I have a Xiaomi Mi 8 phone with the Pixel Experience ROM installed. This morning I found that Malwarebytes was telling me that I had 59 instances of Android/. The applications are all system apps, e.g. Settings, Live Wallpaper Picker etc.

Even though I don't use or install APKs outside of the Google Play Store, I decided to factory reset (including Advanced Wipe: System, Data, Cache and Dalvik/cache) and restore with a fresh copy of Pixel Experience from xda. Now that the phone is setting up again (the phone is not rooted), I ran Malwarebytes and it's still giving me the same threat warning.

Does anyone know what could be causing this?

Edit: It seems I'm not the only person suffering from this issue:

Edit 2: Tried a full system wipe (including a fresh install of TWRP), installed Pixel Experience with just Malwarebytes as the only app. Ran a scan and it's still saying that the phone is infected. Tried Avast and Bitdefender, and they come back clean. I'm guessing there is a problem with the latest Malwarebytes database update.


CIRCL analyzed a malware sample which was only sporadically detected by just a handful of antivirus engines, based on heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to attribute this specific malware to the NetWiredRC Remote Access Tool; compared to the identified predecessors, this specific version even implements more features.

VeriSign Class 3 Public Primary Certification Authority - G5

The section attributes in the file reveal a first hint of the maliciousness of the file. SECTION 1 (.text): the .text section is writable and thus allows self-modifying code. A normally linked executable keeps its code section readable and executable but not writable; write permission on .text is only needed by code that intends to patch itself at runtime, which is exactly what the unpacking stages below do.

We're not going into detail about all the obfuscation layers and extraction routines Sample A is using, but briefly outline the concept. After an anti-emulation stage, stage 2 decrypts the final malware, using the key 0x5A4C4D4D4C4D, which in ASCII is ZLMMLM. From the memory segment the code has been decrypted to, it is written back to the .text section (the report's listing starts at .text:0040229B). Additional libraries are then loaded. Finally, the instruction pointer is pointed back to the original entry point of this malware.

Upon start, sample B, the actual malware, initializes memory, sets up Winsock by calling WSAStartup and decrypts the strings it uses. Then it starts to communicate with the Command and Control server, waiting for commands. All commands have return codes. In case of success, the return code corresponds to the command code. If the command fails, usually the return code is the incremented command code. If there is an interesting return code, it is mentioned in the table. The following table shows the commands of the malware:

- Set password, identifier and fetch computer information (user, computername, windows version)
- Create process from local file or fetch from URL first and create process
- Create process from local file and exit (hMutex = CreateMutexA(0, 1, "mJhcimNA"))
- Locate and send file with time, attributes and size
- Collect client information and configuration
- Stop running threads, delete autostart registry keys, cleanup, exit
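The section-attribute heuristic from the CIRCL analysis above (a writable .text section as a first hint of self-modifying code) can be checked mechanically during triage. The following Python is an added example, not code from CIRCL or from the report: it walks a PE file's section table with only the standard library and flags every section that is both code/executable and writable. The PE image it inspects is constructed inline for the demonstration (headers only, not the analysed sample), and the IMAGE_SCN_* constants are the documented PE section-characteristic flags.

```python
"""Flag PE files whose code section is writable (W+X), the heuristic the
CIRCL report uses as a first hint of self-modifying malware.

Added example, not part of the original report. Only the standard library
is used; the sample image below is constructed here for the demo and is
NOT the analysed sample.
"""
import struct

# Documented PE section characteristic flags (IMAGE_SECTION_HEADER.Characteristics).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return [(name, characteristics), ...] for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40          # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def writable_code_sections(data: bytes):
    """Names of sections that are code/executable AND writable.

    A plain data section that is writable (.data, .bss) is normal and is not
    reported; only the W+X combination is the self-modifying-code signal.
    """
    hits = []
    for name, ch in parse_sections(data):
        is_code = bool(ch & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        if is_code and ch & IMAGE_SCN_MEM_WRITE:
            hits.append(name)
    return hits


def build_sample_pe(text_characteristics: int) -> bytes:
    """Constructed minimal PE32 image (headers only) with a .text and a .data section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic, rest zeroed

    def sec(name, ch):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, ch)

    data_flags = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return dos + b"PE\0\0" + coff + opt + sec(b".text", text_characteristics) + sec(b".data", data_flags)


if __name__ == "__main__":
    benign = build_sample_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    suspect = build_sample_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    print("benign  W+X sections:", writable_code_sections(benign))
    print("suspect W+X sections:", writable_code_sections(suspect))
```

To run it against real files, pass `open(path, "rb").read()` to `writable_code_sections`. A hit on .text is a triage signal, not proof: some packers and a few legitimate JIT-style programs also ship W+X sections, so confirm by locating the write-back routine as the report does before drawing a conclusion.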