I know there are a bunch of blogs out there about this malware, so I will just focus on some details of how it generates its POST command.
Initial Analysis:
Of course this malware uses obfuscation to make dynamic analysis time-consuming and hard, but as soon as you unpack the code you can see right away some string hints that this is Hancitor malware.
fig. 1 - hancitor known strings
POST Command:
Hancitor is known to have 2 possible POST commands that are sent to its C&C server, depending on whether the OS version is x64 or x32 bit.
x64 bit
GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x64)
x32 bit
GUID=%I64u&BUILD=%s&INFO=%s&IP=%s&TYPE=1&WIN=%d.%d(x32)
So let's discuss how it generates this POST data.
Generating a unique GUID=%I64u per machine:
To generate this, Hancitor first needs the physical (MAC) address of the infected machine, which it obtains with the GetAdaptersAddresses function that retrieves the addresses associated with the adapters on the local computer.
fig. 2 - parsing mac address
Then it gets the volume serial number of the root drive of the infected machine by calling the GetVolumeInformationA function. Afterwards the volume serial number is XORed with the last DWORD of the physical address. The decimal value of these 8 bytes is the GUID data.
fig 3 - getting the volume serial number
Generating IP=%s:
Hancitor is known to abuse the api[.]ipify[.]org website to retrieve the external IP address of the infected machine. If the retrieval fails, it uses 0.0.0.0, which means all the IPv4 addresses on the current local machine.
fig. 4 - parsing the external IP address
The BUILD=%s:
The build data is RC4-encrypted together with the URLs of the Hancitor C&C servers, from which it may download other malware and to which it sends this POST command. The malware uses 8 bytes of its data (0x99 5d db ac 0f 01 13 9d) to derive the RC4 decryption key through the cryptography API and then decrypts this data.
fig. 5 - encrypted data
fig. 6 - build data '11mnb09'
Generating INFO=%s:
The INFO data is a combination of the computer name (from the GetComputerNameA function), the domain name and the account name. The last two are obtained by this malware in a very interesting way: it locates the "explorer.exe" process, queries that process's token for TokenUser (the user SID), and then calls LookupAccountSidA to resolve that SID into the domain name and account name. It uses "@" as the concatenation character for these 3 pieces of machine information.
"ComputerName @ DomainName//AccountName"
fig 7 - parsing DomainName and AccountName
Generating WIN=%d.%d:
This is done by getting the OS version of the machine and extracting its MajorVersion and MinorVersion.
example: WIN=MajorVersion.MinorVersion
simplified:
fig. 8 - simplified description
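As an added example (not code from the original post and not the malware's own code), here is a Python helper a responder can run over captured proxy or IDS traffic: it validates and decodes a POST body against the layout described above, and recomputes the GUID for a known host's MAC address and volume serial so that a beacon can be matched to that host. The exact 8-byte layout in expected_guid is an assumption, since the post only says the serial is XORed into the last DWORD of the physical address, and SAMPLE_BODY is a constructed sample, not real traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Beacon body layout exactly as listed above; only the (x64)/(x32) suffix differs.
BEACON_RE = re.compile(
    r"^GUID=(?P<guid>\d+)&BUILD=(?P<build>[^&]*)&INFO=(?P<info>[^&]*)&IP=(?P<ip>[^&]*)"
    r"&TYPE=1&WIN=(?P<major>\d+)\.(?P<minor>\d+)\((?P<arch>x64|x32)\)$"
)
# INFO is "ComputerName @ DomainName//AccountName".
INFO_RE = re.compile(r"^(?P<computer>.+?) @ (?P<domain>[^/]*)//(?P<account>.*)$")
# Constructed sample body as it would appear in a proxy capture (not real traffic).
SAMPLE_BODY = f"GUID={0x1234033C33221100}&BUILD=11mnb09&INFO=WS01 @ CORP//jdoe&IP=0.0.0.0&TYPE=1&WIN=6.1(x64)"

@dataclass
class Beacon:
    guid: int
    build: str
    computer: str
    domain: str
    account: str
    ip: str
    win: Tuple[int, int]
    arch: str

def parse_beacon(body: str) -> Optional[Beacon]:
    """Decode a captured POST body if it has the Hancitor layout, else return None."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    guid = int(m["guid"])
    if guid > 0xFFFFFFFFFFFFFFFF:  # %I64u prints an unsigned 64-bit value
        return None
    info = INFO_RE.match(m["info"])
    if not info:
        return None
    return Beacon(guid, m["build"], info["computer"], info["domain"], info["account"],
                  m["ip"], (int(m["major"]), int(m["minor"])), m["arch"])

def expected_guid(mac: str, volume_serial: int) -> int:
    """Recompute the GUID for a known host so a captured beacon can be matched to it.

    Assumption (the byte layout is not spelled out above): the 6-byte MAC sits in the
    8-byte PhysicalAddress buffer, zero padded, read as a little-endian QWORD; its upper
    DWORD is XORed with the volume serial and that QWORD printed with %I64u is the GUID.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "")).ljust(8, b"\x00")
    low, high = int.from_bytes(raw[:4], "little"), int.from_bytes(raw[4:], "little")
    return ((high ^ (volume_serial & 0xFFFFFFFF)) << 32) | low
```

If a decoded beacon's GUID equals expected_guid() for a host in your asset inventory, the infection can be tied to that machine even when the IP field is 0.0.0.0 or NAT hides the source.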
Conclusion:
Most of the time it is worth analyzing the details of this POST command, which shows some interesting techniques malware authors use to collect sensitive information about the infected machine in different ways to hide from detection.
md5: a1ac08123d98990c905e2608ce25d5e6
Sha1: 74188eaac4305ccbe62616fc75e8b676da262a80
Sha256: 03933955105da6f2e446768096eba81079ebea51411083a88348a1e8ea466857
unpacked version: https://www.virustotal.com/#/file/48007debec1d91ff7687611a56fb84a847d43a050a5eb08d202014c21c47fd70/detection