netwire | 3a2e02b09f40f8f5a772867049e5afd1196d994ae1e78bca6de331684df44ef7

General

Target

JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe
Size

356KB
MD5

692f09862fc04949c9eb50373bd46ba0
SHA1

f24b24219e66ff60c6779ac48cd51332b2217b79
SHA256

3a2e02b09f40f8f5a772867049e5afd1196d994ae1e78bca6de331684df44ef7
SHA512

e1b0e3e65f814320022d03411d055e13c0986c5c2a4494629ed71ca3515749084c3a4d5ef292bd7109a7cff73989a38feadefdb4ea1314d4756e12ee66c8eae3
SSDEEP

6144:YREth6OE4b+zQbO43MklZ6aMLZt4ArwRv47ocSpCXsEDiRWkqghKLCJD3monL:5X6BiyMMI04ArDx3Ds3KLCd2S

Score

10^/10

netwire botnet defense_evasion discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

teamviewer.ddns.net:3360

local.cable-modem.org:3360

tvnserver.serveftp.com:3360

Attributes

activex_autorun
true
activex_key
{14KSXKQ0-JJJT-Y358-8D63-IU887U6Y74EA}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
eHCXhHXM
offline_keylogger
true
password
anjing
registry_autorun
true
startup_name
tvnservers
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2060-42-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral2/memory/1728-55-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral2/memory/1728-57-0x0000000000400000-0x0000000000418000-memory.dmp	netwire
behavioral2/memory/1728-59-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14KSXKQ0-JJJT-Y358-8D63-IU887U6Y74EA}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14KSXKQ0-JJJT-Y358-8D63-IU887U6Y74EA}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	host32.exe

Executes dropped EXE 5 IoCs

pid	Process
1680	host32.exe
2060	Host.exe
1404	y5.exe
1728	Host.exe
3380	host32.exe

Loads dropped DLL 2 IoCs

pid	Process
2060	Host.exe
1728	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvnservers = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\host32 = "\"C:\\windows\\host32.exe\""	host32.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\ws2help.dll	Host.exe
File opened for modification	C:\Windows\ws2help.dll	Host.exe
File created	C:\Windows\Wplugin.dll	Host.exe
File created	\??\c:\windows\host32.exe	host32.exe
File opened for modification	\??\c:\windows\host32.exe	host32.exe
File created	C:\Windows\Wplugin.dll	Host.exe
File opened for modification	C:\Windows\Wplugin.dll	Host.exe
File created	C:\Windows\explorer.exe.local	Host.exe

Hijack Execution Flow: DLL Search Order Hijacking 1 TTPs
Possible initial access via DLL redirection search order hijacking.
defense_evasion

DLL Search Order Hijacking
T1574.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	host32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	Host.exe
2060	Host.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1680	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	83
PID 3996 wrote to memory of 1680	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	83
PID 3996 wrote to memory of 1680	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	83
PID 3996 wrote to memory of 2060	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	84
PID 3996 wrote to memory of 2060	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	84
PID 3996 wrote to memory of 2060	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	84
PID 3996 wrote to memory of 1404	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	85
PID 3996 wrote to memory of 1404	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	85
PID 3996 wrote to memory of 1404	3996	JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe	85
PID 2060 wrote to memory of 1728	2060	Host.exe	86
PID 2060 wrote to memory of 1728	2060	Host.exe	86
PID 2060 wrote to memory of 1728	2060	Host.exe	86
PID 1680 wrote to memory of 3380	1680	host32.exe	87
PID 1680 wrote to memory of 3380	1680	host32.exe	87
PID 1680 wrote to memory of 3380	1680	host32.exe	87

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_692f09862fc04949c9eb50373bd46ba0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\host32.exe
  "C:\Users\Admin\AppData\Local\Temp\host32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\windows\host32.exe
    "C:\windows\host32.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3380
- C:\Users\Admin\AppData\Local\Temp\Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Host.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe" -m C:\Users\Admin\AppData\Local\Temp\Host.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1728
- C:\Users\Admin\AppData\Local\Temp\y5.exe
  "C:\Users\Admin\AppData\Local\Temp\y5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Hijack Execution Flow

1

T1574

DLL Search Order Hijacking

1

T1574.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Hijack Execution Flow

1

T1574

DLL Search Order Hijacking

1

T1574.001

Defense Evasion

Hijack Execution Flow

1

T1574

DLL Search Order Hijacking

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
161KB

MD5
38bd5310acf6d46a429c5eb67a1f1069

SHA1
7fd407511057684aa375d34c0a31106f7f1bbf92

SHA256
19b7d8286431d6a5310e966558240f8d5df37d7612ae4f90f9a262a214fefd9a

SHA512
4d0035e467e76a9975f6a4ee74ce4eb44974afbb1fdaf2cba43d3857fc5a9a247c5bcdee4cb0e06cf1d13d4f5dfd1462c4fdad13d8bd9fe81de4ad2798706e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\host32.exe

Filesize
28KB

MD5
94edfaaa711da61d93995f6cf17fe653

SHA1
96b052eceecde5433379efeeaf43b7082eb25015

SHA256
2b932f637b877c7f7419ddf56d428d880dccf72fbcd732bbc71ce998e0505929

SHA512
d36540b3e14ba0496376c29bf0ccd0e19c2990497f38a3b7cba47a065c7e001bda46438e616e3654cf67b93bbdc9a59f9ef62e3a985ce8a68fc6d00d8b1e7abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5.exe

Filesize
501KB

MD5
7efe771841d5c937a5e35862a87ab8d2

SHA1
6121183b7d7225092bc60a31945f25f704b41159

SHA256
059a51f87de4eb45786c2bd59c8e552edc30235f809ecd7f3bb11279443caa4d

SHA512
17ec8fd536e9cec1074fca0bffc5e5eafe6e079bc63e94a1692904867cd7ae883e6ea0c8e223c68da93d385402835a90e3a0d5118c6ea67bf4a68595021cec7b

Download Submit
C:\Users\Admin\AppData\Roaming\Wplugin.dll

Filesize
108KB

MD5
8847a8302dacc1d6fca61f125c8fe8e0

SHA1
f399142bbf03660bee1df555ebbf3acc8f658cf0

SHA256
9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

SHA512
2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

Download Submit
memory/1680-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1728-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1728-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1728-59-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2060-42-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3380-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3380-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3380-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads