# Malware Discovered – SFG: Furtim Malware Analysis

**sentinelone.com/blogs/sfg-furtims-parent/**

By Joseph Landry and Udi Shamir


July 12, 2016


**Update, 14-July: There have been a number of stories published since the posting of this blog that have suggested this attack is**
specifically targeting SCADA energy management systems. We want to emphasize that we do not have any evidence that this is in fact
the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.

The Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one energy
company. Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of
the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially

i i ti i E t E


-----

The malware is most likely a dropper tool being used to gain access to carefully targeted network users, which is then used either to
introduce the payload, which could either work to extract data or insert the malware to potentially shut down an energy grid. The exploit
affects all versions of Microsoft Windows and has been developed to bypass traditional antivirus solutions, next-generation firewalls,
[and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware. (biometric readers are non-](https://www.sentinelone.com/cybersecurity-101/endpoint-security/)
relevant to the bypass / detection techniques, the malware will stop executing if it detects the presence of specific biometric vendor
software).

We believe the malware was released in May of this year and is still active. It exhibits traits seen in previous nation-state Rootkits, and
appears to have been designed by multiple developers with high-level skills and access to considerable resources.

We validated this malware campaign against SentinelOne and confirmed the steps outlined below were detected by our Dynamic
Behavior Tracking (DBT) engine.

## Malware Synopsis

This sample was written in a manner to evade static and behavioral detection. Many anti-sandboxing techniques are utilized. Analysts
relying solely on sandbox solutions may miss the full functionality of the sample.

**Update: JoeSandbox contacted us and said their sandbox will run this sample.**

Two known exploits (CVE-2014-4113 and CVE-2015-1701) were found in the sample, as well as one UAC bypass.

The sample appears to be targeting facilities that not only have software security in place, but physical security as well. ZKTeco
[(http://www.zkteco.com/) is a global manufacturer of access control systems including facial recognition, fingerprint scanners, and](http://www.zkteco.com/)
RFID. If the sample is run on a workstation with ZKTeco’s ZKAccess software installed, the process will prematurely terminate. These
systems would be heavily scrutinized by their administrators, and an infection on one of these machines would likely not go unnoticed.

Two hard coded MAC addresses are checked for by the sample. A MAC address is unique 6-byte number that is burned into the chips
of all network cards. The sample will prematurely terminate if the machine it is running on has one of these two MAC addresses.

Use of low-level API ( Nt* and Rtl* ) and direct system calls ( INT 2Eh and `CALL ntdll!KiFastSystemCall )`

[were used to bypass user-space hooks used by antivirus software and sandboxes. This also demonstrates the expertise of the author.](https://sentinelone.com/blogs/colossal-irony-popular-av-programs-vulnerable-breach/)
Many of these low-level APIs and system calls are undocumented/under-documented and can change between different versions of
Windows. To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and
also reverse-engineered portions of the Windows operating system.

The use of indirect subroutine calls make manual static analysis nearly impossible, and manual dynamic analysis painful and slow. The
author took special care to keep this sample undetected for as long as possible.

The main goal of the sample analyzed is to run its final payload after silently removing a number of antivirus products.

## Overview of Execution

The sample starts by rigorously checking its environment. If in a sandbox or under manual inspection by an analyst, the sample will
prematurely terminate. If the sample finds specific antivirus software installed, it will carefully enable and disable specific functionality to
evade behavioral detection.

In many situations, the sample will distance itself from malicious behaviors by
invoking cmd.exe to do its dirty work. For example, modifying sensitive registry values are done by invoking cmd.exe /c reg.exe ….
Unfortunately for this sample, SentinelOne tracks the full context of processes to determine the root cause of malicious behavior.

ZKAccess

From this point on, the sample’s goal is to remove any antivirus software before running its final payload. To accomplish this goal, the
sample must be run as administrator. Two known local privilege escalation exploits are included in the sample (CVE-2014- 4113 and
CVE-2015-1701), as well as one UAC bypass, which are used to acquire administrator access. As a last resort, the sample will use a
UAC prompt to try and elevate itself to administrator. Once the sample is running as administrator, it will add the current user to the
local Administrator group, allowing it to maintain administrator access in the future.

The sample now writes its Native Application binary to disk. Unlike regular application code, this binary can only link to `ntdll.dll . It`
will run at a point in the boot-up process where some Windows subsystems are not yet initialized, and therefore can not call into normal
dlls like `kernel32.dll and` `user32.dll . This Native Application is hidden in an NTFS Alternative Data Stream (ADS) at the`


-----

path `C:\Windows\Temp:1 . By using ADS, the file will not be visible by normal file browsers, like` `explorer.exe . The Native`
Application is registered to run on boot-up altering the values `SetupExecute and` `BootExecute in the registry`
key `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\\ .`

To ensure the success of the Native Application, the sample will remove all filter drivers from running after reboot by removing their
associated registry entries. Filter drivers are use by anti-virus software to intercept file and network access to run static detection on the
contents of the traffic. These drivers are loaded early in the boot process, and could interfere with the execution of the Native
Application.

The system is now forced to reboot, allowing the Native Application to run. The Native Application also has similar checks to tell if it is
running in a sandbox, and will terminate prematurely when one is detected.

The Native Application’s goal is to remove any anti-virus software that is installed on the system and drop its final payload. By running
during the boot process, and after the preperation that was done in the previous stage, the Native Application has full control over the
system. Removing any anti-virus is trivial at this point because the anti-virus software is not running. The Native Binary writes the final
payload of the sample to disk under the filename `rdpinst.exe and registers it to be run later in the boot process by creating a`
registry value in \Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce .

## Architecture

There is one large structure that is allocated on the heap. This structure contains mostly function pointers to external libraries and
internal function pointers. This creates a problem for static analysis. There are many indirect calls (e.g. CALL EAX) obscuring the
program flow for static analysis. This structure is passed as the first parameter to almost every function in the binary.

A large chunk of the .data region is encrypted using RC4. This encrypted region contains the string literals for the sample, creating
another problem for static analysis and static detection. Before the process is terminated, this region is re-encrypted, possibly to deter
an analyst from recovering the unencrypted contents by using memory dumps.

Included in this encrypted region are three binary blobs that are also encrypted and compressed: final payload, a Windows Native API
application; A DLL with a UAC bypass; and a 64-bit executable an exploit for CVE-2014-4113.

## Reversing Techniques Used

To reverse the main sample, I developed a python script to patch out the blacklist and NOP out some test code. By placing a breakpoint
on the function that gets called to prematurely terminate the process, we were able to identify checks that failed by inspecting the return
address on the call stack.

Zeroing out the relocation size in the PE Data Directory also made jumping between IDA and OllyDBG easier because the base
address of the executable was not randomized.

Noting the destination address of indirect jumps in IDA comments made reviewing after debugging much simpler.

To debug the Native Application binary, I patched the PE Optional Header field `Subsystem field from 1 to 2. This changed the`
subsystem used by the binary from `Native to` `WindowsGUI . This will let the binary run after bootup is finished, instead of getting this`
error message:

double clicking on the Native Application

## “Packing”

The code of the main executable (.text segment) isn’t packed, but a region in the .data section is encrypted using RC4 with the
password “dqrChZonUF”. The RC4 implementation looks like a direct copy of the code found in the FreeBSD and XNU kernel:

The only modification to the BSD RC4 implementation is the pointer to the global struct containing the function pointers to the RC4
subroutines.

After decrypting this large section, all the string literals are uncovered.


-----

image of rc4 decrypt


Also, there are other regions inside of this decrypted region containing more encrypted blobs, like a Matryoshka doll. These contain a
Native executable, the UAC bypass DLL, and the 64-bit implementation of the exploit for CVE-2014-4113. Furthermore, the Native
binary contains another binary blob, that is the compressed and encrypted final payload.

[Team member, Caleb Fenton, correctly identified the compressed stream format used for these blobs as aPLib.](http://ibsensoftware.com/products_aPLib.html)


-----

aPLib decompress


Although RC4 isn’t an esoteric stream cipher, the decision by the author to use such a cipher shows a level of sophistication not seen in
typical crimeware.

## Anti-Debug, Anti-Sandbox, Anti-AV

The sample has an overwhelming number of checks to determine if it is in a sandbox, or if an antivirus application is installed. But why
would the author go through so much trouble to evade sandboxes and AV products?

The strategy used by the author seems to be this:

If we are running in a virtual machine, sandbox, or under manual inspection by an analyst, encrypt the .data section and terminate
prematurely.
If we are in an environment with Anti-Virus products installed, carefully enable and disable behaviors of the infection to avoid
behavioral detection.

The following is a list of checks the sample performs in the order that they are executed.

### CPUID Check

This test is the least invasive of all the tests performed. It also would be hard for a virtualization-based sandbox to detect, because the
CPUID instruction would be run on the physical CPU, and can’t be hooked.By running this test first, it will insure that the sandbox log
would not show any evidence of the process trying to inspect its environment. An analyst might dismiss the sample, because it doesn’t
appear to be trying to detect the sandbox or virtual machine.The x86 instruction CPUID will report back features of the CPU. This
instruction is normally used to check what features are supported by the CPU to avoid an “Invalid Instruction” exception before
executing feature specific code. The sample uses this instruction to find artifacts of a virtual machine.When the CPUID instruction is
executed and the register EAX set to 0x80000002, 0x80000003, or 0x80000004, the CPU fills registers EAX, EBX, ECX, and EDX with
the “Product Brand String.” If the brand string is found in the sample’s blacklist, the process will prematurely terminate.

Strings check by CPUID where EAX=0x8000000x:


-----

```
Common KVM processor
Common 32-bit KVM
Virtual CPU
Intel Celeron_4x0 (Conroe/Merom Class Core 2)
Westmere E56xx/L56xx/X56xx (Nehalem-C)
Intel Core 2 Duo P9xxx (Penryn Class Core 2)
Intel Core i7 9xx (Nehalem Class Core i7)
Intel Xeon E312xx (Sandy Bridge)
AMD Opteron 240 (Gen 1 Class Opteron)
AMD Opteron 22xx (Gen 2 Class Opteron)
AMD Opteron 23xx (Gen 3 Class Opteron)
AMD Opteron 62xx class CPU
Intel CPU version

```
Many of these CPU strings look legitimate, but are the exact strings used by KVM and QEMU.
```
# kvm -cpu ?
x86      qemu64 QEMU Virtual CPU version 2.4.0
x86      phenom AMD Phenom(tm) 9550 Quad-Core Processor
x86     core2duo Intel(R) Core(TM)2 Duo CPU   T7700 @ 2.40GHz
x86      kvm64 Common KVM processor
x86      qemu32 QEMU Virtual CPU version 2.4.0
x86      kvm32 Common 32-bit KVM processor
x86     coreduo Genuine Intel(R) CPU      T2600 @ 2.16GHz
x86       486
x86     pentium
x86     pentium2
x86     pentium3
x86      athlon QEMU Virtual CPU version 2.4.0
x86       n270 Intel(R) Atom(TM) CPU N270  @ 1.60GHz
x86      Conroe Intel Celeron_4x0 (Conroe/Merom Class Core 2)
x86      Penryn Intel Core 2 Duo P9xxx (Penryn Class Core 2)
x86     Nehalem Intel Core i7 9xx (Nehalem Class Core i7)
x86     Westmere Westmere E56xx/L56xx/X56xx (Nehalem-C)
x86   SandyBridge Intel Xeon E312xx (Sandy Bridge)
x86    IvyBridge Intel Xeon E3-12xx v2 (Ivy Bridge)
x86  Haswell-noTSX Intel Core Processor (Haswell, no TSX)
x86     Haswell Intel Core Processor (Haswell)
x86 Broadwell-noTSX Intel Core Processor (Broadwell, no TSX)
x86    Broadwell Intel Core Processor (Broadwell)
x86    Opteron_G1 AMD Opteron 240 (Gen 1 Class Opteron)
x86    Opteron_G2 AMD Opteron 22xx (Gen 2 Class Opteron)
x86    Opteron_G3 AMD Opteron 23xx (Gen 3 Class Opteron)
x86    Opteron_G4 AMD Opteron 62xx class CPU
x86    Opteron_G5 AMD Opteron 63xx class CPU
x86       host KVM processor with all supported host features (only available in KVM mode)

```
If the check passes, the string is stored in the global struct for later testing.

Furthermore, the CPUID instruction can be executed with the register EAX set to 0x40000000. This will return a string that can be set
by a hypervisor.

Blacklist for CPUID where EAX=0x40000000:
```
VMwareVMware
XenVMMXenVMM
KVMKVMKVM
prl hyperv
Microsoft Hv

```
More about the CPUID can be found in the Intel Instruction Set Reference starting on page 3179: http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-instruction-setreference-manual-325383.pdf

### Hostname Check

The sample contains a blacklist of hostnames. In the event the result of `GetComputerNameW() is found in the blacklist, again, the`
process terminates.
```
brbrb-d8fb22af1
jonathan-c561e0
avreview1-VMXP
vwinxp-maltest
avreview-VMSunbox
infected-system

```

-----

Googling these strings brings results that suggest that they are hostnames for sandboxes and honeypots. These hostnames are also
used in other malware samples as hostname blacklists.

### Filename Check

By a call to `GetModuleFileNameW() the sample check its filename to see if it is in a location commonly used by sandboxes:`

Full string case insensitive compare:
```
C:\xxx\sample.exe
C:\sample.exe
C:\Shared\dum._vxe
C:\SniferFiles\sample.exe
C:\virus\virus.exe
C:\virus.exe
c:\sampel.exe
C:\setup.exe
C:\runme.exe
c:\VMRun\Zample.exe
c:\FILE.EXE
C:\run\temp.exe
c:\taskrun\samples\rtktst.exe.exe
c:\artifact.exe
C:\manual\sunbox.exe
C:\1.exe

```
String find:
```
malware.exe
\virus\
admin\downloads\samp1e_
sample_execution
mlwr_smpl.exe

```
Any file in this format where ‘x’ is any character.
```
'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx'

```
[This format apears to be a GUID string. There must be some sandboxing technology that uses this format that the author was aware of.](https://en.wikipedia.org/wiki/Globally_unique_identifier)

Finally, it checks if a ‘Z:\’ drive is present, then checks for the file ‘Z:\VxStream’. This will detect if it is being run in the VxStream
Sandbox

### Look for DLLs associated with function hooking

User-space hooking is a technique used by anti-virus to detect what could be considered malicious behavior. The technique is also
used by sandboxes to record a log of runtime behaviors of a process. The most common way of hooking a process is to inject a DLL
into the process. This hooking DLL will patch system DLLs like kernel32.dll and ntdll.dll in memory. When the process being hooked
makes a call into these system DLLs, it will be redirected to a “detour” function inside of the injected hooking dll. If the function call is
determined to be benign, the control flow is allowed to continue into the system DLLs.

Anti-Virus products that utilize this technique tend to prefer hooking system DLLs like `kernel32.dll over` `ntdll.dll . This is`
because hooking `ntdll.dll is less reliable and requires more labor to write. The interface to` `ntdll.dll could change on the whim`
of Microsoft, and isn’t documented well. `kernel32.dll has a more predictable and constant interface and is well documented on`
MSDN.

A malicious program wanting to avoid detection at runtime by a user-space hook might have some success calling directly
into `ntdll.dll instead of` `kernel32.dll because the underlying` `ntdll.dll functions may not be hooked.`

The sample will look for injected DLLs associated with user-space hooks in its process space by making a call
to `ntdll!LdrGetDllHandle() instead of the more common` `kernel32!GetModuleHandle() . By calling directly into the ntdll`
implementation, hooks on the kernel32 layer can be avoided. If a DLL associated with hooking is discovered, the programs behavior
can be altered to specifically avoid detection by these products.

If a DLL is found, the result is stored so that future malicious functionality can be suppressed, or specific techniques to avoid detection
can be utilized.

The hooking DLL black-list:

**DLL File Name** **Vendor**


-----

**DLL File Name** **Vendor**

avcuf32.dll BitDefender

BgAgent.dll BullGuard

guard32.dll COMODO

wl_hook.dll Agnitum

QOEHook.dll Qurb

a2hooks32.dll Emsisoft

### Looking for Sandbox Artifacts on the File System

If any of this files or directories are found, the process terminates prematurely. These files appear to be associated with sandbox
software.
```
C:\agent\agent.pyw
C:\sandbox\starter.exe
c:\ipf\BDCore_U.dll
C:\cwsandbox_manager
C:\cwsandbox
C:\Stuff\odbg110
C:\gfisandbox
C:\Virus Analysis
C:\iDEFENSE\SysAnalyzer
c:\gnu\bin
C:\SandCastle\tools
C:\cuckoo\dll
C:\MDS\WinDump.exe
C:\tsl\Raptorclient.exe
C:\guest_tools\start.bat
C:\tools\aswsnx\snxcmd.exe
C:\Winap\ckmon.pyw
c:\tools\decodezeus
c:\tools\aswsnx
C:\sandbox\starter.exe
C:\Kit\procexp.exe
c:\tracer\mdare32_0.sys
C:\tool\malmon
C:\Samples\102114\Completed
c:\vmremote\VmRemoteGuest.exe
d:\sandbox_svc.exe

### Checking Number of CPU Cores

```
Remember how the CPUID “Product Brand String” was stored for later use? Here’s why. If the CPU should have more than 1 core, but
the operating system only reports 1 core, it’s likely running inside a virtual machine.

A call is made to `RtlGetNativeSystemInformation(SystemBasicInformation, ...) . This call will fill the contents of a` `struct`
```
SYSTEM\_BASIC\_INFORMATION struct. The sample checks the field \_SYSTEM\_BASIC\_INFORMATION.NumberOfProcessors and if

```
the value is 1 and the CPU Product Brand String reported should have more than one core, the process is terminated.

CPU brand strings that are checked:
```
'Intel(R) Core(TM) i7'
'Intel(R) Core(TM) i5'
'Intel(R) Core(TM) i3'
'Intel(R) Core(TM)2 Duo CPU'

```
NtQuerySystemInformation() _SYSTEM_INFORMATION_CLASS enum in ReactOS
source `RtlGetNativeSystemInformation() seems to be similar to` `NtQuerySystemInformation() documented on MSDN here.`

I found an unofficial source of the `struct SYSTEM_BASIC_INFORMATION here:` [http://masm32.com/board/index.php?topic=3400.0](http://masm32.com/board/index.php?topic=3400.0)

[ReactOS struct _SYSTEM_BASIC_INFORMATION](https://github.com/reactos/reactos/blob/b470751018d5658dd3c24c5050bd711b5776800b/reactos/sdk/include/psdk/winternl.h#L484)

### Yet Another DLL hooking blacklist

These DLLs are associated with software used to manually analyze samples.


-----

```
tracer.dll
SbieDll.dll
APIOverride.dll
NtHookEngine.dll
api_log.dll
LOG_API.DLL
LOG_API32.DLL

```
```
ntdll!LdrGetDllHandle()

```

If any of these DLLs are loaded, the process terminates.

### Kernel Driver Check

[ReactOS RtlGetNativeSystemInformation is just NtQuerySystemInformation](https://github.com/reactos/reactos/blob/0d677ac9e42ccad043debc212ed21d26e6f6af2b/reactos/dll/ntdll/def/ntdll.spec#L668)

[ReactOS SystemModuleInformation](https://github.com/reactos/reactos/blob/0d677ac9e42ccad043debc212ed21d26e6f6af2b/reactos/drivers/filesystems/udfs/Include/ntddk_ex.h#L22)

A call to `ntdll!RtlGetNativeSystemInformation(SystemModuleInformation, ...) is made. This returns a list of all loaded`
kernel drivers.

Each kernel module is compared to a blacklist that is organized by vendor.

If any of these drivers are found, the process will terminate.

???

taskrun\bruta\kbruta.sys
taskrun\bruta\TBM.sys
Sandbox, VM, and SysInternals drivers

vmx_svga.sys
vmmouse.sys
xennet.sys
CaptureProcessMonitor.sys
CaptureRegistryMonitor.sys
CaptureFileMonitor.sys
CWSandboxWatchdogDri (sic)
VBoxVideo.sys

If any of the following drivers are found, it is noted in the global struct, for later evasion techniques.

[Quick Heal (Indian)](http://www.quickheal.com/)

bdsnm.sys
bdsflt.sys
ggc.sys
catflt.sys
wsnf.sys
llio.sys
mscank.sys
EMLTDI.SYS
[ZoneAlarm](http://www.zonealarm.com/)

vsdatant.sys
[Qihoo 360 (Chinese)](https://www.360totalsecurity.com/)

360Box.sys
360Box64.sys
360Camera.sys
360Camera64.sys
360SelfProtection.sys
360AntiHacker.sys
360AntiHacker64.sys
360AvFlt.sys
[PC Tools (now part of Norton Security)](http://www.pctools.com/)

pctNdis.sys
pctNdisLW64.sys


-----

[Norton 360](https://us.norton.com/360)

360AvFlt.sys
360FsFlt.sys
[K7 Computing (Indian)](https://www.k7computing.com/)

K7Sentry.sys
K7FWFilt.sys
K7TdiHlp.sys
[Trust Port (Czech Republic)](http://www.trustport.com/)

tpsec.sys
[Privacyware (US)](http://www.privacyware.com/)

pwipf6.sys
[MicroWorld escan (US, India)](http://www.escanav.com/)

mwfsmflt.sys
ProcObsrvesx.sys
bdfsfltr.sys
econceal.sys
[Filseclab (Chinese)](http://www.filseclab.com/)

ffsmon.sys
fildds.sys
filmfd.sys
filppd.sys
[Kaspersky](http://kaspersky.com/)

kl1.sys
klif.sys
kltdi.sys
kneps.sys
klkbdflt.sys
klmouflt.sys
[G Data (German)](https://www.gdata-software.com/)

GDBehave.sys
GDNdisIc.sys
gdwfpcd64.sys
gdwfpcd32.sys
[Arcabit (Polish)](https://www.arcabit.pl/)

ABFLT.sys
[Avast (Czech Republic)](https://www.avast.com/)

aswMonFlt.sys
aswRvrt.sys
aswRdr2.sys
aswVmm.sys
aswNdisFlt.sys
aswSnx.sys
aswSP.sys
aswStm.sys
[Avira (German)](https://www.avira.com/)

avnetflt.sys
avkmgr.sys
avipbb.sys
avgntflt.sys
[ESET (Slovakia)](https://www.eset.com/)

EpfwLWF.sys
epfwwfp.sys
eamonm.sys
ehdrv.sys
epfw.sys
eelam.sys
[Baidu (Chinese)](http://antivirus.baidu.com/)

Bfilter.sys
Bfmon.sys
Bhbase.sys


-----

[AVG (Czech Republic)](http://www.avg.com/)

avgdiskx.sys
avgidsdriverlx.sys
avgtdix.sys
avgunivx.sys

### Anti-Process

This will only execute if something was found in the kernel module check. (???)

The process list is enumerated by calling RtlGetNativeSystemInformation(5)

[ReactOS 5 == proc info](https://github.com/reactos/reactos/blob/0d677ac9e42ccad043debc212ed21d26e6f6af2b/reactos/drivers/filesystems/udfs/Include/ntddk_ex.h#L16)

[MSDN SYSTEM_PROCESS_INFORMATION](https://msdn.microsoft.com/en-us/library/ms725506.aspx)

If a process with this filename is found, its process id is recorded, and later terminated.

This is where the author prepares an attack on the analyst’s psyche. So far, the process only detects sandbox, VM, and antivirus, but
this list of tools are usually run manually by an analyst. By detecting their presence but not immediately terminating them, instead
delaying the termination until a later part of the process, can give some analyst nightmares.

apispy.exe
autoruns.exe
autorunsc.exe
dumpcap.exe
emul.exe
fortitracer.exe
hookanaapp.exe
hookexplorer.exe
idag.exe
idaq.exe
importrec.exe
imul.exe
joeboxcontrol.exe
joeboxserver.exe
multi_pot.exe
ollydbg.exe
peid.exe
petools.exe
proc_analyzer.exe
procexp.exe
procmon.exe
regmon.exe
scktool.exe
sniff_hit.exe
sysanalyzer.exe
vmsrvc.exe
vmtoolsd.exe
vmusrvc.exe
vmwaretray.exe

For each process, a call to `QueryFullProcessImageNameW() is made and compared against a second blacklist. If any string in the`
blacklist occurs in the full image name, the process terminates.

THESE AREN’T SANDBOXES OR A/V, ARE THEY????

\oracle\product\
\OraHome_1\perl\
\dbhome_1\perl\bin
\ZKTeco\ZKAccess\
\oracle\FRHome_1\perl\
\Oracle\Middleware\


-----

### Is File Name [hash].exe Check

In the Anti-Virus industry, it is extreamly common to rename a sample’s filename to its [hash value. This is done to easily identify a](https://www.sentinelone.com/blog/what-is-hash-how-does-it-work/)
sample, and to store it with a unique filename. Typical hash algorithms that are used are MD5, SHA-1, and SHA-256.

This sample will read itself off of the disk, then calculate its checksum. Then it will see if the hex-string of the checksum is found in its
filename.


Check filename contains hex hash


### Is VMware Tools Installed Check

Next, the sample checks if these two directories exist. If either exist, the process is terminated.

C:\Program Files\VMware\VMware Tools
C:\Program Files (x86)\VMware\VMware Tools

### Hard Disk Vendor Check

The children of these two registry keys are enumerated:


-----

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\IDE
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\SCSI

The values are check against a blacklist containing virtualized hard disk vendors.

QEMU_
VMware
Ven_Red_Hat&Prod_VirtIO
DiskVBOX
DiskVirtual

If a value is found in the blacklist, the process is terminated.

### Misc Hardware Vendors and BIOS Checks

These hardware specific registry keys are check. If they exist, the process terminates.

\Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__\VBOXBIOS
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\ACPI\Hyper_V_Gen_Counter_V1
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\ACPI\XEN0000
\Registry\Machine\SYSTEM\CurrentControlSet\Enum\XENBUS\CLASS_VBD&REV_02

In the same function, `\Registry\Machine\HARDWARE\DESCRIPTION\System\ is queried and checked against this blacklist:`

SystemBiosVersion

‘BOCHS – 1’
‘VBOX – 1’
‘PRLS – 1’
VideoBiosVersion

‘VirtualBox’

If any of these registry keys match, the process is terminated.

### Anti Network Interface Card (NIC) Check

This check is skipped if kernel modules associated with “Privacyware” where detected. I’m assuming “Privacyware” detects the API
calls in this check as malicious.

This function check the NICs that are installed, and calls to `IPHLPAPI!GetAdaptersInfo()`

Meeting these condition will cause a premature termination.

Realtek RTL8139 Family PCI Fast Ethernet NIC

also username is ‘antonie’
also ‘c:\downloads\’ exists
Realtek RTL8139C+ Fast Ethernet NIC

also username is ‘Antony’
also ‘c:\downloads\’ exists

These network cards will get terminated out-right:

VMware Accelerated AMD PCNet Adapter
Microsoft Virtual Machine Bus Network Adapter
Microsoft Hyper-V Network Adapter
Adaptador de red de bus de m?quina virtual de Microsoft

If the network card is NOT one of these, it will check the MAC address:

VMware Virtual Ethernet Adapter for VMnet8
VMware Virtual Ethernet Adapter for VMnet1
VirtualBox Host-Only Ethernet Adapter

These MAC addresses will result in a premature termination:

**MAC address** **OUI Information** **Notes**


-----

**MAC address** **OUI Information** **Notes**

`00:01:02:03:04:xx` 3COM defunt, obvious bogus mac address

`00:03:FF:xx:xx:xx` Microsoft Corporation doesn’t make physical hardware?

`00:0C:29:xx:xx:xx` VMware, Inc.

`08:00:27:xx:xx:xx` Cadmus Computer Systems [VirtualBox](http://comments.gmane.org/gmane.comp.emulators.virtualbox.devel/2199)

`00:07:e9:e4:ce:4d` Intel 0 results on google

`00:30:18:ab:d7:f2` Jetway Information Co., Ltd. 0 results on google

`00:ff:f2:f8:30:xx` Dell?? VirtualBox??

`00:50:56:xx:xx:xx` VMware, Inc.

`52:54:00:12:34:56` Realtek copypasta QEMU startup script?

`00:1c:42:xx:xx:xx` Parallels, Inc. VMware product

`00:15:5d:xx:xx:xx` Microsoft Corporation

`00:1d:d8:xx:xx:xx` Microsoft Corporation

I would like to know who owns the “00:07:e9:e4:ce:4d” and “00:30:18:ab:d7:f2”. If they are burnt onto a physical device, it’s either a
development machine, or a targeted machine to be specifically avoided.

### Window Title Check

Pairs of window class names and titles are check for, and if one is found, the samples’s process is terminated prematurely. These tools
are used by analysts and some are used by sandboxes.

**Window Class** **Window Title**

PROCEXPL sysinternals

PROCMON_WINDOW_CLASS sysinternals

Autoruns sysinternals

TCPViewClass sysinternals

0 TCPView – Sysinternals: www.sysinternals.com

0 File Monitor – Sysinternals: www.sysinternals.com

0 Registry Monitor – Sysinternals: www.sysinternals.com

0 Process Monitor – Sysinternals: www.sysinternals.com

gdkWindowToplevel Wireshark

API_TRACE_MAIN 0

0 Wget [100%%] http://tristan.ssdcorp.net/guid

0 C:\Program Files\Wireshark\dumpcap.exe

0 C:\wireshark\dumpcap.exe

0 C:\SandCastle\tools\FakeServer.exe

0 C:\Python27\python.exe

0 start.bat – C:\Manual\auto.bat

0 Fortinet Sunbox

0 PEiD v0.95

0 Total Commander 7.0 – Ahnlab Inc.


-----

**Window Class** **Window Title**

0 Total Commander 6.53 – GRISOFT, s.r.o.

0 Total Commander 7.56a – Avira Soft

0 Total Commander 7.56a – ROKURA SRL

0 C:\strawberry\perl\bin\perl.exe

ThunderRT6FormDC SysAnalyzer

TfrmMain All-Seeing Eye

Afx:400000:b:10011:6:350167 Malicious Code Monitor v1.7.6 For NT(x86) – ([email protected])

TApplication Mouse Move – by RJL Software, Inc.

SmartSniff SmartSniff

ConsoleWindowClass VxStream Kernel Service Manager

**Registry Key** **Notes**

\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Iris Network Traffic Analyzer

\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallWatch Pro 2.5

\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysAnalyzer_is1


\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{13BE68B1-7498-48AB-9D22AD3AB6532531}

\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions

\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox
Guest Additions


API Monitor v2
Alpha


\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00 VirtualBox
Graphics Device
Drivers

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00 VirtualBox Guest
Service Device
Drivers

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00 S3 Video Card
(used by virtual
machines)

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00 Parallels Display
WDDM Device
Drivers

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00 Parallels Tool
Device Drivers

\Registry\Machine\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8&DEV_4006&SUBSYS_04061AB8&REV_00 Parallels Memory
Controller


\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{25AD16E5-F48B-4455-83D7849D600475A4}

\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Iris Network Traffic
Analyzer

\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SysAnalyzer_is1

\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallWatch Pro 2.5

\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{13BE68B1-749848AB-9D22-AD3AB6532531}


Winalysis
WindowexeAllkiller
?

API Monitor v2
Alpha


-----

**Registry Key** **Notes**


\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{25AD16E5-F48B4455-83D7-849D600475A4}

### VMXh VMWare Check


Winalysis
WindowexeAllkiller
?


The sample checks for the presence of VMware, by trying to execute a Intel `IN instruction with EAX set to the value ‘VMXh’.`
The `IN instruction is a privileged instruction, and outside of the VMware guest, would result in a General Protection Fault exception.`
But inside a VMWare guest, the fault is not generated. VMWare uses this as a way for its guest software to communicate to the host. It
[is documented here.](https://sites.google.com/site/chitchatvmback/backdoor)

[The specific technique to detect VMWare is here.](https://www.aldeid.com/wiki/VMXh-Magic-Value)

This is how the sample implements the check:

VMXh

Because this portion must be written in assembly, I assume the NOPs are to thwart any static detection on the opcodes.

### Direct3D Video Card Check

Using the Direct3D interface, the sample is able to enumerate information about the installed video adapters. If the video cards are
vendors are in the blacklist, the process prematurely terminates.

Vendor Blacklist:

**VendorID** **Vendor Name** **Notes**

0x15ad VMWare Inc.

0x80ee Oracle Corp. Virtual Box

0x1013 Cirrus Logic Bochs and QEMU

Vendor Whitelist:

**VendorID** **Vendor Name**

0x8086 Intel

0x10de Nvidia

0x1002 AMD

Now, because there is a whitelist and a blacklist, there exists a possibility that the device was not in either list. In the event of this case,
the tie is settled by calling `GetCursorPosition() . If there are 15 mouse movements, then the sample assumes that it is not in a`
sandbox, and continues execution. If there isn’t 15 mouse movements, the sample just blocks, waiting for the movements to occur.
During this waiting period, the .data section is re-encrypted. If the sample where in a sandbox, it would be stuck in this loop, waiting.
When the sandbox times-out, it might dump the contents of memory. By re-encrypting the .data section, it will be encrypted in the data
dump.

A common feature of sandboxes is a “mouse mover.” The mouse mouse mover will make an application think there is a user on the
workspace by moving the mouse cursor around.

The sample also utilizes direct system calls to make the call to `GetCursorPosition() . This technique will bypass any user-space`
hooks that might try to move the mouse automatically.

Avoiding userspace hooks by doing manual syscall

## Native Application Binary

The beginning of this binary has many anti-VM and anti-sandboxing techniques. just like the previous binary. It also allocates a large
struct containing function pointers like the previous binary.


-----

This portion of the sample is encrypted and compressed in the .data segment. As mentioned before, it written to disk in a NTFS ADS
and at boot time before all the windows subsystems are loaded. If you have ever upgraded to windows 2000, you will remember that
the installation could upgrade the filesystem from FAT 32 to NTFS. This portion of the sample runs at the same point as the file system
upgrade code would run.

[An example project using this technique can be found on codeproject.com](http://www.codeproject.com/KB/threads/NativeThreadInjection.aspx?fid=1540562&df=90&mpp=25&noise=3&sort=Position&view=Quick&select=3038600%20target=)

The Native binary is written in the same style as the parent. A large struct is allocated on the heap that stores function pointers. It also
uses RC4 to encrypt its string literals, and contains the final payload compressed using aplib.

The goal of this portion of the sample is to remove a large number of anti-virus software. It will also modify the `host used by the DNS`
client. There are many records for anti-virus update servers that get set to `0.0.0.0, effectively stoping any view anti-virus installed`
from being able to update its definitions.

hostfile

It finishes by dropping the final payload to `%SystemRoot%\rdpinst.exe and ensuring that it runs later in boot-up by setting a registry`
value in \Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce .

## Final Payload

The payload shares some similarities with the other binaries, but unlike the past two, it doesn’t allocate a large struct and fill it with
function pointers.

The final payload collects recon from the infected machine and reports back to its C2 server over HTTP.

pcap showing http connection

One unique feature of all the traffic collected is that the HTTP host field is always `nullptr .`

## Sample Information

**Sha-256: 766e49811c0bb7cce217e72e73a6aa866c15de0ba11d7dda3bd7e9ec33ed6963**

- `638d549a24bb0a28e462c70880bf3f979f137cc6`: Main Sample

- `ce0633d8be65202870e7b916e7bec5a0218cbbbb`: Packed Native API Application binary

- 14598af84ee2dbd88d3fff0b60aba829a412dfbe3`: Packed rdpinst.exe (payload)

- `643b295ee6985251d771b7962f2b2fc69e36f5c2`: Packed UAC bypass dll

- `c803eb5e8a4a4e31e8168557d82ff54d68f3832d`: Packed 64-bit CVE-2014-4113 exploit
[If you would like to learn more about this specific attack and how you can prevent it, contact us and we’d be happy to advise on a one-](https://sentinelone.com/contact/)
to-one basis.


-----