netwire | 57f192912a082c6e1050024c27208e34e3f0b1ab9260ccceb27d6801b86a4956

General

Target

1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
Size

146KB
MD5

1dbf99bb878f7cad04ba363045556071
SHA1

0508e0920f58b8f625c8320c37a55865cc5bbd83
SHA256

57f192912a082c6e1050024c27208e34e3f0b1ab9260ccceb27d6801b86a4956
SHA512

0291b044599fa1541ffdeb373f1599eec891a3025480f49a20df91b4d4f1100d6cf1792badbeac41aeea8c917de1f56d6879e0789928e14215404dc447542252
SSDEEP

3072:WAsj8MBX8s0oXJi45DgoHh8Z6W9MNiAjlUByUyDKQlF1RkD37977:WAsBZM43Hh8QWNGKQlF1RkH977

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

6138.thruhere.net:6138

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
03
install_path
%AppData%\Skype\Skype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
jwVDeYBU
offline_keylogger
true
password
zaq12wsxZ
registry_autorun
true
startup_name
Skypeupdates
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/2332-21-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2332-17-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2332-28-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2332-26-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2696-68-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2696-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2696-73-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2728	Skype.exe
2696	Skype.exe

Loads dropped DLL 5 IoCs

pid	Process
2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
2332	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
2728	Skype.exe
2728	Skype.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skypeupdates = "C:\\Users\\Admin\\AppData\\Roaming\\Skype\\Skype.exe"	Skype.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2728 set thread context of 2696	2728	Skype.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Skype.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000e0000000122ce-35.dat	nsis_installer_1
behavioral1/files/0x000e0000000122ce-35.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2332	2524	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	31
PID 2332 wrote to memory of 2728	2332	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2728	2332	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2728	2332	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	32
PID 2332 wrote to memory of 2728	2332	1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe	32
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33
PID 2728 wrote to memory of 2696	2728	Skype.exe	33

C:\Users\Admin\AppData\Local\Temp\1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1dbf99bb878f7cad04ba363045556071_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Roaming\Skype\Skype.exe
    "C:\Users\Admin\AppData\Roaming\Skype\Skype.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Users\Admin\AppData\Roaming\Skype\Skype.exe
      "C:\Users\Admin\AppData\Roaming\Skype\Skype.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FustianClementineDefiniendum

Filesize
1KB

MD5
41be18e6c0663c6fcecbdd6a8e0cf9ad

SHA1
5fbaa8149a23fcc10dc316348a35c62acb74cc49

SHA256
84340669cbde5bed827c112e72f84fcec1f4902a6fb9495f11d7b47d4decdf6c

SHA512
bf010f26eae814c421a3c14e515481465ea507911740a753f3ac9dea7dd8cca6f22a25f6af318e5a0d621b46d3f5043b93e871d7b95b26240aeb2f545174b237

Download Submit
C:\Users\Admin\AppData\Roaming\Skype\Skype.exe

Filesize
146KB

MD5
1dbf99bb878f7cad04ba363045556071

SHA1
0508e0920f58b8f625c8320c37a55865cc5bbd83

SHA256
57f192912a082c6e1050024c27208e34e3f0b1ab9260ccceb27d6801b86a4956

SHA512
0291b044599fa1541ffdeb373f1599eec891a3025480f49a20df91b4d4f1100d6cf1792badbeac41aeea8c917de1f56d6879e0789928e14215404dc447542252

Download Submit
\Users\Admin\AppData\Local\Temp\jailer.dll

Filesize
68KB

MD5
b27418eaf58dd7af2a04e79396069737

SHA1
b2d50a8699a34ec2af3a08be4b9a00fd8c7a5985

SHA256
a1b7d3a3c2038d13e8b1b338c1027352133c8b77e0337c50d5852d4a4b310210

SHA512
0fa8757f6c67690f23574208db548705da23f0c7a8b5aa038876495d98748a046ca84486ae5900b8052ef2ca735ab4b9f6529c6e05a390cec8dd2c897f1bba6d

Download Submit
\Users\Admin\AppData\Local\Temp\nsoD2BC.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
memory/2332-11-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-13-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-17-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2332-34-0x0000000000401000-0x0000000000413000-memory.dmp

Filesize
72KB

Download
memory/2332-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2332-21-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2524-9-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2696-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2696-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2696-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2728-49-0x0000000000560000-0x0000000000571000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads