netwire | c64afd566b4daa00151c5c6835fc38069c6a7419590a8af40c8f4a6ff847870e

General

Target

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Size

2.8MB
MD5

735eddee12acb57b02e33b06c3614ef7
SHA1

897921bf02dee9cc1b10755a5e38cdff631ad0ab
SHA256

c64afd566b4daa00151c5c6835fc38069c6a7419590a8af40c8f4a6ff847870e
SHA512

83bb98c4c04d100548e43956f3960b6dfafa8ad7cd8a57f0354de632fa3407d0e87fc6c691a999225689344c565320c6a17744230219d6e277209ea7ffd0fb15
SSDEEP

49152:SlvmAvSSFH6UsEnVVuoOajWETbaaCtF0ygG/D4R6yPLRpHd4OT6:8hFaOJOuDQXgG/D4wQRp9f

Score

10^/10

netwire botnet defense_evasion discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

trololo.dynamic-dns.net:6273

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
RsNaujas
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
nesamone
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2288-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2288-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2288-24-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2288-22-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2288-51-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2288-348-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe.lnk	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 set thread context of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\chrome\chrome.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\chrome\chrome.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Token: 33	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2144	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2144	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2144	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2144	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2176	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2176	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2176	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2176	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2500	2176	cmd.exe	33
PID 2176 wrote to memory of 2500	2176	cmd.exe	33
PID 2176 wrote to memory of 2500	2176	cmd.exe	33
PID 2176 wrote to memory of 2500	2176	cmd.exe	33
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34
PID 2916 wrote to memory of 2288	2916	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\DBLauncher.jar"
  2⤵
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DBLauncher.jar

Filesize
2.1MB

MD5
8654e35df50a4c863bd2f109af9b4f31

SHA1
a99588782be6f1b39110b5b5254cd30f90642407

SHA256
5f37e9d0650702e37279d06fc8705843876f53570d69f3bcee06b350aaf078fd

SHA512
574f7f79b6072c70d06a0e31d8cb4e155cdb4b3b04c55b85682e5d05d0effadc1d848ad36c5366e0fcc0a0ae36bc69b3b32c1ae21cbf520f05e8727ed6724fb7

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/2144-345-0x0000000002570000-0x00000000027E0000-memory.dmp

Filesize
2.4MB

Download
memory/2144-31-0x0000000002570000-0x00000000027E0000-memory.dmp

Filesize
2.4MB

Download
memory/2288-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-348-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2288-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2916-0-0x0000000074C81000-0x0000000074C82000-memory.dmp

Filesize
4KB

Download
memory/2916-1-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-346-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-347-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-2-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing