WiryJMPer Dropper

WiryJMPer is a dropper trojan that uses a novel obfuscation method to disguise its operations on affected systems. It is infecting computers with a Netwire malicious payload hidden between two benign binaries and using obfuscation to fly under the radar of most anti-malware solutions.

At the time of publication, WiryJMPer is distributed as a binary file disguised as the legitimate application ABBC Coin Wallet (specifically version 3.9.1).

It is presently unclear how this application is delivered, although there are unconfirmed reports indicating it is downloaded from third-party hosting sites. This file contains a sizeable amount of content from the WinBin2Iso (version 3.16) file converter, and uses multiple JMP loop-handling instructions to prevent static analysis and security tools from detecting it’s presence.

When executed, WiryJMPer will create a bespoke virtual machine (VM) in memory to decrypt and combine several separate code sections contained within its binary to produce the intended payloads. Once these are installed, the VM is used to initiate a connection to a command and control server. WiryJMPer will also attempt to install legitimate versions of both ABBC Coin Wallet and WinBin2Iso.

NetWire (also known as Recam or NetWiredRC) is a remote access trojan (RAT) widely used since 2012 with remote control capabilities and a focus on keylogging and password-stealing that enables attackers to gain unauthorized access and remotely control their victims’ computers, among a host of other things.

Further details can be found here – https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/

Netwire C&C servers


Samples (SHA-256)

f1963b44a9c887f02f6e9574aea863974be57a033600047b8e0911f9dbcb9914 - Analyzed sample
7477159797a7f06e3c153662bfef624d056e64b552f455fe53e80f0afb0a1860 - ABBC Coin wallet
6daa1ff03fdbbb58b1f41d2f7dc550ee97fc5b957252b7f1703c81c50b3d406f - Netwire payload

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: