Reversing Bandios/Colony Malware [PART 1]
SHA256: 59c662a5207c6806046205348b22ee45da3f685fe022556716dbbd6643e61834
I found the sample on the ANY.RUN sandbox.
On the ANY.RUN sandbox we see that it spawns a child process with the -install argument, and the child process creates several files under %SYSTEM_DIRECTORY%:
If we run the same executable on hybrid-analysis we get almost nothing: it executes itself recursively and never ends:
Let’s dive in deep and see what happens.
NOTE: I've renamed functions after analysis
After getting the necessary privileges, it checks whether the -install argument is present. If not, it executes copy_tmp_with_install_arg and collect_encrypt_send; otherwise iaStorE_and_files is executed.
Inside copy_tmp_with_install_arg it copies itself to the %TEMP% directory and executes the copy with the -install argument:
A very interesting detail is that there are two ways to launch an application with the CreateProcess function:
CreateProcess(exePath, nullptr, ...);
and CreateProcess(nullptr, exePath, ...);
If we run the program via the first method, the child receives a command line string with quotation marks around the path; with the second method it receives one without them:
The sample uses the second variant, and at the start of the process it checks the arguments assuming there are no quotation marks. In a normal environment this works as expected, but not on the hybrid-analysis sandbox. Most likely hybrid-analysis hooks CreateProcess at some level, inspects the parameters, then rebuilds the command line before passing it to the lower-level functions, so the child ends up with a different command line string. For this sample the -install check then fails every time, which causes the infinite recursion.
The same trick can be used to bypass the hybrid-analysis sandbox (any.run is immune):
That's why hybrid-analysis fails. Let's get back to our analysis.
UPDATE 17.04.2018: The bypass on hybrid-analysis is fixed now
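The quoting difference described above is exactly the kind of thing a robust argument check has to tolerate. The following added example (not code from the sample or from this write-up) implements the Win32 command-line tokenization rules that CommandLineToArgvW and the C runtime apply (whitespace splits arguments, double quotes group text, and a run of backslashes is only special when it precedes a quote), and contrasts the fragile "compare the raw string" check with a check that tokenizes first. The %TEMP% path and the argument spelling are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// SplitWindowsCommandLine tokenizes a raw Win32 command line the way
// CommandLineToArgvW / the C runtime do: whitespace separates arguments,
// double quotes group text, and a run of backslashes is only special when
// it precedes a double quote (2n -> n backslashes, 2n+1 -> n backslashes
// plus a literal quote). The newer CRT rule that "" inside a quoted run
// yields a literal quote is deliberately not implemented here.
func SplitWindowsCommandLine(cmdline string) []string {
	var args []string
	var cur []rune
	inQuote, inArg := false, false
	rs := []rune(cmdline)
	for i := 0; i < len(rs); i++ {
		c := rs[i]
		switch {
		case c == '\\':
			n := 0
			for i < len(rs) && rs[i] == '\\' {
				n++
				i++
			}
			if i < len(rs) && rs[i] == '"' {
				cur = append(cur, []rune(strings.Repeat(`\`, n/2))...)
				if n%2 == 1 {
					cur = append(cur, '"') // escaped literal quote
				} else {
					inQuote = !inQuote // unescaped quote toggles quoting
				}
			} else {
				cur = append(cur, []rune(strings.Repeat(`\`, n))...)
				i-- // let the loop re-read the character that ended the run
			}
			inArg = true
		case c == '"':
			inQuote = !inQuote
			inArg = true
		case !inQuote && (c == ' ' || c == '\t'):
			if inArg {
				args = append(args, string(cur))
				cur = cur[:0]
				inArg = false
			}
		default:
			cur = append(cur, c)
			inArg = true
		}
	}
	if inArg {
		args = append(args, string(cur))
	}
	return args
}

// naiveInstallCheck is the fragile pattern: compare the raw command line
// against the exact unquoted form the process expects to have produced.
func naiveInstallCheck(cmdline, exePath string) bool {
	return cmdline == exePath+" -install"
}

// robustInstallCheck tokenizes first, so the quoted and unquoted forms of
// argv[0] both work and the -install flag is found wherever it sits.
func robustInstallCheck(cmdline string) bool {
	args := SplitWindowsCommandLine(cmdline)
	for i := 1; i < len(args); i++ {
		if strings.EqualFold(args[i], "-install") {
			return true
		}
	}
	return false
}

func main() {
	exe := `C:\Users\user\AppData\Local\Temp\sample.exe` // constructed path
	unquoted := exe + " -install"
	quoted := `"` + exe + `" -install`
	for _, cl := range []string{unquoted, quoted} {
		fmt.Printf("%-58s naive=%-5v robust=%-5v argv=%q\n",
			cl, naiveInstallCheck(cl, exe), robustInstallCheck(cl), SplitWindowsCommandLine(cl))
	}
}
```

Run against the two forms, the naive check passes only the unquoted command line, which is the behaviour that sent the sample into recursion under a sandbox that rewrote its command line; the tokenizing check passes both.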
After launching the child process with the -install parameter, the parent calls the collect_encrypt_send function and starts collecting information about the system:
Windows version:
Installed browser:
NOTE: A clean Windows 10 installation contains the HKEY_CURRENT_USER\Software\Google\Chrome key even when Chrome is not installed, so this check is not reliable.
Installed AV, by checking for the HKEY_LOCAL_MACHINE\SOFTWARE\%AV_NAME% key:
MAC address of the adapter and system language:
It passes the collected information to the machine_info_AES_base64 function, which encrypts the content with AES and encodes the result with base64:
Inside machine_info_AES_base64 it calls CoCreateGuid to generate 8 bytes of random data and appends the 8-byte hard-coded value 1Q2a3k79:
The sample uses the MD5 functions from advapi32.dll to compute the MD5 hash of this 16-byte buffer (8_rand_bytes_8_hard_coded).
It then uses that hash as the AES key to encrypt the system information and base64-encodes the ciphertext:
NOTE: The IDAScope plugin for IDA Pro is very useful for detecting which cryptographic algorithms a sample uses.
It sends the encrypted and encoded data to iostream.system.band/dump/io/time.php:
The first 8 bytes of the sent data are the ones generated by the CoCreateGuid call, so the key can be re-derived from the traffic itself. Here is a simple piece of code to decrypt the traffic content:
After sending the system information, the parent process exits, but the child process started with the -install argument continues, and in this case it executes the iaStorE_and_files function.
After calling GetNativeSystemInfo, it extracts 32-bit or 64-bit executables based on the SYSTEM_INFO.dwOemId field (the union member that overlays wProcessorArchitecture).
After checking the system architecture it calls write_spoolsr_and_MSdat, which decrypts a PE from byte_443870 (on a 64-bit system) using the single byte 0xDD as the key, generates 0x40 random bytes and appends them to the decrypted file, then saves the decrypted file as %SYS_DIR%\spoolsr.exe and the encrypted one as %SYS_DIR%\MS.dat:
Similarly, KeyHook_usp20_n_dats extracts, decrypts and creates the following files: KeyHook64.dll, KH.dat, usp20.dll and UP.dat:
KeyHook64.dll is the decrypted KH.dat, spoolsr.exe is the decrypted MS.dat and usp20.dll is the decrypted UP.dat.
After that, it extracts data from the sample's resources (resource 0x110 on a 64-bit system, 0x108 otherwise); it looks like encrypted or compressed data:
It calls decompress_ with the extracted data and its length; IDAscope tells us that the function uses ZLIB-related constants:
The result is a driver, saved under C:\Windows\System32\drivers as iaStorE.sys:
On a 64-bit system it installs the driver as a crash dump filter, simply by adding the driver name to the REG_MULTI_SZ value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\DumpFilters. On the next reboot crashdmp.sys loads the filter driver into the dump stack, so the driver gets loaded without a service entry of its own. For more information see Microsoft's documentation on dump filter drivers:
On a 32-bit system it installs the driver by creating a service called iaStorE:
After extracting files and installing the driver, the sample exits.
All files, including the drivers, are signed. The certificates have been revoked by their issuer, but that's not a problem for Windows, since kernel-mode code integrity does not perform revocation checks when it loads a driver:
That's just the first phase; I'll try to analyze the dumped files over the next weekends.
Thank you for your time.