My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2020-05-14

Virus description added:

Packer: absent

Compilation date : 06:45:11 14.01.2019

SHA1 hash :

  • 2930efc03e958479568e7930f269efb1e2bcea5a


BackDoor.Mikroceen.11 is a backdoor written in C++ and designed for 64-bit versions of the Microsoft Windows operating systems. Upon installing, it connects to the C&C server directly or using the proxy server and begins executing attackers’ commands. It can collect information about the infected computer and execute commands, redirecting the output of the command shell to the control server. It was used in targeted attacks [link to the study] on state institutions in Kazakhstan and Kyrgyzstan. In both incidents, this malware was installed on the domain controller.

Operating routine

The backdoor file represents a dynamic library with the single NwsapServiceMain export function. The sample in question was installed on the system as a service and located in the c:\windows\system32\nwsapagent.dll directory.

During the operation, it maintains an event log, which is stored in the %TEMP%\\WZ9Jan10.TMP file. The messages in this log are obfuscated, and their possible variants are shown below:

  • WvSa6a7i — launch of the trojan;
  • Dfi1r5eJ — direct connection to the C&C server;
  • PVrVoGx0 — connection to C&C server through previously defined proxy server;
  • Q29uUHJv — connection error;
  • 10RDu6mf — proxy server connection error;
  • 8sQqvdeX:%d — an error receiving the data from the C&C server;
  • Lw3s1gMZ — proxy server connection error;
  • IsEArF1k — successful connection;
  • CcFMGQb8 %s:%d — connection to the proxy server, recorded in the netlogon.cfg;
  • RWehGde0 %s:%d — — connection to the proxy server, received through the WZ9Jan10.TMP file parsing;
  • PV2arRyn %s:%d — connection to the proxy server, found through the tcptable;
  • W560rQz5 — SSL connection establishing.

All the relevant data, such as the C&C server address, is encrypted with a simple addition operation of the value with each byte of the string. The decrypting fragment is shown below:

for ( i = 0; i < lstrlenA(v4); ++i )
v4[i] += 32 - i;

BackDoor.Mikroceen.11 tries to directly connect to the C&C server. If failed, it tries to connect through the proxy server.

The connection is established when the trojan knows the proxy server address. Otherwise, it reads the %WINDIR%\\debug\\netlogon.cfg file, which must contain the IP:port line.

If the netlogon.cfg file is missing, or the trojan failed to connect to the address listed in it, the trojan reads the line from its own log file and parses IP:port from it.

If there is no connection, the trojan parses information about current connections and searches the connection with the MIB_TCP_STATE_ESTAB status and the following ports of the remote host: 80, 8080, 3128, 9080. Among the selected connections, it searches for the IP address from the following subnets:,, The suitable address found is used as a proxy server address.

After successfully connecting, the trojan collects information about the infected system and fills the following structure:

#pragma pack(push, 1)
struct st_info
  _WORD osproducttype;
  _WORD processorarch;
  _DWORD osservicepackmajor;
  _DWORD osvermajor;
  _DWORD osverminor;
  _DWORD default_lcid;
  _DWORD dword30001; // 30001
  char id[16]; // "wsx"
  char ip[16];
  char hostname[32];
#pragma pack(pop)

BackDoor.Mikroceen.11 sends this information to the C&C server and waits for the reply. When exchanging commands, the text protocol is used, and the names of the commands are obfuscated. The list of commands is shown in the table below:

The command An argument The description The reply
QHbU0hQo (file manager command) Reads the file First QWORD is the file size; next goes the file that was read with the 1024 bytes blocks
Ki0Swb7I Gets information about logical disks

A structure with the information about the disks, but not larger than 1024 bytes.

#pragma pack(push, 1)
        struct st_drive_info
          char cmdid[9]; // "fqbnWkSA"
          _WORD disks_count;
          _DWORD disk_types[disks_count];
        #pragma pack(pop)

string — is a command;
string — is a path to the file to read;
string — is a path to the file to write.

Launches the file manager
hwuvE43y (file manager command)

QWORD — is a file size;
BYTE[]— is the data to be written into the file.

Writes to the file QWORD — the file size if the latter already exists
h71RBG8X string — is a command Executes the command within the command shell; exit — closes the command shell
gRQ7mIYr string — is a path to the file Runs a file with CreateProcessA

4FJTUaUX if successful
KbZ5piK8 if failed

eYTS5IwW Ends the command shell process bo7aO8Nb (if command shell was not launched)
AmbZDkEx string — is a password The beginning of the exchange

kjoM4yJg (if the argument matches the line encoded into the file ("12345")) Mf7VLAnr (in all other cases)

5fdi2TfG Launches a command shell, redirecting the output to the server

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2023

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies