netwire | 886b49c0050de4f05f48028ebfd87d2b552ee61141dda7bd836b3f3129249a00

General

Target

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
Size

4.8MB
MD5

7beb088d242e66f5cce11a084bff8c97
SHA1

fb1196b51f191f3c92e3d54dd649faac0451f395
SHA256

886b49c0050de4f05f48028ebfd87d2b552ee61141dda7bd836b3f3129249a00
SHA512

3e2a56254a3f3eb9aed67bd3a06b0d4023b6de45f503cf07de5c7417a59f6bd5ef1d821728cfb0a5fa31b15267cd65803db42252bb6199170c0305d58da98dd5
SSDEEP

3072:w30F9m8D+EVl+xF945o3xUvS36894wkpmf3cLsGrFKdAtaIuuaBktbVJgNZBu:w389R+Er+Fu5WUvg6rpmUXQRuaBhNZ

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

94.177.123.116:3368

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
win10ram
keylogger_dir
%AppData%\axe\
lock_executable
false
mutex
mxjvAOdg
offline_keylogger
true
password
Invalid123!
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2912-32-0x0000000000400000-0x00000000008C8000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire
Executes dropped EXE 2 IoCs

Processes:

BEAPRONED.exeBEAPRONED.exe

pid process

2260 BEAPRONED.exe
2912 BEAPRONED.exe
Loads dropped DLL 3 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exe

pid process

1056 7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056 7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
2260 BEAPRONED.exe

pid	process
2260	BEAPRONED.exe
2912	BEAPRONED.exe

pid	process
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
2260	BEAPRONED.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

BEAPRONED.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Synkopr1 = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\BEAPRONED.vbs\""	BEAPRONED.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exe

description	pid	process	target process
PID 1732 set thread context of 1056	1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
PID 2260 set thread context of 2912	2260	BEAPRONED.exe	BEAPRONED.exe

Drops file in Windows directory 4 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exeBEAPRONED.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	BEAPRONED.exe
File opened for modification	C:\Windows\win.ini	BEAPRONED.exe
File opened for modification	C:\Windows\win.ini	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BEAPRONED.exeBEAPRONED.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BEAPRONED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BEAPRONED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exeBEAPRONED.exe

pid	process
1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
2260	BEAPRONED.exe
2260	BEAPRONED.exe
2912	BEAPRONED.exe
2912	BEAPRONED.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exeBEAPRONED.exe

pid	process
1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
2260	BEAPRONED.exe
2260	BEAPRONED.exe
2912	BEAPRONED.exe
2912	BEAPRONED.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exeBEAPRONED.exe

pid	process
1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
2260	BEAPRONED.exe
2912	BEAPRONED.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exeBEAPRONED.exe

description	pid	process	target process
PID 1732 wrote to memory of 1056	1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
PID 1732 wrote to memory of 1056	1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
PID 1732 wrote to memory of 1056	1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
PID 1732 wrote to memory of 1056	1732	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
PID 1056 wrote to memory of 2260	1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	BEAPRONED.exe
PID 1056 wrote to memory of 2260	1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	BEAPRONED.exe
PID 1056 wrote to memory of 2260	1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	BEAPRONED.exe
PID 1056 wrote to memory of 2260	1056	7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe	BEAPRONED.exe
PID 2260 wrote to memory of 2912	2260	BEAPRONED.exe	BEAPRONED.exe
PID 2260 wrote to memory of 2912	2260	BEAPRONED.exe	BEAPRONED.exe
PID 2260 wrote to memory of 2912	2260	BEAPRONED.exe	BEAPRONED.exe
PID 2260 wrote to memory of 2912	2260	BEAPRONED.exe	BEAPRONED.exe

C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe
    "C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe
      "C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BEAPRONED.exe

Filesize
4.8MB

MD5
d33769f0e4c4bdad17606ce73812752a

SHA1
a1cd055c65c8553eb4bcf8f370246e3ea4d4134d

SHA256
57b0ee6870acb9c988ab40f6bfb793df6c80bef599d5bc5ddc1b2a424fdb4478

SHA512
653e445add78cda8d4af3494e7c60a34d3e98d4b3b2996dde9c41eea70f3643fdfbac252d65fbe4cb220c7c3085ef9da19fecb8456764cd60e1e8432a2d9a25e

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/1056-19-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/1732-3-0x0000000077311000-0x0000000077412000-memory.dmp

Filesize
1.0MB

Download
memory/1732-4-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/1732-9-0x0000000077500000-0x00000000775D6000-memory.dmp

Filesize
856KB

Download
memory/1732-35-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/2912-32-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads