Analysis Report

MAR-10382580-1.v1 – Unidentified RAT

Last Revised
Alert Code
AR22-174B

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This report analyzes 8 unique files. Five of the files are malicious loaders that contain an embedded executable. Two of the embedded executables are included in this report. The embedded executables are Remote Access Tools (RATs) that provide a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems.

The remaining file is a heavily encoded Java Server Pages (JSP) application that functions as a malicious webshell. This Java application allows an operator to upload files to and download files from a target system, and to control the system via a reverse shell.

For a downloadable copy of IOCs, see: MAR-10382580-1.v1.stix.

Submitted Files (8)

28e4e7104cbffa97a0aa2f53b5ebcbcdba360ec416b34bb617e2f8891d204816 (error_401.jsp)

33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b (odbccads.exe)

3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0 (fontdrvhosts.exe)

66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 (winds.exe)

7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751 (praiser.exe)

88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8 (f7_dump_64.exe)

d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f (d071c4959d00a1ef9cce535056c6b0...)

f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab (SvcEdge.exe)

IPs (4)

134.119.177.107

155.94.211.207

162.245.190.203

185.136.163.104

Findings

66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16

Tags

remote-access-trojan trojan

Details
Name winds.exe
Size 850432 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 21fa1a043460c14709ef425ce24da4fd
SHA1 33638da3a83c2688e1d20862b1de0b242a22e87c
SHA256 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16
SHA512 00afc06c46397d106489c63492437100ae8a872169918c1b2a0c7acfcbe8b6c7b77e587f50551d33603693755081bafbaddfe62bfccb9a3803e940a9b9a5a30e
ssdeep 12288:nHphzO/LbA9xVeAayauoGqKv4Kyxa30vKc6wVqSfpOH8KAGG6SfUTuy4aN+h:JqGxMUKGqKv4OEvBHVqSfMFyUSjs
Entropy 7.555857
Antivirus
Adaware Gen:Variant.Ulise.345018
AhnLab Trojan/Win.Generic
Avira TR/Injector.vkchy
Bitdefender Gen:Variant.Ulise.345018
ESET a variant of Win64/Injector.HA.gen trojan
Emsisoft Gen:Variant.Ulise.345018 (B)
IKARUS Trojan.Win64.Injector
K7 Trojan ( 0058e94e1 )
McAfee RDN/Generic.dx
Zillya! Trojan.Chapak.Win32.92597
YARA Rules
rule CISA_10382580_03 : loader
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10382580"
        Date = "2022-05-02"
        Last_Modified = "20220602_1200"
        Actor = "n/a"
        Category = "Loader"
        Family = "n/a"
        Description = "Detects loader samples"
        MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
        SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
        MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
        SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
        MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
        SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
        MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
        SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
        MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
        SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
        MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
        SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
    strings:
        $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
        $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
        $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
        $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
    condition:
        all of them
}
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-06-28 14:54:12-04:00
Import Hash 8b276f4187d986d845fbeca4606978e5
Company Name Sysinternals - www.sysinternals.com
File Description PsPing - ping, latency, bandwidth measurement utility
Internal Name PsPing
Legal Copyright Copyright (C) 2012-2016 Mark Russinovich
Original Filename psping.exe
Product Name Sysinternals PsPing
Product Version 2.10
PE Sections
MD5 Name Raw Size Entropy
f7563c080ebc1ddfde8cd35a391c013b header 1024 2.941811
dee2271d40bae0ee404bd93800669e7f .text 148992 6.183880
f9ca0448650e2c20a1c84bdf4d21e1f5 .rdata 76800 3.959956
ef7c0cd1e8c1cb59d89b9bb7cb3e38b7 .data 37888 4.076162
a94f35a1d82b7ea31758e552c5c8dd4d .pdata 7680 5.174204
0a5f1fe82123e133fb124fb65751dd19 .rsrc 574976 7.974682
b89ab7dbe7f05df8a1bebb81afcdbc9f .reloc 3072 5.054629
Relationships
66966ceae7... Connected_To 185.136.163.104
66966ceae7... Contains d071c4959d00a1ef9cce535056c6b01574d8a8104a7c3b00a237031ef930b10f
Description

This malware is a 64-bit Windows loader that contains an encrypted malicious executable. During runtime, this encrypted executable is decrypted and loaded into memory, never touching the system's hard disk. The encrypted executable is similar in functionality to the file "f7_dump_64.exe" (88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8), described below. The malware embedded within this loader attempts to communicate with the hard-coded C2 Internet Protocol (IP) address 185[.]136[.]163[.]104. This malware provides a vast array of C2 capabilities, including the ability to log keystrokes, upload and execute additional payloads, function as a proxy, and gain graphical user interface (GUI) access to a target Windows system's desktop. Many of the structures used to implement the C2 capabilities in this malware appear to be derived from the same source code as "f7_dump_64.exe"; however, this malware uses much more complex obfuscation to hinder analysis of its code structures.

Screenshots

Figure 1 - This screenshot illustrates the algorithm the malware uses to encrypt its inbound and outbound communications with the remote C2. This is a simple algorithm that relies primarily on incrementing through the target data and modifying each byte by XORing it with 0x10 or 0xe7. The basic arithmetic of the algorithm is to XOR every byte of the target data with 0x10 and then every other byte with 0xe7. Notably, outbound data appears to be prepended with a block of random bytes of random length. Therefore, the result of the encryption, even of the exact same data, will vary, because the length of the prepended block causes the 0xe7 XOR operation to fall on different bytes of the target data. If PCAP is collected, all observed communications between this RAT and its remote C2 may be decrypted by following this simple algorithm.
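The following is an added decoding example for traffic captured from this RAT; it is not code from the report or from the malware. It implements the two-step XOR described above (every byte XOR 0x10, then every other byte XOR 0xe7) as a symmetric transform and handles the caveat the caption raises: because the implant prepends a random-length block, a defender looking at a whole packet does not know which byte positions (even or odd offsets) received the 0xe7 step, so the decoder tries both parities and picks the one that exposes the "hello" marker seen in Figures 3 and 4 or, for later messages without that marker, the one that yields the most printable text. The parity convention, the `hello` marker position and the two sample packets are assumptions constructed for the example.

```python
"""Decoder for the C2 XOR scheme described in Figure 1 of MAR-10382580-1.v1.

Added example (not CISA's or the malware's code). Assumptions: the 0xe7 step
lands on alternating byte offsets counted from the start of the packet, and
the first outbound message contains the ASCII marker "hello".
"""

HELLO_MARKER = b"hello"


def xor_transform(data: bytes, parity: int = 0) -> bytes:
    """XOR every byte with 0x10, then XOR bytes at offsets with the given
    parity (0 = even offsets, 1 = odd offsets) with 0xe7. XOR is its own
    inverse, so the same call both encodes and decodes."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b ^= 0x10
        if i % 2 == parity:
            b ^= 0xE7
        out[i] = b
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def decode_c2_payload(blob: bytes, marker: bytes = HELLO_MARKER):
    """Return (parity, marker_offset, plaintext) for a captured packet.

    Both parities are tried because the random-length prefix shifts which
    bytes of the real data received the 0xe7 step. If the marker is found,
    its offset is returned (everything before it is the random prefix);
    otherwise the parity producing the most printable output wins and the
    offset is -1."""
    candidates = []
    for parity in (0, 1):
        pt = xor_transform(blob, parity)
        idx = pt.find(marker)
        if idx != -1:
            return parity, idx, pt
        candidates.append((printable_ratio(pt), parity, pt))
    ratio, parity, pt = max(candidates, key=lambda c: c[0])
    return parity, -1, pt


# Constructed sample packets (not real captures). The first mimics the
# initial "hello" with a 3-byte random prefix and odd-offset 0xe7 parity;
# the second mimics a later system-information message without the marker.
SAMPLE_PREFIX = bytes([0x5A, 0x13, 0x99])
SAMPLE_HELLO = b"hello|WORKSTATION-01|user"
SAMPLE_HELLO_BLOB = xor_transform(SAMPLE_PREFIX + SAMPLE_HELLO, parity=1)

SAMPLE_SYSINFO = b"WORKSTATION-01\x00user\x0010.0.0.5\x00Windows 10"
SAMPLE_SYSINFO_BLOB = xor_transform(bytes([0x7C]) + SAMPLE_SYSINFO, parity=0)


if __name__ == "__main__":
    for name, blob in (("hello", SAMPLE_HELLO_BLOB), ("sysinfo", SAMPLE_SYSINFO_BLOB)):
        parity, off, pt = decode_c2_payload(blob)
        print(f"{name}: parity={parity} marker_offset={off} plaintext={pt!r}")
```

In practice the `blob` would be the reassembled TCP payload of one message from the PCAP; the random prefix is left in the returned plaintext so that its length can be recorded, since it is part of the implant's evasion behaviour.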

Figure 2 - This screenshot illustrates the malware sending a great deal of target system information outbound. As illustrated, this system information contains the computer name, user name, MAC address, IP address, operating system version, processor version, and all currently running processes. The malware responds with this data when the C2 simply echoes back the outbound (encrypted) data illustrated in Figure 3 and Figure 4. Effectively, the malware says hello, and if the same hello is returned as the response it provides a great deal of information about the compromised system. As further illustrated, the outbound data is encrypted with the algorithm displayed in Figure 1.

Figure 3 - This screenshot illustrates the malware forming a block of data the implant will send to its remote C2 during its initial connection attempts. Note the phrase "hello" inside this initial block of data. Also, note the apparent random data prepended to the outbound "hello".

Figure 4 - This screenshot illustrates the malware forming a block of data the implant will send to its remote C2 during its initial connection attempts. Note the phrase "hello" inside this initial block of data. Also note the apparently random data prepended to the outbound "hello". The purpose of this screenshot is to illustrate how the malware prepends a random block of data of random size to the outbound data in an effort to make the entire packet more difficult to signature.

Figure 5 - This screenshot illustrates the malware attempting to read a file named %Temp%\IDPE988.tmp. This file was not available for analysis; therefore, its contents are unknown.