netwire | aa678a0d186a699538402b004c68a19305ccc364f8d2b74eb07ccec9a0eecd55

General

Target

JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe
Size

687KB
MD5

8ec57ed96acbf703ffce25d772b9456b
SHA1

dc9b2ad36eca610c4648ad52d748321377c0d089
SHA256

aa678a0d186a699538402b004c68a19305ccc364f8d2b74eb07ccec9a0eecd55
SHA512

89613cf7e4999d36c27e6e871046cecfd0e81af66e0a3d4a8a28ad870d5ac09e631fb5e5495415472b79ebb779727a1086ffc5038e1a12cfcb71b76f09352a14
SSDEEP

12288:DAlwC3XcfrcZ68FCAYNETcGoImVs8J2mQ1+qSJ8l61wfgRyw:cwOkCdYNETcDIj8Q/1+rJAtfF

Score

10^/10

netwire botnet discovery persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

corected0.duckdns.org:54213

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\FuTrU\Logs\
lock_executable
true
mutex
ueAtXIon
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2796-18-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/2796-22-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/2796-33-0x0000000000400000-0x0000000000423000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpTh = "C:\\Users\\Admin\\AppData\\Roaming\\winup.exe"	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 set thread context of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000050C000-memory.dmp	upx
behavioral1/memory/2252-9-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/2796-14-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2796-16-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2796-17-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2796-18-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2796-22-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2604-21-0x0000000000400000-0x000000000050C000-memory.dmp	upx
behavioral1/memory/2252-24-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/2252-27-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-28.dat	upx
behavioral1/memory/2252-31-0x0000000000400000-0x000000000059C000-memory.dmp	upx
behavioral1/memory/2796-33-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	csc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	csc.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	csc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2252	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	30
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32
PID 2604 wrote to memory of 2796	2604	JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ec57ed96acbf703ffce25d772b9456b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  upx.exe "C:\Users\Admin\AppData\Roaming\winup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winup.exe

Filesize
693KB

MD5
294aece855726bc21369c795a824be86

SHA1
e28d0a96c44f402ec6104eac400e8ea27ea5fa06

SHA256
df543009b338861df45e42171f35917468f38515d29f948d59b872c30b853e6a

SHA512
a1db601e7813e64425d867f327507fa2cc1a0fa4a0952ba0e41d9bf554d9335eacb8cf1106b565685c4f6d6d1f4512669df8052ce6ad429a3ca04034bff26fee

Download Submit
memory/2252-9-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2252-31-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2252-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-5-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2252-27-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2252-24-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2604-21-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2604-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2604-0-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2604-26-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2796-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-22-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-18-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-33-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads