Monday, April 15, 2019

Analysis of .Net Deucalion IrcBot Sample Obfuscated with ConfuserEx+KoiVM

In this post I perform a quick analysis of a sample that seems to be an ircbot, named alphaircbot (based on the tags) or deucalion (based on the internal .NET class names and deobfuscated strings). The malware family itself doesn't seem especially interesting; however, it is obfuscated with the ConfuserEx obfuscator + KoiVM virtualization.

It was quite hard for me to deal with the obfuscated code and to debug it with dnSpy or similar tools to get the original assembly. I decided to use Windbg's sos extension to walk the loaded assemblies and to find the dynamic assemblies belonging to the original malware code. With this extension it is possible to enumerate the method tables for each assembly and the stacks for each thread that is executing managed code, which makes it easy to find jit generated code that belongs to the malware code (and interesting malware data referenced by the jit generated code).

  • Original Packed Sample: 40e751c032c75d33c807219b2de6c584
  • Source Url: hxxp://54.38.22[.]53/spike/svchost.exe
  • Info Url: URLhaus
  • Automatic Generated Report: PepperMalware Report
  • Virustotal First Submission: 2018-06-10 16:37:46
  • Other AlphaIrcbot samples at Any.Run: 

  • asdjdsffdgnms.exe (2018-08-19 10:25:54)
  • KFDJfd.exe (2018-11-16 00:26:10)
  • jjunpkvyalquru.exe (2018-09-01 21:40:15) 

  • Any.Run Tags: alphaircbot
  • Related links:


  • Analysis

    • 1. Obfuscated loader
      • 1.1. ConfuserEx 1.0.0 + KoiVM
        • 1.1.1. Obfuscated code
        • 1.1.2. Dumping module from memory
        • 1.1.3. Reaching dynamic assemblies' code in memory with Windbg
          • List assemblies
          • List method tables
          • Enum threads, display threads' stacks and malware jit generated code
          • Following jit generated code's references to deobfuscated malware data
    • 2. Deucalion / AlphaIrcbot
      • 2.1. IoCs
      • 2.2. Unpacked strings
      • 2.3. Malware characteristics
        • 2.3.1. Irc server, channel and communications
        • 2.3.2. Reversing tools detection
      • 2.4. Yara rule

    1. Obfuscated loader

    1.1. ConfuserEx 1.0.0 + KoiVM

    ConfuserEx is an obfuscator for .NET applications with the following characteristics: Symbol renaming, WPF/BAML renaming, Control flow obfuscation, Method reference hiding, Anti debuggers/profilers, Anti memory dumping, Anti tampering (method encryption), Embedding dependency, Constant encryption, Resource encryption, Compressing output, Extensible plugin API.

    KoiVM is a virtual machine made to work with ConfuserEx that turns the .NET opcodes into new ones that are understood only by the KoiVM machine. KoiVM can virtualize every single method (including the protections from ConfuserEx), or only the methods that the user selects.

    1.1.1. Obfuscated code

    From my point of view, the analyzed sample is obfuscated with ConfuserEx and additionally, the full code (including protections from ConfuserEx) is virtualized with KoiVM. When I tried to decompile the sample's code with dnSpy, the decompiled code didn't fit the code described in some articles about deobfuscating ConfuserEx.

    After applying de4dot, the Deucalion method becomes a bit clearer; however, the sub-methods still cannot be deobfuscated:

    1.1.2. Dumping module from memory

    Trying to debug / deobfuscate the obfuscator layer was crazy: most of the time the code could not be decompiled, dnSpy crashed, etc. Tools such as DeconfuserEx didn't work for this sample, probably because of the KoiVM virtualization.

    We can try to dump the PE from memory with any debugger or tools like megadumper:

    However, the module in memory is almost identical to the original one on disk. This is because the original code is unpacked and loaded as a dynamic assembly. We can explore in-memory assemblies with ProcessExplorer:

    1.1.3. Reaching dynamic assemblies' code in memory with Windbg

    Windbg makes it easier to walk assemblies and parse .NET structures. It is necessary to load the sos debugging extension.

    List assemblies

    Now it is possible to use the command !DumpDomain to display the loaded assemblies (from Microsoft documentation: DumpDomain enumerates each Assembly object that is loaded within the specified AppDomain object address. When called with no parameters, the DumpDomain command lists all AppDomain objects in a process).

    The command shows domain info:

    And the list of assemblies:

    Among the list of assemblies we can find the assemblies that were loaded dynamically:

    List method tables

    Having an assembly, it is possible to get info about it and list the method tables.

    Method table:

    Display jit generated code for a method:

    Enum threads, display threads' stacks and malware jit generated code

    Enumerate threads:

    Callstack for a thread running managed code:

    Following jit generated code's references to deobfuscated malware data

    Walking the threads and exploring the stacks and the jit generated code, we can reach jit generated code belonging to the malware code. For example:

    Following the references to data from this code, we can find blocks of deobfuscated data used by the malware:

    In the previous capture, a pointer to a string used by the jit generated code is followed to the memory region where the data resides. The base of the region is obtained with the command !address, and the region is dumped to disk with .writemem. Now it is possible to use sysinternals' strings.exe to get the strings from the dumped data.
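
    The strings step above, as an added Python example (not part of the original post): it pulls printable ASCII and UTF-16LE runs out of a region saved with .writemem and labels the ones that exactly match the bot commands and tool names listed in sections 2.3.1 and 2.3.2. The sample bytes and the function names are constructed for illustration.

```python
import re
import sys

# Names taken from sections 2.3.1 and 2.3.2 of this post.
BOT_COMMANDS = {"HTTP", "DRAIN", "POST", "STOP", "UPDATE", "COOKIE", "LIST",
                "STATUS", "RNHTTP", "TCP", "UDP", "KILL", "SAY", "GEO"}
TOOL_NAMES = {"vboxservice", "wireshark", "fidderl", "charles", "cheat",
              "dnspy", "megadump", "olly", "hack", "de4dot", "tcpdump",
              "sniffer", "sandbox", "vmtool", "ida"}


def extract_strings(data, min_len=3):
    """Return sorted (offset, encoding, text) for ASCII and UTF-16LE runs."""
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in wide.finditer(data)]
    found += [(m.start(), "ascii", m.group().decode("ascii"))
              for m in narrow.finditer(data)]
    return sorted(found)


def triage(data):
    """Label strings that exactly match a known bot command or tool name."""
    hits = []
    for offset, _enc, text in extract_strings(data):
        if text in BOT_COMMANDS:
            hits.append((offset, "bot_command", text))
        elif text.lower() in TOOL_NAMES:
            hits.append((offset, "tool_check", text))
    return hits


def _w(s):
    return s.encode("utf-16le")  # .NET System.String data is UTF-16LE


# Constructed stand-in for a dumped region, not bytes from the real sample.
SAMPLE = (b"\x00\x01\x02" + _w("DRAIN") + b"\x00\x00\xff\xfe" + _w("wireshark")
          + b"\x00\x00\x10" + b"cmd.exe" + b"\x01\x00\x00" + _w("UDP") + b"\x00\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label, text in triage(blob):
        print(f"{offset:#010x}  {label:<12} {text}")
```

    Run it with the path of the file written by .writemem as the only argument; without an argument it processes the constructed sample.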

    2. Deucalion / Alpha Ircbot

    2.1. IoCs

    • schtasks.exe /create /sc minute /mo 1 /tn "Dec<computer user name>" /tr <sample path>
    • SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    •  -> irc server
    • #paradox  -> irc channel
    •  -> to get ip info
    • List of deobfuscated strings:
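
    One way to hunt for the scheduled-task IoC above in process-creation logs, as an added Python example (not code from the original post). The event records, field names and paths are constructed, and it assumes <computer user name> is the account name recorded with the event.

```python
import re

# Fixed argument order taken from the format string shown in this post:
#   /create /sc minute /mo 1 /tn "{0}" /tr "{1}"
TASK_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\s+/sc\s+minute\s+/mo\s+1\s+'
    r'/tn\s+"(?P<task>[^"]+)"\s+/tr\s+"?(?P<target>[^"]+)"?',
    re.IGNORECASE,
)


def check_event(event):
    """Return a finding dict for a process-creation event, or None."""
    m = TASK_RE.search(event["cmdline"])
    if not m or not m.group("task").startswith("Dec"):
        return None
    # Task name is "Dec" + user name; an exact match raises confidence.
    user_match = m.group("task")[3:].lower() == event["user"].lower()
    return {
        "host": event["host"],
        "task": m.group("task"),
        "target": m.group("target").strip(),
        "confidence": "high" if user_match else "low",
    }


# Constructed process-creation records (field names are hypothetical).
EVENTS = [
    {"host": "ws01", "user": "alice", "cmdline":
     r'schtasks.exe /create /sc minute /mo 1 /tn "Decalice" '
     r'/tr "C:\Users\alice\AppData\Roaming\svchost.exe"'},
    {"host": "ws02", "user": "bob", "cmdline":
     r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\tools\backup.cmd"'},
    {"host": "ws03", "user": "carol", "cmdline":
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
     r'/TN "DecemberReport" /TR C:\reports\run.exe'},
]


def scan(events):
    return [f for f in map(check_event, events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

    The third record shows why the user-name comparison matters: a one-minute task whose name merely starts with "Dec" is reported with low confidence instead of being treated as a match.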

    2.2. Unpacked strings

    This is the list of unpacked strings:

    2.3. Malware characteristics

    Taking a look at the deobfuscated strings we can guess some characteristics of the malware.

    2.3.1. Irc server, channel and communications

    Bots connect ( irc server. This is a capture of the irc channel. The user KiloAlpha sends commands for the bots:

    Here is the list of commands (extracted from deobfuscated strings) that the CnC can send to the bots:

    • HTTP
    • DRAIN
    • POST
    • STOP
    • UPDATE
    • COOKIE
    • LIST
    • STATUS
    • RNHTTP
    • TCP
    • UDP
    • KILL
    • SAY
    • GEO

    I would say the bot does not perform too many checks to verify the origin of the command. I have not tried, but I would bet it would be possible to inject commands to the bots.

    2.3.2. Reversing tools detection

    • vboxservice
    • wireshark
    • fidderl
    • charles
    • cheat
    • dnspy
    • megadump
    • olly
    • hack
    • de4dot
    • tcpdump
    • sniffer
    • sandbox
    • vmtool
    • ida
    • \dnSpy\dnSpy.xml
    • SELECT * FROM AntiVirusProduct

    2.4. Yara rule

    rule deucalion {
        strings:
            $s1="schtasks.exe" wide ascii
            $s2="/delete /tn \"{0}\" /F" wide ascii
            $s3="/create /sc minute /mo 1 /tn \"{0}\" /tr \"{1}\"" wide ascii
            $s4="cmd.exe" wide ascii
            $s5="/C ping -n 3 -w 3000 > Nul & Del \"{0}\"" wide ascii
            $s6="BOTKILLER" wide ascii
            $s7="HTTP" wide ascii
            $s8="DRAIN" wide ascii
            $s9="HTTPSTRONG" wide ascii
            $s10="HTTPNULL" wide ascii
            $s11="POST" wide ascii
            $s12="SMARTBYPASS" wide ascii
            $s13="HTTPBYPASS" wide ascii
            $s14="STOPALL" wide ascii
            $s15="STOP" wide ascii
            $s16="PAGEHTTP" wide ascii
            $s17="DOWNLOAD_EXECUTE" wide ascii
            $s18="UPDATE" wide ascii
            $s19="COOKIE" wide ascii
            $s20="HTTPKILL" wide ascii
            $s21="REFERER" wide ascii
            $s22="BLAZING" wide ascii
            $s23="BACKEND" wide ascii
            $s24="INFORMATION" wide ascii
            $s25="LIST" wide ascii
            $s26="STATUS" wide ascii
            $s27="RNHTTP" wide ascii
            $s28="GAMETCP" wide ascii
            $s29="GAMEUDP" wide ascii
            $s30="SPLITPERCENT" wide ascii
            $s31="SPLITCPU" wide ascii
            $s32="| CORES: {0} | RAM: {1} GB | FLOODS RUNNING: {2} | ANTI VIRUS: {3} | COUNTRY: {4} | DEUCALION: {5} IRC |" wide ascii
            $s33="config\\machine.config" wide ascii
        condition:
            // at least 29 of the 33 strings above must be present
            (29 of them)
    }
