Analysis of NetWiredRC trojan

NetWiredRC (NetWire) is a remote access trojan that has been used by the APT33 group. It gives an attacker unauthorized remote access to, and control of, an infected computer, with more than 100 distinct actions available to the operator. This article covers the complete command and control structure of the malware. The specific sample analysed here implements more features than the versions documented before it.

The executable sample can be found at app.any.run.

SHA-256 hash of the executable sample:

41b22d484200b434a02c3b3a18ecb9defbc4582d864491d204f02ad25a46340e

Process Graph:

(process graph screenshot, not reproduced here)

Import table:

  • ADVAPI32.dll
  • AVICAP32.dll
  • AVIFIL32.dll
  • COMCTL32.dll
  • GDI32.dll
  • IMM32.dll
  • KERNEL32.dll
  • MSIMG32.dll
  • OLEAUT32.dll
  • POWRPROF.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • UxTheme.dll
  • WS2_32.dll
  • comdlg32.dll
  • ole32.dll
  • pdh.dll

Several of these imports line up directly with the capabilities described later: AVICAP32.dll and AVIFIL32.dll are the Windows video-capture and AVI-file interfaces, WS2_32.dll is Winsock, pdh.dll is the Performance Data Helper (performance counter) library and POWRPROF.dll is the power management library.

Sections:

(section table screenshot, not reproduced here)

Indicators of Compromise (IOC):

  1. Drops a file at C:\Users\admin\AppData\Local\Temp\sample.exe
  2. Creates persistence through HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. Connects out to a remote address on an unusual port, which suggests a command and control server.

(network connection screenshot, not reproduced here)

Deeper Analysis:

The sample loads libraries in the conventional way with LoadLibraryExA and reads data out of its own resource section with FindResource and LoadResource, as shown below.

(screenshot: LoadLibraryExA, FindResource and LoadResource calls)

The sample checks for an attached debugger with IsDebuggerPresent and raises an exception if one is found, using the following code segment.

(screenshot: IsDebuggerPresent check)

It retrieves the path designated for temporary files with GetTempPath and drops both the payload executable and a batch file into that directory.

(screenshot: GetTempPath call)

It then runs the batch file through the command line as cmd.exe "%TEMP%\aMCqY4E8M8.bat" and afterwards removes it with cmd.exe /c del "%TEMP%\aMCqY4E8M8.bat".

(screenshot: GetCommandLineA and the cmd.exe command lines)

It queries the registry for the language configuration, settings, Windows version, computer name, installed applications and compatibility information.

(screenshot: registry enumeration calls)

The sample also writes a value under the Run key to achieve persistence, so that it is executed automatically at every logon of the affected user.

(screenshot: registry key creation for persistence)
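As an added example (not code from the original post), the following Python triage script checks a stream of event records for the behaviours described in this section and in the IOC list: a payload and a batch file dropped under %TEMP%, the batch file executed and then self-deleted through cmd.exe /c del, a Run-key value pointing into %TEMP%, and an outbound connection from the dropped binary on an uncommon port. The event records are constructed for the example in a simplified Sysmon-like shape; the field names, the dropper's file name, the Run-key value name, the destination address and the port are assumptions, not values observed on this page.

```python
"""Triage the NetWiredRC dropper behaviours over constructed event records.

Added example, not code from the original post.  Events use a simplified,
Sysmon-like shape chosen for this example; the field names are not an
official schema.
"""
import ntpath
import re

# Constructed sample events modelled on the IOCs above.  The dropper name,
# the Run-key value name, the destination address and the port are assumptions.
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\admin\Desktop\invoice.exe",
     "target": r"C:\Users\admin\AppData\Local\Temp\sample.exe"},
    {"type": "file_create", "image": r"C:\Users\admin\Desktop\invoice.exe",
     "target": r"C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"},
    {"type": "process_create", "parent": r"C:\Users\admin\Desktop\invoice.exe",
     "cmdline": r'cmd.exe "C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"'},
    {"type": "process_create", "parent": r"C:\Users\admin\Desktop\invoice.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\admin\AppData\Local\Temp\aMCqY4E8M8.bat"'},
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "WinUpdate",
     "value": r"C:\Users\admin\AppData\Local\Temp\sample.exe"},
    {"type": "network_connect",
     "image": r"C:\Users\admin\AppData\Local\Temp\sample.exe",
     "dst": "203.0.113.5", "port": 3360},
    # Benign noise the detectors must not fire on.
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "value": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir C:\Users\admin\Documents"},
    {"type": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "203.0.113.9", "port": 443},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$",
                        re.IGNORECASE)
SELF_DELETE_RE = re.compile(r"^cmd(\.exe)?\s+/c\s+del\b", re.IGNORECASE)
DROPPED_EXTENSIONS = {".exe", ".dll", ".bat"}
# Ports treated as ordinary for an outbound connection (analyst's choice).
COMMON_PORTS = {53, 80, 443, 8080}


def in_user_temp(path):
    """True when a Windows path lies under the user's %TEMP% directory."""
    return bool(path) and TEMP_DIR_RE.search(path) is not None


def first_quoted_path(cmdline):
    """Return the first double-quoted argument of a command line, or None."""
    match = re.search(r'"([^"]+)"', cmdline)
    return match.group(1) if match else None


def detect(events):
    """Apply the four detectors to events given in chronological order.

    Returns one alert dict per matching event, in event order.  The batch-file
    detectors need the file_create event to precede the process_create events,
    which is how a real event stream is ordered.
    """
    alerts = []
    dropped_batches = set()  # lower-cased paths of .bat files written to %TEMP%
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and in_user_temp(ev["target"]):
            ext = ntpath.splitext(ev["target"])[1].lower()
            if ext in DROPPED_EXTENSIONS:
                alerts.append({"rule": "temp_drop", "path": ev["target"]})
            if ext == ".bat":
                dropped_batches.add(ev["target"].lower())
        elif kind == "process_create":
            cmd = ev["cmdline"]
            quoted = first_quoted_path(cmd)
            if quoted and quoted.lower() in dropped_batches:
                rule = "self_delete" if SELF_DELETE_RE.match(cmd) else "temp_batch_exec"
                alerts.append({"rule": rule, "cmdline": cmd})
        elif kind == "registry_set":
            if RUN_KEY_RE.search(ev["key"]) and in_user_temp(ev["value"]):
                alerts.append({"rule": "run_key_to_temp",
                               "name": ev["name"], "value": ev["value"]})
        elif kind == "network_connect":
            if in_user_temp(ev["image"]) and ev["port"] not in COMMON_PORTS:
                alerts.append({"rule": "temp_binary_uncommon_port",
                               "dst": f'{ev["dst"]}:{ev["port"]}'})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed stream, the six malicious events each produce one alert and the three benign ones produce none. The batch-file rules key on the path quoted in the command line matching a .bat that was previously written to %TEMP%, which is what ties the execute step and the delete step back to the drop rather than flagging every cmd.exe invocation.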

Command Structure Analysis

The sample uses the following code segment to build an image list from captures taken at a regular interval and combine them into a bitmap. It captures the screen and streams the result in real time to the connected command and control server. Of the APIs involved, capCreateCaptureWindow is the AVICAP32 video-capture interface (the standard API for reading frames from a webcam) and AVIFileOpen is the AVIFIL32 entry point for AVI files, so the recording capability is not limited to static screenshots.

(screenshot: capCreateCaptureWindow, LoadBitmap and AVIFileOpen calls)

It also has the ability to query, create and update database tables, and several candidate query strings are present in the sample.

(screenshot: table access strings)

The sample parses each command received from the command and control server with a switch statement of more than 100 cases.

(screenshot: command switch)

The following table lists some of the commands the malware supports. The attacker can run any of these on an infected machine through the command and control server, and the sample returns the results to that server.

(command table screenshots, not reproduced here)
