netwire | b635b825c59ef2604faef4ff8d6f1b97ed7af8af134a5aa7eb518210ffbcd2f3

General

Target

2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
Size

320KB
MD5

2512400a57cc5bcea15c91e25815ab7a
SHA1

6e7aeaa6cbba4a8b0436db04af9b9fe02f41a3d1
SHA256

b635b825c59ef2604faef4ff8d6f1b97ed7af8af134a5aa7eb518210ffbcd2f3
SHA512

675517534cbdd753fc91d6b887005e1bd437f2fffde6541df261d710803bfcef0a497b3bd491bea8a9db39d833563f7fac30238b35cde68812a26dcef8c58e71
SSDEEP

3072:Z8DWAEdnlqfDrImwhs3viexsI8EsnnuvGEO1g03ifNJcT2b/2v/cX1fmu8UO:aHgi3qeThsuCKfsTc23g1fmu8U

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

wealthyman.brasilia.me:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
WEALTH
keylogger_dir
%AppData%\music\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2228-12-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
2228	Jotunnheim8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jotunnheim8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1856	schtasks.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
2228	Jotunnheim8.exe
2228	Jotunnheim8.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
2228	Jotunnheim8.exe
2228	Jotunnheim8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
2228	Jotunnheim8.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2228	Jotunnheim8.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1856	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	30
PID 2484 wrote to memory of 1856	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	30
PID 2484 wrote to memory of 1856	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	30
PID 2484 wrote to memory of 1856	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	30
PID 2484 wrote to memory of 2356	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	32
PID 2484 wrote to memory of 2356	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	32
PID 2484 wrote to memory of 2356	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	32
PID 2484 wrote to memory of 2356	2484	2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe	32
PID 2284 wrote to memory of 2228	2284	taskeng.exe	35
PID 2284 wrote to memory of 2228	2284	taskeng.exe	35
PID 2284 wrote to memory of 2228	2284	taskeng.exe	35
PID 2284 wrote to memory of 2228	2284	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2512400a57cc5bcea15c91e25815ab7a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "linjetegningers" /TR "\"C:\Users\Admin\AppData\Local\Temp\Jotunnheim8.exe\""
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1856
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "linjetegningers"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356

C:\Windows\system32\taskeng.exe
taskeng.exe {EE399DBC-6DDD-47D0-B4C5-5D0E726D9180} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Local\Temp\Jotunnheim8.exe
  C:\Users\Admin\AppData\Local\Temp\Jotunnheim8.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jotunnheim8.exe

Filesize
320KB

MD5
5cf4dd1b2cfcb3b562265ee0091b8727

SHA1
7eaca940b79a29a9bceffaec457899322770f304

SHA256
a40e1ac0201681faec10849958ff967d3e96c1f207c3b05964ad834fbcecba69

SHA512
491cd562622988da03a86e28f0270f8316f71bd57f0ff998ceec75e13cc7429b50985ed6650ec49a1c5821e9a35c9aff200fcc00dc4118005afe52e214b8bb06

Download Submit
memory/2228-11-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2228-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2228-19-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/2228-20-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2484-3-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2484-4-0x0000000077BE0000-0x0000000077CB6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads