NetDooka Framework Distributed via PrivateLoader Malware as
Part of Pay-Per-Install Service
By Aliakbar Zahravi, Leandro Froes ( words)
Published: 2022-05-05 · Archived: 2026-04-06 01:02:55 UTC
Malware
This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the
release of the first payload up until the release of the final RAT that is protected by a kernel driver.
By: Aliakbar Zahravi, Leandro Froes May 05, 2022 Read time: 9 min (2379 words)
Save to Folio
We recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of
some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple
parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that
implements its own network communication protocol. During our analysis, we discovered that NetDooka was
being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.
As previously described by Intel471, the PrivateLoader malware is a downloader responsible for downloading and
installing multiple malware into the infected system as part of the PPI service. Due to the way the PPI service
works, the exact payloads that would be installed might differ depending on the malware version. Some of the
known malware families that are reportedly being distributed via PPI services include SmokeLoader, RedLine, and
Anubis.
This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the
release of the first payload, which drops a loader that creates a new virtual desktop to execute an antivirus software
uninstaller and interact with it by emulating the mouse and pointer position — a necessary step to complete the
uninstallation process and prepare the environment for executing other components — up until the release of the
final RAT that is protected by a kernel driver.
However, while we describe all the different features we found, NetDooka’s features might still vary depending on
the malware version since it is still in its development phase.
Attack overview 
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 1 of 25

Figure 1. Infection chain of the attack
The infection starts when a user inadvertently downloads PrivateLoader, usually through pirated software
downloads (as mentioned in the Intel471 report), followed by the installation of the first NetDooka malware, a
dropper component that is responsible for decrypting and executing the loader component.
The loader then performs certain checks to ensure that it is not running in a virtual environment, after which it
downloads another malware from the remote server. It might also install a kernel driver for future use.
The downloaded malware is another dropper component that is executed by the loader. This dropper is responsible
for decrypting and executing the final payload, a full-featured RAT containing multiple capabilities such as starting
a remote shell, grabbing browser data, taking screenshots, and gathering system information. It might also start the
installed kernel driver component to protect the dropped payload.
Loader analysis
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 2 of 25

Figure 2. NetDookaLoader flow chart (Click to enlarge)
Upon execution, the loader will deobfuscate strings, such as the command-and-control (C&C) server address, and
check for the command-line arguments that were passed. The malware accepts multiple arguments that indicate
what action should be taken.
Argument Function
001 Uninstalls Avira programs
004 Uninstalls Viper programs
006 Uninstalls Total 360 programs
007 Uninstalls ESET programs
008 Uninstalls GData programs
embedded Downloads the dropper component and renames it to reloadbitex.exe
correct Blocks antivirus vendor domains, install driver and delete loader
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 3 of 25

<No
ARG>
Downloads the dropper component, executes itself using the “embedded” and “correct”
arguments and creates a scheduled task for downloaded NetDookaDropper
Table 1. Command-line arguments and their functions
Figure 3. NetDookaLoader argument’s check
If no parameter is passed to the loader, it executes a function called “DetectAV()” that queries the registry to
automatically identify the antivirus products available in order to uninstall them. The malware does this by
creating a new virtual desktop using CreateDesktopA, which is used as a workspace for launching the proper
binary uninstaller program. This is accomplished through the use of CreateProcessA with the “create_no_window”
flag, as well as through the emulation of human interactions such as controlling the mouse to complete the
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 4 of 25

uninstallation process. Each antivirus uninstaller function has its own removal technique based on uninstallation
process. Figure 4 shows an example of the GData antivirus removal.
Figure 4. Uninstalling an antivirus program
The loader then creates a working directory in the %ProgramFiles% such as "ReservHardwareUpdater" or
"ExMultimediaStorage" (please note that the directory name could be in different samples) to keep a copy of itself
and other files, such as the next stage payload in there. After that, the malware executes the copy of itself with an
embedded/delected argument.
In some variants, the loader downloads the next stage's payload twice: once when the malware runs with no
parameters (this binary never runs such as "rsvr_updldr.exe") and once when the loaded executes a copy of itself
with an embedded/deletced parameter (this later on binary executes via scheduled task). 
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 5 of 25

Figure 5. NetDookaLoader downloading the next stage of the attack via bitsadmin.exe
Figure 6. Self-execution with “embedded” argument
The “embedded” argument is responsible for downloading the dropper component and saving it as
“%ProgramFiles%\ReservHardwareUpdater\reloadbitex.exe”.
The loader component executes itself again using the “correct” argument. Once this is done, it blocks antivirus
vendor domains by modifying the hosts file, redirecting their domains to “0.0.0.0” address and deletes itself using
the following command:
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 6 of 25

Figure 7. Blocking antivirus domains
In some variants of the malware, the loader installs a driver to act as a kernel-mode protection for the final payload
(RAT component). It accomplishes this by registering as a mini-filter driver and setting callback functions to
protect the malware against file deletion and process termination.
The driver binary is Base64-encoded within the loader and, once decoded, has its content written to the
“C:\Program Files\SolidTechnology\protdrv.sys” file. Although the loader creates a service to install the driver, it
does not start it. Instead, the driver start task is performed by the dropper component.
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 7 of 25

Figure 8. Driver installer function
At the end, the loader creates the following scheduled task for the downloaded dropper:
Figure 9. Create a scheduled task function (Click to enlarge)
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 8 of 25

Dropper analysis
We discovered two different dropper components involved in the NetDooka attack chain: One is installed by the
PrivateLoader that drops the NetDooka loader, while the other one drops the final RAT payload.
The dropper component is a small .NET binary responsible for decrypting and executing a payload it has
embedded. The malware starts by reading its own file content and looking for a specific byte sequence (in the
sample we analyzed, this was “\x11\x42\x91\x50\x7F\xB4\x6C\xAA\x75\x5E\x8D”) to get the bytes next to it.
The payload decryption is achieved by performing an XOR operation in the decrypted payload that uses a single-byte key and subtracts the index value from the final value for each decryption loop iteration. The key is resolved
by creating a prime number list of a specific size and iterating through it. For each iteration, the SHA-256 hash of
the current list element is generated and the first byte of the hash result is then added to a single-byte variable, with
the final sum being the XOR key.
Figure 10. The decryption routine used by NetDookaDropper
Once decrypted, the payload content is written to a file in the %Temp% directory and then executed via a new
process. Note that both the location and the file name might be different depending on the malware version.
Figure 11. The decrypted payload being executed
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 9 of 25

Although the malware has multiple versions exhibiting some differences in behavior such as the XOR key and
byte sequence being searched, the dropper’s goal is still the same for all NetDooka’s versions we found: Execute
an embedded payload within it. To automate the dropped payload extraction, we developed a Python script that can
be downloaded here.
As mentioned in the loader analysis section, some versions of the dropper component are responsible for starting
the driver component service. It’s important to mention that the dropper version that contains the driver start step
(performed before the final payload decryption and execution) is the one containing the final payload.
Figure 12. The dropper starting the driver component
Driver analysis
The driver component acts as a kernel-level protection for the RAT component. It does this by attempting to
prevent the file deletion and process termination of the RAT component. The driver registers itself as a mini-filter
driver to intercept I/O requests to the file system and set process callback functions to protect the RAT process.
During our analysis, we noticed that the driver based its process protection implementation in the Microsoft driver
example implementation and its file deletion protection in an open source project named “Prevent_File_Deletion.”
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 10 of 25

Figure 13. General view of the driver features
The driver registers as a mini-filter driver and starts it by using both the FltRegisterFilter and FltStartFiltering
functions. File systems are typical targets for I/O operations in order to access files. A file system filter is a
mechanism that a driver can use to intercept calls destined to the file system. A file system mini-filter is a model
created to replace the Windows legacy file system filter mechanism, possessing the advantage of being easier to
write — making it the preferred method of developing file system-filtering drivers.
When a mini-filter driver is registered, it can set callback functions to be executed before (PreOperation) and after
(PostOperation) I/O requests. For the file deletion protection, the malware registers a PreOperation callback
function during the filter registration to intercept I/O requests of specific types to the file system. In this case, the
malware intercepts file deletion operations.
Once a file deletion operation is requested, the callback function is called, and the driver checks if the destination
file has the name “ougdwieue.exe” (name of the final RAT payload). If so, it changes the permissions of the
request to prevent the target file from being deleted.
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 11 of 25

Figure 14. RAT file name being checked and access being denied
The process protection is achieved by setting a process notification callback routine via the
PsSetCreateProcessNotifyRoutine function, which would be called every time a new process is created. When the
callback is executed, the malware looks for the string “ougdwieue.exe” in the process command line to determine
whether or not the process is the expected target. 
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 12 of 25

Figure 15. The process command line being checked
The driver also sets another callback routine via ObRegisterCallback to check for process operations being
performed that involve a process handle creation or duplication.
With these two callbacks in place when a process is created, the driver can check if the process being created is in
fact the RAT process and the operation being performed is either a process handle creation or duplication. If so, the
driver changes the access permission to avoid applications that try to obtain a handle to the target process and
terminate it.
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 13 of 25

Figure 16. Process creation callback routine.
Figure 17. Access to the process handle being modified
RAT analysis
The final payload is a RAT that accepts commands from a remote server to execute a variety of functions such as
executing shell commands, performing distributed denial-of-service (DDoS) attacks, downloading and executing
files, logging keystrokes on the infected machine, and performing remote desktop operations. Figure 18 shows the
list of its functions.
Figure 18. NetDookaRAT functions
Upon execution, the malware employs various system checks to detect and avoid analysis environments.
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 14 of 25

Figure 19. Analysis environment evasion
The malware creates a mutex named “3f0d73e2-4b8e-4539-90fd-812330bb39c8” to mark its presence on the
system. In case it finds the same mutex in the system, it exits.
Before C&C communication, NetDooka generates a 16-byte random session and stores it in a file named
“config.cfg”. 
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 15 of 25

Figure 20. Initializing and configuring the C&C server
Figure 21. The session ID generator
It then initializes its network communication components and contacts its C&C server to register the victims and
retrieve commands. 
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 16 of 25

Figure 22. C&C communication
NetDookaRAT uses a custom protocol to communicate with the C&C server using the format shown in Figure 23.
Figure 23. The packet structure used in C&C communications
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 17 of 25

Each response splits into the header and data stream. The header stream contains the request type, the size and
options of the data to be sent while the data stream contains the return value of the specific function. Table 2 shows
a list of type values and their corresponding functions.
Type in decimal Type in hex Function
400 0x190 Exfiltrate system information
1000 0x3E8 Send session ID
10 0x0A Send message
8 0x08 Reverse shell
16 0x10 DDoS attack
19 0x13 Send file
5 0x05 Download file
20 0x14 Copy browser data
9 0x09 Copy browser data
18 0x12 Start HVNC
15 0x0F Send log
14 0x0E Microphone capture
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 18 of 25

17 0x11 Start virtual network computing (VNC)
13 0x0D Capture webcam
Table 2. The type values and their corresponding functions
The code snippets in Figure 24 demonstrate how the malware constructs and sends the request shown in Table 2. 
Figure 24. Packet creation for requests
The malware then starts to listen for incoming TCP connections to receive commands. It then parses the received
commands to execute them on the infected machine. Figure 25 shows the commands supported by the malware
while the code snippet in Figure 26 demonstrates how the malware performs these commands.
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 19 of 25

Figure 25. RAT commands and capabilities
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 20 of 25

Figure 26. Code snippet of the RAT commands
Conclusion
PPI malware services allow malware creators to easily deploy their payloads. The use of a malicious driver creates
a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as
protecting processes and files, bypassing antivirus programs, and hiding the malware or its network
communications from the system, among others. Furthermore, with the RAT payload properly installed, malicious
actors can perform actions such as stealing several critical information from the infected systems, gaining remote
control access to the system, and creating botnet networks. Finally, NetDooka’s capabilities allow it to act as an
entry point for other malware.
A list of indicators in text format can be viewed here.
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 21 of 25

Indicators of Compromise (IOCs)
SHA-256 Detection name
PrivateLoader  
4d94232ec587f991017ed134ea2635e85c883ca868b96e552f9b5ac5691cdaf5 Trojan.Win32.STOP.EL
Driver  
81dbe7ff247d909dc3d6aef5b5894a153886955a9c9aaade6f0e9f47033dc2fb Trojan.Win64.PROTDRIVE.A
93[.]115[.]21[.]45 IoCs
Dropper
28ad0bc330c7005637c6241ef5f267981c7b31561dc7d5d5a56e24423b63e642 TrojanSpy.MSIL.DOTCRYPT.B
50ab75a7c8685f9a87b5b9eb7927ccb7c069f42fb7427566628969acdf42b345 TrojanSpy.MSIL.DOTCRYPT.B
85e439e13bcd714b966c6f4cea0cedf513944ca13523c7b0c4448fdebc240be2 TrojanSpy.MSIL.DOTCRYPT.B
c64a551e5b0f74efcce154e97e1246d342b13477c80ca84f99c78db5bfeb85ef TrojanSpy.MSIL.DOTCRYPT.B
8fa89e4be15b11f42e887f1a1cad49e8c9c0c724ae56eb012ac5e529edc8b15c TrojanSpy.MSIL.DOTCRYPT.B
531f6cb76127ead379d0315a7ef1a3fc61d8fff1582aa6e4f77cc73259b3e1f2 TrojanSpy.MSIL.DOTCRYPT.B
44babb2843da68977682a74675c8375da235c75618445292990380dbc2ac23af TrojanSpy.MSIL.DOTCRYPT.B
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 22 of 25

64be1332d1bf602aaf709d30475c3d117f715d030f1c38dee4e7afa6fa0a8523 TrojanSpy.MSIL.DOTCRYPT.B
91791f8c459f32dc9bf6ec9f7ee157e322b252bc74b1142705dcc74fe8eced7e TrojanSpy.MSIL.DOTCRYPT.B
a49769b8c1d28b5bb5498db87098ee9c67a94d79e10307b67fe6a870c228d402 TrojanSpy.MSIL.DOTCRYPT.B
43dcf8eea02b7286ba481ca84ec1b4d9299ba5db293177ff0a28231b36600a22 TrojanSpy.MSIL.DOTSPY.A
Loader
d20576f0bd39f979759cde5fb08343c3f22ff929a71c3806e8dcf0c70e0f308b Trojan.MSIL.DNRAT.A
76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086 Trojan.MSIL.DNRAT.B
40ee0bd60bcb6f015ad19d1099b3749ca9958dd5c619a9483332e95caee42a06 Trojan.MSIL.DNRAT.B
1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72 Trojan.MSIL.KILLAV.AF
2e37495379eb1a4dfae883d1e669e489877ed73f50ae26d43b5c91d6c7cb5792 Trojan.MSIL.KILLAV.AF
8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e Trojan.MSIL.KILLAV.AF
5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54 Trojan.MSIL.KILLAV.AF
bfc99c3f76d00c56149efcf75fd73497ec62b1ed53e12d428cf253525f8be8d0 Trojan.MSIL.KILLAV.AF
ed98187a0895818dfa6b583463b8a6d13ebc709d6dd219b18f789e40a596e40e Trojan.MSIL.KILLAV.AF
94fb2969eae7cce75c44c667332dacace155369911b425c50476d90528651584 Trojan.MSIL.KILLAV.AF
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 23 of 25

07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4 Trojan.MSIL.KILLAV.AG
RAT
62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232 Backdoor.MSIL.DNRAT.A
73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5 Backdoor.MSIL.DNRAT.A
ab7d39e34ad51bc3138fb4d0f7dedc4668be1d4b54a45c385e661869267ef685 Backdoor.MSIL.DNRAT.B
c54a492d086930eb4d9cd0233a2f5255743b6dde22a042f2a2800f2c8fe82ce8 Backdoor.MSIL.DNRAT.B
f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70 Backdoor.MSIL.DNRAT.B
55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431 Backdoor.MSIL.DNRAT.B
ed092406a12d68eac373b2ddb061153cb8abe38e168550f4f6106161f43dcafe Backdoor.MSIL.DNRAT.C
ba563dfaf572aa5b981043af3f164a09f16a2cf445498d52b299d18bb37ce904 Trojan.MSIL.DNRAT.C
796df2ad288455a4047a503b671d5970788b15328ce15b512c5e3403b0c39a61 Trojan.MSIL.DNRAT.C
89[.]38[.]131[.]151 IoCs
Dropper
60bf7b23526f36710f4ef589273d92cc21d45a996c09af9a4be52368c3233af6 TrojanSpy.MSIL.DOTCRYPT.A
557f35cfdd1606d53d6a3ae8d9f86013b4953c5e1c6fabc2faa57d528c895694 TrojanSpy.MSIL.DOTCRYPT.A
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 24 of 25

Loader
cdf3aaa9134dc1c5523902afed3ff029574f9c13bc7105c77df70d20c9312288 Trojan.MSIL.VINDOR.A
85d3b0b00759d7b2c7810c65cdae7fcfe46f3a9aec9892c11156d61c99c2d92e Trojan.Win32.VINDOR.A
RAT
5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace Backdoor.MSIL.DNRAT.A
Domains and URLs
hxxp://212.193.30[.]21/
hxxp://93.115.21[.]45
hxxp://89[.]38[.]131[.]155
hxxp://data-file-data-18[.]com
hxxp://file-coin-coin-10[.]com
Tags
Source: https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
Page 25 of 25