netwire | c64afd566b4daa00151c5c6835fc38069c6a7419590a8af40c8f4a6ff847870e

General

Target

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Size

2.8MB
MD5

735eddee12acb57b02e33b06c3614ef7
SHA1

897921bf02dee9cc1b10755a5e38cdff631ad0ab
SHA256

c64afd566b4daa00151c5c6835fc38069c6a7419590a8af40c8f4a6ff847870e
SHA512

83bb98c4c04d100548e43956f3960b6dfafa8ad7cd8a57f0354de632fa3407d0e87fc6c691a999225689344c565320c6a17744230219d6e277209ea7ffd0fb15
SSDEEP

49152:SlvmAvSSFH6UsEnVVuoOajWETbaaCtF0ygG/D4R6yPLRpHd4OT6:8hFaOJOuDQXgG/D4wQRp9f

Score

10^/10

netwire botnet defense_evasion discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

trololo.dynamic-dns.net:6273

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
RsNaujas
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
nesamone
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3252-20-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3252-48-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3252-53-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3252-302-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Drops startup file 1 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe.lnk	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

3252 svhost.exe

pid	process
3252	svhost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description pid process target process

PID 1464 set thread context of 3252 1464 735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe svhost.exe

description	pid	process	target process
PID 1464 set thread context of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe

Drops file in Windows directory 3 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\chrome\chrome.exe:Zone.Identifier cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\chrome\chrome.exe:Zone.Identifier	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.execmd.exereg.exesvhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Modifies registry class 1 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\chrome\chrome.exe:Zone.Identifier cmd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

pid process

1464 735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
1464 735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\chrome\chrome.exe:Zone.Identifier	cmd.exe

pid	process
1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Token: 33	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

javaw.exe

pid process

4668 javaw.exe
4668 javaw.exe

pid	process
4668	javaw.exe
4668	javaw.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 4668	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	javaw.exe
PID 1464 wrote to memory of 4668	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	javaw.exe
PID 1464 wrote to memory of 4640	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	cmd.exe
PID 1464 wrote to memory of 4640	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	cmd.exe
PID 1464 wrote to memory of 4640	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	cmd.exe
PID 4640 wrote to memory of 3496	4640	cmd.exe	reg.exe
PID 4640 wrote to memory of 3496	4640	cmd.exe	reg.exe
PID 4640 wrote to memory of 3496	4640	cmd.exe	reg.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe
PID 1464 wrote to memory of 3252	1464	735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\735eddee12acb57b02e33b06c3614ef7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\DBLauncher.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3496
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DBLauncher.jar

Filesize
2.1MB

MD5
8654e35df50a4c863bd2f109af9b4f31

SHA1
a99588782be6f1b39110b5b5254cd30f90642407

SHA256
5f37e9d0650702e37279d06fc8705843876f53570d69f3bcee06b350aaf078fd

SHA512
574f7f79b6072c70d06a0e31d8cb4e155cdb4b3b04c55b85682e5d05d0effadc1d848ad36c5366e0fcc0a0ae36bc69b3b32c1ae21cbf520f05e8727ed6724fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
1c9ff7df71493896054a91bee0322ebf

SHA1
38f1c85965d58b910d8e8381b6b1099d5dfcbfe4

SHA256
e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa

SHA512
aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

Download Submit
memory/1464-298-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1464-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1464-301-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1464-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1464-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/1464-297-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/3252-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3252-53-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3252-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3252-302-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4668-33-0x000002BC1E0A0000-0x000002BC1E0A1000-memory.dmp

Filesize
4KB

Download
memory/4668-299-0x000002BC1F970000-0x000002BC1FBE0000-memory.dmp

Filesize
2.4MB

Download
memory/4668-12-0x000002BC1F970000-0x000002BC1FBE0000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads