
Wednesday, January 23, 2019

Interesting Azorult Mutex Name that will be sent as a POST command

Azorult is a Delphi-compiled banking Trojan that spies on the infected machine: it looks for bitcoin wallets, parses web browser cookies and passwords, and collects much more. In this article I will focus on one interesting behavior of this malware: it sends the mutex name it generates on the infected machine to its C&C server.

Parsing System Info:

After unpacking the actual code of this malware, the first subroutine it executes resolves all the APIs it needs dynamically. After that it starts gathering the information it needs to generate its unique mutex name: it reads the Machine GUID, Product Name, User Name and Computer Name of the infected machine and converts each of them into ANSI string format using the Delphi internal routine LStrFromWstr.

figure 1 - the machine information parsed by Azorult

Hashing and encrypting the string:

With those 4 pieces of system information in ANSI format, it then hashes each of them using the simple hashing algorithm shown in figure 3.

figure 2 - hashing the system info.

figure 3 - hashing algorithm

After that, it concatenates those 4 ANSI strings into one long string and computes a 5th hash value over it.

figure 4 - concatenation of the system info strings

It separates those 5 hash values with the '-' dash character and calls the CreateMutex function.

figure 5 - adding delimiter for each hash value

figure 6 - create mutex

It then checks whether an error occurred while creating the mutex; this is how it makes sure that only 1 instance of its code runs on the infected machine. If no error occurs, it decrypts the C&C URL, converts every integer in the hash values it created to a hex string, XORs that string with a 3-byte key hardcoded in its code, then sends it as an HTTP POST request to the decrypted C&C server URL.
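The POST-body preparation just described (hash values as hex strings, XORed with a hardcoded 3-byte key) is exactly what an analyst has to undo when reading a captured beacon. The Python below is an example added for this post, not code from the malware or from the original article: it models that encoding on constructed sample values, decodes a body with a known key, and shows that the key can be recovered from a captured body alone, because the plaintext can only contain hex digits and the '-' delimiter. The layout of the body (five 8-hex-digit values joined by '-') is my assumption about the text; the key and the hash values are constructed for the demo.

```python
"""Analyst helpers for the Azorult beacon described above: the mutex-derived
string is hex-encoded and XORed with a 3-byte key before the HTTP POST.
Example code added for this post, not code from the malware or the article."""
from itertools import product
from typing import List

# Constructed sample values (not from a real sample): five hash values written
# as 8-digit hex strings joined by '-', and a 3-byte XOR key chosen for the demo.
SAMPLE_PLAINTEXT = "0a1f9e3b-f0a91e2c-3fa0c9e1-9f0aec21-a0f9e1c3"
SAMPLE_KEY = b"\x13\x37\x42"

# Characters the decoded body may contain: hex digits and the '-' delimiter.
ALLOWED = frozenset(b"0123456789abcdefABCDEF-")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is symmetric, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(hash_values: List[int], key: bytes) -> bytes:
    """Model of the described POST body (assumed layout): each hash value as an
    8-digit hex string, joined with '-', then XORed with the 3-byte key."""
    plaintext = "-".join(f"{v:08x}" for v in hash_values).encode("ascii")
    return xor_repeating(plaintext, key)


def decode_beacon(body: bytes, key: bytes) -> str:
    """Recover the mutex-derived string from a captured POST body with a known key."""
    return xor_repeating(body, key).decode("ascii")


def recover_key_candidates(body: bytes, key_len: int = 3) -> List[bytes]:
    """Recover the XOR key without knowing it: each key byte must map every
    ciphertext byte at its position (mod key_len) into the allowed charset.
    Returns every key consistent with that constraint (normally exactly one
    once the body is a few dozen bytes long)."""
    per_position = []
    for pos in range(key_len):
        column = body[pos::key_len]
        candidates = [k for k in range(256) if all((c ^ k) in ALLOWED for c in column)]
        per_position.append(candidates)
    return [bytes(combo) for combo in product(*per_position)]


def sample_body() -> bytes:
    """Build the constructed 'captured' POST body from the sample values."""
    values = [int(v, 16) for v in SAMPLE_PLAINTEXT.split("-")]
    return encode_beacon(values, SAMPLE_KEY)


if __name__ == "__main__":
    body = sample_body()
    print("captured body (hex):", body.hex())
    keys = recover_key_candidates(body)
    print("recovered key(s):", [k.hex() for k in keys])
    print("decoded:", decode_beacon(body, keys[0]))
```

The key-recovery step is the useful part for triage: the 3-byte key may differ per build, but a captured body of a few dozen bytes already pins it down, after which the decoded string can be compared with the mutex names observed on the host.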

Simplified Process:

SHA1: 35aedeadde9f2ca077b0e4093d72334a57531a9a
MD5: b3bc031fef0d0c41fd26b308c8cbc620
SHA256: 3a65b5735981f636fbaf9cff05e78f933d10b5191209eb077d4a29210c23e739

https://www.virustotal.com/#/file/3a65b5735981f636fbaf9cff05e78f933d10b5191209eb077d4a29210c23e739/detection

Yara Rule:

import "pe"

rule azorult_win32_unpack {
    meta:
        author = "tccontre"
        description = "detecting azorult malware"
        date = "2019-01-23"
        sha256 = "ae75cd28bc2309f085f79bc8bd480e797b5e42f852c40a8cc733e1a51a7c5fa9"

    strings:
        $mz = { 4d 5a }

        $s1 = "FROM moz_places, moz_historyvisits WHERE" fullword

        $c0 = "\\accounts.xml" fullword wide
        $c1 = "PortNumber" fullword wide
        $c2 = "\\places.sqlite" fullword wide

        $code1 = { 81 F1 8A 45 21 65 03 D9 8B CB C1 E1 0D 8B F3 C1 EE 13 0B CE 2B D9 42 48 }

    condition:
        ($mz at 0) and all of ($s*) and 2 of ($c*) and all of ($code*)
}

