netwire | b23e4ec41a7eaacf693fc9f0651c514720b0ba28773c85aa6b8aa682a42c3a23

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
Size

273KB
MD5

a97e85a40509f6bbc7427edf6a1db4c8
SHA1

f3e0bd2597e0d1f819337808dee52babc70f16f5
SHA256

b23e4ec41a7eaacf693fc9f0651c514720b0ba28773c85aa6b8aa682a42c3a23
SHA512

5f1559c5fa0f6f4fb378b28ed82e00ef6e64f635f91ed78e8acb683c550b2a9cb19e30ed7aaa9563cde8d804444dc5834cd7f953b2e60fafc775c0a5bd11dbaa
SSDEEP

6144:Q5NT96qD0nnPSe/NZ+CVtZsStyK7sSVR0ICW0SEMUSdGg1MRafm1QhO:U96q4nnPSeDtySo251MRafm1QU

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

46.20.33.82:3444

62.102.148.181:57980

46.165.208.108:3490

213.152.162.99:3829

109.163.226.153:3829

95.211.229.148:3939

31.171.155.48:3444

Attributes

activex_autorun
true
activex_key
{37BX32U8-4XG6-J37R-187I-4S4T4FD58C07}
copy_executable
true
delete_original
true
host_id
~PUMP~%Rand%
install_path
%AppData%\Microsoft\HKRUN.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fUpgdpBV
offline_keylogger
true
password
123456
registry_autorun
true
startup_name
Microsoft
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2292-37-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2292-32-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2292-29-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2292-39-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/2576-48-0x0000000000450000-0x0000000000490000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37BX32U8-4XG6-J37R-187I-4S4T4FD58C07}	HKRUN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37BX32U8-4XG6-J37R-187I-4S4T4FD58C07}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe\""	HKRUN.exe

Executes dropped EXE 2 IoCs

Processes:

HKRUN.exeHKRUN.exe

pid process

2576 HKRUN.exe
1896 HKRUN.exe
Loads dropped DLL 2 IoCs

Processes:

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

pid process

2292 a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
2292 a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

pid	process
2576	HKRUN.exe
1896	HKRUN.exe

pid	process
2292	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
2292	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HKRUN.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\HKRUN.exe"	HKRUN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exeHKRUN.exe

description	pid	process	target process
PID 2940 set thread context of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2576 set thread context of 1896	2576	HKRUN.exe	HKRUN.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exea97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exeHKRUN.exe

description	pid	process	target process
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2940 wrote to memory of 2292	2940	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
PID 2292 wrote to memory of 2576	2292	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	HKRUN.exe
PID 2292 wrote to memory of 2576	2292	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	HKRUN.exe
PID 2292 wrote to memory of 2576	2292	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	HKRUN.exe
PID 2292 wrote to memory of 2576	2292	a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe
PID 2576 wrote to memory of 1896	2576	HKRUN.exe	HKRUN.exe

C:\Users\Admin\AppData\Local\Temp\a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
-m "C:\Users\Admin\AppData\Local\Temp\a97e85a40509f6bbc7427edf6a1db4c8_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe"
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\HKRUN.exe
Filesize
273KB

MD5
a97e85a40509f6bbc7427edf6a1db4c8

SHA1
f3e0bd2597e0d1f819337808dee52babc70f16f5

SHA256
b23e4ec41a7eaacf693fc9f0651c514720b0ba28773c85aa6b8aa682a42c3a23

SHA512
5f1559c5fa0f6f4fb378b28ed82e00ef6e64f635f91ed78e8acb683c550b2a9cb19e30ed7aaa9563cde8d804444dc5834cd7f953b2e60fafc775c0a5bd11dbaa

Download Submit
memory/1896-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2292-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2292-37-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-29-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-23-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2292-39-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-51-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-50-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/2576-48-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2576-71-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2576-70-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-72-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/2940-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-52-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-49-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/2940-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download