ShadowHammer Shellcode in RSRC ENTRY:
We all know that the shellcode is triggered by the patched crt_ExitProcess API, but I was curious where the actual shellcode is placed within the file. It turns out that the shellcode sits in an entry of the .rsrc section: the resource name entry "EXE" contains the actual shellcode.
figure 1 - shadowhammer shellcode in rsrc entry
"crt_ExitProcess" Trigger The ShellCode:
The shellcode is triggered by the patched crt_ExitProcess API within the file.
figure 2 - the patched API
The first part of the shellcode allocates a small memory block in which it decrypts the size of the encrypted code embedded in the shellcode. That size is 5600h; the shellcode adds 10h to it and then allocates a second block of virtual memory for the encrypted code.
figure 3 - size needed to be allocated for encrypted shellcode
figure 4 - first memory allocation for decrypting the 10h bytes
figure 5 - allocation for encrypted code in shellcode
The Decryption Routine:
The decryption routine used for this encrypted code is shown below:
figure 5 - decryption routine
Harvesting Needed API:
Before harvesting APIs, the shellcode locates the kernel32.dll image base through the PEB and resolves the API hashes for "LoadLibraryExA" and "GetProcAddress". It then harvests further APIs from ntdll.dll, kernel32.dll, wininet.dll and IPHLPAPI.dll.
figure 6 - needed module
figure 7 - needed API
Parsing MAC Address:
The shellcode obtains the MAC address through the "GetAdaptersAddresses" API, which retrieves the addresses of all adapters on the local computer. It then computes the MD5 of the MAC address and compares it against the list of MD5 hashes embedded in its code. The first call to GetAdaptersAddresses is intended to fail: it serves only to retrieve the buffer size needed for the IP_ADAPTER_ADDRESSES structures.
figure 8 - retrieving adapters information and addresses
figure 9 - looking for the MAC address and computing its MD5
figure 10 - code snippet where it compares the MAC MD5 to the MD5 list it has
MD5 LIST It Looks For:
figure 11 - the list of MD5 MAC addresses
code snippet showing how the MD5 string list is initialized
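The targeting check described in the two sections above (MAC retrieval, MD5 comparison), written as an added defender-side self-check; this is not code from the original post or from the malware. Because the page does not state which string form of the MAC the shellcode hashes, the candidate renderings, the constructed MAC and the hash list here are assumptions.

```python
import hashlib
import re
import uuid

# Candidate renderings of a MAC. ASSUMPTION: the sample's real format is not
# stated on the page, so a defender-side checker covers the plausible ones.
MAC_FORMATS = {
    "colon_lower": lambda b: ":".join(f"{x:02x}" for x in b),
    "colon_upper": lambda b: ":".join(f"{x:02X}" for x in b),
    "dash_upper": lambda b: "-".join(f"{x:02X}" for x in b),
    "bare_lower": lambda b: "".join(f"{x:02x}" for x in b),
    "raw_bytes": lambda b: bytes(b),
}

def parse_mac(text):
    """Accept 'aa:bb:..', 'AA-BB-..' or 'aabb..'; return the 6 raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def md5_hex(data):
    """MD5 hex digest of a str (UTF-8) or bytes, the form the hash list uses."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()

def mac_digests(mac):
    """{format_name: md5} for every candidate rendering of one MAC."""
    raw = parse_mac(mac)
    return {name: md5_hex(render(raw)) for name, render in MAC_FORMATS.items()}

def match_targets(macs, target_md5s):
    """(mac, format, md5) for each adapter MAC whose digest is in the target list."""
    targets = {t.lower() for t in target_md5s}
    return [(mac, fmt, d) for mac in macs
            for fmt, d in mac_digests(mac).items() if d in targets]

def local_macs():
    """One local MAC via uuid.getnode(); the shellcode instead enumerates all
    adapters with GetAdaptersAddresses, so feed every adapter MAC on Windows."""
    node = uuid.getnode()
    return [":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))]

if __name__ == "__main__":
    # Constructed target: digest of a made-up MAC, not the real IoC list.
    demo = {md5_hex("0a:1b:2c:3d:4e:5f")}
    print(match_targets(local_macs() + ["0A-1B-2C-3D-4E-5F"], demo))
```

Feed `match_targets` the published target hashes and all adapter MACs of a host to learn whether that host would have been selected.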
Payload:
If a targeted MAC address is found, the shellcode downloads the payload of the attack from its C&C server.
figure 12 - payload
INI File:
If the MD5 of the machine's MAC address is not in the list, the shellcode drops an idx.ini file containing the current system date plus 7 days.
figure 13 - computing the date
figure 14 - idx.ini
Conclusion:
This malware sample teaches us that even a normal update application can be compromised, and that we should take further precautions when installing third-party applications.
YARA Rule:
import "pe"
rule shadow_hammer_win32_ {
    meta:
        author = "tcontre"
        description = "detecting shadowhammer malware"
        date = "2019-04-10"
        sha256 = "9a72f971944fcb7a143017bc5c6c2db913bbb59f923110198ebd5a78809ea5fc"
    strings:
        $mz = { 4d 5a }
        $code1 = { BA 7C C2 11 00 03 D0 8B 3A 89 7D F8 6A 40 68 00 }
        $code2 = { C1 E0 07 B9 33 33 33 33 2B }
        $code3 = { C1 E0 09 B9 44 44 44 44 2B }
    condition:
        ($mz at 0) and 2 of ($code*)
}