cd ../../Reversing Malware

Reversing Bandios/Colony Malware [PART 1]

6 minutes read

SHA256: 59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834

I found the sample on the ANY.RUN sandbox.

1

On the ANY.RUN sandbox we see that it spawns the child process with -install argument, the child process creates several files under %SYSTEM_DIRECTORY%:

2

If we run the same executable on hybrid-analysis we get almost nothing, it executes recursively and never ends:

3

Let’s dive in deep and see what happens.

NOTE: I've renamed functions after analysis

After getting the necessary privileges it checks if -install argument is there. if not, it executes copy_tmp_with_install_arg and collect_encrypt_send, otherwise iaStorE_and_files will be executed.

4

Inside copy_tmp_with_install_arg it copies itself to %TEMP% directory and executes with the -install argument:

5

A very interesting fact is that there are two ways to execute application using the CreateProcess function:

CreateProcess(exePath, nullptr, ...); and CreateProcess(nullptr, exePath, ...);, if we run the program via the first method we get command line string with quotation marks, otherwise we get one without it:

create_process_diff

The sample calls the second variant and at the beginning of the process it checks the arguments without quotation marks, in the normal environment it works as expected but not on the hybrid-analysis sandbox. Most likely, hybrid-analysis hooks CreateProcess at some level and after checking parameters it changes something and passes arguments to lower functions, so, at the end, we get a different command line string, which causes infinite recursion in case of the sample.

We can use this simple technique to bypass hybrid-analysis sandbox (any.run is immune):

detect_hybrid_analysis

That’s the reason why hybrid-analysis fails. Let’s back to our analysis.

UPDATE 17.04.2018: The bypass on hybrid-analysis is fixed now

After executing child process with -install parameter, it calls collect_encrypt_send function and starts collection information about the system:

Windows version:

6

Installed browser:

7

NOTE: A clean version of Windows 10 contains HKEY_CURRENT_USER\Software\Google\Chrome key, even if there is no Chrome installed, so this method is not reliable

Installed AV via checking HKEY_LOCAL_MACHINE\\SOFTWARE\\%AV_NAME% key:

8

MAC address of the adapter and system language:

9

It passes the collected information to the machine_info_AES_base64 function, which encrypts the content with AES and encodes with base64:

10

Inside machine_info_AES_base64 it calls CoCreateGuid to generate 8 bytes of random data and adds another 8 bytes hardcoded value 1Q2a3k79:

11

The sample uses MD5 functions from advapi32.dll to calculate the md5 hash of the abovementioned 16 bytes string (8_rand_bytes_8_hard_coded)

12

After that, it uses the hash as the key to encrypt the system information using AES algorithm and encodes the encrypted content via base64:

13

NOTE: IDAScope plugin for IDA Pro is very useful to detect which cryptography algorithms are used in a sample.

It sends the encrypted and encoded data to iostream.system.band/dump/io/time.php:

14

15

The first 8 bytes are generated by the CoCreateGuid call. There is simple code to decrypt the traffic content:

16

After sending system information, the parent process dies, but the child process continues execution with the -install argument, and in this case, it executes the iaStorE_and_files function.

After calling the GetNativeSystemInfo function, it extracts 32-bit or 64-bit executables based on the SYSTEM_INFO.dwOemId field

17

After checking the system architecture it calls write_spoolsr_and_MSdat and there it decrypts PE from byte_443870(in case of a 0x64-bit system) using 0xDD as the key, generates random 0x40 bytes and appends to the decrypted file, it saves the decrypted file as %SYS_DIR%\\spoolsr.exe and the encrypted file as %SYS_DIR%\\MS.dat:

18

19

Similarly, KeyHook_usp20_n_dats extract, decrypt and creates following files: KeyHook64.dll, KH.dat, usp20.dll and UP.dat:

20

21

KeyHook64.dll is decrypted KH.dat, spoolsr.exe is decrypted MS.dat and usp20.dll is decrypted UP.dat.

After that, it extracts the data from resources (0x110 in case of 0x64 system and 0x108 otherwise) of the sample and seems like it’s encrypted or compressed data:

22

And it calls decompress_ with extracted data and length of the data, IDAscope tells us that the function uses ZLIB-related constants:

23

24

Seems like it’s a driver, saved under C:\Windows\System32\drivers as iaStorE.sys:

25

On a 0x64 system it installs the driver as a crash dump filter by simply adding the drive name to the registry key \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFilters, on the next reboot, crashdmp.sys will load the filter driver into the dump stack, for more information about Dump Filer Drivers, click here:

26

On a 0x32 system it installs the driver via creating a service called iaStorE:

27

After extracting files and installing the driver, the sample exits.

All files are signed, including drivers, certificates are revoked by its issuer, but that’s not a problem for Windows:

sig

That’s just the first phase, I’ll try to analyze the dumped files on the next weekends.

Thank you for your time.

Discuss on Reddit