Alfa Laboratory of Tianrongxin

Posted by lipsius at 2020-03-15

Chen Fengfeng, Alfa Laboratory, Tianrongxin

0x00 Overview

This sample was captured by @neteagle, who asked me to take a look, so here is a brief analysis. It is a backdoor with infection capability; we call it the eraseme backdoor after the name it propagates under, eraseme_%d%d%d%d%d.exe. This is my first analysis report, so I would be grateful for guidance; if anything in the analysis is wrong, please point it out.

The sample consists of three components:

PE program (Pe0): shell (loader) program, mainly responsible for dropping Pe1

PE program (Pe1): core program, responsible for infection and control; UPX-packed to reduce its size; drops sys1

Driver (sys1): modifies the system's TCP/IP maximum concurrent connection limit

0x01 Program execution flow

Pe0 (shell program):

1. Check whether it is running in a normal environment. If file monitoring, process monitoring or Wireshark is running, or it is running inside VMware or the Sandboxie sandbox, exit immediately. (PS: it also checks whether the current user name is currentuser; my guess is that some sandbox logs in under the user name currentuser. If anyone knows, please let me know.)

Check whether it is running in VMware

Detect Sandboxie

Look for running Wireshark, Process Monitor, File Monitor and Registry Monitor

2. In a normal environment, decrypt its own resources to obtain Pe1 and inject it into a newly created process for execution;

3. Clean up by deleting itself: C:\windows\system32\cmd.exe /C del C:\eraseme.exe > nul

4. Exit
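As an added example (not code from the sample or from this write-up), here is a small self-test that reproduces the environment checks described in step 1, so that a sandbox operator can see whether the sample would bail out before doing anything. It takes the current user name and a process list (for instance the output of tasklist /FO CSV) and reports which checks fire. The user-name substrings (currentuser, sandbox, VMware) and the tool names come from the write-up; the executable stems it matches (wireshark, procmon, filemon, regmon) and the prefix matching are assumptions, since the post does not show the exact strings the sample compares. The VMware and Sandboxie detection mechanisms are not described on the page and are not modelled here.

```python
"""Sandbox self-test for the eraseme backdoor's environment checks.

Added example, not code from the sample or from the original write-up.
Feed it the local user name and a process list (e.g. ``tasklist /FO CSV``
output on Windows) and it reports which of the sample's anti-analysis
checks would fire. The user-name substrings and tool names come from the
write-up; the executable stems and prefix matching are assumptions.
"""
import csv
import io

# Substrings the sample looks for in the active user name (from the write-up).
USERNAME_MARKERS = ("currentuser", "sandbox", "vmware")

# Analysis tools the sample looks for by process. The executable stems are
# assumptions: the post names the tools but not the exact image names.
PROCESS_MARKERS = {
    "wireshark": "Wireshark",
    "procmon": "Process Monitor",
    "filemon": "File Monitor",
    "regmon": "Registry Monitor",
}


def username_triggers(username):
    """Return the user-name markers found in ``username`` (case-insensitive)."""
    u = username.lower()
    return [m for m in USERNAME_MARKERS if m in u]


def process_triggers(process_names):
    """Return the analysis tools whose process image is running.

    Matching is on the executable stem so that e.g. ``Procmon64.exe`` and
    ``procmon.exe`` both count (assumption, see module docstring).
    """
    hits = []
    for name in process_names:
        stem = name.lower().rsplit(".", 1)[0]
        for marker, tool in PROCESS_MARKERS.items():
            if stem.startswith(marker) and tool not in hits:
                hits.append(tool)
    return hits


def parse_tasklist_csv(text):
    """Extract image names from ``tasklist /FO CSV`` output (header row skipped)."""
    rows = list(csv.reader(io.StringIO(text)))
    return [row[0] for row in rows[1:] if row]


def would_exit(username, process_names):
    """True if the sample's checks would make it exit in this environment."""
    return bool(username_triggers(username) or process_triggers(process_names))


if __name__ == "__main__":
    # Constructed sample input, not captured from a real machine.
    tasklist_out = (
        '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
        '"explorer.exe","1234","Console","1","30,000 K"\n'
        '"Procmon64.exe","2345","Console","1","45,000 K"\n'
    )
    procs = parse_tasklist_csv(tasklist_out)
    print("user triggers:", username_triggers("CurrentUser"))
    print("process triggers:", process_triggers(procs))
    print("sample would exit:", would_exit("CurrentUser", procs))
```

On a real sandbox, pipe the output of tasklist /FO CSV into parse_tasklist_csv and pass the result of getpass.getuser() as the user name; any non-empty trigger list means this sample would exit before dropping Pe1.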

Pe1 (core program):

1) Create a mutex so that only one copy of the EXE runs at a time;

2) Hide the current process via ZwSystemDebugControl (effective on XP); create a thread that drops the sys file to C:\windows\system32\drivers\sysdrv32.sys, loads the driver and runs it;

3) Create a thread that impersonates a web server: pick a random port (1120 to 64535), listen, and on receiving data that begins with the string "GET", send its own binary back over the connection;

4) Establish a TCP connection to port 555 of the C&C server. After connecting, send information about the machine, wait for commands, and send back the requested information according to each command;

5) Create a thread that scans the intranet for all hosts with ports 139 and 445 open, then brute-forces IPC$ on those hosts (with a small built-in dictionary; new dictionary entries can be pushed through remote control). Once a login succeeds, it copies itself to the remote host as eraseme%d%d%d%d%d.exe (each %d a random digit from 1 to 9), starts it by creating a service or a scheduled task, and reports to the C&C server with one of

"PRIVMSG #xploit :[ntpass(NetAddJob)] \\  $passwd$:$username$ [$share]"

"PRIVMSG #xploit :[ntpass(Service)] \\  $passwd$:$username$ [$share]"

6) Create a thread that monitors for USB drives. When a USB drive is present, copy itself to the drive's root directory and write an autorun.inf in the root directory so that the file executes automatically.

Privilege escalation

Process hiding

Check whether the active user name contains strings such as currentuser, sandbox, VMware

Copy itself to the system directory

On XP, copy to C:\windows\system\

On Win7, copy to %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\

1. Drop sysdrv32.sys and modify the TCP/IP maximum concurrent connection limit (the default is 252)

2. Listen on a random port on its own IP. When a connection sends "GET", first reply with "HTTP/1.0 200 OK .. Server: Private .." (the dots presumably stand for line breaks in the response)

Then send its own binary data to the client

3. Send machine information to the server, wait for the server's reply and execute the corresponding commands according to the returned data

Send machine information

Receive and execute the instructions and code sent by the server

4. Enumerate LAN hosts with ports 445 and 139 open, then spread its file to those hosts through IPC$

Iterate over the built-in user name and password table; after a successful connection, spread through IPC$

5. Remote start

Start by creating a service

Send "PRIVMSG #xploit :[ntpass(Service)] \\  $passwd$:$username$ [$share]" to the C&C server;

When starting via a scheduled task, send "PRIVMSG #xploit :[ntpass(NetAddJob)] \\  $passwd$:$username$ [$share]" to the C&C server

6. When a removable disk is present, copy itself to the disk's root directory and write an autorun.inf so that the sample runs directly when the disk is inserted into a system
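Added example (not code from the sample or the write-up), serving both the report strings listed under 5) in the core-program steps and the "Remote start" section above that repeats them: a parser that extracts the start method, victim host, credentials and share from these PRIVMSG lines as they would appear in a capture of the C&C channel, so an incident responder can list which hosts and accounts the worm got into. Assumptions: the double backslash is followed by the victim host name or address (the post shows the template with that field blank), the $passwd$/$username$/$share placeholders are substituted verbatim, and a raw line may carry a ":nick!user@host" IRC prefix. The sample traffic lines in the block are constructed, not captured.

```python
r"""Parser for the eraseme backdoor's IRC-style spread reports.

Added example; not code from the sample or the write-up. After a successful
IPC$ login and remote start the sample reports to its C&C with lines of the form

    PRIVMSG #xploit :[ntpass(Service)] \\  $passwd$:$username$ [$share]
    PRIVMSG #xploit :[ntpass(NetAddJob)] \\  $passwd$:$username$ [$share]

where the method in parentheses tells whether it started via a service or a
scheduled task. Assumptions: the "\\" is followed by the victim host (the post
shows that field blank), placeholders are substituted verbatim, and a raw IRC
line may carry the usual ":nick!user@host" prefix.
"""
import re

BEACON_RE = re.compile(
    r"""^(?::\S+\s+)?                 # optional IRC prefix ":nick!user@host"
        PRIVMSG\s+(?P<channel>\#\S+)\s+:
        \[ntpass\((?P<method>Service|NetAddJob)\)\]\s+
        \\\\(?P<host>\S*)\s+          # "\\host" (host field is an assumption)
        (?P<passwd>[^:\s]*):(?P<username>[^\s\[]+)\s+   # blank password allowed
        \[(?P<share>[^\]]*)\]\s*$""",
    re.VERBOSE,
)


def parse_beacon(line):
    """Return a dict with channel/method/host/passwd/username/share, or None."""
    m = BEACON_RE.match(line.strip())
    return m.groupdict() if m else None


def compromised_hosts(lines):
    """Map each reported victim host to the credential and start method used."""
    result = {}
    for line in lines:
        b = parse_beacon(line)
        if b is None:
            continue  # PING, chatter, or an unrelated PRIVMSG
        result[b["host"]] = {
            "method": b["method"],
            "username": b["username"],
            "passwd": b["passwd"],
            "share": b["share"],
        }
    return result


# Constructed sample traffic lines (not captured data).
SAMPLE_LINES = [
    ":bot1!x@10.0.0.5 PRIVMSG #xploit :[ntpass(Service)] \\\\10.0.0.7 admin123:Administrator [C$]",
    "PRIVMSG #xploit :[ntpass(NetAddJob)] \\\\FILESRV :Administrator [ADMIN$]",
    "PRIVMSG #xploit :hello",
    "PING :irc.example",
]

if __name__ == "__main__":
    for host, info in compromised_hosts(SAMPLE_LINES).items():
        print(host, info)
```

The same regex, minus the named groups, is a usable content match for the port-555 channel in an IDS rule; the "[ntpass(" prefix is the distinctive part.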

0x02 Summary

The analysis shows that the sample performs many virtual machine and sandbox checks, which let it evade some APT detection tools, although its evasion techniques are fairly common. Much of the code targets XP, and it spreads by brute-force guessing of NetBIOS/IPC$ credentials, so it is probably an early sample.