711f711e21ba178ce12
SHA256

0e305f4c1bc84575b8a3c2e67e8bfe4a9580435aac0de239a97d535c75a22417
SHA512

130b82c48fa2dec153b93c49e7e4c9a58aaba592562210dd65b9e46cc4ea7fd85558e052f0faa1e06ddd1c4a9ec7f6d1a4da02eb93ef71ce87ec43e41d5402d1
SSDEEP

6144:JF1JVcCGhDE3S8KssNxqqpSWsq4SupPW32yZ8YW+hJo00:nrVfGNEi8KrNxqOzfKPWfNJ1

Score

10^/10

netwire agilenet botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

194.68.59.62:3369

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Frank456
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3424-15-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3424-20-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3424-18-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4832	taskmgr.exe
3424	taskmgr.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2376-4-0x0000000002ED0000-0x0000000002EF0000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Local\\taskmgr.exe -boot"	taskmgr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 3424	4832	taskmgr.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe
Token: SeDebugPrivilege	4832	taskmgr.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4200	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe	82
PID 2376 wrote to memory of 4200	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe	82
PID 2376 wrote to memory of 4200	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe	82
PID 2376 wrote to memory of 4904	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe	89
PID 2376 wrote to memory of 4904	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe	89
PID 2376 wrote to memory of 4904	2376	f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe	89
PID 2340 wrote to memory of 4832	2340	explorer.exe	91
PID 2340 wrote to memory of 4832	2340	explorer.exe	91
PID 2340 wrote to memory of 4832	2340	explorer.exe	91
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95
PID 4832 wrote to memory of 3424	4832	taskmgr.exe	95

C:\Users\Admin\AppData\Local\Temp\f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\f3c31b6b521ebc6457c7db4ebb2ff85f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\taskmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4200
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\taskmgr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\taskmgr.exe
  "C:\Users\Admin\AppData\Local\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Users\Admin\AppData\Local\taskmgr.exe
    "C:\Users\Admin\AppData\Local\taskmgr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\taskmgr.exe

Filesize
385KB

MD5
f3c31b6b521ebc6457c7db4ebb2ff85f

SHA1
d22d39dd8abf73e3ccc5b711f711e21ba178ce12

SHA256
0e305f4c1bc84575b8a3c2e67e8bfe4a9580435aac0de239a97d535c75a22417

SHA512
130b82c48fa2dec153b93c49e7e4c9a58aaba592562210dd65b9e46cc4ea7fd85558e052f0faa1e06ddd1c4a9ec7f6d1a4da02eb93ef71ce87ec43e41d5402d1

Download Submit
memory/2376-3-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/2376-2-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/2376-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/2376-4-0x0000000002ED0000-0x0000000002EF0000-memory.dmp

Filesize
128KB

Download
memory/2376-5-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/2376-6-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2376-9-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2376-11-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2376-1-0x0000000000A40000-0x0000000000AA6000-memory.dmp

Filesize
408KB

Download
memory/3424-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4832-14-0x0000000006250000-0x00000000062EC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads