Reversing APT-28 64-bit Keylogger [Zebrocy Nim] [ TLP: White ]

In-depth Static and Dynamic Analysis!

Introduction:

Zebrocy Nim samples appear frequently on MalwareBazaar, and recently Zebrocy Nim has been armed by APT-28 and APT-29 in phishing campaigns targeting the “US, UK, Canada”, with lures specifically designed around and themed on nCoV-19.

Static and Dynamic Analysis

Static Analysis: Basic

Deploying Cutter

Hashes:

Hashes of the Zebrocy Nim sample.

Strings:

Strings present in the Zebrocy Nim sample.

Imports:

Imports present in the Zebrocy Nim sample.

Static Analysis: Advanced

-: Deploying Ghidra :-

entry function:

The entry function calls two functions, “get_sys_info” and “encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor”. What these two functions do is exfiltrate the victim computer's information after the infection [backdooring the machine with this malware after an initial infection by a worm such as Emotet].

Code of entry function of Zebrocy Nim.
Graph of entry function of Zebrocy Nim.

get_sys_info function:

This specific function is responsible for fetching the system information, not on its own but together with the other function called from the entry function. Looking at “get_sys_info”, you will observe that “local_38” is assigned a “FileTime” value multiplied by “0x0” (zero bytes, in simple language). Right after that comes a conditional “if” statement in which a very large value is used for the comparison, solely to load an error-filled negative value into memory and assign that negative value to a data buffer. Then the SystemTime, CurrentProcessId, TickCount and CurrentThreadId are fetched, and “QueryPerformanceCounter” is used to query the system's performance counter. After that the data is scrambled. By scrambling I mean that mathematical operations are applied to the information the function has imported from the system; as before, a conditional “if” is applied to the data, which is then passed into two other “data buffers”, one receiving a positive value and one a negative value.

Code of get_sys_info function.
Graph of get_sys_info function.
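The sequence described above (a FileTime value, the process id, thread id and tick count, then QueryPerformanceCounter, XOR-combined, compared against one fixed very large constant, and stored together with its negated copy) is also exactly the shape of the stack-protector cookie initializer, __security_init_cookie, that the MSVC and mingw-w64 C runtimes link into every program they build, so a practitioner would compare the decompile against that runtime routine before attributing it to the malware itself. The following Python is an added example, not code from this post or from the sample: an approximate reconstruction of the x64 initializer together with a small triage helper. The SystemSnapshot values are constructed inputs; DEFAULT_SECURITY_COOKIE_X64 is the runtime's real default constant, while the exact perf-counter mixing and low-word fix-ups vary between runtime versions.

```python
"""Added example: approximate reconstruction of the x64 CRT security-cookie
initializer, for comparison against a decompiled 'get_sys_info'-style routine."""
from dataclasses import dataclass
from typing import Iterable, Tuple

MASK64 = 0xFFFFFFFFFFFFFFFF
MASK48 = 0x0000FFFFFFFFFFFF
# Real default value of __security_cookie on x64 builds; the "very large
# value" a decompiler shows in the comparison is this constant.
DEFAULT_SECURITY_COOKIE_X64 = 0x00002B992DDFA232

# The five entropy sources the initializer calls, in the order it calls them.
COOKIE_INIT_APIS = (
    "GetSystemTimeAsFileTime",
    "GetCurrentProcessId",
    "GetCurrentThreadId",
    "GetTickCount",
    "QueryPerformanceCounter",
)


@dataclass(frozen=True)
class SystemSnapshot:
    """Values the routine reads from the OS (constructed inputs in this example)."""
    file_time: int      # 64-bit FILETIME as one integer
    process_id: int
    thread_id: int
    tick_count: int
    perf_counter: int   # 64-bit QueryPerformanceCounter value


def init_security_cookie(snap: SystemSnapshot) -> Tuple[int, int]:
    """Return (cookie, complement) the way the x64 initializer derives them.

    Mixing is plain XOR, the result is truncated to 48 bits, a collision with
    the default constant is nudged by one, and the complement (the 'negative'
    copy written to a second global) is the bitwise NOT of the cookie.
    """
    cookie = snap.file_time & MASK64
    cookie ^= snap.process_id & 0xFFFFFFFF
    cookie ^= snap.thread_id & 0xFFFFFFFF
    cookie ^= snap.tick_count & 0xFFFFFFFF
    perf = snap.perf_counter & MASK64
    cookie ^= ((perf << 32) & MASK64) ^ perf
    cookie &= MASK48
    if cookie == DEFAULT_SECURITY_COOKIE_X64:
        cookie = DEFAULT_SECURITY_COOKIE_X64 + 1
    complement = (~cookie) & MASK64
    return cookie, complement


def looks_like_cookie_init(called_apis: Iterable[str], constants: Iterable[int]) -> bool:
    """Triage heuristic for a decompiled function: all five entropy APIs are
    called and the CRT default constant appears in a comparison."""
    apis = set(called_apis)
    return all(name in apis for name in COOKIE_INIT_APIS) and \
        DEFAULT_SECURITY_COOKIE_X64 in set(constants)


if __name__ == "__main__":
    # Constructed snapshot values, not taken from any real run.
    snap = SystemSnapshot(file_time=0x01D6E0F0A1B2C3D4, process_id=0x1234,
                          thread_id=0x5678, tick_count=0x00ABCDEF,
                          perf_counter=0x0000000100000002)
    cookie, comp = init_security_cookie(snap)
    print(f"cookie=0x{cookie:016x} complement=0x{comp:016x}")
    print(looks_like_cookie_init(COOKIE_INIT_APIS, [DEFAULT_SECURITY_COOKIE_X64]))
```

If the decompiled function matches this shape, its two output globals are the cookie and its complement rather than victim fingerprinting data, and the real collection logic should be looked for in the functions that follow it.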

encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function:

In this particular function, the system's start-up information is extracted first; after a few conditional “if” statements, the function “going_for_cs_journey” is called to handle the critical section. Further on in this function, “encrypting_and_doing_buffer_juggling” is called, which encrypts the data and messes up the buffer, most probably a BOF [buffer overflow] that raises an “unhandled” [exception] in the system, which is stored in the data buffer. Moving on, we see processor-dependent messing-up according to whether the processor is x86 or x64. Then the data is exchanged between memory locations and some scrambling happens dynamically within this function. At the end of this function, “x64_bit_scrambling” happens together with the “payload writing” in memory, the encryption of the payload, and a few file operations.

Code of encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function.
Graph of encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function.

In the functional graph of this function we can see that the boxes are all of the same size, which indicates that Zebrocy Nim must be using “RC4 encryption”.

Functional graph of encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function.
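RC4 is a reasonable first guess for a run of uniform-looking basic blocks, but same-sized boxes on their own are weak evidence; the confirming features are a 256-entry state array initialised to 0..255, a key-scheduling loop that swaps entries modulo 256, and a per-byte loop that swaps two entries and XORs one keystream byte. The following Python is an added example, not code from this post or from the sample: a reference RC4 (key scheduling plus keystream generation) that an analyst can use to try a recovered key against recovered data, and a locator that scans a memory dump for a 256-byte block holding a permutation of 0..255, which is what a live RC4 state looks like in process memory. The key, plaintext and dump bytes are constructed test inputs.

```python
"""Added example: reference RC4 and a memory-dump locator for a live RC4 state."""
from typing import List, Optional


def rc4_ksa(key: bytes) -> List[int]:
    """Key scheduling: initialise S to the identity permutation 0..255 and
    swap entries under control of the key. This 256-iteration loop is the
    most recognisable RC4 landmark in a decompile."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): generate the keystream with the
    PRGA and XOR it over the data one byte at a time."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_rc4_state(dump: bytes) -> Optional[int]:
    """Return the offset of the first 256-byte window that is a permutation of
    0..255 (a candidate RC4 S-box in a process memory dump), or None."""
    window_size = 256
    for off in range(0, len(dump) - window_size + 1):
        window = dump[off:off + window_size]
        if len(set(window)) == 256:   # 256 distinct byte values => permutation
            return off
    return None


if __name__ == "__main__":
    # Constructed inputs: the classic RC4 test vector and a fake memory dump
    # with an S-box embedded between runs of filler bytes.
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    sbox = bytes(rc4_ksa(b"Key"))
    dump = b"\x41" * 64 + sbox + b"\x41" * 64
    print(find_rc4_state(dump))
```

Once the locator reports an offset, the 256 bytes at that offset can be fed to a PRGA that starts from the dumped state instead of rc4_ksa, which recovers the rest of the keystream even when the key itself was never written to memory as a contiguous string.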

going_for_cs_journey function:

In this function, operations on the “critical section” take place, and the memory is “freed up” once the operations are done.

Code of going_for_cs_journey function.
Graph of going_for_cs_journey function.
Functional graph of going_for_cs_journey function.

encrypting_and_doing_buffer_juggling function:

Here in this function the encryption and the buffer overflow occur through calls to the “way_to_encrypting” and “mess_up_buffer” functions.

Code of encrypting_and_doing_buffer_juggling function.
Graph of encrypting_and_doing_buffer_juggling function.
Functional Graph of encrypting_and_doing_buffer_juggling function.

acts_acc_to_x86_x64_processor_for_messingup function:

In this function, “xor” operations are carried out on the “image header”, and the scrambling of the (.pdata) section is handled here as well. After a few lines that scramble the code in a while loop comes the function known as “64_bit_scrambling_up”, and then the not-so-clever technique of calling RtlAddFunctionTable is implanted, as has appeared in a few samples we analyzed.

Code of acts_acc_to_x86_x64_processor_for_messingup function.
Graph of acts_acc_to_x86_x64_processor_for_messingup function.
Functional Graph of acts_acc_to_x86_x64_processor_for_messingup function.
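The .pdata section of an x64 PE is an array of 12-byte RUNTIME_FUNCTION entries (BeginAddress, EndAddress, UnwindInfoAddress, all RVAs) that the exception dispatcher walks to unwind the stack; RtlAddFunctionTable registers additional entries at run time for code the image's own table does not cover, which is also what JITs and some compiler runtimes do, so the call by itself is not proof of malicious intent. The following Python is an added example, not code from this post or from the sample: a parser for a .pdata blob plus sanity checks (begin < end, both inside .text, entries sorted by BeginAddress, unwind info DWORD-aligned and inside the image) that flag entries a packer or in-place patcher has corrupted. The section bytes, .text range and image size are constructed test inputs.

```python
"""Added example: parse x64 .pdata RUNTIME_FUNCTION entries and sanity-check them."""
import struct
from typing import Iterable, List, NamedTuple, Tuple

RUNTIME_FUNCTION_FMT = "<III"   # BeginAddress, EndAddress, UnwindInfoAddress (RVAs)
RUNTIME_FUNCTION_SIZE = struct.calcsize(RUNTIME_FUNCTION_FMT)   # 12 bytes


class RuntimeFunction(NamedTuple):
    begin: int
    end: int
    unwind: int


def parse_pdata(pdata: bytes) -> List[RuntimeFunction]:
    """Split a .pdata section into entries, skipping the all-zero padding that
    fills the section up to its raw size."""
    entries = []
    usable = len(pdata) - len(pdata) % RUNTIME_FUNCTION_SIZE
    for off in range(0, usable, RUNTIME_FUNCTION_SIZE):
        begin, end, unwind = struct.unpack_from(RUNTIME_FUNCTION_FMT, pdata, off)
        if begin == 0 and end == 0 and unwind == 0:
            continue
        entries.append(RuntimeFunction(begin, end, unwind))
    return entries


def check_pdata(entries: Iterable[RuntimeFunction], text_range: Tuple[int, int],
                image_size: int) -> List[Tuple[int, str]]:
    """Return (index, reason) pairs for entries the exception dispatcher could
    not use correctly. A clean compiler-emitted table yields an empty list."""
    text_lo, text_hi = text_range
    problems = []
    prev_begin = -1
    for idx, fn in enumerate(entries):
        if fn.begin >= fn.end:
            problems.append((idx, "begin >= end"))
        elif fn.begin < text_lo or fn.end > text_hi:
            problems.append((idx, "outside .text"))
        if fn.begin < prev_begin:   # the loader binary-searches, so order matters
            problems.append((idx, "not sorted by BeginAddress"))
        prev_begin = fn.begin
        if fn.unwind % 4 != 0:      # UNWIND_INFO must be DWORD aligned
            problems.append((idx, "unwind info not DWORD aligned"))
        elif fn.unwind >= image_size:
            problems.append((idx, "unwind info outside image"))
    return problems


def build_pdata(entries: Iterable[Tuple[int, int, int]]) -> bytes:
    """Construct a .pdata blob (constructed input for the example), padded with
    zeros to a 16-byte boundary the way a section's raw size usually is."""
    blob = b"".join(struct.pack(RUNTIME_FUNCTION_FMT, *e) for e in entries)
    return blob + b"\x00" * (-len(blob) % 16)


if __name__ == "__main__":
    # Constructed table: two good entries and one with begin > end and an
    # unwind RVA beyond the image; .text is 0x1000-0x2000, image is 0x5000.
    blob = build_pdata([(0x1000, 0x1050, 0x3000),
                        (0x1050, 0x10A0, 0x3010),
                        (0x2000, 0x1FF0, 0x9000)])
    entries = parse_pdata(blob)
    for idx, reason in check_pdata(entries, (0x1000, 0x2000), 0x5000):
        print(f"entry {idx} ({entries[idx]}): {reason}")
```

Running this over the .pdata of the original and of the unpacked image gives an analyst a concrete before/after view of what the in-place patching changed, rather than relying on a visual impression of the scrambling loop.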

exchanger function:

exchanger is the function that exchanges data between the two memory sets.

Code of exchanger function.
Graph of exchanger function.
Functional Graph of exchanger function.

x64_bit_scrambling function:

In this particular module of the “Zebrocy Nim” malware, the x64-bit scrambling across the x64 registers is carried out.

Code of x64_bit_scrambling function.
Graph of x64_bit_scrambling function.
Functional Graph of x64_bit_scrambling function.

fetch_ps_info_writeup_of_payload_and_encryptor_file_ops function:

Here, in this module of “Zebrocy Nim”, around four operations are set up to thwart the victim system, and to do it covertly, without the victim's knowledge, much the way malware does the job for its attacker.

Four main operations in this particular module:

1. “fetch_ps_info”;
2. “writing the payload” in memory;
3. “encrypting all the written data” written by the payload;
4. performing the file operations on the system needed to carry out the communication with the Command and Control server (C2) later on; when that communication with the C2 is made, what is known as the “leaking of information of the victim machine” is done.

Code of fetch_ps_info_writeup_of_payload_and_encryptor_file_ops function.
Graph of fetch_ps_info_writeup_of_payload_and_encryptor_file_ops function.

Dynamic Analysis: Basic

VT detection:

VirusTotal detection of Zebrocy Nim malicious activity.

Registry Key Set:

These are the registry keys set by Zebrocy Nim.

Registry Key Deleted:

These are the registry keys deleted on execution of Zebrocy Nim.

Imports of .dll by this .exe:

These are the 7 .dll files imported by the Zebrocy Nim .exe.

Process and Services Activity:

Dynamic Analysis: Advanced

Running the Zebrocy Nim .exe on VT gives these results.

The image shows the IPs contacted once the file has infected the victim machine.

C2 Server:

IPs communicating with the .exe:

Thanks for reading.

Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.