Let’s Learn: In-Depth Reversing Popular QuantLoader 1.45

Goal: Reverse the “sleepy” QuantLoader version 1.45 with the anti-virus check functions and process integrity check, its interesting file permission lock function amongst others.
Original find@Avman1995
Tools: Ollydbg, IDA

Malware Analysis Steps:
I.  Extract the payload following buffer in WriteProcessMemory and save data to a file. The packer is not sophisticated, so it is trivial to unpack and extract the original payload.

The sequence of Windows API calls is as follows:

  • CreateProcessA *(suspended)
  • SetThreadContext
  • ReadProcessMemory
  • VirtualAllocEx
  • WriteProcessMemory
  • ResumeThread

II. Go to Expression -> type “Sleep” and modify/patch 180 second sleep interval for 0 second sleep time.

III. QuantLoader’s strings are encoded/decoded using the hardcoded string value.
IV. The Decode function as it is viewed in IDA Pro in C++ pseudocode using the hardcoded  “b769929ffbdd0dc9fe159b6d8586bd58” string.
New parameters after the decode function (!):
V. When the QuantLoader starts it will copy itself to 

%APPDATA%\\svchost.exe OR %APPDATA%\Roaming\\svchost.exe where < BOTID> is an eight-digit ID generated for the bot. The payload is masked as svchost.exe.

The BOTID is created by extracting UID numbers only from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cryptography and copying only first 8 ones starting from the fifth one.

VI. Determines if the bot is 32-bit or 64-bit via 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86). 

If it exists, it is 64-bit, if it does not, it is 32-bit.


VI. The Quantloader also adds the firewall rule and executes it.
netsh.exe advfirewall firewall add rule "name=Quant" "program=c:\users\appdata\\svchost.exe" dir=Out action=allow
VII. Install for persistence as 

“QT”=c:\users\appdata\\svchost.exe” 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

Method of operation:
  • If there is no directory %AppData%\\, then the bot creates it.
  • If it is not in %AppData%\\svchost.exe, it registers this path in Windows Firewall and copies it there using the cmd command.
  • If the copy is successful, then:
  • *Removes Zone:Identifier from the malware, which removes the ‘flag’ that highlights it as “Downloaded from the Internet”
  • *Sets on the file permissions that prohibit everything, except reading; effective for persistence of the bot using using the calc command
  • *Run a copy using ShellExecute in SW_HIDE using “runas” then “open”
One of the most interesting functions is the User Account Control (UAC) integrity check one. Here is the pseudocode:
Simply put, if the UAC control is optimized to allow the run “runas” command without checking, the bot obtains elevated privileges.
    SHELLEXECUTEINFO si; 
    memset( &si, 0, sizeof( si ) ); 
    si.cbSize = sizeof( si ); 
    si.hwnd = 0; 
    si.lpVerb = “runas“; 
    si.lpFile = path; 
    si.nShow = SW_NORMAL; 
    si.fMask = SEE_MASK_NOCLOSEPROCESS; 
    bool res = ShellExecuteEx( &si ); 
VIII. Sets on the file permissions that prohibit everything, except reading; effective for persistence of the bot using using the calc command.

cmd /c echo Y|CACLS “c:\users\\appdata\roaming\\svchost.exe” /P “USER:R””

IX. The loader runs itself using ShellExecute’s “open” command and sleeps for one minute.
Finally, the QuantLoader decrypts its C2 addresses and sends a request to each of them containing the following fields:
  • “id” – the botid of the machine based on the “MachineGuid” registry value
  • “c” – the current number of C2s, the value will be “2”
  • “mk” – a hardcoded value likely a campaign identifier
  • “il” – an integrity value checker. If the bot gets elevated privileges, it is il=H, otherwise, it is il=L
  • “vr” – a bot version. This version is 1.45.
  • “bt” – a bit type of the operating system, i.e., 32-bit or 64-bit one.
The bot also queries for the following anti-virus installs:
  • Kaspersky -> SOFTWARE\KasperskyLab\LicStrg
  • Panda -> SOFTWARE\Panda Software\Setup
  • Norton Security -> SOFTWARE\Classes\Applications\NS.ex
  • Dr. Web -> SYSTEM\ControlSet001\services\DrWebLw
  • Bit Defender -> SOFTWARE\Bitdefender Agent\Install
  • Bullguard -> SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bullguard.exe
QuantLoader’s decoded strings: 

“ProgramFilesDir (x86)”
“SOFTWARE\Microsoft\Windows\CurrentVersion”
“1.45”
“netsh advfirewall firewall add rule name=””
“” program=””
“” dir=Out action=allow”
“urlmon”
“URLDownloadToFileA”
“Qt”
“:Zone.Identifier”
“SOFTWARE\Microsoft\Cryptography”
“MachineGuid
“Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders”
“svchost.exe”
“kis”
“SOFTWARE\KasperskyLab\LicStrg”
“FirewallName”
“SOFTWARE\Panda Software\Setup”
“TaskbarGroupIcon”
“SOFTWARE\Classes\Applications\NS.exe”
“DisplayName”
“SYSTEM\ControlSet001\services\DrWebLwf”
“InstallPath”
“SOFTWARE\Bitdefender Agent\Install”
“SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\bullguard.exe”
“SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
“hxxp://trackingbase[.]net/track06858565670k64/index[.]php”
“?id=”
“&c=”
“&mk=”
“&il=”
“&vr=”
“&bt=”
“hxxp://college37672[.]website/track06858565670k64/index[.]php”
“?id=”
“&c=”
“&mk=”
“&il=”
“&vr=”
“&bt=”
Snort Rule
<!– /* Font Definitions */ @font-face {font-family:"Cambria Math”; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:-536870145 1107305727 0 0 415 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:-536870145 1073786111 1 0 415 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:””; margin:0cm; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:Calibri; msoascii-font-family:Calibri; msoascii-theme-font:minor-latin; msofareast-font-family:Calibri; msofareast-theme-font:minor-latin; msohansi-font-family:Calibri; msohansi-theme-font:minor-latin; msobidi-font-family:”Times New Roman”; msobidi-theme-font:minor-bidi; msofareast-language:EN-US;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-family:Calibri; msoascii-font-family:Calibri; msoascii-theme-font:minor-latin; msofareast-font-family:Calibri; msofareast-theme-font:minor-latin; msohansi-font-family:Calibri; msohansi-theme-font:minor-latin; msobidi-font-family:”Times New Roman”; msobidi-theme-font:minor-bidi; msofareast-language:EN-US;} @page WordSection1 {size:595.0pt 842.0pt; margin:2.0cm 42.5pt 2.0cm 3.0cm; mso-header-margin:35.4pt; mso-footer-margin:35.4pt; mso-paper-source:0;} div.WordSection1 {page:WordSection1;} –>

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”Possible QuantLoader 1.45 check-in alert”; flow:established,to_server; content:”/track06858565670k64/”; http_uri; content:”?id=”; http_uri; content:”&c=”; http_uri; content:”&mk=”; http_uri; content:”&il=”; http_uri; content:”&vr=”; http_uri; content:”&bt=”; http_uri; reference:url,http://www.vkremez.com/2017/07/lets-learn-in-depth-reversing-popular.html; classtype:Trojan-activity; rev:1;)

Indicators of Compromise 

MD5 (loader):
  • 23646295E98BD8FA022299374E4F76E0
C2:
  • hxxp://college37672[.]website/track06858565670k64/index[.]php
  • hxxp://trackingbase[.]net/track06858565670k64/index[.]php
<!–table {mso-displayed-decimal-separator:”\,”; mso-displayed-thousand-separator:\00A0;} @page {margin:.75in .7in .75in .7in; mso-header-margin:.3in; mso-footer-margin:.3in;} td {padding-top:1px; padding-right:1px; padding-left:1px; mso-ignore:padding; color:black; font-size:12.0pt; font-weight:400; font-style:normal; text-decoration:none; font-family:Calibri, sans-serif; mso-font-charset:0; mso-number-format:General; text-align:general; vertical-align:bottom; border:none; mso-background-source:auto; mso-pattern:auto; mso-protection:locked visible; white-space:nowrap; mso-rotate:0;} –>

<!– /* Font Definitions */ @font-face {font-family:"Cambria Math”; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:-536870145 1107305727 0 0 415 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:auto; mso-font-pitch:variable; mso-font-signature:-536870145 1073786111 1 0 415 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:””; margin:0cm; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:Calibri; msoascii-font-family:Calibri; msoascii-theme-font:minor-latin; msofareast-font-family:Calibri; msofareast-theme-font:minor-latin; msohansi-font-family:Calibri; msohansi-theme-font:minor-latin; msobidi-font-family:”Times New Roman”; msobidi-theme-font:minor-bidi; msofareast-language:EN-US;} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-family:Calibri; msoascii-font-family:Calibri; msoascii-theme-font:minor-latin; msofareast-font-family:Calibri; msofareast-theme-font:minor-latin; msohansi-font-family:Calibri; msohansi-theme-font:minor-latin; msobidi-font-family:”Times New Roman”; msobidi-theme-font:minor-bidi; msofareast-language:EN-US;} @page WordSection1 {size:595.0pt 842.0pt; margin:2.0cm 42.5pt 2.0cm 3.0cm; mso-header-margin:35.4pt; mso-footer-margin:35.4pt; mso-paper-source:0;} div.WordSection1 {page:WordSection1;} –>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s