Reversing APT-28 64-bit Keylogger [Zebrocy Nim] [ TLP: White ]

In-depth Static and Dynamic Analysis


Samples of Zebrocy Nim appear frequently on MalwareBazaar, and recently Zebrocy Nim has been weaponised by APT-28 and APT-29 in malicious targeting of the US, UK and Canada, in phishing campaigns specifically designed and themed around nCoV-19.

Static and Dynamic Analysis

Static Analysis: Basic

Deploying Cutter




Static Analysis: Advanced

Deploying Ghidra

entry function:

The entry function contains two functions, “get_sys_info” and “encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor”. Together these two functions exfiltrate information about the victim's computer after the infection [i.e. backdooring the machine with this malware after an initial infection by a worm such as Emotet].

get_sys_info function:

This function is responsible for fetching system information, not on its own but together with the other function present in the entry function. Looking at “get_sys_info”, you will observe that “local_38” is assigned a “FileTime” value multiplied by “0x0”, which in simple language zeroes it. Immediately after that comes a conditional “if” statement in which a very large value is used for the comparison, just to load an error-filled negative value into memory and assign that negative value to a data buffer. Then the SystemTime, CurrentProcessId, TickCount and CurrentThreadId are fetched, and the “QueryPerformanceCounter” function is used to query the system's performance counter. After that the data is scrambled. By scrambling I mean that mathematical operations are applied to the information the function imported from the system; as before, a conditional “if” is applied to the data, which is then passed to two further “data buffers”, one with a positive value and one with a negative value.
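A check worth making before spending time on this function: the same five sources (FileTime, process id, thread id, tick count and QueryPerformanceCounter), XOR-mixed and compared against a large constant, are also exactly what the MSVC CRT emits as its `__security_init_cookie` stub, and the default /GS cookie values it compares against are 0x2B992DDFA232 on x64 and 0xBB40E64E on x86. The script below is an added example, not code from the original post or from the sample; it scores a decompiled function's call set against that idiom, flags whether the compared constant is a default cookie, and models the XOR mixing (the masking and bump-on-collision are a model of the CRT idiom, not a decompilation of this sample). The call list in `__main__` is constructed to mirror the description above.

```python
from typing import Iterable

# Added example, not code from the original post. Documented default /GS cookie
# values that the MSVC CRT compares against in __security_init_cookie.
DEFAULT_COOKIE_X64 = 0x00002B992DDFA232
DEFAULT_COOKIE_X86 = 0xBB40E64E

# The five APIs the cookie stub calls; a decompiler usually shows them in this order.
COOKIE_INIT_APIS = frozenset({
    "GetSystemTimeAsFileTime",
    "GetCurrentProcessId",
    "GetCurrentThreadId",
    "GetTickCount",
    "QueryPerformanceCounter",
})


def is_default_cookie(constant: int) -> bool:
    """True if a large immediate seen in a conditional is a default /GS cookie."""
    return constant in (DEFAULT_COOKIE_X64, DEFAULT_COOKIE_X86)


def matches_cookie_init_idiom(calls_in_function: Iterable[str]) -> bool:
    """True when a function's call set covers every API of the cookie stub.

    GetTickCount64 is folded to GetTickCount because newer CRTs use the 64-bit call.
    """
    seen = {"GetTickCount" if c == "GetTickCount64" else c for c in calls_in_function}
    return COOKIE_INIT_APIS <= seen


def mix_cookie_x64(filetime: int, pid: int, tid: int, tick: int, perf_counter: int) -> int:
    """Model of the x64 cookie mixing (an assumption modelled on the CRT idiom).

    The sources are XOR-combined, the top 16 bits are cleared, and a result equal to
    the default cookie is bumped by one so the runtime never keeps the default.
    """
    cookie = filetime ^ pid ^ tid ^ tick ^ perf_counter
    cookie &= 0x0000FFFFFFFFFFFF
    if cookie == DEFAULT_COOKIE_X64:
        cookie += 1
    return cookie


def triage_function(name: str, calls: Iterable[str], compared_constant: int) -> str:
    """One-line verdict an analyst can attach to a decompiled function."""
    if matches_cookie_init_idiom(calls) and is_default_cookie(compared_constant):
        return f"{name}: CRT __security_init_cookie stub (compiler scaffolding)"
    if matches_cookie_init_idiom(calls):
        return f"{name}: cookie-style entropy gathering, constant is not a default cookie"
    return f"{name}: does not match the cookie-init idiom"


if __name__ == "__main__":
    # Constructed call list modelled on the get_sys_info description above.
    sample_calls = ["GetSystemTimeAsFileTime", "GetCurrentProcessId",
                    "GetCurrentThreadId", "GetTickCount64", "QueryPerformanceCounter"]
    print(triage_function("get_sys_info", sample_calls, 0x2B992DDFA232))
```

If the compared constant turns out to be one of the default cookies, the function is compiler scaffolding and the real information-gathering code lives elsewhere; if it is not, the idiom still tells you the values are being used as entropy rather than reported as-is.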

encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function:

In this function the system's start-up information is first extracted. After a few conditional “if” statements the function “going_for_cs_journey” is called to triage the critical section. Further on, “encrypting_and_doing_buffer_juggling” is called, which encrypts the data and messes up the buffer, most probably a BOF [buffer overflow], raising an “unhandled” [exception] in the system which is then stored in the data buffer. Moving on, we see processor-specific messing-up according to x86 or x64. After that, data is exchanged between memory locations and some scrambling happens dynamically in this function. At the end of the function “x64_bit_scrambling” takes place, along with “payload writing” in memory, encryption of the payload and a few file operations.

In the function graph of this function we can see that the boxes are of the same size, which indicates that Zebrocy Nim must be using “RC4 encryption”.
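Same-sized blocks in a graph are only a hint; what confirms RC4 is a fixed 256-iteration loop that fills and permutes a 256-byte state (the key schedule) followed by a second loop with the same swap that emits one keystream byte per iteration. As an added example, not code from the original post or the sample, the reference implementation below gives those two loops in readable form, and `find_sbox_candidates` scans a memory dump for a 256-byte window that is a permutation of 0..255, which is what a live RC4 state looks like in process memory. The test vector and the dump in `__main__` are constructed.

```python
from typing import List

# Added example, not code from the original post: reference RC4 plus an S-box
# locator for memory dumps.


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: a fixed 256-iteration loop that permutes S."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]  # the swap is the tell-tale instruction pair
    return s


def rc4_keystream(s: List[int], length: int) -> bytes:
    """PRGA: one output byte per iteration, using the same swap as the KSA."""
    s = s[:]  # do not disturb the caller's state
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): data XOR keystream."""
    keystream = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def find_sbox_candidates(blob: bytes) -> List[int]:
    """Offsets of 256-byte windows holding a permutation of 0..255.

    A live RC4 state in a process dump is exactly such a permutation, so this is a
    cheap way to locate the cipher state (and confirm the RC4 guess) in memory.
    """
    hits = []
    for off in range(len(blob) - 255):
        if len(set(blob[off:off + 256])) == 256:
            hits.append(off)
    return hits


if __name__ == "__main__":
    # Wikipedia test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
    # Constructed dump: zero padding around a key-scheduled S-box state.
    dump = b"\x00" * 32 + bytes(rc4_ksa(b"Key")) + b"\x00" * 32
    print(find_sbox_candidates(dump))
```

When the state is found in a dump, running the PRGA loop against it from a known offset in the ciphertext is the quickest way to verify the identification without recovering the key.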

going_for_cs_journey function:

In this function, operations on the “critical section” take place, with memory being freed as the operations complete.

encrypting_and_doing_buffer_juggling function:

Here the encryption and the buffer overflow take place through calls to the “way_to_encrypting” and “mess_up_buffer” functions.

acts_acc_to_x86_x64_processor_for_messingup function:

In this function “xor” operations are performed on the “image header”, and the scrambling of the (.pdata) section is handled here as well. After a few lines that scramble the code in a while loop comes the function known as “64_bit_scrambling_up”, and then the not-so-clever technique of RtlAddFunctionTable is used, as it has appeared in a few samples we analyzed.
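Two things an analyst wants to check at this point: whether an XOR-masked image header can be unmasked with a single-byte key recovered from the known “MZ” bytes, and whether the .pdata section that RtlAddFunctionTable will register is intact. On x64, .pdata is an array of RUNTIME_FUNCTION entries, each three 32-bit RVAs (BeginAddress, EndAddress, UnwindInfoAddress), sorted by BeginAddress with non-overlapping ranges; a table that fails those checks is still scrambled. The script below is an added example, not code from the original post or the sample; the table and masked header in `__main__` are constructed.

```python
import struct
from typing import List, Optional, Tuple

# Added example, not code from the original post. RUNTIME_FUNCTION layout for x64 PE
# .pdata: BeginAddress, EndAddress, UnwindInfoAddress, all 32-bit RVAs.
RUNTIME_FUNCTION = struct.Struct("<III")
Entry = Tuple[int, int, int]


def parse_pdata(section: bytes) -> List[Entry]:
    """Decode a raw .pdata blob into (begin, end, unwind) RVA triples."""
    if len(section) % RUNTIME_FUNCTION.size:
        raise ValueError("pdata length is not a multiple of 12 bytes")
    return [RUNTIME_FUNCTION.unpack_from(section, off)
            for off in range(0, len(section), RUNTIME_FUNCTION.size)]


def pdata_problems(entries: List[Entry], image_size: int) -> List[str]:
    """Sanity checks a dumped or unscrambled .pdata must pass.

    Entries must be sorted by BeginAddress without overlapping, and every RVA must
    lie inside the image; failures suggest the section is still scrambled.
    """
    problems = []
    prev_end = 0
    for idx, (begin, end, unwind) in enumerate(entries):
        if begin >= end:
            problems.append(f"entry {idx}: BeginAddress >= EndAddress")
        if end > image_size or unwind >= image_size:
            problems.append(f"entry {idx}: RVA outside the image")
        if begin < prev_end:
            problems.append(f"entry {idx}: not sorted / overlaps previous entry")
        prev_end = max(prev_end, end)
    return problems


def recover_single_byte_xor_key(masked_header: bytes) -> Optional[int]:
    """Recover a one-byte XOR key from the known 'MZ' bytes at offset 0.

    Returns None when the two bytes disagree, i.e. the mask is not a single byte.
    """
    if len(masked_header) < 2:
        return None
    k0, k1 = masked_header[0] ^ 0x4D, masked_header[1] ^ 0x5A
    return k0 if k0 == k1 else None


def unmask(data: bytes, key: int) -> bytes:
    """Apply (or remove) a single-byte XOR mask."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    # Constructed table: two adjacent functions in an image of size 0x4000.
    table = (RUNTIME_FUNCTION.pack(0x1000, 0x1050, 0x3000)
             + RUNTIME_FUNCTION.pack(0x1050, 0x1100, 0x3010))
    print(parse_pdata(table), pdata_problems(parse_pdata(table), 0x4000))
    # Constructed masked header: 'MZ\x90\x00' XORed with 0x37.
    masked = unmask(b"MZ\x90\x00", 0x37)
    key = recover_single_byte_xor_key(masked)
    print(hex(key), unmask(masked, key)[:2])
```

A multi-byte or rolling XOR will make the two recovered key bytes disagree, which is the signal to look at the scrambling loop itself rather than assume a constant mask.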

exchanger function:

exchanger is the function that exchanges data between two memory sets.

x64_bit_scrambling function:

In this particular module of “Zebrocy Nim”, the x64-bit scrambling across the x64 registers is carried out.

fetch_ps_info_writeup_of_payload_and_encryptor_file_ops function:

Here, in this module of “Zebrocy Nim”, around four operations are established to thwart the victim system, and to do so covertly without the victim's knowledge, much the way malware does its job for the attacker.

Four main operations in this particular module:

“fetch_ps_info”; “writing the payload” in memory; “encrypting all the written data” written by the payload; and performing file operations on the system to carry out communication with the Command and Control server (C2) later on. When that communication with the C2 is made, it is known as the “leaking of information from the victim machine”.

Dynamic Analysis: Basic

VT detection:

Registry Key Set:

Registry Key Deleted:

Imports of .dll by this .exe:

Process and Services Activity:

Dynamic Analysis: Advanced

Running the Zebrocy Nim .exe through VT gives these results:

C2 Server:

IPs communicating with the .exe:

Thanks for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
