# Reversing Bandios/Colony Malware

secrary.com/ReversingMalware/Colony_Bandios/

[cd ../reverse_engineering_malware](https://secrary.com/ReversingMalware) · 7 minutes read

SHA256: [59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834](https://www.virustotal.com/#/file/59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834)

[I found the sample on the ANY.RUN sandbox.](https://app.any.run/tasks/1aff9ff2-0b76-45b4-9e3d-b51796b637ad)

On the ANY.RUN sandbox we see that it spawns a child process with the `-install` argument, and the child process creates several files under `%SYSTEM_DIRECTORY%`.

If we run the same executable on [hybrid-analysis](https://www.hybrid-analysis.com/sample/59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834?environmentId=100) we get almost nothing: it executes recursively and never ends.

Let's dive in deep and see what happens.

> NOTE: I've renamed functions after analysis.

After getting the necessary privileges it checks whether the `-install` argument is present. If not, it executes `copy_tmp_with_install_arg` and `collect_encrypt_send`; otherwise it follows the `-install` path described below.

Inside `copy_tmp_with_install_arg` it copies itself to the `%TEMP%` directory and executes the copy with the `-install` argument.

A very interesting fact is that there are two ways to execute an application using the `CreateProcess` function: `CreateProcess(exePath, nullptr, ...);` and `CreateProcess(nullptr, exePath, ...);`. If we run the program via the first method we get a command line string with quotation marks, otherwise we get one without them.

The sample calls the second variant, and at the beginning of the process it checks the arguments without quotation marks. In a normal environment this works as expected, but not on the hybrid-analysis sandbox.

Most likely, hybrid-analysis hooks `CreateProcess` at some level and, after checking the parameters, changes something and passes the arguments to lower functions, so in the end we get a different command line string, which causes infinite recursion in the case of this sample. We can use this simple technique to bypass the hybrid-analysis sandbox (any.run is immune).

That's the reason why hybrid-analysis fails. Let's get back to our analysis.

> UPDATE 17.04.2018: The bypass on hybrid-analysis is fixed now.

After executing the child process with the `-install` parameter, it calls the `collect_encrypt_send` function and starts collecting information about the system:

Windows version.

Installed browser:

> NOTE: A clean version of Windows 10 contains the `HKEY_CURRENT_USER\Software\Google\Chrome` key even if Chrome is not installed, so this method is not reliable.

Installed AV, by checking the `HKEY_LOCAL_MACHINE\SOFTWARE\%AV_NAME%` key.

MAC address of the adapter and system language.

It passes the collected information to the `machine_info_AES_base64` function, which encrypts the content with AES and encodes it with base64.

Inside `machine_info_AES_base64` it calls `CoCreateGuid` to generate 8 bytes of random data and appends another 8 bytes, the hardcoded value `1Q2a3k79`. The sample uses the MD5 functions from `advapi32.dll` to calculate the MD5 hash of the above-mentioned 16-byte string (`8_rand_bytes_8_hard_coded`).

After that, it uses the hash as the key to encrypt the system information with the AES algorithm and encodes the encrypted content via base64.

> NOTE: The IDAScope plugin for IDA Pro is very useful to detect which cryptography algorithms are used in a sample.

It sends the encrypted and encoded data to `iostream.system.band/dump/io/time.php`.

The first 8 bytes are generated by the `CoCreateGuid` call. There is simple code to decrypt the traffic content:

After sending the system information, the parent process dies, but the child process continues execution with the `-install` argument, and in this case it executes the `iaStorE_and_files` function.

After calling the `GetNativeSystemInfo` function, it extracts 32-bit or 64-bit executables based on the `SYSTEM_INFO.dwOemId` field.

After checking the system architecture it calls `write_spoolsr_and_MSdat`, and there it decrypts a PE from `byte_443870` (in the case of a 64-bit system) using `0xDD` as the key, generates `0x40` random bytes and appends them to the decrypted file. It saves the decrypted file as `%SYS_DIR%\spoolsr.exe` and the encrypted file as `%SYS_DIR%\MS.dat`.

Similarly, `KeyHook_usp20_n_dats` extracts, decrypts and creates the following files: `KeyHook64.dll`, `KH.dat`, `usp20.dll` and `UP.dat`.

`KeyHook64.dll` is decrypted `KH.dat`, `spoolsr.exe` is decrypted `MS.dat` and `usp20.dll` is decrypted `UP.dat`.

After that, it extracts data from the resources of the sample (resource `0x110` in the case of a 64-bit system and `0x108` otherwise); it looks like encrypted or compressed data.

It calls `decompress_` with the extracted data and its length; IDAscope tells us that the function uses ZLIB-related constants. The result seems to be a driver, saved under `C:\Windows\System32\drivers` as `iaStorE.sys`.

On a 64-bit system it installs the driver as a crash dump filter by simply adding the driver name to the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFilters`; on the next reboot, crashdmp.sys will load the filter driver into the dump stack. For more information about Dump Filter Drivers, click [here](https://crashdmp.wordpress.com/components/dump-filter-drivers/).

On a 32-bit system it installs the driver by creating a service called `iaStorE`.

After extracting the files and installing the driver, the sample exits.
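As an added example (my own analyst tooling, not code from the original post or from the malware), here is a small Python decoder for the dropped artifacts described above: it reverses the single-byte `0xDD` XOR on the `.dat` companion files, strips the `0x40` random bytes the dropper appends to the written copy, and zlib-inflates the driver resource. The key, the tail length and the use of zlib come from the write-up; the PE-header sanity check and the constructed test blob are assumptions I added, and the XOR key for the `KH.dat`/`UP.dat` pairs is assumed to be the same `0xDD` named for `MS.dat`.

```python
"""Recover the Bandios/Colony dropper's companion payloads from their on-disk
encrypted forms (example tool written for this write-up, not the author's code).

Assumptions (taken from the write-up, not independently verified here):
  * MS.dat / KH.dat / UP.dat hold the dropped PE files XORed with the single
    byte 0xDD; the decrypted copy gets 0x40 random bytes appended before it is
    written as spoolsr.exe / KeyHook64.dll / usp20.dll.
  * The driver resource is zlib-compressed and inflates to iaStorE.sys.
"""
import os
import struct
import zlib

XOR_KEY = 0xDD       # single-byte key named in the write-up
RANDOM_TAIL = 0x40   # random bytes the dropper appends to the decrypted PE


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ header, e_lfanew in range, 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_single_byte(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with one key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_dat(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Turn an MS.dat / KH.dat / UP.dat blob back into the PE it hides."""
    pe = xor_single_byte(blob, key)
    if not looks_like_pe(pe):
        raise ValueError("XOR output is not a PE image: wrong key or wrong file")
    return pe


def strip_random_tail(dropped_pe: bytes, tail: int = RANDOM_TAIL) -> bytes:
    """Remove the 0x40 random bytes appended to the dropped copy, so the hash
    of the written file matches the embedded original again (handy when
    correlating spoolsr.exe samples across machines)."""
    return dropped_pe[:-tail]


def inflate_driver(resource: bytes) -> bytes:
    """zlib-inflate the resource blob that becomes iaStorE.sys."""
    driver = zlib.decompress(resource)
    if not looks_like_pe(driver):
        raise ValueError("inflated resource is not a PE image")
    return driver


def build_fake_pe(payload: bytes = b"") -> bytes:
    """Constructed minimal PE-shaped blob for offline testing (not real malware)."""
    e_lfanew = 0x40
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + b"PE\0\0" + payload


if __name__ == "__main__":
    original = build_fake_pe(b"constructed sample body")
    encrypted = xor_single_byte(original)          # what MS.dat would contain
    dropped = original + os.urandom(RANDOM_TAIL)   # what spoolsr.exe would contain
    print("decoded from .dat :", decode_dat(encrypted) == original)
    print("tail stripped      :", strip_random_tail(dropped) == original)
    print("driver inflated    :", inflate_driver(zlib.compress(original)) == original)
```

On a real case, feed `decode_dat` the bytes of `MS.dat` pulled from `%SYS_DIR%` and compare its hash with `strip_random_tail` applied to `spoolsr.exe` from the same host; because the dropper appends fresh random bytes on every install, hashing the written file directly will never match across victims, while the stripped copy will.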
All files are signed, including the drivers. The certificates have been revoked by their issuer, but that's not a problem for Windows.

Thank you for your time. Discuss on [Reddit](https://www.reddit.com/r/ReverseEngineering/comments/8cfjum/reversing_bandioscolony_malware_part_1/).