Pages: 5
Rating : ⭐⭐⭐⭐⭐
Price: $10.99
Page 1 Preview
see table for backdoor command and task reference

See table for backdoor command and task reference this example

b. Encrypt the information collected using a custom encryption were the key used is derived from the result of GetTickCount API. The encrypted data will be encrypted again using a bitwise NOT. c. Generate a CRC hash value of the encrypted information.

[Listing 11 - Captured packet received by the client]

The server is now ready to accept backdoor commands from the remote attacker.

3.5 Backdoor Communication Protocol 0x01: Execution of Client-Server Commands

During the 3-way handshake process, we discovered that the Win32/Hydraq backdoor constructs a custom packet. This is a communication protocol designed so that the client and server can recog-nize each other over the network. The information header format is different from each end point.

Client Command
Reference (DWORD)


Start / End
Flag (DWORD)
Size of Data
sent (DWORD)
Encryption Key (WORD)

00 00 00 00

01 00 00 00 B0 00 00 00 75 53 A1 00
Fields Offset Description


This field is a reference used for identifying the group of a specific backdoor command.


This field is a flag that signals the receiver start (1) or end (-1) of data.

Fields Offset Description

Data CRC


Encrypted Data


[Figure 02 - The client process the server information header.]

The constructed information header is 20 bytes in size with the following format. (Note: The values in Table 03 are for illustration purpose)

Server Information Reference (DWORD)
Start / End
Flag (DWORD)
Size of Data
sent (DWORD)
Encryption Key (WORD)
01 00 00 00 B0 00 00 00 75 53 A1 00

The difference between the client and server header information is the Server Info Reference (off-set 0x00) and Information Code (offset 0x04). Based on our simulation and code inspection, the backdoor client uses the following numeric codes to identify the content of the received informa-tion: (Note: The Backdoor Command and Task is discussed in section Backdoor Command Table)


Information Code (expected values)
Command Task
0x00 0x03 0x02 0x00
0x00 0x04 0x04 0x08
0x00 0x05 0x04 0x09

Read file information

0x00 0x06 0x07 0x0B

Receive VedioDriver

0x02 0x00 0x00 0x00
0x02 0x01 0x00 0x01
0x03 0x00 0x01 0x00
0x05 0x00 0x03 0x00
0x05 0x01 0x03 0x01

Registry keys

0x05 0x02 0x03 0x02

Deleted registry info

0x05 0x06 0x03 0x06
0x06 0x00 0x04 0x00
0x06 0x01 0x04 0x01
0x06 0x07 0x04 0x07
0x08 0x06 0x05 0x06

File CRC

0x09 0x01 0x06 0x01

File information

0x09 0x02 0x06 0x02
0x0C 0x02 0x08 0x00
0x14 0x04 0x09 0x01

3.6 Backdoor Command Reference

Aside from the malware code obfuscated with JMPs and NOPs, Win32/Hydraq also constructs a reference table that will be used by the Command Reference field found in the client’s informa-tion header to convert the actual commands.


3. Match the value obtained in Step 2 in the Table 05 to get the Actual Command.

To elaborate on this further, let’s take an example where the remote attacker requests information about the logical drive of the compromised system.

Command Reference Backdoor Command
0x00 0x00
0x01 0x01
0x02 0x02
0x03 0x03
0x04 0x04
0x05 0x0A
0x06 0x05
0x07 0x06
0x08 0x07
0x09 0x0A
0x0A 0x08
0x0B 0x0A
0x0C 0x0A
0x0D 0x0A
0x0E 0x0A
0x0F 0x0A
0x10 0x0A
0x11 0x0A
0x12 0x09

2.6 + (-2) = 4

[Table 05 - Backdoor Command Reference]

Command Reference Backdoor Command
0x04 0x04

You are viewing 1/3rd of the document.Purchase the document to get full access instantly

Immediately available after payment
Both online and downloadable
No strings attached
How It Works
Login account
Login Your Account
Place in cart
Add to Cart
send in the money
Make payment
Document download
Download File

Uploaded by : Joshua Hays

PageId: ELI073FB2B