[With high profile threats like Regin, mistakes are incredibly rare. However, when it comes to humans](http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/)

writing code, some mistakes are inevitable. Among the most interesting things we observed in the Regin

malware operation were the forgotten codenames for some of its modules.

These are:

Hopscotch

Legspin

Willischeck

U_STARBUCKS

We decided to analyze two of these modules in more detail - Hopscotch and Legspin.

Despite the overall sophistication (and sometimes even over-engineering) of the Regin platform, these

tools are simple, straightforward and provide interactive console interfaces for Regin operators. What

makes them interesting is the fact they were developed many years ago and could even have been created

before the Regin platform itself.

## The Hopscotch module

MD5 6c34031d7a5fc2b091b623981a8ae61c

Size 36864 bytes

Type Win32 EXE

Compiled 2006.03.22 19:09:29 (GMT)

This module has another binary inside, stored as resource 103:

MD5 42eaf2ab25c9ead201f25ecbdc96fb60

Size 18432 bytes

Type Win32 EXE

Compiled 2006.03.22 19:09:29 (GMT)

This executable module was designed as a standalone interactive tool for lateral movement. It does not

contain any exploits but instead relies on previously acquired credentials to authenticate itself at the

remote machine using standard APIs.

The module receives the name of the target machine and an optional remote file name from the standard

input (operator). The attackers can choose from several options at the time of execution and the tool

provides human-readable responses and suggestions for possible input.

|MD5|6c34031d7a5fc2b091b623981a8ae61c|
|---|---|
|Size|36864 bytes|
|Type|Win32 EXE|
|Compiled|2006.03.22 19:09:29 (GMT)|

|MD5|42eaf2ab25c9ead201f25ecbdc96fb60|
|---|---|
|Size|18432 bytes|
|Type|Win32 EXE|
|Compiled|2006.03.22 19:09:29 (GMT)|


-----

Authentication Mechanism (SU or NETUSE) [S]/N:

Continue? [n]:

A File of the same name was already present on Remote Machine - Not deleting...

The module can use two routines to authenticate itself at the target machine: either connecting to the

standard share named "IPC$" (method called "NET USE") or logging on as a local user ("SU", or "switch

user") who has enough rights to proceed with further actions.

It then extracts a payload executable from its resources and writes it to a location on the target machine.

The default location for the payload is: \\%target%\ADMIN$\SYSTEM32\SVCSTAT.EXE. Once

successful, it connects to the remote machine's service manager and creates a new service called "Service

Control Manager" to launch the payload. The service is immediately started and then stopped and deleted

after one second of execution.

The module establishes a two-way encrypted communication channel with the remote payload

**SVCSTAT.EXE using two named pipes. One pipe is used to forward input from the operator to the**

payload and the other writes data from the payload to the standard output. Data is encrypted using the

RC4 algorithm and the initial key exchange is protected using asymmetric encryption.

**\\%target%\pipe\{66fbe87a-4372-1f51-101d-1aaf0043127a}**

**\\%target%\pipe\{44fdg23a-1522-6f9e-d05d-1aaf0176138a}**

Once completed, the tool deletes the remote file and closes the authenticated sessions, effectively

removing all the traces of the operation.

The SVCSTAT.EXE payload module launches its copy in the process dllhost.exe and then prepares the

corresponding named pipes on the target machine and waits for incoming data. Once the original module

connects to the pipe, it sets up the encryption of the pipe communication and waits for the incoming

shellcode.

The executable is injected in a new process of dllhost.exe or svchost.exe and executed, with its input and

output handles redirected to the remote plugin that initiated the attack. This allows the operator to control

the injected module and interact with it.

## The Legspin module

MD5 29105f46e4d33f66fee346cfd099d1cc

Size 67584 bytes

T Wi EXE

|MD5|29105f46e4d33f66fee346cfd099d1cc|
|---|---|
|Size|67584 bytes|


-----

This module was also developed as a standalone command line utility for computer administration. When

run remotely it becomes a powerful backdoor. It is worth noting that the program has full console support

and features colored output when run locally. It can even distinguish between consoles that support

Windows Console API and TTY-compatible terminals that accept escape codes for coloring.

**_"Legspin" output in a standard console window with color highlighting_**

In addition to the compilation timestamp found in the PE headers, there are two references that point to

2003 as its true year of compilation. The program prints out two version labels:

2002-09-A, referenced as "lib version"

2003-03-A

In addition the program uses legacy API functions, like "NetBIOS" that was introduced in Windows 2000

and deprecated in Windows Vista.

Once started and initialized, it provides the operator with an interactive command prompt, waiting for

incoming commands. The list of available commands is pretty large and allows the operators to perform

many administrative actions. Some of the commands require additional information that is requested

from the operator, and the commands provide a text description of the available parameters. The program

is actually an administrative shell that is intended to be operated manually by the attacker/user.

**Command** **Description**

d Ch t ki di t

|Command|Description|
|---|---|


-----

|dir ls dirl dirs|List files and directories|
|---|---|
|tar|Find files matching a given mask and time range, and write their contents to a XOR-encrypted archive|
|tree|Print out a directory tree using pseudographics|
|trash|Read and print out the contents of the Windows "Recycle Bin" directory|
|get|Retrieve an arbitrary file from the target machine, LZO compressed|
|put|Upload an arbitrary file to the target machine, LZO compressed|
|del|Delete a file|
|ren mv copy cp|Copy or move a file to a new location|
|gtm|Get file creation, access, write timestamps and remember the values|
|stm|Set file creation, access, write timestamps to the previously retrieved values|
|mtm|Modify the previously retrieved file timestamps|
|scan strings|Find and print out all readable strings from a given file|
|more|Print out the contents of an arbitrary file|
|access|Retrieve and print out DACL entries of files or directories|
|audit|Retrieve and print out SACL entries of files or directories|
|finfo|Retrieve and print out version information from a given file|


cs Dump the first 10,000 bytes from an arbitrary file or from several system files:

advapi32.dll


-----

ntdll.dll
ntoskrnl.exe
win32k.sys
cmd.exe
ping.exe
ipconfig.exe
tracert.exe
netstat.exe
net.exe
user32.dll
gdi32.dll
shell32.dll

lnk Search for LNK files, parse and print their contents

info Print out general system information:

CPU type
memory status
computer name
Windows and Internet Explorer version numbers
Windows installation path
Codepage

dl Print information about the disks:

Type
Free/used space
List of partitions, their filesystem types

ps List all running processes

logdump Unfinished, only displays the parameter description

reglist Dump registry information for a local or remote hive

windows Enumerate all available desktops and all open windows

view List all visible servers in a domain

domains List the domain controllers in the network

shares List all visible network shares

regs Print additional system information from the registry:

IE version
Outlook Express version
Logon default user name
System installation date
BIOS date
CPU frequency
System root directory

ips List network adapter information:

DHCP/static IP address
Default gateway's address

|Col1|netstat.exe net.exe user32.dll gdi32.dll shell32.dll|
|---|---|
|lnk|Search for LNK files, parse and print their contents|
|info|Print out general system information: CPU type memory status computer name Windows and Internet Explorer version numbers Windows installation path Codepage|
|dl|Print information about the disks: Type Free/used space List of partitions, their filesystem types|
|ps|List all running processes|
|logdump|Unfinished, only displays the parameter description|
|reglist|Dump registry information for a local or remote hive|
|windows|Enumerate all available desktops and all open windows|
|view|List all visible servers in a domain|
|domains|List the domain controllers in the network|
|shares|List all visible network shares|
|regs|Print additional system information from the registry: IE version Outlook Express version Logon default user name System installation date BIOS date CPU frequency System root directory|


-----

|who|List the names of current users and the domains accessed by the machine|
|---|---|
|net nbtstat tracert ipconfig netstat ping|Run the corresponding system utility and print the results|
|tel|Connect to a given TCP port of a host, send a string provided by the operator, print out the response|
|dns arps|Resolve a host using DNS or ARP requests|
|users|List information about all user accounts|
|admins|List information about user accounts with administrative privileges|
|groups|List information about user groups|
|trusts|List information about interdomain trust user accounts|
|packages|Print the names of installed software packages|
|sharepw|Run a brute-force login attack trying to obtain the password of a remote share|
|sharelist|Connect to a remote share|
|srvinfo|Retrieve current configuration information for the specified server|
|netuse|Connect, disconnect or list network shares|
|netshare|Create or remove network shares on the current machine|
|nbstat|List NetBIOS LAN adapter information|
|run|Create a process and redirect its output to the operator|
|system|Run an arbitrary command using WinExec API|
|exit|Exit the program|
|set|Set various internal variables used in other shell commands|
|su|Log on as a different user|
|kill|Terminate a process by its PID|
|kpinst|Modify the registry value: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] System This value should normally point to "lsass.exe".|
|svc drv|Create, modify or remove a system service|
|help ?|Print the list of supported commands|


The Legspin module we recovered doesn't have a built-in C&C mechanism. Instead, it relies on the Regin

platform to redirect the console input/output to/from the operators.

## Conclusions

Unlike most other Regin modules, Legspin and Hopscotch appear to be stand-alone tools developed much


-----

that not all Regin deployments contain the Legspin module; in most cases, the attackers manage their

victims through other Regin platform functions.

This means that Legspin could have been used independently from the Regin platform, as a simple

backdoor together with an input/output wrapper.

Although more details about Regin are becoming available, there is still a lot that remains unknown. One

thing is already clear – what we know about Regin is probably already retired information that has been

replaced by new modules and techniques as time passes.


-----