Tried, Tested and Proven
The following is part 2 of a two-part series of blog posts discussing how our analysis led to automating the identification of every location containing encrypted data and every call to the decryption routine, which allowed us to manipulate the malware into calling the decryption routine for all of its encrypted data and so reveal all of its prized secrets. Part 1 focussed on a maliciously dropped DLL file. If you missed the first article, please click here!

As discussed in part one, there are about 700 different locations where the decryption routine is called, each using different key and data-length parameters. Revealing this hidden data is an important step: it helps us understand the malware's hidden functionality and its aim, giving us an insight into how it undertakes reconnaissance, how it communicates with its controllers and how it accesses information once in place. In order to decrypt each of the encrypted data chunks we extracted a distinctive pattern (signature) based on the two code snippet examples shown in part one of this series, and then developed a script for the ODbgScript plugin (v1.82.6) that, upon execution, forced the malware to touch every single pattern that leads to data decryption; the malware was also patched to bypass the routine that erases the decrypted data from memory. The script logs each VA where one of these two patterns is found, together with the return value in the EAX register and the decrypted data. Since the encrypted data was originally either a Unicode or an ASCII string, the script also identifies which of the two it is dealing with, examines the data in decrypted form and writes the results to a log. The obvious advantage of this technique is that once we have identified the code patterns used to call the decryption routine, we no longer need to concern ourselves with the large number of different decryption keys in use or with the number of different places in the code from which the decryption routine is called. All that remains is to allocate our own buffer for decryption and set up the thread context so that the decryption function writes the decrypted data to our buffer rather than the original one.
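As an added illustration of this approach (not the authors' ODbgScript, which Portcullis supplies on request), the Python below mimics the workflow offline against a constructed image: the call-site signature, the rolling-XOR decryption routine and the PUSH/CALL argument layout are stand-ins chosen for the example, not the real malware's. What carries over is the workflow itself: scan for the signature, pull the key and length from each hit, decrypt into our own buffer, tell ASCII from Unicode strings and emit a log in the Appendix A style.

```python
import re
import struct

# Constructed stand-in for the call-site signature from part 1 (the real pattern bytes are
# not reproduced): three PUSH imm32 (length, key, data VA) then a CALL rel32 to the decryptor.
CALL_SITE = re.compile(rb"\x68(.{4})\x68(.{4})\x68(.{4})\xe8.{4}", re.DOTALL)

def xor_decrypt(blob, key):
    """Stand-in for the malware's decryption routine (constructed: rolling-key XOR)."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(blob))

def classify(data):
    """Tell a UTF-16LE string from an ASCII one, as the logging script had to."""
    if data and len(data) % 2 == 0 and not any(data[1::2]):
        return "Unicode", data.decode("utf-16-le").rstrip("\x00")
    return "ASCII", data.decode("ascii", "replace").rstrip("\x00")

def build_image(base, secrets):
    """Constructed sample image: encrypted strings first, then one call site per string."""
    data, code = bytearray(), bytearray()
    for key, text, wide in secrets:
        blob = text.encode("utf-16-le") + b"\x00\x00" if wide else text.encode() + b"\x00"
        code += b"\x68" + struct.pack("<I", len(blob)) + b"\x68" + struct.pack("<I", key)
        code += b"\x68" + struct.pack("<I", base + len(data)) + b"\xe8" + struct.pack("<i", -0x100)
        data += xor_decrypt(blob, key)          # XOR is symmetric, so this encrypts
    return bytes(data + code), len(data)        # image, offset at which code starts

def harvest(image, base, code_off):
    """Visit every call-site hit, decrypt what it references, return (pattern VA, kind, text)."""
    hits = []
    for m in CALL_SITE.finditer(image, code_off):
        length, key, data_va = (struct.unpack("<I", g)[0] for g in m.groups())
        off = data_va - base
        if not 0 <= off < off + length <= code_off:   # reference must land in the data area
            continue
        kind, text = classify(xor_decrypt(image[off:off + length], key))
        hits.append((base + m.start(), kind, text))
    return hits

def format_log(hits):
    lines = []
    for va, kind, text in hits:
        lines.append(f"{va:08X}   $RESULT: Pattern_VA: {va:08X}")
        lines.append(f"{va:08X}   $RESULT: Decrypted_Data ({kind}): {text}")
    return lines

if __name__ == "__main__":   # demo on a constructed image with two hidden strings
    img, code_off = build_image(0x10000000, [(0x5A, "ServiceSession", False), (0x13, "SeDebugPrivilege", True)])
    print("\n".join(format_log(harvest(img, 0x10000000, code_off))))
```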

Further Investigation

Based on the decrypted data (Appendix A) we discovered that this specific trojan was not new. In fact, this malware family had previously been encountered during an intrusion investigation at SK Communications [1]. Some time later, this malware still passes undetected by various AV vendors, even though it exhibits dangerous RAT functionality. This demonstrates the value malware authors place on AV-evasion techniques. In Appendix B we provide details of some of the malware's function names along with other Windows APIs it dynamically imports. The full list (circa 80 pages) is available upon request; it has been truncated here for brevity. All the decrypted data in Appendices A and B was recovered using the script outlined earlier. If you wish to receive a copy of the script discussed in this two-part series, please contact us at: labs@portcullis-security.com

Did you miss the first article? You can find it here: Part 1 – Destory RAT – Revealing the hidden data. Written by: Kyriakos Economou of Portcullis.

Reference:

1.) Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. http://www.commandfive.com/papers/C5_APT_SKHack.pdf (accessed 7th of January, 2013)

Any questions/feedback?

If you have any further questions or feedback regarding the "Forcing the malware towards self-decryption" article, please do get in touch! We would like to hear your thoughts. You may contact us at: labs@portcullis-security.com

Appendix A

Here we present a small chunk of the decryption results from our script. The script has logged the VA of the start of the pattern, the return value in the EAX register after the decryption routine has been called, and the decrypted data.

Script Log Window
Address Message
1000114B   $RESULT: Pattern_VA: 1000114B
1000116B   $RESULT: EAX: 10038A48
1000116B   $RESULT: Decrypted_Data : ServiceSession
1000116B
1000116B
100013EF   $RESULT: Pattern_VA: 100013EF
1000140F   $RESULT: EAX: 10038A24
1000140F   $RESULT: Decrypted_Data : SeDebugPrivilege
1000140F
1000140F
1000143A   $RESULT: Pattern_VA: 1000143A
1000145A   $RESULT: EAX: 100389FC
1000145A   $RESULT: Decrypted_Data : SeTcbPrivilege
1000145A
1000145A
10001911   $RESULT: Pattern_VA: 10001911
10001931   $RESULT: EAX: 100389E8
10001931   $RESULT: Decrypted_Data : 0
10001931
10001931
1000196C   $RESULT: Pattern_VA: 1000196C
1000198C   $RESULT: EAX: 100389E0
1000198C   $RESULT: Decrypted_Data : 1
1000198C
1000198C
100019C7   $RESULT: Pattern_VA: 100019C7
100019E7   $RESULT: EAX: 100389D4
100019E7   $RESULT: Decrypted_Data : 2

Appendix B

i) Trojan's main capabilities

The following function names describe the main capabilities of this trojan. Looking at the list, you will notice that it supports quite a wide variety of remote commands, including retrieving information on running processes, remote shell creation, Telnet communication, process creation, interprocess communication through pipes, showing a message box with custom alerts, and self-update.

CXFuncScreen::ScreenCtrlEvt
CXFuncShell::ShellT1
CXFuncShell::ShellT2
CXFuncSystem::SysMessageBoxProc
CXFuncTelnet::TelnetT1
CXFuncTelnet::TelnetT2
CXGather::GtProc
CXHide::HdUpdateSet
CXHideSet::HdSaveSet
CXSalvation::SalExceptionHandler
CXSessionServer::SsStartProc
CXSessionServer::SsStartPipe
CXSniffer::SnifferProc
CXSoHttp::SoWorkProc
CXOnline::OlStartProc
CXOnline::OlStartProcPipe

ii) SQL capabilities

The following SQL-related Windows APIs clearly reveal that this trojan is also capable of executing SQL queries and sending the results to whoever controls it.

SQLAllocHandle
SQLFreeHandle
SQLSetEnvAttr
SQLDriverConnectW
SQLDisconnect
SQLExecDirectW
SQLMoreResults
SQLNumResultCols
SQLColAttributeW
SQLFetch
SQLGetData
SQLGetDiagRecW

iii) Privilege escalation

SeTcbPrivilege
SeDebugPrivilege
SeShutdownPrivilege
SeTcpPrivilege (a typo by the malware author? This privilege type does not exist)

iv) Remote Desktop

WTSRegisterSessionNotification
WTSUnRegisterSessionNotification
WTSEnumerateProcessesW
WTSFreeMemory
WTSGetActiveConsoleSessionId

v) Internet Communication

InternetOpenA
InternetConnectA
InternetCloseHandle
InternetReadFile
InternetWriteFile
InternetQueryOptionA
InternetSetOptionA

vi) HTTP

HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
HttpAddRequestHeadersA
HttpOpenRequestA
HttpEndRequestA
HttpQueryInfoA

vii) Network Resources Enumeration

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

viii) Process Related Enumeration

EnumProcesses
OpenProcess
EnumProcessModules

ix) Windows Registry

RegCreateKeyExW
RegSetValueExW
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegQueryValueExW
RegEnumValueA
RegQueryValueExA
RegSetValueExA
SHEnumKeyExW
SHEnumValueW
SHDeleteValueW
SHDeleteKeyW
SHCopyKeyW
SHGetValueW
ZwEnumerateKey (hooked)
ZwEnumerateValueKey (hooked)

x) Windows Service

SetServiceStatus
RegisterServiceCtrlHandlerExW
OpenSCManagerW
OpenServiceW
CloseServiceHandle
EnumServicesStatusW
QueryServiceConfigW
QueryServiceConfig2W
ControlService
StartServiceW
DeleteService
ChangeServiceConfigW
EnumServicesStatusA
ChangeServiceConfig2W
CreateServiceW
QueryServiceStatusEx
EnumServicesStatusExA
EnumServicesStatusExW

xi) TCP/UDP

SetTcpEntry
GetTcpTable
AllocateAndGetTcpExTableFromStack
GetExtendedTcpTable

xii) Process Injection

OpenProcess
VirtualAllocEx
VirtualFreeEx
WriteProcessMemory
CreateRemoteThread

xiii) Authorization

ImpersonateLoggedOnUser
RevertToSelf
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
GetTokenInformation
SetTokenInformation
DuplicateTokenEx
AllocateAndInitializeSid
EqualSid
FreeSid
ConvertStringSidToSidA
LookupAccountSidW
GetLengthSid

xiv) File System

DeleteFileW
FindFirstFileW
FindNextFileW
CreateFileA
CreateFileW
GetFileTime
WriteFile
SetEndOfFile
SetFileTime
SetFilePointer
FlushFileBuffers
GetFileSize
ReadFile
SHFileOperationW
SfcIsFileProtected
GetFileAttributesW
GetFileVersionInfoSizeW
GetFileVersionInfoW
ZwQueryDirectoryFile (hooked)
MoveFileExW
CancelIo

xv) Keyboard/Mouse (keylogging)

mouse_event
keybd_event
GetAsyncKeyState
GetKeyState

xvi) Generic hooking

SetWindowsHookExW
UnhookWindowsHookEx

xvii) Windows Sockets

WSAGetLastError
WSAStartup
WSACleanup
WSAIoctl
WSASend
WSARecv
WSAGetOverlappedResult
setsockopt
closesocket
ioctlsocket
getsockname
bind
connect
htons
recv
inet_ntoa

xviii) Interprocess Communication

ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe

xix) Local Memory allocation – Access rights modification

VirtualAlloc
VirtualFree
VirtualProtect
HeapAlloc
HeapFree
LocalFree
WriteProcessMemory

xx) Volume/Disk Management

QueryDosDeviceW
GetDriveTypeW
GetDiskFreeSpaceExW
GetVolumeInformationW

xxi) Window Station/Desktop

GetProcessWindowStation
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation

xxii) System Information

GetComputerNameW
GetUserNameW