netwire | d1be6471a46b5d2cae582b6bad0646cc3b59c85df440363a77f2bb41ab553e82

General

Target

JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
Size

396KB
MD5

6c33cc232ababa439e295a455f3980a0
SHA1

774365e9521f8087145820b49814d28f37e5c65e
SHA256

d1be6471a46b5d2cae582b6bad0646cc3b59c85df440363a77f2bb41ab553e82
SHA512

48c9aa276dc7532766865b3159f5d2c9b9f8cb942060ddc1d311eff8a5d3e8a52fa0ae353975a6ea19625c5e7f9a285602784b3ae8f0b5c50f9bdda19c4ce347
SSDEEP

3072:LBB+77tPHkDLQ2AhPlG/1WBZf7qF/Z2iYmsdxDxUxt6mDLoGrww9JGbtENmszvZ+:Lf+7ODLQ2GEWBZE22lnNlRRP

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

23.95.88.13:3360

Attributes

activex_autorun
true
activex_key
{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
doctor
registry_autorun
true
startup_name
system
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2084-3-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2084-5-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2084-7-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2340-26-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2340-29-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Deletes itself 1 IoCs

pid	Process
2340	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
1484	Host.exe
2340	Host.exe

Loads dropped DLL 3 IoCs

pid	Process
2084	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
2084	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
1484	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2372 set thread context of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 1484 set thread context of 2340	1484	Host.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
1484	Host.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2372 wrote to memory of 2084	2372	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	30
PID 2084 wrote to memory of 1484	2084	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	31
PID 2084 wrote to memory of 1484	2084	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	31
PID 2084 wrote to memory of 1484	2084	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	31
PID 2084 wrote to memory of 1484	2084	JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe	31
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32
PID 1484 wrote to memory of 2340	1484	Host.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    -m "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      -m "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c33cc232ababa439e295a455f3980a0.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Deletes itself
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
396KB

MD5
6c33cc232ababa439e295a455f3980a0

SHA1
774365e9521f8087145820b49814d28f37e5c65e

SHA256
d1be6471a46b5d2cae582b6bad0646cc3b59c85df440363a77f2bb41ab553e82

SHA512
48c9aa276dc7532766865b3159f5d2c9b9f8cb942060ddc1d311eff8a5d3e8a52fa0ae353975a6ea19625c5e7f9a285602784b3ae8f0b5c50f9bdda19c4ce347

Download Submit
memory/1484-21-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2084-3-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2084-5-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2084-7-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2340-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2340-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2372-2-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads