{
	"id": "8bc274b4-9f1a-4443-8ffb-044f701a8d50",
	"created_at": "2026-04-06T00:07:16.142303Z",
	"updated_at": "2026-04-10T03:21:21.708726Z",
	"deleted_at": null,
	"sha1_hash": "9c23a26bdba72deb80bc7d7e3f8b9de927c6d409",
	"title": "New Release: Decrypting NetWire C2 Traffic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247870,
	"plain_text": "New Release: Decrypting NetWire C2 Traffic\r\nBy Phil Da Silva, Rob Downs, Ryan Olson\r\nPublished: 2014-08-04 · Archived: 2026-04-05 19:07:33 UTC\r\nOn July 22, the Palo Alto Networks threat intelligence team, Unit 42, released our first report on the evolution of “Silver Spaniel” 419 scammers. Of particular note is how these actors use a Remote Administration Tool (RAT) named NetWire (part of the NetWiredRC malware family). This RAT gives a remote attacker complete control over a Windows, Mac OS X, or Linux system through a simple graphical user interface.\r\nTo better understand this RAT, our team reverse engineered the communication protocol that NetWire uses. Today we have released a tool that decrypts NetWire traffic and outputs any commands issued by the attacker.\r\nNetWire Encryption Protocol\r\nNetWire uses a custom, TCP-based protocol. The producer of NetWire, WorldWiredLabs, states that the tool uses 256-bit AES encryption, which we found to be accurate. The tool generates two encryption keys using a static password that the attacker chooses when creating the NetWire binary. Each packet has the following structure:\r\n\u003c 4 Byte Little-Endian length \u003e \u003c 1 Byte Command \u003e \u003c Data \u003e\r\nThe shortest possible packet is the “HeartBeat” command, which NetWire generates every 10 seconds.\r\nKey Generation\r\nThe initial packet from the client to the server shows a data and command length of 65 bytes (0x41 listed at the beginning of the packet) with a command byte of 0x03. Within that data is a 32-byte seed value followed by a 16-byte initialization vector (IV) value. The client then combines the 32-byte seed value with the static password in a predetermined fashion to form an AES key.\r\nhttp://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/\r\nPage 1 of 3\n\nUpon receiving the initial packet, the server uses the seed value and password to generate the client’s session key. It then generates its own 32-byte seed value to create its own session key and sends the seed value to the client. The client combines this with the password and generates the same key. At this point, the key exchange is complete and both client and server hold the same two keys, which they can use to encrypt and decrypt traffic.\r\nWith the two keys in place, the malware uses the AES algorithm to encrypt traffic using Output Feedback (OFB) mode (picture courtesy of Wikipedia). The output of the block cipher encryption is eXclusive OR’ed (XOR’d) with 16 bytes of ciphertext to decrypt. Each subsequent block of ciphertext will use the previous encrypted data as the IV passed into the block cipher encryption function.\r\nCommand Parsing\r\nThe malware has a full suite of possible commands, 76 to be exact. Upon receipt of a command from the server, a single function is called to decrypt the payload data and execute the received instruction. The value in the command byte determines which of the commands is run through a 76-way switch statement. A complete list of the possible commands available in NetWire was documented by CIRCL in April.\r\nNetWire Decoder\r\nThe NetWire decoder uses data from a packet capture file to generate the client and server session keys, then decodes the remaining encrypted packets. The user needs to know the IP of the infected client, the port used by the malware, and the encryption password to properly decode the traffic. This password is set to “Password” by default, but can be retrieved from NetWire binaries if the attacker used something more secure. The usage for the tool is shown below.\r\nAt this time the tool works against the latest version of NetWire, 1.5c. We hope this tool will be valuable to incident responders and others who are plagued by NetWire infections.\r\nSource: http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/"
	],
	"report_names": [
		"new-release-decrypting-netwire-c2-traffic"
	],
	"threat_actors": [],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c23a26bdba72deb80bc7d7e3f8b9de927c6d409.pdf",
		"text": "https://archive.orkl.eu/9c23a26bdba72deb80bc7d7e3f8b9de927c6d409.txt",
		"img": "https://archive.orkl.eu/9c23a26bdba72deb80bc7d7e3f8b9de927c6d409.jpg"
	}
}