Let's Learn: Lethic Spambot & Survey of Anti-Analysis Techniques

http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html

Goal: Reverse the latest Lethic spambot, shared by Brad from Malware Traffic Analysis, with a focus on its plethora of anti-analysis and anti-virtual-machine checks.

Source: Lethic original spambot (SHA256 e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe)

Background

While analyzing the Lethic spambot (thanks to @malware_traffic), I unpacked it and reviewed some of the bot internals. By and large, the spambot injects itself into explorer.exe through the usual WriteProcessMemory and CreateRemoteThread calls. The hardcoded callback IP of this Lethic sample is 93[.]190[.]139[.]16. Another distinctive feature of this Trojan is its persistence in C:\RECYCLER\* as "backwindow32.exe" together with the usual registry Run keys.

References:
- http://www.malware-traffic-analysis.net/2017/11/02/index.html
- https://www.virustotal.com/#/file/e324c63717a4c2011fde7d1af0d8dbe8ddb0897fe4e7f80f3147a7498e2166fe/detection
- https://twitter.com/malware_traffic/status/926235399500062721

Malware checks:

I. Wine check
II. Anti-analysis process check
III. Anti-analysis DLL check
IV. UserName check
V. Path string check
VI. Virtual Machine (VM) process check
VII. VM registry and VM CreateFile check
VIII. Anti-sleep bypass check
IX. Anti-debugger check

I. Wine check

The Lethic spambot checks for the presence of Wine on the victim machine by resolving the following Wine-specific exports from ntdll.dll and kernel32.dll via the GetProcAddress API:

- wine_get_version
- wine_get_unix_file_name

A.
wine_get_version

The pseudo-coded C++ function is as follows:

    #include <windows.h>

    /* Returns 1 if ntdll.dll exports wine_get_version, i.e. the sample is running under Wine. */
    signed int anti_wine_get_version()
    {
      HMODULE hModule;
      signed int v2;

      v2 = 0;
      hModule = GetModuleHandleA("ntdll.dll");
      if ( hModule && GetProcAddress(hModule, "wine_get_version") )
        v2 = 1;
      return v2;
    }

B. wine_get_unix_file_name

The pseudo-coded C++ function is as follows:

    #include <windows.h>

    /* Returns 1 if kernel32.dll exports wine_get_unix_file_name, another Wine-only export. */
    signed int wine_get_unix_file_name()
    {
      HMODULE hModule;
      signed int v2;

      v2 = 0;
      hModule = GetModuleHandleA("kernel32.dll");
      if ( hModule && GetProcAddress(hModule, "wine_get_unix_file_name") )
        v2 = 1;
      return v2;
    }

II. Anti-analysis process check

The Trojan checks for the following processes and suspends their threads if they are running on the host:

- regmon.exe
- filemon.exe
- procdump.exe
- procexp.exe
- wireshark.exe
- prcview.exe
- sysinspector.exe
- sniff_hit.exe
- proc_watch.exe
- apimonitor.exe
- tcpview.exe
- petools.exe
- vmtoolsd.exe
- autoruns.exe

The suspend thread function is as follows:

    #include <windows.h>
    #include <tlhelp32.h>

    /* Walks a system-wide thread snapshot and suspends every thread owned by process a1. */
    HANDLE __cdecl suspend_thread_function(int a1)
    {
      HANDLE result;
      HANDLE hThread;
      THREADENTRY32 te;
      HANDLE hSnapshot;

      te.dwSize = 0;
      te.cntUsage = 0;
      te.th32ThreadID = 0;
      te.th32OwnerProcessID = 0;
      te.tpBasePri = 0;
      te.tpDeltaPri = 0;
      te.dwFlags = 0;
      result = CreateToolhelp32Snapshot(4u, 0);   /* 4 = TH32CS_SNAPTHREAD: all threads on the system */
      hSnapshot = result;
      if ( result != (HANDLE)-1 )                 /* INVALID_HANDLE_VALUE */
      {
        te.dwSize = 28;                           /* sizeof(THREADENTRY32) */
        if ( Thread32First(hSnapshot, &te) )
        {
          do
          {
            if ( te.th32OwnerProcessID == a1 )
            {
              hThread = OpenThread(2u, 0, te.th32ThreadID);   /* 2 = THREAD_SUSPEND_RESUME */
              SuspendThread(hThread);
              CloseHandle(hThread);
            }
          }
          while ( Thread32Next(hSnapshot, &te) );
        }
        result = (HANDLE)CloseHandle(hSnapshot);
      }
      return result;
    }

III. Anti-analysis DLL check

The malware checks whether any of the following analysis-related DLLs are loaded. The full list of checked DLLs is:

- api_log.dll
- log_api32.dll
- dir_watch.dll
- pstorec.dll
- vmcheck.dll
- wpespy.dll
- snxhk.dll

IV. UserName check

The malware retrieves the host username via the GetUserName API, converts it to upper case, and compares it against the following list:

- MALTEST
- TEQUILABOOMBOOM
- SANDBOX
- VIRUS
- MALWARE

V. Path string check

The malware retrieves its own module path via the GetModuleFileName API, converts it to upper case, and checks it for the following substrings:

- SAMPLE
- MALWARE
- SANDBOX
- VIRUS

The malware also checks whether it is named "sample".

VI. Virtual Machine (VM) process check

Lethic checks for the presence of VM-related processes. The full list of checked processes is:

- vmusrvc.exe
- vmsrvc.exe
- xsvc_depriv.exe
- xenservice.exe

VII. VM registry keys check

The malware checks for registry artefacts associated with virtual machines. The following registry locations, and the values looked for in them, are checked:

A. HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier
- VMWARE
- QEMU

B.
HKLM\HARDWARE\Description\System\SystemBiosVersion
- VBOX
- QEMU

C. HKLM\HARDWARE\Description\System\VideoBiosVersion
- VIRTUALBOX
- BOCHS

D. HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions

E. The malware tries to open the file \\.\VBoxGuest via CreateFileW and checks whether it receives a valid handle.

The C++ pseudocode is as follows:

    #include <windows.h>

    /* Returns 1 if the VirtualBox guest device \\.\VBoxGuest can be opened. */
    signed int vm_createfile_check()
    {
      signed int v1;
      HANDLE hObject;

      v1 = 0;
      /* 1u = FILE_READ_DATA, 1u = FILE_SHARE_READ, 4u = OPEN_ALWAYS */
      hObject = CreateFileW(L"\\\\.\\VBoxGuest", 1u, 1u, 0, 4u, 0, 0);
      if ( hObject != (HANDLE)-1 )        /* INVALID_HANDLE_VALUE */
      {
        CloseHandle(hObject);
        v1 = 1;
      }
      return v1;
    }

VIII. Anti-sleep bypass check

The malware implements a timing check around the Sleep API that detects when an analyst or sandbox has patched or hooked Sleep to return immediately.

The routine is as follows:

    #include <windows.h>

    /* Returns 1 if Sleep(500) came back within 440 ms, i.e. Sleep was short-circuited. */
    signed int anti_sleep_hook_check()
    {
      DWORD v0;
      signed int v2;

      v2 = 1;
      v0 = GetTickCount();
      Sleep(500);
      if ( GetTickCount() - v0 <= 440 )
        Sleep(0);
      else
        v2 = 0;
      return v2;
    }

IX. Anti-debugger check

The malware calls the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs to check for an attached debugger.
The function in C++ is as follows:

    #include <windows.h>

    /* Returns 1 if a debugger is attached to the current process. */
    int anti_debugger_check()
    {
      BOOL pbDebuggerPresent;
      int v2;

      pbDebuggerPresent = 0;
      v2 = 0;
      /* (HANDLE)0xFFFFFFFF is the current-process pseudo-handle returned by GetCurrentProcess() */
      if ( IsDebuggerPresent()
        || (CheckRemoteDebuggerPresent((HANDLE)0xFFFFFFFF, &pbDebuggerPresent) && pbDebuggerPresent) )
        v2 = 1;
      return v2;
    }
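As an added example (not the author's or the malware's code), the following Python script turns the indicator lists from sections I through VII and IX into a static triage check: it extracts ASCII and UTF-16LE strings from a blob and reports which of Lethic's anti-analysis checks the blob carries strings for. The category names, the regular expressions and the sample blob are constructed for this demonstration; the blob is a stand-in for an unpacked sample's data section, not real Lethic bytes.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Indicator sets transcribed from the write-up above, keyed by the check they belong to.
INDICATORS: dict[str, set[str]] = {
    "wine_exports": {"wine_get_version", "wine_get_unix_file_name"},
    "analysis_processes": {
        "regmon.exe", "filemon.exe", "procdump.exe", "procexp.exe", "wireshark.exe",
        "prcview.exe", "sysinspector.exe", "sniff_hit.exe", "proc_watch.exe",
        "apimonitor.exe", "tcpview.exe", "petools.exe", "vmtoolsd.exe", "autoruns.exe",
    },
    "analysis_dlls": {
        "api_log.dll", "log_api32.dll", "dir_watch.dll", "pstorec.dll",
        "vmcheck.dll", "wpespy.dll", "snxhk.dll",
    },
    "usernames": {"MALTEST", "TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE"},
    "path_strings": {"SAMPLE", "MALWARE", "SANDBOX", "VIRUS"},
    "vm_processes": {"vmusrvc.exe", "vmsrvc.exe", "xsvc_depriv.exe", "xenservice.exe"},
    "vm_registry": {
        r"Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
        "SystemBiosVersion", "VideoBiosVersion",
        r"Oracle\VirtualBox Guest Additions",
        "VMWARE", "QEMU", "VBOX", "VIRTUALBOX", "BOCHS",
    },
    "vm_device": {r"\\.\VBoxGuest"},
    "debugger_apis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
}
# The malware upper-cases the username and module path before comparing, so
# these two categories are matched case-insensitively; all others as written.
CASE_FOLDED = {"usernames", "path_strings"}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> set[str]:
    """Printable ASCII and UTF-16LE strings of length >= 4, like `strings` plus `strings -e l`."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)}
    return found


def scan_for_lethic_checks(data: bytes) -> dict[str, set[str]]:
    """Map each check category to the indicators from that category found in data."""
    strings = extract_strings(data)
    upper = {s.upper() for s in strings}
    hits: dict[str, set[str]] = defaultdict(set)
    for category, needles in INDICATORS.items():
        pool = upper if category in CASE_FOLDED else strings
        for needle in needles:
            if any(needle in s for s in pool):
                hits[category].add(needle)
    return dict(hits)


# Constructed stand-in for an unpacked sample's data section; not real Lethic bytes.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"wine_get_version\x00ntdll.dll\x00"
    + b"procexp.exe\x00wireshark.exe\x00"
    + b"snxhk.dll\x00"
    + b"TEQUILABOOMBOOM\x00SANDBOX\x00\x00"
    + "\\\\.\\VBoxGuest".encode("utf-16le") + b"\x00\x00"   # wide string, as passed to CreateFileW
    + b"IsDebuggerPresent\x00"
    + b"unrelated text\x00"
)

if __name__ == "__main__":
    for category, found in sorted(scan_for_lethic_checks(SAMPLE_BLOB).items()):
        print(f"{category:20} {sorted(found)}")
```

Run it against the .data/.rdata contents of an unpacked sample instead of SAMPLE_BLOB. Short generic words such as VIRUS and SANDBOX will also match benign binaries, so the signal is the number of distinct categories hit together, not any single string; the combination of Wine exports, analysis-tool process names, VM registry paths and the VBoxGuest device name in one binary is what characterises this family of checks.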
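To show what the timing check in section VIII actually catches, here is an added Python model (not the malware's code and not any real sandbox's) that runs a port of the routine against a constructed fake host under three configurations: an unmodified clock, a sandbox that skips Sleep but leaves GetTickCount alone, and a sandbox that skips Sleep and advances the reported tick count by the skipped amount. FakeHost and its fields are assumptions made for this demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FakeHost:
    """Constructed stand-in for the Sleep/GetTickCount pair the sample sees.

    skip_sleep:    the sandbox patches Sleep to return immediately.
    virtual_clock: the sandbox also advances the tick count it reports by the
                   skipped duration, so the guest cannot tell time was skipped.
    """
    skip_sleep: bool
    virtual_clock: bool
    ticks: int = 1000  # arbitrary starting GetTickCount value

    def get_tick_count(self) -> int:
        return self.ticks

    def sleep(self, ms: int) -> None:
        if self.skip_sleep and not self.virtual_clock:
            return             # Sleep short-circuited, clock untouched
        self.ticks += ms       # real wait, or a consistently virtualized clock


def anti_sleep_hook_check(host: FakeHost) -> int:
    """Port of the routine in section VIII: 1 means Sleep(500) returned too early."""
    detected = 1
    start = host.get_tick_count()
    host.sleep(500)
    if host.get_tick_count() - start <= 440:
        host.sleep(0)
    else:
        detected = 0
    return detected


def evaluate_environments() -> dict[str, int]:
    """Run the check against three host configurations and return its verdicts."""
    return {
        "bare_metal": anti_sleep_hook_check(FakeHost(skip_sleep=False, virtual_clock=False)),
        "sleep_patched_only": anti_sleep_hook_check(FakeHost(skip_sleep=True, virtual_clock=False)),
        "sleep_patched_clock_virtualized": anti_sleep_hook_check(FakeHost(skip_sleep=True, virtual_clock=True)),
    }


if __name__ == "__main__":
    for env, verdict in evaluate_environments().items():
        print(f"{env:32} -> {'analysis detected' if verdict else 'passed'}")
```

The only configuration the check flags is the one where Sleep is short-circuited without adjusting the clock. A sandbox that wants to accelerate long sleeps therefore has to keep every time source it exposes to the guest consistent with the skipped interval, which is why hooking Sleep alone is a poor analysis shortcut against this sample.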