netwire | f3287a6edd21a00a2b5c85cdf0dd9917567dea86fc2eed207f2fa63e19d7b27f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe
Size

443KB
MD5

7d9bb96b136079089c40410575d02edb
SHA1

189f477ab2fd0129254543c1b141b9c2b38a138b
SHA256

f3287a6edd21a00a2b5c85cdf0dd9917567dea86fc2eed207f2fa63e19d7b27f
SHA512

ce82415b7fc877a2cb1485fa7f4caf1ed01daf07ce062b18736cef3fad93e256c4a8da282a10c2805e8615e587b479f3de13099d217457324df24a2d534060ad
SSDEEP

12288:pmPZVKvYtrdi9aDZSmlTb9blmRWwK/gH6quir:0PiqZkoTlf9dgHfuir

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

chriswork999.ddns.net:3366

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
19032020
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2608-8-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2608-12-0x0000000000400000-0x0000000000430000-memory.dmp	netwire
behavioral1/memory/2608-13-0x0000000000400000-0x0000000000430000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\HkmdR = "C:\\GHPZRGFC\\HkmdRv\\HkmdRvqvl.vbs"	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description pid process target process

PID 2740 set thread context of 2608 2740 7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

pid process

2740 7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	pid	process	target process
PID 2740 set thread context of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe

pid	process
2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe

description	pid	process	target process
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe
PID 2740 wrote to memory of 2608	2740	7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d9bb96b136079089c40410575d02edb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\RegSvcs.exe"
2⤵
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2608-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2608-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2608-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2740-0-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2740-1-0x0000000000B40000-0x0000000000BB4000-memory.dmp

Filesize
464KB

Download
memory/2740-2-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-3-0x0000000000710000-0x0000000000748000-memory.dmp

Filesize
224KB

Download
memory/2740-4-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2740-5-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-10-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-11-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download