CIRCL analyzed a malware sample which was only sporadically detected by just a handful antivirus engines, based on heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to attribute this specific malware to the malware NetWiredRC. The malware is a feature-rich Remote Access Tool, and compared to the identified predecessors, this specific version even implements more features.
|Type of Hash||Hash|
VirusTotal results for sample A
|Scanned: 2014-04-07 - 49 scans - 7 detections|
Signature check for sample A
|Signers||Avira Operations GmbH & Co. KG|
|VeriSign Class 3 Code Signing 2010 CA|
|VeriSign Class 3 Public Primary Certification Authority - G5|
|Signing date||10:52 AM 6/25/2012|
|Publisher||Avira Operations GmbH & Co. KG|
|Description||Avira Notification Tool|
|Product||Avira Free Antivirus|
Sections attributes in the file reveal a first hint on the maliciousness of the file: the .text section is writable and thus allows self-modifying code:
SECTION 1 (.text ): virtual size : 000314DA ( 201946.) virtual address : 00001000 section size : 00031600 ( 202240.) offset to raw data for section: 00000400 offset to relocation : 00000000 offset to line numbers : 00000000 number of relocation entries : 0 number of line number entries : 0 alignment : 0 byte(s) Flags E0000020: text only Executable Readable Writable SECTION 2 (.rdata ): virtual size : 0000E238 ( 57912.) virtual address : 00033000 section size : 0000E400 ( 58368.) offset to raw data for section: 00031A00 offset to relocation : 00000000 offset to line numbers : 00000000 number of relocation entries : 0 number of line number entries : 0 alignment : 0 byte(s) Flags 40000040: data only Readable SECTION 3 (.data ): virtual size : 00003A5C ( 14940.) virtual address : 00042000 section size : 00002200 ( 8704.) offset to raw data for section: 0003FE00 offset to relocation : 00000000 offset to line numbers : 00000000 number of relocation entries : 0 number of line number entries : 0 alignment : 0 byte(s) Flags C0000040: data only Readable Writable SECTION 4 (.rsrc ): virtual size : 000064D0 ( 25808.) virtual address : 00046000 section size : 00006600 ( 26112.) offset to raw data for section: 00042000 offset to relocation : 00000000 offset to line numbers : 00000000 number of relocation entries : 0 number of line number entries : 0 alignment : 0 byte(s) Flags 40000040: data only Readable
Debugging Sample A
We’re not going into detail about all the obfuscation layers and extraction routines sample A is using, but briefly outline the concept. After an anti-emulation stage, stage 2 decrypts the final malware, using the key 0x5A4C4D4D4C4D, which in ASCII is ZLMMLM.
Stage 2 (xor):
.text:0040227A xor: .text:0040227A lodsb .text:0040227B xor al, [ebx+edx] .text:0040227E inc edx .text:0040227F jmp short loc_40229B .text:00402281 loc_402281: .text:00402281 stosb .text:00402282 mov eax, edx .text:00402284 xor edx, edx .text:00402286 mov ebp, 6 .text:0040228B .text:0040228B loc_40228B: .text:0040228B div ebp .text:0040228D loop xor .text:0040228F mov eax, ebx .text:00402291 add esp, 6 .text:00402294 pop ebx .text:00402295 pop esi .text:00402296 pop edi .text:00402297 pop ebp .text:00402298 push eax .text:00402299 jmp short loc_4022A8 .text:0040229B ; --------------------------------------- .text:0040229B .text:0040229B loc_40229B: .text:0040229B test edx, edx .text:0040229D jnz short loc_402281 ... .text:004022A8 call $+5 .text:004022AD pop ebp
From the memory segment the code has been decrypted to, it is being written back to the .text section. Additional libraries are being loaded:
Finally, the instruction pointer is pointing back to the .text section at 0x00401FEC, which is the original entry point of this malware.
This binary has been isolated, extracted and named sample B:
|Type of Hash||Hash|
VirusTotal results for sample B
VirusTotal result for hash: 759545ab2edad3149174e263d6c81dce -> Hash was not found on VirusTotal.
Signature check for sample B
File is not signed.
Upon start, sample B, the actual malware, initializes memory, sets up Winsock by calling WSAStartup and decrypts the following strings:
|VM||Vmware check? Not used|
|-||literally as “-“|
|Password||literally as this string|
|HostId-%Rand%||format string for identifier file|
|mJhcimNA||Name of mutex|
|%AppData%\Microsoft\Crypto\Office.exe||Filename when made persistent|
|-||literally as “-“|
Then it starts to communicate with the Command and Control server, waiting for commands.
The commands are listed in the following table.
All commands have return codes. In case of success, the return code corresponds to command code. If the command fails, usually the return code is the incremented command code.
The following table shows the commands of the malware. If there is an interesting return code, it is mentioned with (r):
|1||(r) heartbeat (send back return code 1)|
|2||(r) socket created|
|4||(r) setting password failed|
|5||set password, identifier and fetch computer information (user, computername, windows version)|
|6||create process from local file or fetch from URL first and create process|
|7||create process from local file and exit (hMutex = CreateMutexA(0, 1, “mJhcimNA”))|
|8||(r) failed to create process|
|9||stop running threads, cleanup, exit|
|A||stop running threads, cleanup, sleep|
|B||stop running threads, delete autostart registry keys, cleanup, exit|
|C||add identifier (.Identifier) file|
|D||threaded: get file over HTTP and execute|
|E||fetch and send logical drives and types|
|10||locate and send file with time, attributes and size|
|13||(r) file information|
|14||unset tid for 0x12|
|14||(r) file not found (?)|
|16||write into file|
|17||close file (see 0x1F)|
|1E||create directory or send file to server|
|1F||close file (see 0x17)|
|20||start remote shell|
|21||write into WritePipe|
|22||reset tid for remote shell|
|22||(r) terminated remote shell|
|23||(r) failed to start remote shell|
|24||collect client information and configuration|
|25||(r) failed to get client information and configuration|
|26||get logged on users|
|26||(r) send logged on users|
|27||(r) failed to send logged on users|
|28||get detailed process information|
|29||(r) failed to get detailed process information|
|2B||(r) send windows|
|2C||make window visible, invisible or show text|
|2D||get file over HTTP and execute|
|2E||(r) HTTP connect failed|
|2F||set keyboard event “keyup”|
|30||set keyboard event $event|
|31||set mouse button press|
|32||set cursor position|
|33||take screenshot and send|
|35||(r) failed to take screenshot|
|36||locate and send file from log directory with time, attributes and size|
|38||check if log file exists|
|3A||read key log file and send|
|3C||(r) failed to read key log file|
|3D||fetch and send stored credentials, history and certificates from common browsers|
|3E||fetch and send stored credentials, history and certificates from common browsers|
|3F||fetch and send chat (Windows Live and/or Pidgin) credentials|
|40||fetch and send chat (Windows Live and/or Pidgin) credentials|
|41||fetch and send mail (Outlook and/or Thunderbird) credentials and certificates|
|42||fetch and send mail (Outlook and/or Thunderbird) credentials and certificates|
|44||get audio devices and formats|
|44||(r) audio devices and formats|
|45||(r) failed to get audio devices|
|46||start audio recording|
|47||(r) error during recording|
|48||stop audio recording|
|49||find file get md5|
|4C||unset tid for find file get md5 (0x49)|
Communication is performed via TCP/IP. First, the client registers itself at the server by sending
41 00 00 00 03 (...)
to the server, which in return replies with
41 00 00 00 05 (...)
There is a hearbeat communication going on by sending
01 00 00 00 02
to the remote site.
Outgoing communication can be detected by Network Intrusion Detection systems in order to detect compromised machines. Suricata rules are included in this report.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
- Mutex name “mJhcimNA”
- logfile per day, format DD-MM-YYYY (without extension)
- IP 188.8.131.52
- TCP port 3360
The following Suricata rule can be used to detect heartbeat and registration messages from a compromised client to the C&C server. The rules have only been tested mildly against live traffic and may produce a bunch of false positives. While keeping this fact in mind, you could limit the destination to the IP address and port given in this report. On the downside, you will lose the ability to track server/port changes the attacker may apply.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \ msg:"NetWiredRC heartbeat"; \ pkt_data; \ content:"|01 00 00 00 02|"; \ offset:0; \ depth:10; \ reference:url,https://www.circl.lu/pub/tr-23/; \ sid:70023;\ rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \ msg:"NetWiredRC registration"; \ pkt_data; content:"|41 00 00 00 03|"; \ offset:0; \ depth:10; \ reference:url,https://www.circl.lu/pub/tr-23/; \ sid:70123;\ rev:1;)
- Similarity by network connection (same IP:PORT), strings
- MD5: 4af801e0de96814e9095bf78be790003
- SHA1: b2beb80f0b1ed9b1ccbb9ae765b68d6db432a532
- Attribution: Backdoor:Win32/NetWiredRC.B
- Similarity by network connection (same IP:PORT)
- MD5: 1d2f110f37c43a05407e8295d75a1974
- SHA1: d199349a3811c508ca620195327123600e1d9392
- By name NetWiredRC
- MD5: 1e279c58a4156ef2ae1ff55a4bc3aaf6
- SHA1: 40e8e3b5fce0cd551106ccb86fc83a0ca03c9349
- Quick analysis: previous version of this malware
- missing features: SOCKS, audio recording, find file by MD5
Decrypting NetWire C2 traffic
NetWire uses a proprietary protocol with encryption by default (AES-256-OFB). The Palto Alto Network threat intelligence team did a report on how to decrypt the traffic (as long as you know the key or you extracted it from the malware). The NetWiredDC Decoder is available on GitHub.
CIRCL recommends to review the IOCs of this report and compare them with servers in the infrastructure of your organization which produce log files including proxies, A/V and system logs.
In the case you have an infection, we recommend to capture the network traffic with the full payload as soon as possible. You might be able to decrypt the traffic later on.
Isolate the machine infected. Acquire memory (especially to get a malware sample and a potential encryption key) and disk. Reinstall the system after the forensic acquisition.
The server (184.108.40.206) used for this campaign is hosted at
inetnum: 220.127.116.11 - 18.104.22.168 netname: TILAA descr: Tilaa descr: This space is statically assigned country: NL admin-c: TLRL-RIPE tech-c: TLRL-RIPE status: ASSIGNED PA mnt-by: TILAA-MNT source: RIPE # Filtered role: Tilaa admin role address: Februariplein 14 address: 1011MT Amsterdam address: The Netherlands abuse-mailbox: firstname.lastname@example.org admin-c: TLDK-RIPE admin-c: TLGV-RIPE admin-c: TLRK-RIPE tech-c: TLDK-RIPE tech-c: TLGV-RIPE tech-c: TLRK-RIPE nic-hdl: TLRL-RIPE mnt-by: TILAA-MNT source: RIPE # Filtered % Information related to '22.214.171.124/21AS196752' route: 126.96.36.199/21 descr: Routed by Tilaa origin: AS196752 mnt-by: TILAA-MNT source: RIPE # Filtered
and reveals several open ports:
3360/tcp open unknown 3389/tcp open ms-wbt-server 5985/tcp open wsman 47001/tcp open unknown 49152/tcp open unknown 49153/tcp open unknown 49154/tcp open unknown 49155/tcp open unknown 49158/tcp open unknown 49159/tcp open unknown 49160/tcp open unknown Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2008 (92%) OS CPE: cpe:/o:microsoft:windows_server_2008::sp1 OS fingerprint not ideal because: Host distance (11 network hops) is greater than five Aggressive OS guesses: Microsoft Windows Server 2008 SP1 (92%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint: SCAN(V=6.40%E=4%D=4/23%OT=3360%CT=1%CU=32387%PV=N%DS=11%DC=I%G=N%TM=5357A5F8%P=x86_64-apple-darwin13.1.0) SEQ(SP=104%GCD=1%ISR=10C%TI=I%TS=7) OPS(O1=M5ACNW8ST11%O2=M5ACNW8ST11%O3=M5ACNW8NNT11%O4=M5ACNW8ST11%O5=M5ACNW8ST11%O6=M5ACST11) WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000) ECN(R=Y%DF=Y%T=80%W=2000%O=M5ACNW8NNS%CC=Y%Q=) T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=N) T4(R=N) T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=N) T7(R=N) U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=I%RUCK=0%RUD=G) IE(R=N) Uptime guess: 54.768 days (since Thu Feb 27 18:11:41 2014)
Ports might be used for several purposes/campaigns. Probing the ports gives the following result:
- 3360/tcp - C&C port for this campaign
- 3389/tcp - no reaction to crafted requests
- 5985/tcp - HTTP port
- 47001/tcp - HTTP port
- 49152/tcp - no reaction to crafted requests
- 49153/tcp - no reaction to crafted requests
- 49154/tcp - no reaction to crafted requests
- 49155/tcp - no reaction to crafted requests
- 49158/tcp - no reaction to crafted requests
- 49159/tcp - no reaction to crafted requests
- 49160/tcp - no reaction to crafted requests
The ports not reacting to crafted requests might be used for different campaigns for the same malware or for different versions of the malware family or even for other malware. We were not able to find a different sample of the malware that connects to a different port.
Starting of Friday 25 April, the C&C port is not active as the ISP took the appropriate action.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
CIRCL thanks CERT Société Générale for sharing Sample A.
- Version 1.1 November 26, 2014 Decrypting NetWire C2 Traffic reference added
- Version 1.0 April 25, 2014 C&C (for the known TCP port) is no more active
- Version 0.9 April 23, 2014 Initial version (TLP:WHITE)