My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2020-12-20

Virus description added:

Packer: absent

Compilation date: 01.12.2016 05:57:59

SHA1 hash:

  • 4c871eae022c8088f6e8d46e17002cd0c0006650


A backdoor written in C++ and designed to run on 64-bit Microsoft Windows operating systems. It is used for targeted attacks on information systems, collecting information about an infected device, loading functional malicious modules, coordinating their work, and providing communication with the C&C server. In the infected system, it exists as a DLL file and is loaded by the system service using the DLL Hijacking method. After injection, it functions in the computer's RAM.

Operating routine

The backdoor is a malicious DLL file. The function names in its export table duplicate the exported functions of the apphelp.dll system library.


On the infected computer, the backdoor file was located in C:\Windows\System32\oci.dll catalog. The file’s original name from the export table is dll. It was loaded by the MSDTC system service using the DLL Hijacking method (Microsoft Distributed Transaction Coordinator Service).

From a functional point of view, the sample is a loader for the main payload, which is stored in the .data section as a DLL, with some elements of the DOS and PE headers equal to zero.



The loader operation

Loading is performed in a function designated as malmain_3 and called from the DLL entry point via two transitional functions.


First, the header signatures are checked. If they are not standard, the ERROR_BAD_EXE_FORMAT error value is set; however, this action does not affect the loader operation in any way.

The memory for the image is then allocated according to the IMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage value, and the loader_struc auxiliary structure is formed.

struct loader_struc
  IMAGE_NT_HEADERS64 *pPE_header;
  LPVOID ImageBase;
  HMODULE *p_imported_modules
  QWORD number_of_imported_modules
  HMODULE (__stdcall *pLoadLibrary)(LPCSTR lpLibFileName);
  FARPROC (__stdcall *pGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
  BOOL (__stdcall *pFreeLibrary)(HMODULE hLibModule);
  QWORD unk;

This is followed by the standard process of loading the PE module into memory and calling the loaded module's entry point (DllMain) with the DLL_PROCESS_ATTACH argument, and after exiting it, calling it again with DLL_PROCESS_DETACH.

The main module operation

In the main module, the values of all signatures required for the correct file loading are equal to zero.

  • IMAGE_DOS_HEADER.e_magic
  • IMAGE_NT_HEADERS64.Signature
  • IMAGE_NT_HEADERS64.FileHeader.Magic

In addition, TimeDateStamp and section names also have a null value. The remaining values are correct, thus after manually editing the necessary signatures, the file can be downloaded for analysis as a proper PE module.

The analysis of the main module is complicated, since atypical methods of calling functions are periodically used. The UT hash library is used for storing and processing structures. It allows one to convert standard C structures to hash tables by adding a single member of the ut_hash_handle type. All library functions, such as adding elements, search, delete, etc., are implemented as macros, which leads them to be forcibly inlined by the compiler in the code of the main (calling) function.

The mbedtls library is used to interact with the C&C server.

DllMain function

At the beginning of execution, the Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f45853}, event, execution mode (from the configuration), and the command line are checked, then the operating threads are started.


The module has an embedded configuration with the following structure:

struct cfg_c2_block
    int type;
    char field_4[20];
    char addr[256];
struct cfg_proxy_data
    DWORD dw;
    char str[256];
    char proxy_server[256];
    char username[64];
    char password[32];
    char unk[128];
struct builtin_config
    int exec_mode;
    char url_C2_req[100];
    char hash_id[20];
    char string[64];
    char field_BC;
    cfg_c2_block srv_1;
    cfg_c2_block srv_2;
    cfg_c2_block srv_3;
    cfg_c2_block srv_4;
    cfg_proxy_data proxy_1;
    cfg_proxy_data proxy_1;
    cfg_proxy_data proxy_1;
    cfg_proxy_data proxy_1;
    int CA_cert_len;
    char CA_cert[cert_len];

The hash field contains a value that can be an identifier. This value is used when communicating with the C&C server and can be represented as a b2e4936936c910319fb3d210bfa55b18765db9cc string, which is the same length as the SHA1 hashes.

The string field contains a single character string: 1.

CA_cert is a certificate of the certificate authority in the DER format. It is used to establish a connection to the C&C server over the TLS 1.2 protocol.


Certificate information can be found in the notes to this description.

The DllMain function enables for the creation of multiple operating threads depending on a number of conditions.

  • Main thread — thread_1_main
  • New server request thread — thread_2_get_new_C2_start_communication
  • Encrypted module execution thread — thread_4_execute_encrypted_module

For execution, the value of the builtin_config.exec_mode parameter must be non-zero.

  • if the builtin_config.exec_mode value is 1 or 2, and the process command line contains the -k netsvcs substring, the main thread and the thread for getting the new C&C server address are started;
  • If builtin_config.exec_mode is equal to 2, a thread that decrypts and runs the module stored in the system is started;
  • If the value is 3, the main thread and the thread for getting the new C&C server address are started.

In the examined sample, the value of the exec_mode parameter is 3.

The main thread

First, the backdoor checks the OS version then prepares a structure for initializing functions and a structure for storing a certain configuration fields. The procedure looks artificially complicated.


3 pointers to functions are inserted to the funcs_struc structure of the funcs_1 type that will be called in turn inside the init_global_funcs_and_allocated_cfg function.


In the set_global_funcs_by_callbacks function, each initializer function is called in turn.

The general order of structure forming is as follows:

  1. Two structures are passed to each function: the first contains pointers to some functions; the second is empty.
  2. Each function transfers function pointers from one structure to another.
  3. After calling the initializer function, the function pointers are moved from the local structure to the global array of structures at a certain index.

As a result, after all the unusual transformations, a certain number of global structures that are combined into a single array remain.


Ultimately, the function call can be represented as follows.


The use of complex transformations like copying local structures with functions and transferring them to global structures is probably intended to complicate the analysis of a malicious sample.

The backdoor then uses the UT hash library to generate a hash table of service structures responsible for storing the network connection context, connection parameters, etc.

Below is the fragment of the hash table generation code.


It is worth noting that the hash table contains a signature value that allows one to determine the library used: g_p_struc_10->hh.tbl->signature = 0xA0111FE1;.

The backdoor in question is characterized by the distribution of relevant fields and data across several structures created specifically for this purpose. This feature makes it difficult to create meaningful names for structures during analysis.

After the preparatory steps, the backdoor proceeds to initialize the connection to the C&C server.

Initializing the connection to the C&C server

It is noteworthy that the program code associated with the network connection contains its own error codes, in addition to the codes from the mbedtls library.


A list of error codes found in the sample.

    ERROR_CODE_1392 = 0x1392,
    ERROR_BAD_ARGS = 0x5208,
    ERROR_CODE_520B = 0x520B,
    ERROR_CODE_520D = 0x520D,
    ERROR_CODE_59D8 = 0x59D8,
    ERROR_CODE_59DB = 0x59DB,
    ERROR_CODE_59DC = 0x59DC,
    ERROR_CODE_59DF = 0x59DF,
    ERROR_CODE_61A8 = 0x61A8,
    ERROR_CODE_61AB = 0x61AB,
    ERROR_CODE_61AC = 0x61AC,
    ERROR_CODE_61AD = 0x61AD,
    ERROR_CODE_61AF = 0x61AF,
    ERROR_CODE_61B0 = 0x61B0,
    ERROR_CODE_61B1 = 0x61B1,
    ERROR_CODE_6590 = 0x6590,
    ERROR_CODE_6592 = 0x6592,
    ERROR_BAD_ALLOC = 0x6593,

After a series of preparatory actions, the backdoor resolves the address of the C&C server stored in the configuration and retrieves the port. Addresses in the configuration are stored as strings: koran.junlper[.]com:80 and koran.junlper[.]com:443. Next, the program creates a TCP socket for the connection. After that, it creates a context for the secure connection and performs a TLS handshake.


After establishing secure connection, the backdoor expects a packet with a command from the C&C server. The program works with two packet formats:

  • The packet received after processing the TLS protocol is a "transport" packet.
  • The packet received after processing the transport packet is a "data" packet. It contains the command ID and additional data.

The transport packet header is represented by the following structure.

struct transport_packet_header
  DWORD signature;
  WORD compressed_len;
  WORD uncompressed_len;

The data is placed after the header and packed by the LZ4 algorithm. The backdoor checks the value of the signature field. It must be equal to 0x573F0A68.

After unpacking, the resulting data packet has a header in the following format.

struct data_packet_header
  WORD tag;
  WORD id;
  WORD unk_0;
  BYTE update_data;
  BYTE id_part;
  DWORD unk_1;
  DWORD unk_2;
  DWORD len;

The tag and id fields together define the backdoor action, which means they denote the command ID.

These header structures are used in both directions of interaction.

The order of processing server commands:

  • Client verification
  • Sending the information about the infected system
  • Processing commands by IDs

There is a variable that stores the state of the dialog in the structure responsible for communicating with the C&C server. Therefore, before directly executing commands, performing the first two steps is required, which can be considered as a second handshake.

A verification step

To perform the verification step, the values of the tag and id fields in the primary packet received from the C&C server must be equal to 1.

The verification process is as follows:

  1. The backdoor forms a buffer from an 8-byte array that follows the packet header and the hash_id field taken from the configuration. The result can be represented as the structure:
    struct buff
        BYTE packet_data[8];
        BYTE hash_id[20];
  2. The SHA1 hash of the data in the resulting buffer is calculated. The result is placed in the packet (after the header) and sent to the server.

Sending system information

The next packet received from the C&C server must have the tag value equal to 5 and id value equal to 3. The system data is formed as a sysinfo_packet_data structure.

struct session_info
  DWORD id;
  DWORD State;
  DWORD ClientBuildNumber;
  BYTE user_name[64];
  BYTE client_IPv4[20];
  BYTE WinStationName[32];
  BYTE domain_name[64];
struct sysinfo_block_2
  WORD field_0;
  WORD field_2;
  WORD field_4;
  WORD system_def_lang_id;
  WORD user_def_lang_id;
  DWORD timezone_bias;
  DWORD process_SessionID;
  BYTE user_name[128];
  BYTE domain_name[128];
  DWORD number_of_sessions;
  session_info sessions[number_of_sessions];
struct sysinfo_block_1
  DWORD unk_0; //0
  DWORD bot_id_created;
  DWORD dw_const_0; //0x101
  DWORD os_version;
  WORD dw_const_2; //0x200
  BYTE cpu_arch;
  BYTE field_13;
  DWORD main_interface_IP;
  BYTE MAC_address[20];
  BYTE bot_id[48];
  WCHAR computer_name[128];
  BYTE cfg_string[64];
  WORD w_const; //2
  WORD sessions_size;
struct sysinfo_packet_data
  DWORD id;
  sysinfo_block_1 block_1;
  sysinfo_block_2 block_2;

The field contains a 0x19C0001 constant.

Thesysinfo_packet_data.block_1.bot_id value is extracted from the registry. The backdoor locates it in the instance parameter of the SOFTWARE\Clients\Mail\Hotmail\backup key, which, in turn, depending on the privileges, can be located in the HKLM or HKCU sections.

If the value is missing, a random GUID is generated using UuidCreate, then formatted as a XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX string and saved. If the ID already existed, the sysinfo_packet_data.block_1.bot_id_created parameter is assigned the 1 value. If the ID was created, the parameter is assigned the 2 value.

The sysinfo_packet_data.block_1.cpu_arch parameter value:

  • 1 — x86
  • 2 — x64

The process of determining the MAC address and IP address values by the backdoor is noteworthy. First, the program searches for the network interface through which the largest number of packets passed, then gets its MAC address and searches for the IP address of this interface.


The OS version is encoded with a value from 1 to 13 (0 if an error occurs, starting with 5.0 and then ascending the version.

The sysinfo_packet_data.block_1.cfg_string field contains the string value from the backdoor configuration, which is equal to the character 1.

Processing commands

After the verification step and sending the system information, BackDoor.Spyder.1 begins processing the main commands. Unlike most backdoors, whose commands are quite specific (pick up a file, create a process, etc.), in this instance, they are more of a service nature and represent instructions for storing and structuring the received data. In fact, all these service commands are aimed at loading new modules in PE format, storing them, and calling certain exported functions. It is worth noting that the modules and their information are stored in memory in the form of hash tables using UT-hash.

tag id Description
6 1 Send the number of received modules to the server.
2 Save the parameters of the received module in memory.
3 Save the body of the module in the memory.
4 Load a previously saved module. The search is performed in the hash table by the ID obtained from the packet with the command. The module is loaded into memory, its entry point is called, then the addresses of the 4 exported functions are obtained, which are stored in the structure for further call. Call the exported function No.1.


5 Call the exported function No.4 of one of the loaded modules, then unload it.
6 Send in response a packet consisting only of the data_packet_header header, in which the unk_2 field is 0xFFFFFFFF.
7 Call the exported function No.2 of one of the loaded modules.
8 Call the exported function No.3 of one of the loaded modules.
5 2 Send information about the current connection parameters to the server.
4 - Presumably, the exported function No.1 can return a table of pointers to functions, and the program calls one of these functions at this command.

After processing each packet received from the server, the backdoor checks the difference between the two values of the GetTickCount result. If the value exceeds the specified reference value, it sends the 0x573F0A68 signature value to the server without any additional data and transformations.


New server request thread

BackDoor.Spyder.1 can request the address of the new C&C server if the url_C2_req URL is provided in the configuration. To request this URL, the program can use both the system proxy and the HTTP proxy provided in the configuration. The request is made using the InternetOpenUrlA WinHTTP API.

The response must be a Base64-encoded string between two markers: DZKS and DZJS. It should be noted that a similar algorithm and markers were used in the PlugX family (BackDoor.PlugX.28 and BackDoor.PlugX.38).

The decoded string is decompressed using the RtlDecompressBuffer function, resulting in the address of the new C&C server and the port to connect to.


Encrypted module execution thread

If the exec_mode configuration parameter is set to 2 and the command line contains -k netsvcs, the backdoor creates a separate thread to execute the module stored in the file.

To do this, the backdoor searches for the C:\Windows\System32\1.update file at first. If such a file exists, the program reads it and decrypts it.


This file contains the path to an encrypted file containing a DLL module that the backdoor reads, decrypts, and loads.


Features of the x86 version

The version of the backdoor designed to run on 32-bit Microsoft Windows operating systems is detected by Dr.Web as a BackDoor.Spyder.3 (83e47dbe20882513dfd1453c4fcfd99d3bcecc3d). The main difference of this modification is the presence of debug messages.


Messages are recorded on the log file located in the %WINDIR%\temp\deskcpl.ttf directory. Depending on the initialization parameters, they can be output using OutputDebufStringA or encrypted using a simple XOR operation with byte 0x62.


Messages related to communication with the C&C server and command processing are output using the OutputDebugStringA function. It is noteworthy that for such messages, the [Spyder] prefix is used.



Below is the information about the CA_cert certificate for establishing a connection with the C&C server:

SHA1 Fingerprint=BF:46:40:E4:AF:56:DB:E0:D0:86:6E:16:B0:3F:C7:23:77:26:14:31
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = SecureTrust CA, O = SecureTrust Corporation, C = US
            Not Before: Jan  1 00:00:00 2011 GMT
            Not After : Dec 31 23:59:59 2025 GMT
        Subject: CN = SecureTrust CA, O = SecureTrust Corporation, C = US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement, Certificate Sign, CRL Sign
            Netscape Cert Type:
                SSL Client, SSL Server, Object Signing, SSL CA, Object Signing CA
    Signature Algorithm: sha256WithRSAEncryption

List of 32-bit modification debug messages:

[work]dwDataLen=%d buf_temp=%d
[work]%s no exist
[work]get work err5
[aut]begin tid=%d.
[update_thread]begin tid=%d.
[update_thread]get_work ret=%d
[update_thread]wait for work thread exit...
[update_thread]work thread exit ok
[update_thread]load work failed
[pt]proxy_thread begin tid=%d.
[]dwMajorVersion=%d dwMinorVersion=%d
[work] DLL
[work] VBR/SRV
[wk]RtlGetCurrentUserToken ok
[wk]ImpersonateLoggedOnUser ok
[wk]OpenURL %s Ret=%d
[wk]GetConfigStrFromURL err
[wk]DecodeStrBuffer err
[wk]DecodeLen err
[]IsProxyEnable Ret=%d
[aut]GetConfigStrFromURL PROXY_NO Ret=%d
[aut]GetConfigStrFromURL PROXY_USER Ret=%d
[aut]JmpAddClientConfig %s with address: %s.
[aut]szWebURL Not Set
[aut]address_update_thread Exit.
[update_thread]get_work_path ret=%d
[pt]Using IE proxy setting.
[pt]IE proxy NOT setup.
[pt]SmpGetRegProxy Counts=%d
[pt]IE proxy type = %u NOT support, address: %s.
[pt]IE proxy type = %u, address: %s found.
[pt]Add proxy config %s, address=%s.
[work_thread]begin tid=%d
[wt]JmpAddClientConfig %s with address: %s.
[wt]JmpAddProxyConfig %s.
[wt]start Jumper error = %u.
[wt]Jumper start success!
[wt]tid=%d Exit
[Spyder] client module init error = %d.
[Spyder] register mod %d error = %u.
[spyder] alloc mem for ca cert failed.
[spyder] server address already exists in conf list.
[Spyder] alloc client error = %d.
[Spyder] ALLOC client uid = %u.
[Spyder] set ca for client id=%u error=%d
[Spyder] proxy setting exists, srv=%s
[spyder] use proxy [%s] to connect [%s] res = %u.
[Spyder] direct connect to %s error = %u.
[Spyder] connect to %s result = %u, protcol=%u.
[jmp] big packet: recv new big pkt while previous one not handled, old=%u, new=%u.
[jmp] packet size exceed limit = %#X, id=%u.
[jmp] failed to realloc packet buffer, error = %u, pkt id=%u.
[jmp] big packet recv completed, id=%u, size=%u, ext id=%u.
[Spyder] PAUSE ext = %u Before.
[Spyder] PAUSE ext = %u After.
[Spyder] UNINIT ext = %u Before.
[Spyder] UNINIT ext = %u After.
duplicate session id for ext type id = %u.
[Spyder] can't find recv item for type id = %u.
[Spyder] ext type id = %u recved = %u, new recv = %u, but total size = %u
[Spyder] ext type id = %u recv completed, total size = %u.
[Spyder] find ext with same type id = %u while updating, free old ext.
[Spyder] alloc mem for completed ext error = %u.
[Spyder] ext recv %s, free tem buffer, type id = %u.
[Spyder] ext type = %u already loaded, unlaod now for updating.
[Spyder] failed to unload ext from memory.
[Spyder] load ext id = %u into memory error.
[Spyder] MOD LOAD AT %p, size=%u.
[Spyder] alloc mem for loaded item failed, unload ext type id = %u.
[Spyder] inint module type = %u begin.
[Spyder] inint module type = %u end.
[Spyder] alloc mem for mod_pfn error = %u.
[Spyder] unlaod ext id = %u error.
[Spyder] unload_and_free_all_exts.
[Spyder] UNLOAD ext = %u BEFORE.
[Spyder] UNLOAD ext = %u AFTER.
[Spyder] FREE ext = %u AFTER.
[Spyder] free ext cache = %u .
[Spyder] free ext mem = %u .
[Spyder] link setup Result=%d, local = %#X:%u, remote = %#X:%u, uid=%u.
[Spyder] connected callback at %02u:%02u:%02u, id = %u.
[Spyder] Link disconnected at %02u:%02u:%02u, id = %u.
[Spyder] recv data size = %u invalid, from uid=%u.
[Spyder] receive challenge = %I64X.
[Spyder] failed to get host info.
[Spyder] send host info error = %u.
[jmp] LOGIN SUCCESS, link id = %u.
[jmp] internal data process error.
[jmp] unknown state = %u.
[jmp] core process data error, close link = %u.
[Spyder] ext summary size error = %u.
[Spyder] ext recv prepare failed.
[Spyder] EXTENSION recv BEGIN, type = %u.
[Spyder] dll payload recv error.
[Spyder] ext active begin.
[Spyder] ext active result = %s.
[Spyder] ext free cmd not handled.
[Spyder] unhandled ext sub cmd = %u.
[Spyder] call ext failed = %d, sub=%u.
[spyder] unhandled subcmd=%u in tunnel cmd.
[Spyder] unhandled main cmd = %u, sub cmd = %u.
[Spyder] Can't get link id for ext data delevery.
[Spyder] SEND_DATA via link id=%u error = %d.
[Spyder] client link disconnect id = %u.
[Spyder] client send data error = %#X, id = %u.
[Spyder] enum session error = %u.
[Spyder] get Host info error.
[Spyder] save sn value error = %u.
[Spyder] gszUniqueSN=%s
[Spyder] create guid error = %d.
[jmp] Get adapter info error = %u.
[jmp] adapters info buf size=%u, count=%u.
 Alloc buf for adapter info error = %u.
get adapter info with buf error = %u.
[jmp] IP=%s not match preset mac address, desc=%s.
[jmp] master adapter FOUND! IP = [%s], desc=%s.
[jmp] master adapter has more than one ip: %s.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android