On August 4, Unit 42, the Palo Alto Networks threat intelligence team, released a tool to decrypt the traffic from a Remote Administration Tool (RAT) named NetWire (part of the NetWiredRC malware family). For details of the encryption protocol used please see our earlier post here.
The previously released protocol decoder and parser was originally built as a stand-alone module. As part of Unit 42’s mission to contribute to the security community, we have developed, and are releasing today, a version of the NetWire decryption tool that works within ChopShop, a great open source tool from MITRE that provides a framework for protocol analysis. To use the tool, simply grab the public_tools repo from the Unit 42 GitHub repository. Be sure to point your ChopShop command to that directory using the -M flag.
We hope that this integration of the decryptor tool with ChopShop will provide value to incident responders and security researchers.
Usage
$ chopshop -M <netwire chopshop directory> -f <pcap file> "host 192.168.180.80 and port 2930" “netwire"
Example Output
Starting ChopShop
Initializing Modules ...
Initializing module 'netwire'
Running Modules ...
[2014-05-06 18:33:52 PDT] --------------------------------
[2014-05-06 18:33:52 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:33:52 PDT] Server Count: 69
[2014-05-06 18:33:52 PDT] Client Count: 0
[2014-05-06 18:33:52 PDT] Server offset: 0
[2014-05-06 18:33:52 PDT] Client offset: 0
[2014-05-06 18:33:52 PDT]
[2014-05-06 18:33:52 PDT] Client Key Generated
[2014-05-06 18:33:52 PDT]
[2014-05-06 18:33:54 PDT] --------------------------------
[2014-05-06 18:33:54 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:33:54 PDT] Server Count: 0
[2014-05-06 18:33:54 PDT] Client Count: 69
[2014-05-06 18:33:54 PDT] Server offset: 69
[2014-05-06 18:33:54 PDT] Client offset: 0
[2014-05-06 18:33:54 PDT]
[2014-05-06 18:33:54 PDT] Server Key Generated
[2014-05-06 18:33:54 PDT]
[2014-05-06 18:33:54 PDT] --------------------------------
[2014-05-06 18:33:54 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:33:54 PDT] Server Count: 69
[2014-05-06 18:33:54 PDT] Client Count: 0
[2014-05-06 18:33:54 PDT] Server offset: 69
[2014-05-06 18:33:54 PDT] Client offset: 69
[2014-05-06 18:33:54 PDT]
[2014-05-06 18:33:54 PDT] client -> server
[2014-05-06 18:33:54 PDT] Command: 05 => set password, identifier and fetch computer information such as user, computername, windows version
[2014-05-06 18:33:54 PDT] Payload: '\x0101056300RENEWAL\x07Administrator @ John-PC\x0718\x072014-05-07 08:33:50\x07\x08>"(Cks\x00E\x1a\xfe\xd9\x88}\xdc9'
[2014-05-06 18:34:02 PDT] --------------------------------
[2014-05-06 18:34:02 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:02 PDT] Server Count: 0
[2014-05-06 18:34:02 PDT] Client Count: 5
[2014-05-06 18:34:02 PDT] Server offset: 138
[2014-05-06 18:34:02 PDT] Client offset: 69
[2014-05-06 18:34:02 PDT]
[2014-05-06 18:34:02 PDT] client -> server
[2014-05-06 18:34:02 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:02 PDT] Payload: ''
[2014-05-06 18:34:02 PDT] --------------------------------
[2014-05-06 18:34:02 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:02 PDT] Server Count: 5
[2014-05-06 18:34:02 PDT] Client Count: 0
[2014-05-06 18:34:02 PDT] Server offset: 138
[2014-05-06 18:34:02 PDT] Client offset: 74
[2014-05-06 18:34:02 PDT]
[2014-05-06 18:34:02 PDT] client -> server
[2014-05-06 18:34:02 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:02 PDT] Payload: ''
[2014-05-06 18:34:12 PDT] --------------------------------
[2014-05-06 18:34:12 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:12 PDT] Server Count: 5
[2014-05-06 18:34:12 PDT] Client Count: 0
[2014-05-06 18:34:12 PDT] Server offset: 143
[2014-05-06 18:34:12 PDT] Client offset: 74
[2014-05-06 18:34:12 PDT]
[2014-05-06 18:34:12 PDT] client -> server
[2014-05-06 18:34:12 PDT] Command: 02 => Socket created
[2014-05-06 18:34:12 PDT] Payload: ''
[2014-05-06 18:34:13 PDT] --------------------------------
[2014-05-06 18:34:13 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:13 PDT] Server Count: 0
[2014-05-06 18:34:13 PDT] Client Count: 5
[2014-05-06 18:34:13 PDT] Server offset: 148
[2014-05-06 18:34:13 PDT] Client offset: 74
[2014-05-06 18:34:13 PDT]
[2014-05-06 18:34:13 PDT] client -> server
[2014-05-06 18:34:13 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:13 PDT] Payload: ''
[2014-05-06 18:34:13 PDT] --------------------------------
[2014-05-06 18:34:13 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:13 PDT] Server Count: 5
[2014-05-06 18:34:13 PDT] Client Count: 0
[2014-05-06 18:34:13 PDT] Server offset: 148
[2014-05-06 18:34:13 PDT] Client offset: 79
[2014-05-06 18:34:13 PDT]
[2014-05-06 18:34:13 PDT] client -> server
[2014-05-06 18:34:13 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:13 PDT] Payload: ''
[2014-05-06 18:34:19 PDT] --------------------------------
[2014-05-06 18:34:19 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:19 PDT] Server Count: 0
[2014-05-06 18:34:19 PDT] Client Count: 5
[2014-05-06 18:34:19 PDT] Server offset: 153
[2014-05-06 18:34:19 PDT] Client offset: 79
[2014-05-06 18:34:19 PDT]
[2014-05-06 18:34:19 PDT] client -> server
[2014-05-06 18:34:19 PDT] Command: 41 => fetch and send mail Outlook, Thunderbird credentials and certificates
[2014-05-06 18:34:19 PDT] Payload: ''
[2014-05-06 18:34:19 PDT] --------------------------------
[2014-05-06 18:34:19 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:19 PDT] Server Count: 5
[2014-05-06 18:34:19 PDT] Client Count: 0
[2014-05-06 18:34:19 PDT] Server offset: 153
[2014-05-06 18:34:19 PDT] Client offset: 84
[2014-05-06 18:34:19 PDT]
[2014-05-06 18:34:19 PDT] client -> server
[2014-05-06 18:34:19 PDT] Command: 41 => fetch and send mail Outlook, Thunderbird credentials and certificates
[2014-05-06 18:34:19 PDT] Payload: ''
[2014-05-06 18:34:26 PDT] --------------------------------
[2014-05-06 18:34:26 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:26 PDT] Server Count: 0
[2014-05-06 18:34:26 PDT] Client Count: 5
[2014-05-06 18:34:26 PDT] Server offset: 158
[2014-05-06 18:34:26 PDT] Client offset: 84
[2014-05-06 18:34:26 PDT]
[2014-05-06 18:34:26 PDT] client -> server
[2014-05-06 18:34:26 PDT] Command: 3d => fetch and send stored credentials, history and certificates from common browsers
[2014-05-06 18:34:26 PDT] Payload: ''
[2014-05-06 18:34:26 PDT] --------------------------------
[2014-05-06 18:34:26 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:26 PDT] Server Count: 5
[2014-05-06 18:34:26 PDT] Client Count: 0
[2014-05-06 18:34:26 PDT] Server offset: 158
[2014-05-06 18:34:26 PDT] Client offset: 89
[2014-05-06 18:34:26 PDT]
[2014-05-06 18:34:26 PDT] client -> server
[2014-05-06 18:34:26 PDT] Command: 3d => fetch and send stored credentials, history and certificates from common browsers
[2014-05-06 18:34:26 PDT] Payload: ''
[2014-05-06 18:34:29 PDT] --------------------------------
[2014-05-06 18:34:29 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:29 PDT] Server Count: 0
[2014-05-06 18:34:29 PDT] Client Count: 5
[2014-05-06 18:34:29 PDT] Server offset: 163
[2014-05-06 18:34:29 PDT] Client offset: 89
[2014-05-06 18:34:29 PDT]
[2014-05-06 18:34:29 PDT] client -> server
[2014-05-06 18:34:29 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:29 PDT] Payload: ''
[2014-05-06 18:34:29 PDT] --------------------------------
[2014-05-06 18:34:29 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:29 PDT] Server Count: 5
[2014-05-06 18:34:29 PDT] Client Count: 0
[2014-05-06 18:34:29 PDT] Server offset: 163
[2014-05-06 18:34:29 PDT] Client offset: 94
[2014-05-06 18:34:29 PDT]
[2014-05-06 18:34:29 PDT] client -> server
[2014-05-06 18:34:29 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:29 PDT] Payload: ''
[2014-05-06 18:34:39 PDT] --------------------------------
[2014-05-06 18:34:39 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:39 PDT] Server Count: 5
[2014-05-06 18:34:39 PDT] Client Count: 0
[2014-05-06 18:34:39 PDT] Server offset: 168
[2014-05-06 18:34:39 PDT] Client offset: 94
[2014-05-06 18:34:39 PDT]
[2014-05-06 18:34:39 PDT] client -> server
[2014-05-06 18:34:39 PDT] Command: 02 => Socket created
[2014-05-06 18:34:39 PDT] Payload: ''
[2014-05-06 18:34:39 PDT] --------------------------------
[2014-05-06 18:34:39 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:39 PDT] Server Count: 0
[2014-05-06 18:34:39 PDT] Client Count: 5
[2014-05-06 18:34:39 PDT] Server offset: 173
[2014-05-06 18:34:39 PDT] Client offset: 94
[2014-05-06 18:34:39 PDT]
[2014-05-06 18:34:39 PDT] client -> server
[2014-05-06 18:34:39 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:39 PDT] Payload: ''
[2014-05-06 18:34:39 PDT] --------------------------------
[2014-05-06 18:34:39 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:39 PDT] Server Count: 5
[2014-05-06 18:34:39 PDT] Client Count: 0
[2014-05-06 18:34:39 PDT] Server offset: 173
[2014-05-06 18:34:39 PDT] Client offset: 99
[2014-05-06 18:34:39 PDT]
[2014-05-06 18:34:39 PDT] client -> server
[2014-05-06 18:34:39 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:39 PDT] Payload: ''
[2014-05-06 18:34:49 PDT] --------------------------------
[2014-05-06 18:34:49 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:49 PDT] Server Count: 5
[2014-05-06 18:34:49 PDT] Client Count: 0
[2014-05-06 18:34:49 PDT] Server offset: 178
[2014-05-06 18:34:49 PDT] Client offset: 99
[2014-05-06 18:34:49 PDT]
[2014-05-06 18:34:49 PDT] client -> server
[2014-05-06 18:34:49 PDT] Command: 02 => Socket created
[2014-05-06 18:34:49 PDT] Payload: ''
[2014-05-06 18:34:51 PDT] --------------------------------
[2014-05-06 18:34:51 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:51 PDT] Server Count: 0
[2014-05-06 18:34:51 PDT] Client Count: 5
[2014-05-06 18:34:51 PDT] Server offset: 183
[2014-05-06 18:34:51 PDT] Client offset: 99
[2014-05-06 18:34:51 PDT]
[2014-05-06 18:34:51 PDT] client -> server
[2014-05-06 18:34:51 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:51 PDT] Payload: ''
[2014-05-06 18:34:51 PDT] --------------------------------
[2014-05-06 18:34:51 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:34:51 PDT] Server Count: 5
[2014-05-06 18:34:51 PDT] Client Count: 0
[2014-05-06 18:34:51 PDT] Server offset: 183
[2014-05-06 18:34:51 PDT] Client offset: 104
[2014-05-06 18:34:51 PDT]
[2014-05-06 18:34:51 PDT] client -> server
[2014-05-06 18:34:51 PDT] Command: 01 => heartbeat
[2014-05-06 18:34:51 PDT] Payload: ''
[2014-05-06 18:35:01 PDT] --------------------------------
[2014-05-06 18:35:01 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:35:01 PDT] Server Count: 5
[2014-05-06 18:35:01 PDT] Client Count: 0
[2014-05-06 18:35:01 PDT] Server offset: 188
[2014-05-06 18:35:01 PDT] Client offset: 104
[2014-05-06 18:35:01 PDT]
[2014-05-06 18:35:01 PDT] client -> server
[2014-05-06 18:35:01 PDT] Command: 02 => Socket created
[2014-05-06 18:35:01 PDT] Payload: ''
[2014-05-06 18:35:02 PDT] --------------------------------
[2014-05-06 18:35:02 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:35:02 PDT] Server Count: 0
[2014-05-06 18:35:02 PDT] Client Count: 5
[2014-05-06 18:35:02 PDT] Server offset: 193
[2014-05-06 18:35:02 PDT] Client offset: 104
[2014-05-06 18:35:02 PDT]
[2014-05-06 18:35:02 PDT] client -> server
[2014-05-06 18:35:02 PDT] Command: 01 => heartbeat
[2014-05-06 18:35:02 PDT] Payload: ''
[2014-05-06 18:35:02 PDT] --------------------------------
[2014-05-06 18:35:02 PDT] addr: (('192.168.180.80', 49157), ('69.65.7.136', 2930))
[2014-05-06 18:35:02 PDT] Server Count: 5
[2014-05-06 18:35:02 PDT] Client Count: 0
[2014-05-06 18:35:02 PDT] Server offset: 193
[2014-05-06 18:35:02 PDT] Client offset: 109
[2014-05-06 18:35:02 PDT]
[2014-05-06 18:35:02 PDT] client -> server
[2014-05-06 18:35:02 PDT] Command: 01 => heartbeat
[2014-05-06 18:35:02 PDT] Payload: ''
Shutting Down Modules ...
Shutting Down NetWire
Module Shutdown Complete ...
ChopShop Complete