NetFucker[.]rar | Triage

Sharing

General

Target

NetFucker.rar
Size

4.3MB
MD5

e0329a0d56dc9ff25e8bc0ab4c17a266
SHA1

d87a74ba72d2b3252f6ee49212ea6ecb8a9ab2be
SHA256

5847592efae527d87f0d8df3a3a76154e030ff3988a3402d51c59db7b445142b
SHA512

41121f9fdbb7172e116f5d93d9b5fd04aee7b93b9a866d39a79f996ee49f7f57644dd9dcfa5e94fd4166f84a4370d8315991b0fe84563a41b79637b137a52d03
SSDEEP

98304:Fl66gACdbWh+Pns7KQ4BvGTv/ZP/aIbt2tumud6jNzPmX:F6npNn/7Bvs3ZPyetyuioX

Score

3^/10

Malware Config

Signatures

Unsigned PE 5 IoCs

Checks for missing Authenticode signature.

resource
unpack001/NetFucker/NetFucker.exe
unpack001/NetFucker/Protect32.dll
unpack001/NetFucker/Protect64.dll
unpack001/NetFucker/WinDivert.dll
unpack001/NetFucker/WinDivertSharp.dll

Files

NetFucker.rar
.rar

Password: password
NetFucker/NetFucker.exe
.exe windows:4 windows x64 arch:x64

Password: password

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.text
Size: 6.1MB - Virtual size: 6.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 251KB - Virtual size: 251KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
NetFucker/Protect32.dll
.dll windows:5 windows x86 arch:x86

Password: password

55f7dfaa5fbadfb4911ad11b60c65135

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

c:\MyProjects\svn\ILProtector\trunk\ILProtector\Output2010\Win32\Release\Protect32.pdb

Imports

kernel32

MapViewOfFile
UnmapViewOfFile
CreateFileW
GetFileSizeEx
GetLastError
SetLastError
CreateFileMappingW
CloseHandle
Sleep
QueueUserWorkItem
DeleteCriticalSection
LoadLibraryW
GetProcAddress
InterlockedCompareExchange
InterlockedDecrement
GetModuleFileNameW
QueryPerformanceCounter
EnterCriticalSection
LeaveCriticalSection
GetModuleHandleW
InitializeCriticalSection
LocalFree
FlushFileBuffers
SetStdHandle
WriteConsoleW
SetFilePointer
GetStringTypeW
InterlockedIncrement
EncodePointer
DecodePointer
HeapFree
HeapAlloc
MultiByteToWideChar
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCommandLineA
RaiseException
RtlUnwind
WideCharToMultiByte
LCMapStringW
GetCPInfo
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapSize
ExitProcess
WriteFile
GetStdHandle
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetFileType
GetStartupInfoW
GetConsoleCP
GetConsoleMode
HeapCreate
HeapDestroy
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTickCount
GetCurrentProcessId
HeapReAlloc

advapi32

CryptReleaseContext
CryptAcquireContextA
CryptGenRandom

oleaut32

SafeArrayDestroy
SysFreeString
SysAllocString
SafeArrayPutElement
SafeArrayGetUBound
SafeArrayGetElement
VariantInit
VariantCopy
VariantClear
SafeArrayGetLBound
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreateVector

winmm

timeGetTime

mscoree

CorBindToRuntimeEx

Exports

Exports

P0

Sections

.text
Size: 465KB - Virtual size: 464KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 90KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 67KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
NetFucker/Protect64.dll
.dll windows:5 windows x64 arch:x64

Password: password

43c22e6f8eae03d27951cac470151b24

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

c:\MyProjects\svn\ILProtector\trunk\ILProtector\Output2010\x64\Release\Protect64.pdb

Imports

kernel32

MapViewOfFile
UnmapViewOfFile
CreateFileW
GetFileSizeEx
GetLastError
SetLastError
CreateFileMappingW
CloseHandle
Sleep
DeleteCriticalSection
GetModuleHandleW
LoadLibraryW
GetProcAddress
GetModuleFileNameW
QueryPerformanceCounter
EnterCriticalSection
LeaveCriticalSection
QueueUserWorkItem
InitializeCriticalSection
LocalFree
FlushFileBuffers
SetStdHandle
WriteConsoleW
SetFilePointer
GetStringTypeW
EncodePointer
DecodePointer
HeapFree
HeapAlloc
MultiByteToWideChar
GetSystemTimeAsFileTime
GetCurrentThreadId
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
WideCharToMultiByte
LCMapStringW
GetCPInfo
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapSize
ExitProcess
WriteFile
GetStdHandle
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetFileType
GetStartupInfoW
GetConsoleCP
GetConsoleMode
HeapSetInformation
GetVersion
HeapCreate
HeapDestroy
GetACP
GetOEMCP
IsValidCodePage
FlsGetValue
FlsFree
FlsAlloc
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetTickCount
GetCurrentProcessId
HeapReAlloc

advapi32

CryptReleaseContext
CryptAcquireContextA
CryptGenRandom

oleaut32

SafeArrayDestroy
SysFreeString
SysAllocString
SafeArrayPutElement
SafeArrayGetUBound
SafeArrayGetElement
VariantInit
VariantCopy
VariantClear
SafeArrayGetLBound
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreateVector

winmm

timeGetTime

mscoree

CorBindToRuntimeEx

Exports

Exports

P0

Sections

.text
Size: 482KB - Virtual size: 482KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 143KB - Virtual size: 142KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 42KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE

data
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
NetFucker/WinDivert.dll
.dll windows:4 windows x64 arch:x64

Password: password

4b5b0fb09f29ed8e5306bbb27b5ae668

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

CloseServiceHandle
ControlService
CreateServiceW
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW

kernel32

CloseHandle
CreateEventW
CreateFileW
DeviceIoControl
GetLastError
GetModuleFileNameW
GetOverlappedResult
SetLastError
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue

msvcrt

isalnum
isspace
isxdigit
strcmp
tolower

Exports

Exports

DivertClose
DivertGetParam
DivertHelperCalcChecksums
DivertHelperParseIPv4Address
DivertHelperParseIPv6Address
DivertHelperParsePacket
DivertOpen
DivertRecv
DivertSend
DivertSetParam
WinDivertClose
WinDivertDllEntry
WinDivertGetParam
WinDivertHelperCalcChecksums
WinDivertHelperParseIPv4Address
WinDivertHelperParseIPv6Address
WinDivertHelperParsePacket
WinDivertOpen
WinDivertRecv
WinDivertRecvEx
WinDivertSend
WinDivertSendEx
WinDivertSetParam

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 512B - Virtual size: 288B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 16B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 1024B - Virtual size: 730B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
NetFucker/WinDivert64.sys
.sys windows:6 windows x64 arch:x64

7c9fea38756202fa53d3fb9ec37222c4

Code Sign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:9e:36:c6:d4:6d:69:53:20:84:a1:45:3d:80:73:22
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

22/09/2017, 00:00

Not After

30/09/2020, 12:00

Subject

SERIALNUMBER=539 259 416 00029,CN=Ars Nova Systems,O=Ars Nova Systems,L=NANTES,C=FR,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3=#13024652

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

04/01/2017, 00:00

Not After

18/01/2028, 00:00

Subject

CN=DigiCert SHA2 Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07/01/2016, 12:00

Not After

07/01/2031, 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:1f:98:00:c9:11:02:95:69:be:00:00:00:00:00:1f
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/10/2017, 17:44

Not After

05/10/2018, 17:44

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

14:aa:b2:a7:3f:ee:0f:ad:dd:0b:b2:72:ef:60:5e:b4:e9:79:5d:3f:24:d7:4a:01:4c:6f:fc:03:c4:d3:dd:52
Signer

Actual PE Digest

14:aa:b2:a7:3f:ee:0f:ad:dd:0b:b2:72:ef:60:5e:b4:e9:79:5d:3f:24:d7:4a:01:4c:6f:fc:03:c4:d3:dd:52

Digest Algorithm

sha256

PE Digest Matches

true

14:aa:b2:a7:3f:ee:0f:ad:dd:0b:b2:72:ef:60:5e:b4:e9:79:5d:3f:24:d7:4a:01:4c:6f:fc:03:c4:d3:dd:52
Signer

Actual PE Digest

14:aa:b2:a7:3f:ee:0f:ad:dd:0b:b2:72:ef:60:5e:b4:e9:79:5d:3f:24:d7:4a:01:4c:6f:fc:03:c4:d3:dd:52

Digest Algorithm

sha256

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\windivert-1.4.0-rc\install\WDDK\amd64\WinDivert64.pdb

Imports

ntoskrnl.exe

RtlCopyUnicodeString
KeBugCheckEx
IoAllocateMdl
MmMapLockedPagesSpecifyCache
IoFreeMdl
MmBuildMdlForNonPagedPool
KeAcquireInStackQueuedSpinLock
RtlGetVersion
KeReleaseInStackQueuedSpinLock
ExFreePoolWithTag
ExUuidCreate
ExAllocatePoolWithTag

hal

KeQueryPerformanceCounter

ndis.sys

NdisAdvanceNetBufferDataStart
NdisRetreatNetBufferDataStart
NdisFreeNetBufferPool
NdisGetDataBuffer
NdisAllocateNetBufferPool
NdisAllocateNetBufferListPool
NdisFreeNetBufferListPool

fwpkclnt.sys

FwpsQueryPacketInjectionState0
FwpmCalloutDeleteByKey0
FwpsInjectNetworkReceiveAsync0
FwpmSubLayerAdd0
FwpsCalloutUnregisterByKey0
FwpmSubLayerDeleteByKey0
FwpsInjectionHandleDestroy0
FwpsFreeNetBufferList0
FwpmEngineClose0
FwpmTransactionBegin0
FwpmFilterAdd0
FwpmEngineOpen0
FwpmTransactionAbort0
FwpsCalloutRegister0
FwpsInjectForwardAsync0
FwpmFilterDeleteByKey0
FwpmCalloutAdd0
FwpsInjectNetworkSendAsync0
FwpmTransactionCommit0
FwpsInjectionHandleCreate0
FwpsAllocateNetBufferAndNetBufferList0

wdfldr.sys

WdfVersionBindClass
WdfVersionUnbindClass
WdfVersionBind
WdfVersionUnbind

Sections

.text
Size: 18KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 246B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
NetFucker/WinDivertSharp.dll
.dll windows:4 windows x86 arch:x86

Password: password

dae02f32a21e03ce65412f6e56942daa

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Github\WinDivertSharp\WinDivertSharp\obj\Release\netstandard2.0\WinDivertSharp.pdb

Imports

mscoree

_CorDllMain

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
NetFucker/everything.txt