Internals of FASTCash: Unit180 tool

Reversing FastCash

FastCash is a banking trojan; triage ties it to the FASTCash fraudulent cash-out campaign attributed to Unit 180, a cyber-criminal group allegedly operating from the DPRK.

Analysis

Static and Dynamic Analysis

Static Analysis:

Signature Information:

WinMain function

The usual starting point when reverse engineering a Windows executable is its WinMain() function. In the FastCash WinMain() we will look at the following functions (the names are labels the analyst assigned in IDA, not symbols shipped with the binary):

modify_privileges(), scramble_up_data(), callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr(), rtrn_FILE_processor_INTEL_dir(), snapshot_and_error_creator().

First, modify_privileges() adjusts the privileges of the process on the infected system. pszPath is then set to 0, after which scramble_up_data() is called to scramble data on the system. Next, PathFileExistsA(pszPath) is checked: if the file is not found, the string "DLL not found" is printed; otherwise the return value of callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr() is stored in v8. v8 is then compared against dword_40EEE8: if the two differ, rtrn_FILE_processor_INTEL_dir() runs (the first conditional branch); otherwise a second if condition is evaluated and, if it holds, snapshot_and_error_creator() runs. Finally WinMain() returns 0.

modify_privileges() function:

This function declares result, a handle v0, TokenHandle, and the structures Luid and NewState. v0 receives GetCurrentProcess(). If OpenProcessToken() fails to open the process token, the function returns 0. If the lookup that fills Luid (the privilege's local unique identifier, normally done with LookupPrivilegeValue()) fails, the token handle is closed with CloseHandle() and the function again returns 0. Otherwise NewState.PrivilegeCount and NewState.Privileges are filled in, AdjustTokenPrivileges() is called with NewState, the token handle is closed with CloseHandle(), and the outcome is stored in result (0 on failure) and returned. The decompiled call was read as disabling privileges; note, however, that AdjustTokenPrivileges() only disables everything when its DisableAllPrivileges argument is TRUE, in which case NewState is ignored. Since NewState is populated here, whether the target privilege ends up enabled or disabled is decided by the Attributes field written into NewState (SE_PRIVILEGE_ENABLED to enable, 0 to disable), so that field, and the privilege name passed to the lookup, are the values worth confirming in the decompiler.
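The following is an added example, not code from the original post or from the FastCash sample, that reimplements the token-privilege sequence described above with ctypes so the structures the decompiler shows (Luid, NewState) can be inspected byte for byte. The privilege name SeDebugPrivilege used in the usage line is an assumption; the page does not say which privilege the sample touches. Only adjust_privilege() needs Windows; build_new_state() and the helpers around it run anywhere.

```python
import ctypes
import sys

# Documented Windows constants (winnt.h / winerror.h).
SE_PRIVILEGE_ENABLED = 0x00000002
TOKEN_ADJUST_PRIVILEGES = 0x0020
TOKEN_QUERY = 0x0008
ERROR_NOT_ALL_ASSIGNED = 1300


class LUID(ctypes.Structure):
    _fields_ = [("LowPart", ctypes.c_uint32), ("HighPart", ctypes.c_int32)]


class LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Luid", LUID), ("Attributes", ctypes.c_uint32)]


class TOKEN_PRIVILEGES(ctypes.Structure):
    # This is the layout of the NewState local seen in the decompiled function.
    _fields_ = [("PrivilegeCount", ctypes.c_uint32),
                ("Privileges", LUID_AND_ATTRIBUTES * 1)]


def build_new_state(luid_low, luid_high, enable):
    """Fill NewState the way the decompiled function does: one privilege,
    its LUID, and an Attributes word that decides enable (2) vs disable (0)."""
    state = TOKEN_PRIVILEGES()
    state.PrivilegeCount = 1
    state.Privileges[0].Luid.LowPart = luid_low
    state.Privileges[0].Luid.HighPart = luid_high
    state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED if enable else 0
    return state


def new_state_size():
    """Size in bytes of the structure the sample writes (16 on x86 and x64)."""
    return ctypes.sizeof(TOKEN_PRIVILEGES)


def new_state_bytes(luid_low, luid_high, enable):
    """Raw little-endian bytes, useful for matching a memory dump of NewState."""
    return bytes(build_new_state(luid_low, luid_high, enable))


def adjust_privilege(name, enable=True):
    """Windows-only re-creation of modify_privileges(): open the token,
    resolve the LUID, and apply NewState. Returns True only if the change
    was actually assigned. Assumption: the sample uses the same API sequence."""
    if sys.platform != "win32":
        raise OSError("adjust_privilege needs advapi32/kernel32 (Windows only)")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    advapi32.OpenProcessToken.argtypes = [
        ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    advapi32.LookupPrivilegeValueW.argtypes = [
        ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(LUID)]
    advapi32.AdjustTokenPrivileges.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(TOKEN_PRIVILEGES),
        ctypes.c_uint32, ctypes.c_void_p, ctypes.c_void_p]

    token = ctypes.c_void_p()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        return False
    try:
        luid = LUID()
        if not advapi32.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
            return False
        state = build_new_state(luid.LowPart, luid.HighPart, enable)
        # DisableAllPrivileges = FALSE: NewState.Attributes decides the change.
        if not advapi32.AdjustTokenPrivileges(token, 0, ctypes.byref(state),
                                              0, None, None):
            return False
        # The call returns TRUE even when the privilege was not held; the
        # real outcome is in the last error code.
        return ctypes.get_last_error() != ERROR_NOT_ALL_ASSIGNED
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    print(new_state_bytes(20, 0, True).hex())
    if sys.platform == "win32":
        print("SeDebugPrivilege enabled:", adjust_privilege("SeDebugPrivilege"))
```

The ERROR_NOT_ALL_ASSIGNED check is the part most reimplementations (and many malware samples) skip: AdjustTokenPrivileges() reports success even when the token never held the privilege, so a non-admin process can appear to "enable" SeDebugPrivilege while nothing changed.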

scramble_up_data() function:

This function scrambles data on the system; it is built from many control-flow and conditional statements. What it actually produces was not confirmed during this analysis, so the name records the analyst's reading of its control flow rather than a verified purpose.

callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr() function:

This function unpacks the payload, carries out thread operations, and finally decrypts something (the exact data decrypted was not identified).

Code of callr_of_callr_of_unpack_payld_thd_ops_decrypt_smthg_callr function.

rtrn_FILE_processor_INTEL_dir() function:

This function performs process injection: the payload is written into the memory of a process and executed there.

snapshot_and_error_creator() function:

This function takes snapshots of the running processes, enumerating their modules and handles, and retrieves error codes with GetLastError().

Dynamic Analysis:

Basic

Behavior Graph:

Setting up the breakpoints in IDA at all reversed functions mentioned in static analysis.

Functional call graph of WinMain of FastCash.

When FastCash runs under the debugger, it hits the first breakpoint at modify_privileges(), the first function called from WinMain().

While tracing modify_privileges(), the debugger lands at the offset aParameterInput instead of the function itself, and execution proceeds without the breakpoints set on the function being hit. Because the debugger does not stop at the breakpoints we set, this suggests the sample employs some anti-debugging technique.

The debugger also passes through _tmainCRTStartup(), the C runtime entry routine that runs before WinMain(). It calls GetStartupInfo() to obtain the process's STARTUPINFO (used to derive the nCmdShow value handed to WinMain()). This is standard CRT startup code present in every MSVC-built program, not malware logic, and it is not evidence of a persistence mechanism.

Indicators of Compromise(IOCs) and Detections

Network [ C2 Communications]

40[.]90[.]23[.]247 & 2[.]57[.]89[.]199

Att&ck IDs

T1106 Native API, T1129 Shared Modules, T1204 User Execution, T1500 Compile After Delivery (deprecated; now T1027.004), T1130 Install Root Certificate (deprecated; now T1553.004), T1112 Modify Registry, T1057 Process Discovery, T1012 Query Registry.

Att&ck Mitre Techniques

Sample from Report

FastCash:

MD5: 89081f2e14e9266de8c042629b764926

SHA1: 730c1b9e950932736fc4b02cbdb4e4e891485ac2

SHA256: 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655

Signers

ORDARA LTD, Symantec Class 3 Extended Validation Code Signing CA — G2, VeriSign.

Counter Signers

DigiCert Timestamp Responder, DigiCert Assured ID CA-1, DigiCert.

X509 Signers

VeriSign Class 3 Public Primary Certification Authority — G5, Symantec Class 3 Extended Validation Code Signing CA — G2, ORDARA LTD, DigiCert Timestamp Responder, DigiCert Assured ID CA-1.

Dropped Executables:

SHA256: 21369005c8400b68d8cab1a9a6c4d5809f5a685a8e18d311272467bb25d3d3c8

SHA256: 5fb9e280013d58043c5689478f9dcfad3212f4681534627eb33998ddd6f63308

SHA256: 6787c524b0ac30a698237ffb035f932d7132343671b8fe8f0388ed380d19a51c

SHA256: 6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b

YARA Signature:

Mapping Network Traffic via Wireshark:

Tracking C2 using Wireshark.
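As an added example covering both the IOC list above and the C2 tracking described here (not code from the original post), the script below turns the published indicators into a small hunting routine: it refangs the C2 addresses, matches process and network events against the sample hashes, the C2 IPs and the ORDARA LTD code-signing identity, and emits the equivalent Wireshark display filter. The events are constructed, Sysmon-style records; the Signer field on process events is an assumption (it would come from an Authenticode lookup, which Sysmon does not record on process-create events).

```python
import ipaddress

# Indicators copied from the report's IOC section, defanged as published.
C2_IPS_DEFANGED = ["40[.]90[.]23[.]247", "2[.]57[.]89[.]199"]
SAMPLE_SHA256 = {
    "39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655": "FastCash sample",
    "21369005c8400b68d8cab1a9a6c4d5809f5a685a8e18d311272467bb25d3d3c8": "dropped executable",
    "5fb9e280013d58043c5689478f9dcfad3212f4681534627eb33998ddd6f63308": "dropped executable",
    "6787c524b0ac30a698237ffb035f932d7132343671b8fe8f0388ed380d19a51c": "dropped executable",
    "6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b": "dropped executable",
}
SUSPECT_SIGNER = "ORDARA LTD"   # leaf signer from the report's signature data


def refang(indicator):
    """Turn a defanged address like 2[.]57[.]89[.]199 back into a real one."""
    return indicator.replace("[.]", ".")


C2_IPS = {ipaddress.ip_address(refang(ip)) for ip in C2_IPS_DEFANGED}


def match_event(event):
    """Return the list of reasons a single event matches the IOC set."""
    hits = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        # Hashes are compared case-insensitively; logs vary in case.
        sha256 = event.get("SHA256", "").lower()
        if sha256 in SAMPLE_SHA256:
            hits.append(f"hash matches {SAMPLE_SHA256[sha256]}")
        if event.get("Signer", "").upper() == SUSPECT_SIGNER:
            hits.append(f"signed by {SUSPECT_SIGNER}")
    elif kind == "NetworkConnect":
        try:
            dst = ipaddress.ip_address(event.get("DestinationIp", ""))
        except ValueError:
            return hits            # malformed address: not a match, not a crash
        if dst in C2_IPS:
            hits.append(f"connection to C2 {dst}:{event.get('DestinationPort')}")
    return hits


def scan(events):
    """Run every event through the matcher; yields (RecordId, reason) pairs."""
    return [(ev["RecordId"], reason) for ev in events for reason in match_event(ev)]


def wireshark_filter():
    """Display filter for isolating C2 traffic in a capture."""
    return " || ".join(f"ip.addr == {ip}" for ip in sorted(C2_IPS))


# Constructed sample events (not real telemetry): one benign process, the
# FastCash sample itself, one C2 connection, one benign connection, one dropper.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "SHA256": "0" * 64, "Signer": "Microsoft Windows"},
    {"RecordId": 2, "EventType": "ProcessCreate", "Image": r"C:\Users\Public\update.exe",
     "SHA256": "39CBAD3B2AAC6298537A85F0463453D54AB2660C913F4F35BA98FFFEB0B15655",
     "Signer": "ORDARA LTD"},
    {"RecordId": 3, "EventType": "NetworkConnect", "Image": r"C:\Users\Public\update.exe",
     "DestinationIp": "2.57.89.199", "DestinationPort": 443},
    {"RecordId": 4, "EventType": "NetworkConnect", "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"RecordId": 5, "EventType": "ProcessCreate", "Image": r"C:\Users\Public\svc.exe",
     "SHA256": "6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b",
     "Signer": ""},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {reason}")
    print("Wireshark filter:", wireshark_filter())
```

The signer check is deliberately a separate hit from the hash check: a re-signed or recompiled dropper changes every hash but keeps the ORDARA LTD certificate until it is revoked, so the certificate subject is the more durable indicator of the two.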

Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.