Backdoor.Win32.NETWIRED.FAY

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It steals certain information from the system and/or the user.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor drops the following files:

• %AppDataLocal%\Temp\Btfpp.lnk
• %AppDataLocal%\Temp\Btfpp\Jgog.png
• %AppDataLocal%\Temp\Btfpp\Jgoggug.exe
• %Public%\Nex.jpeg
• %User Profile%\Jgog\Jgogasx.exe
• %User Profile%\Jgog\Jgogwen.vbs
• %User Profile%\Jgog\Jgog_eno.hta
• %Public%\Clean.bat
• %Public%\SSPICLI.dll
• %Public%\perfmon.exe
• %Public%\Runex.bat
• %System%\perfmon.exe
• %System%\SSPICLI.dll

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

• %AppDataLocal%\Temp\Btfpp\Jgoggug.exe
• cmd /c ""%Public%\Runex.bat" "

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It creates the following folders:

• %User Profile%\Jgog
• %AppData%\Logs

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Jgog
• hxXHmJQu

It injects threads into the following normal process(es):

• %System%\TapiUnattend.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
Jgog = %User Profile%\Jgog\Jgog_eno.hta

Other System Modifications

This Backdoor adds the following registry entries:

HKEY_CURRENT_USER\Software\NetWire
HostId = Yecg2INK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\-
StubPath = ""

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Lists running processes
• List drive information
• List TCP and UDP listening ports
• Get current window information
• Perform keylogging routine
• Get current IE Proxy Configuration
• Open specific files
• Get Logon sessions
• Access SQLite database

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• checker.rneik{BLOCKED}.com:11012

Dropping Routine

This Backdoor drops the following file(s), which it uses for its keylogging routine:

• %AppData%\Logs\{Current Date}

Information Theft

This Backdoor steals the following information:

• Credentials in the following protocol:
  
  • POP3
  • IMAP
  • HTTP
  • SMTP
  • EAS
• System Information:
  
  • Computer Name
  • Current User Name
  • OS Version
  • Product Version
  • Processor Information

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Opera
• Internet Explorer
• Purple
• Google Chrome
• Chromium
• Comodo Dragon
• Brave
• Mozilla Seamonkey
• Mozilla Thunderbird

It attempts to steal stored email credentials from the following:

• Microsoft Outlook