Once a machine is infected, the attacker gains unauthorized remote access to it. Through a point-and-click interface the attacker can read the credentials stored on the device, log the victim's keystrokes, watch the webcam, and so on. The trojan that makes this possible is called a RAT (Remote Access Trojan, also expanded as Remote Access Tool). There are many RATs in circulation, for example AlienSpy, DarkComet, njRAT, Remcos, Back Orifice and CrossRAT, and cracked builds of many of them are available on the internet. In this post we extract the configuration of one of these trojans, njRAT.
What is the njRAT?
njRAT (also known as Bladabindi) was first seen in 2013. It was written by a group calling itself Sparclyheason and has often been used against targets in Middle Eastern countries.
More details on older njRAT campaigns are available on Wikipedia.
Today njRAT is frequently embedded in cracked hacking tools offered for download, which lets its operators target other hackers and broaden their reach. As you may know, compromised WordPress sites have also been used as command-and-control servers, so the roles get a bit reversed: njRAT threat actors abuse vulnerable WordPress installations and plant malicious files on forums and websites to bait other hackers.
Cracked versions found on the internet will most probably infect your computer or your VM. The capabilities of njRAT include:
- Remote into the victim’s desktop or active window
- Remotely execute a file from disk or URL
- Manipulate files
- Open a remote shell, allowing the attacker to use the command line
- Manipulate the system registry
- Record the computer’s camera and microphone
- Log keystrokes
- Steal passwords stored in browsers or in other applications
There are many versions of njRAT. First we analyse samples of each version. Then, using the cracked builders we have, we generate our own trojans and complete the analysis with them: searching memory for configuration values we entered ourselves makes locating the configuration much easier. We take a memory dump of each version and determine where the configuration lives. Let's start.
Part One: Memory Dump
As in our previous write-up on GuLoader, we compare the memory dumps of each valid sample with one another and look for patterns from which the configuration can be extracted. First we look at the memory dumps of the samples we built ourselves.
Here is the builder of njRAT v0.7d Golden Edition. From memory we can extract the following configuration values:
- C2 server and port
- Executable Name
- Victim Name
- Startup Process Name
- Registry Startup Key Name
- Dropped exe location
- State of the Sleep, BSOD, Scheduled Task and Hide Server options
We enter distinctive strings into the configuration fields and then check the memory dump of this variant.
The same pattern (Figure 2) worked for all njRAT 0.7 Golden Edition variants. Having located the configuration area, we next try to capture a pattern that is also valid for samples of other versions. It did not work for the older versions, because their configuration lives in a differently laid-out memory region than in 0.7d Golden Edition. So we looked at older versions of njRAT, namely 0.7d, 0.3.5, 0.3.6, 0.4.1a, 0.5.0E and 0.6.4, and captured memory dumps of their samples. Our pattern key for the old versions is shown in Figure 3.
The string "WRK.main" is our pattern for dumping the configuration of older versions. We checked the pattern against all dumps and found no false positives. The hardest part is parsing the configuration: we want to pull out each configuration field and print it on the screen. Time to start coding.
Part Two: Writing the Extractor
As Figure 2 and Figure 3 show, the configurations are laid out differently, so we write two separate extraction scripts, one for the Golden Edition and one for the older versions. Let's get started.
Here we search for the bytes of our pattern, "WRK.m", and copy the whole configuration with a while loop. This is not the only way to do it: you can call find() directly, and regular expressions are even more flexible.
Here is the configuration. On the second line we can see the victim name, base64-encoded.
The version is on the third line, followed by the executable name, then the drop path, then the registry key value. After the registry key value come the C2 server, the port, the network separator, the install flag and the registry key location.
The variable-length garbage bytes between the fields made them hard to strip. I decided to replace every garbage byte with a special character.
As the code shows, instead of skipping the garbage bytes while making the config readable, I substitute a special character for them, which makes splitting easier and the raw data simpler to parse. We used Python's re library to compile the pattern and match the data. More technical detail on the code is in Part 1.
In Figure 6 we check the version so that the correct code path runs. Exception handling is very important when splitting configurations: test many samples and watch for problems in the split. That way we end up with code that splits configurations reliably. Instead of splitting the data and printing it straight to the screen, you can also collect it in an array and print that.
Here you can see an exception added because of a character problem while splitting. Now it is time to write the extractor for version 0.7d Golden Edition, which is the trickier one. For this version I had to write separate functions to extract the configuration, because each pattern I could capture across different samples sat next to only one piece of data.
We detected our Golden Edition pattern in Figure 2, but it is not enough to extract the whole configuration: with this pattern alone we get only the exe name, the exe location, the victim name and the startup process name. We also need the C2, the port, the registry key and so on. I then found dedicated patterns for the C2, the port and the registry key; they are shown here.
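To make both approaches concrete, here is a small Python extractor. It is an added example, not the post's own script and not taken from the figures. It implements the legacy layout described above (the "WRK.main" marker, then the fields in the order given, with junk bytes of varying length between them): junk runs are collapsed into a single separator byte and the result is split, the victim name is base64-decoded, and a field-count check stands in for the exception handling discussed for the split. It also includes a field_after() helper for the one-value-per-anchor lookup used for the Golden Edition; the Golden Edition anchors themselves are only in the post's figures and are not reproduced, so the helper is exercised on the constructed dump. SAMPLE_DUMP is a hand-built byte string, not a real sample, and the 512-byte window, the separator byte and the field names are assumptions.

```python
import base64
import re
from typing import Optional

# Field order after the "WRK.main" marker for the pre-Golden njRAT builds,
# as described in this post. The names are ours (assumption).
LEGACY_FIELDS = [
    "victim_name_b64", "version", "exe_name", "drop_path", "reg_key_value",
    "c2_host", "port", "net_separator", "install_flag", "reg_key_location",
]
LEGACY_MARKER = b"WRK.main"
WINDOW = 512           # bytes to copy after the marker (assumption)
SEP = b"\x01"          # stand-in for every run of junk bytes

# Anything outside printable ASCII is treated as junk between fields.
_GARBAGE = re.compile(rb"[^\x20-\x7e]+")

# Constructed "memory dump" for this example: marker, then the ten fields
# with junk of varying length between them. Not a real sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + LEGACY_MARKER + b"\x00\x01\x00\x00"
    + base64.b64encode(b"HacKed") + b"\x00\x07\x00"            # victim name
    + b"0.6.4" + b"\x00\x00\x1c\x00\x00"                       # version
    + b"server.exe" + b"\x00\x00\x09"                          # exe name
    + b"TEMP" + b"\x00\x00\x00\x00\x00"                        # drop path
    + b"5cd8f17f4086744065eb0992a09e05a2" + b"\x00\x03\x00\x00"  # reg key value
    + b"192.0.2.10" + b"\x00\x0b\x00"                          # C2 host
    + b"5552" + b"\x00\x00\x00\x00"                            # port
    + b"|'|'|" + b"\x00\x04\x00\x00"                           # network separator
    + b"True" + b"\x00\x00\x1f\x00"                            # install flag
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"     # reg key location
    + b"\x00\x00" + b"\xcc" * 32
)


def normalise(blob: bytes) -> list[bytes]:
    """Collapse each junk run into one separator byte, then split on it."""
    return [f for f in _GARBAGE.sub(SEP, blob).split(SEP) if f]


def field_after(dump: bytes, anchor: bytes) -> Optional[bytes]:
    """One value per anchor: the first printable run after `anchor`.
    This is the per-field approach the post uses for the Golden Edition."""
    idx = dump.find(anchor)
    if idx == -1:
        return None
    start = idx + len(anchor)
    fields = normalise(dump[start:start + 128])
    return fields[0] if fields else None


def extract_legacy(dump: bytes) -> Optional[dict]:
    """Parse the WRK.main layout; returns None when the marker is absent."""
    idx = dump.find(LEGACY_MARKER)
    if idx == -1:
        return None
    fields = normalise(dump[idx + len(LEGACY_MARKER): idx + WINDOW])
    if len(fields) < len(LEGACY_FIELDS):
        # A junk byte that happens to be printable, or a truncated dump,
        # shifts the split; fail loudly rather than mislabel fields.
        raise ValueError(
            f"expected {len(LEGACY_FIELDS)} fields, got {len(fields)}")
    cfg = {name: raw.decode("ascii", "replace")
           for name, raw in zip(LEGACY_FIELDS, fields)}
    try:
        cfg["victim_name"] = base64.b64decode(
            cfg["victim_name_b64"], validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        cfg["victim_name"] = None
    return cfg


def parse_config(dump: bytes) -> Optional[dict]:
    """Version dispatch: legacy layout if the marker is present; otherwise
    the caller falls back to per-anchor lookups (Golden Edition)."""
    if LEGACY_MARKER in dump:
        return extract_legacy(dump)
    return None


if __name__ == "__main__":
    for key, value in (parse_config(SAMPLE_DUMP) or {}).items():
        print(f"{key:18} {value}")
    print("field after version:", field_after(SAMPLE_DUMP, b"0.6.4"))
```

Run against a real dump, the printable-ASCII heuristic is the weak spot: a junk byte in the 0x20-0x7e range merges two fields or adds a spurious one, which is exactly the kind of splitting problem the post guards against with exception handling, so keep the field-count check and inspect any sample that trips it.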
Finally we can extract configurations correctly.
You will have to keep developing new techniques to extract configurations from the samples you encounter.