- sha1: 60eaa4fd53b78227760864e6cf27b08bc4bdde72
Description
A Windows trojan written in C. It is a DLL with an encrypted payload.
Operating routine
During initialization, the trojan sequentially creates two threads: one to decrypt the data and the other to execute the payload.
Initially, the payload is encrypted with a key that is the path to the executable. During the first run, the trojan rebuilds the executable and covers it with another layer of encryption. This encryption binds the payload to the infected PC.
The preparation phase consists of the following steps:
- A random salt is generated and stored in the new trojan body at a specific offset
- BIOS information is obtained
- This information is hashed using the salt generated in step 1, and the resulting hash is the key used to encrypt the payload
- The payload is encrypted using this “custom” key
After this transformation, the trojan has two decryption stages:
Stage 1: Decryption using constants from the compromised PC
- The salt stored in the trojan body is read from a specific offset
- The salt is used to create a hash of the BIOS information
- The payload is decrypted
Stage 2: Decryption of the payload encrypted with the default key
- The ImagePathName value is extracted from the RTL_USER_PROCESS_PARAMETERS struct; this field is a Unicode string whose length must be greater than 0x76 bytes (in our case the file name was %LOCALAPPDATA%\Yandex\YandexBrowser\Application\Wldp.dll)
- The last 0x76 bytes of that string are taken
- This value is hashed, and the resulting hash is the key for the symmetric algorithm
- The payload is decrypted
Encryption algorithm
A modified ChaCha20 algorithm is used as the symmetric encryption algorithm. The modification consists of an additional layer for key initialization: the input key undergoes one round of the algorithm, and the result becomes the key for the regular algorithm.
Hashing algorithm
A modified BLAKE2 algorithm is used as the hash function. The modification is that the input data is hashed repeatedly, several times in succession.
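To make the two key-derivation paths concrete (the host-bound stage 1 key from the salt and BIOS data, and the default stage 2 key from the tail of ImagePathName), here is an added Python model; it is not the sample's code. The salt offset, the salt length, the number of hash repetitions, the BLAKE2b digest size and the sample values are assumptions or constructed inputs and are marked as such; only the 0x76-byte tail and its length check come from the analysis above. The point it demonstrates is that both keys depend on values an analyst must reproduce exactly: the bytes at the salt offset, the BIOS data of the infected host, and the exact load path of the DLL in its UTF-16LE form.

```python
import hashlib

# ASSUMPTIONS (not taken from the analysis): salt offset, salt length,
# number of hash repetitions and digest size.
SALT_OFFSET = 0x200      # placeholder offset of the salt inside the rebuilt body
SALT_SIZE = 16           # hashlib's BLAKE2b accepts at most 16 salt bytes
HASH_ROUNDS = 4          # "repeated hashing"; the real count is not known here
KEY_SIZE = 32            # 256-bit symmetric key
PATH_TAIL_LEN = 0x76     # from the analysis: last 0x76 bytes of ImagePathName


def iterated_blake2(data: bytes, salt: bytes = b"", rounds: int = HASH_ROUNDS) -> bytes:
    """Hash `data` with BLAKE2b `rounds` times in a row, feeding each digest
    back in as the next input (model of the 'repeated hashing')."""
    digest = data
    for _ in range(rounds):
        digest = hashlib.blake2b(digest, digest_size=KEY_SIZE, salt=salt).digest()
    return digest


def stage1_key(trojan_body: bytes, bios_info: bytes) -> bytes:
    """Stage 1: the salt is read from a fixed offset of the body and the
    BIOS information is hashed with it."""
    salt = trojan_body[SALT_OFFSET:SALT_OFFSET + SALT_SIZE]
    if len(salt) != SALT_SIZE:
        raise ValueError("body too short to contain the salt")
    return iterated_blake2(bios_info, salt=salt)


def image_path_tail(image_path: str) -> bytes:
    """ImagePathName is a UNICODE_STRING, so the 'longer than 0x76 bytes' check
    and the tail are taken on the UTF-16LE bytes, not on the character count."""
    raw = image_path.encode("utf-16-le")
    if len(raw) <= PATH_TAIL_LEN:
        raise ValueError("ImagePathName must be longer than 0x76 bytes")
    return raw[-PATH_TAIL_LEN:]


def stage2_key(image_path: str) -> bytes:
    """Stage 2: the default key is derived from the tail of the module path,
    which is why a copy of the DLL loaded from another path cannot decrypt."""
    return iterated_blake2(image_path_tail(image_path))


# Constructed sample values (not from a real host and not from the sample).
SAMPLE_PATH = r"C:\Users\analyst\AppData\Local\Yandex\YandexBrowser\Application\Wldp.dll"
SAMPLE_BIOS = b"CONSTRUCTED-BIOS-VENDOR/1.0/2024-01-01"
SAMPLE_BODY = bytes(SALT_OFFSET) + bytes(range(SALT_SIZE)) + b"\x00" * 64

if __name__ == "__main__":
    print("stage 1 key:", stage1_key(SAMPLE_BODY, SAMPLE_BIOS).hex())
    print("stage 2 key:", stage2_key(SAMPLE_PATH).hex())
    print("path tail  :", image_path_tail(SAMPLE_PATH).decode("utf-16-le"))
```

For the constructed path the 0x76-byte tail is the last 59 UTF-16 characters, "yst\AppData\Local\Yandex\YandexBrowser\Application\Wldp.dll", so even the user-profile name contributes to the stage 2 key; when reproducing the decryption on a forensic image, the DLL has to be loaded (or the key computed) from the path it occupied on the infected machine, not from a lab directory.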
Payload
The payload is a shellcode generated using https://github.com/TheWover/donut/tree/master. This shellcode decrypts and downloads an MZPE file written in .NET, the main purpose of which is to launch a trojan downloaded from the Internet. The main body of the shellcode can be found at https://github.com/TheWover/donut/blob/master/loader_exe_x64.h.
The shellcode performs the following actions:
- Checks the flag that selects whether the payload runs in a separate thread or in the main thread
- Decrypts the MZPE file into a newly allocated memory area
- Loads the ole32.dll, oleaut32.dll, wininet.dll, mscoree.dll, and shell32.dll libraries using the LoadLibraryA function
- Resolves the addresses of the WldpQueryDynamicCodeTrust, WldpIsClassInApprovedList, EtwEventWrite and EtwEventUnregister functions using the GetProcAddress function
- Initializes the AMSI interface
- Loads amsi.dll
- Loads the AmsiInitialize, AmsiScanBuffer and AmsiScanString functions
- Reads the value of the AMSI bypass flag; this flag is not set in this sample
- Downloads the .NET application
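The set of libraries and APIs the shellcode resolves is a usable triage indicator for a decrypted stage or a memory dump. The Python check below is an added example written for this page, not a signature from any vendor or from the donut project; the API and library names are the ones listed above, and the dumps it runs over are constructed. It requires the WLDP, ETW and AMSI groups together with mscoree.dll, because any one of these names alone (AmsiScanBuffer in particular) appears in plenty of legitimate software.

```python
# API and library names taken from the shellcode description above, grouped
# by what the loader uses them for. Constructed triage heuristic, not a
# shipped signature.
INDICATOR_GROUPS = {
    "wldp": (b"WldpQueryDynamicCodeTrust", b"WldpIsClassInApprovedList"),
    "etw": (b"EtwEventWrite", b"EtwEventUnregister"),
    "amsi": (b"AmsiInitialize", b"AmsiScanBuffer", b"AmsiScanString"),
    "libraries": (b"ole32.dll", b"oleaut32.dll", b"wininet.dll",
                  b"mscoree.dll", b"shell32.dll"),
}


def find_indicators(buf: bytes) -> dict:
    """Return, per group, the names that occur in `buf` as ASCII or UTF-16LE."""
    found = {}
    for group, names in INDICATOR_GROUPS.items():
        hits = []
        for name in names:
            wide = name.decode("ascii").encode("utf-16-le")
            if name in buf or wide in buf:
                hits.append(name.decode("ascii"))
        found[group] = hits
    return found


def looks_like_donut_loader(buf: bytes) -> bool:
    """Heuristic: WLDP, ETW and AMSI names all present plus mscoree.dll,
    the CLR host a .NET payload needs. Single hits are ignored on purpose."""
    found = find_indicators(buf)
    return (all(found[g] for g in ("wldp", "etw", "amsi"))
            and "mscoree.dll" in found["libraries"])


# Constructed sample inputs: a fake decrypted-stage dump with the strings
# embedded (one of them as UTF-16LE), and a benign buffer with a lone AMSI hit.
SAMPLE_DUMP = (b"\x00" * 16
               + b"ole32.dll\x00mscoree.dll\x00WldpQueryDynamicCodeTrust\x00EtwEventWrite\x00"
               + "AmsiScanBuffer".encode("utf-16-le")
               + b"\x00" * 16)
BENIGN_DUMP = b"AmsiScanBuffer\x00kernel32.dll\x00"

if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(label, looks_like_donut_loader(dump), find_indicators(dump))
```

Running this over the decrypted payload rather than the DLL on disk is the practical point: on disk the strings are hidden under the two encryption layers described above, so a static string scan of Wldp.dll finds nothing, while the decrypted shellcode and the .NET stager it unpacks carry the names in clear.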
The .NET stager downloads other malware, saves it under the name “YandexUpdater.exe” and then launches it. At the time of our investigation, the file was no longer available on the server from which the malware was supposed to be downloaded, so we were unable to positively identify the downloaded software; however, we can assume that the file in question could be the same Trojan.Packed2.46324.