Wednesday, February 26, 2020

2 birds in one stone (AVE MARIA & WSHRAT in one package) ...

Nowadays RAT malware is so prevalent that it exfiltrates user accounts or even forms part of bigger APT attacks. Today I will share an interesting sample I saw in app.any.run during my research that contains 2 different malware families in one package: the AVE MARIA Trojan Spy and the WSHRAT malware.

so let's start...

Obfuscated WSHRAT: 

The sample is an NSIS file that contains multiple components of WSHRAT and the AVE MARIA TrojanSpy. You can see the execution steps of the malicious files in the NSIS script.

figure 1: the NSIS script that shows the execution of the 2 malware families

Encoded and Obfuscated WSHRAT VB SCRIPT:

The WSHRAT package contains 5 components, and 3 of them are encoded VBScript (.vbe) files, namely list.vbe, ndch.vbe and reverse.vbe. Once those files are decoded, each ends up as an encrypted VBScript that is responsible for downloading another malware or an updated copy of either WSHRAT or the AVE MARIA TrojanSpy from hxxp://107[.]189[.]7[.]176/crypter/arrays/178BFBFF00670F00-ZJebQfoiEVN.txt.

figure 2: list.vbe as it decrypts its code.

The files ndch.vbe and reverse.vbe have the same structure and download URL as list.vbe; there are just some changes in strings, filenames and registry values in each file. Before the URL download code, the script generates an executable from an array of hex values; this executable is responsible for reflectively injecting the downloaded file into the process it creates, in this case regasm.exe.

figure 3: the reflective loader executable that injects the downloaded file into the created regasm.exe process.

Obfuscated Script.JS and snp.vbs:

snp.vbs is a VBScript that decodes a PowerShell script that downloads from its C&C server, while the other interesting file is the .JS component named Script.js. This file is the core of WSHRAT. It contains several functions or features that WSHRAT can perform on the infected machine, like bypassing UAC, creating a Run registry entry, enumerating drives, processes, anti-virus products and country, grabbing browser passwords, downloading from or uploading to the C&C, elevating its process and many more.

figure 4: different functions and features of WSHRAT

It also has a feature to drop 3 WSHRAT .NET executable plugins for keylogging, reverse proxy and getRDP onto the infected machine. They are stored in base64 format within the Script.js file and become visible after decrypting it.

figure 5: wshrat plugins

Below are some code snippets of each module that show their capabilities, like the reverse proxy connection, downloading the latest keylogger or using the offline keylogger available in the WSHRAT module, and the screen capture and mouse event logger in the RDP plugin.

figure 6: wshrat plugins
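As an added analyst-side example (not code from the post, the sandbox or the malware), the following Python carves embedded PE payloads out of a decoded WSHRAT script in both layouts the post describes: the hex-value array in list.vbe/ndch.vbe/reverse.vbe that is rebuilt into the reflective loader, and the base64 plugin blobs inside Script.js. The script fragments and the PE stub are constructed, and the `Array(&H..)` and quoted-base64 layouts are assumptions about the scripts' exact format.

```python
import base64
import hashlib
import re
import struct

# Constructed stand-in for a carved payload: a 128-byte stub with an MZ header
# whose e_lfanew points at a "PE\0\0" signature. It is not executable code.
def fake_pe():
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 60

# Constructed script fragments in the two layouts assumed here: a VBScript
# hex-value array (as in the decoded .vbe files) and a quoted base64 blob
# (as in Script.js); the real scripts' variable names are not known.
VBS_SAMPLE = "arr = Array(" + ",".join("&H%02X" % b for b in fake_pe()) + ")\r\n"
JS_SAMPLE = 'var kl = "' + base64.b64encode(fake_pe()).decode() + '";\r\n'

HEX_ARRAY_RE = re.compile(r"Array\(((?:\s*&H[0-9A-Fa-f]{1,2}\s*,?)+)\)")
B64_RE = re.compile(r'"([A-Za-z0-9+/]{100,}={0,2})"')

def looks_like_pe(data):
    """MZ at offset 0 and PE\\0\\0 at e_lfanew: the same gate the YARA rules open with."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_hex_arrays(script):
    """Rebuild each Array(&H..,&H..) literal into bytes; keep the PE-shaped ones."""
    blobs = []
    for m in HEX_ARRAY_RE.finditer(script):
        tokens = [t.strip() for t in m.group(1).split(",") if t.strip()]
        blobs.append(bytes(int(t[2:], 16) for t in tokens))
    return [b for b in blobs if looks_like_pe(b)]

def carve_base64(script):
    """Decode long quoted base64 strings; keep the PE-shaped ones."""
    blobs = []
    for m in B64_RE.finditer(script):
        try:
            blobs.append(base64.b64decode(m.group(1), validate=True))
        except ValueError:  # binascii.Error subclasses ValueError
            continue
    return [b for b in blobs if looks_like_pe(b)]

def carve(script):
    """Return (sha256 hex, payload bytes) for every embedded PE in either encoding."""
    return [(hashlib.sha256(b).hexdigest(), b)
            for b in carve_hex_arrays(script) + carve_base64(script)]
```

The returned hashes are what you pivot on in the sandbox and the YARA rules below; the carved bytes themselves belong in an isolated analysis VM, never on a host.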

AVE_MARIA TrojanSpy:

The file "[2020] Amazon Gift Card Code Generator + Checker [CRACKED] [HQ] [VERY FAST].exe" is an AVE_MARIA loader that drops antimalware.exe, which is the actual AVE_MARIA TrojanSpy. Below is a snippet of the good string IOCs found in its code.

figure 7: ave maria malware

HASHES:

main file:
file name: _[2020] Amazon Gift Card Code Generator _ Checker [CRACKED] [HQ] [VERY FAST].bin
file size: 612 KB (626,688 bytes)

sample in app.any.run:

https://app.any.run/tasks/9d7acbc8-0c3f-4929-ba14-35a6c64c5224/

wshrat plugins:

filename: keylogger.bin

filename: rdp.bin

filename: reverseproxy.bin

sample in app.any.run:

https://app.any.run/tasks/f444b39d-f54a-492f-b776-fa200e6bb201
https://malshare.com/sample.php?action=detail&hash=6fcf573046f8090e5fcd8417f3162e1c


ave maria malware:

filename: [2020] Amazon Gift Card Code Generator + Checker [CRACKED] [HQ] [VERY FAST].exe1


filename: antimalware.exe1

https://malshare.com/sample.php?action=detail&hash=21a44a76a2f61301d68c7d6cc2e38950


YARA:

import "pe"

rule ave_maria_loader {
    meta:
        author = "tcontre"
        description = "detecting ave_maria_loader"
        date = "2020-02-26"
        sha256 = "79c27360ee54bbd7362e7c75aac2bdd6b3dc3c8926e20ef35c07ca91807d993f"

    strings:
        $mz = { 4d 5a }
        $s1 = "Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus." fullword
        $s2 = "Best regards 2 Tommy Salo" fullword
        $s3 = "Dziadulja Apanas" fullword

    condition:
        ($mz at 0) and all of ($s*)
}

rule ave_maria_malware {
    meta:
        author = "tcontre"
        description = "detecting ave_maria"
        date = "2020-02-26"
        sha256 = "02551ee4acf529c74c89591cca1f65cf7c80201b2a8d9ee7e6d024c30eb17840"

    strings:
        $mz = { 4d 5a }

        $a1 = "AVE_MARIA" fullword
        $s1 = "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q " fullword
        $s2 = "SELECT * FROM logins" fullword
        $u1 = "Ave_Maria Stealer" fullword wide
        $u2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword wide
        $u3 = "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}" fullword wide

    condition:
        ($mz at 0) and ($a1) and 1 of ($s*) and 1 of ($u*)
}

rule wsh_rat_plugins {
    meta:
        author = "tcontre"
        description = "detecting wshrat_plugins"
        date = "2020-02-26"
        sha256_rdp = "d65a3033e440575a7d32f4399176e0cdb1b7e4efa108452fcdde658e90722653"
        sha256_reverseproxy = "bb2bb116cc414b05ebc9b637b22fa77e5d45e8f616c4dc396846283c875bd129"
        sha256_keylogger = "272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a"

    strings:
        $mz = { 4d 5a }

        $code_reverse_proxy = { 25 28 1C 00 00 0A 0C 00 02 7B 0E 00 00 04 6F 40 00 00 0A 00 02 7B 0F 00 00 04 6F 40 00 00 0A 00 28 20 00 00 0A DE 00 }
        $wsh_rvp1 = "WSH Inc" fullword
        $wsh_rvp2 = "ReverseProxy.pdb" fullword

        $code_rdp = { 5A 28 3A 00 00 0A B7 6F 3C 00 00 0A 00 73 3D 00 00 0A 13 05 07 11 05 28 3E 00 00 0A }
        $wsh_rdp1 = "WSHRat Plugin" fullword
        $wsh_rdp2 = "open-rdp" fullword wide

        $code_key = { 9A 02 17 9A 28 4F 00 00 0A 6F 50 00 00 0A 00 72 CD 00 00 70 02 18 9A 72 23 01 00 70 28 51 00 00 0A }
        $wsh_key1 = "Keylogger.pdb" fullword
        $wsh_key2 = "open-keylogger" fullword wide

    condition:
        ($mz at 0) and 1 of ($code*) and 2 of ($wsh*)
}