Reversing APT Tool : SManager
Static and Dynamic Analysis of Chinese APT Backdoor

Introduction:
Recently JPCert (the Japanese CERT) published a blog post, in Japanese, about an espionage campaign run by a Chinese APT. Through the efforts of a fellow researcher, I obtained the sample.

Static & Dynamic Analysis
Static Analysis (Basic)
Analyzed file info:
It contains the file hashes and other file information, such as when the file was created and what type of application it is.

Strings:
As the strings shown in the images below indicate, a number of Windows Forms application functions are implemented in this sample.

Static Analysis: Advanced
Using Ghidra, I analyzed this sample further.
entry function:
In this entry function some sort of stack and buffer overflow is going on, and it also helps the attacker deliver the victim machine's startup applications, drivers and kernel version information, in order to leverage kernel exploitation, with the help of “fetch_sys_startup_info”. This entry function is as odd as the other entry functions mentioned so far in my blogs: some of the functions inside it are found loading ntdll.dll, MSVCRT.dll or other DLLs for the exploitation of the kernel. At the end of this entry function you will find the call to the main Windows Forms application function.

scamming_errors_of_ikernel_and_upgrade function:
In this particular function a fake error is loaded into memory (which suggests that DLL hijacking may be in place). A second fake message, a bogus upgrade notice, is also presented to the victim machine.
Reference: 0x10000 and 0x30000

Another interesting function in the binary is fetch_sys_info. It is worth noting that it loads MSVCRT.DLL several times as the binary executes; this is the runtime library that a binary developed in Visual Studio needs to load.

At the end of this entry function, the call to the Windows Forms application is made.
Let's now take a look at the Windows Forms application functions.
Some Windows Forms functions are displayed in the screenshot. If you go into any of these functions, there is nothing interesting to see. The main function is AfxWinMain, which is called from the entry function and returns to it.

AfxFindResourceHandle function:
This is the function in which the resources of the Windows Forms application are handled.

resources_finder_icon_loader function:
“AfxFindResourceHandle” is called by the “resources_finder_icon_loader” function, in which the different resources are located and the icons are loaded. I also fetched some modules for the main Windows Forms application.

Other than that, there are functions in this binary used to automate the exploitation and the termination of communication with the server. “EnableAutomation” is responsible for this automation.

reg_editor function:
This function is responsible for editing the system registry.

creation_of_exploit_directory function:
Here, after the declaration of the variables used in this function, “GetFileAttributesA” is moved into pVar1, which suggests that the attributes of the file or directory associated with param_1 will be retrieved. From here on the kernel-level sabotage begins.

payload_writer_dir_creator_for_payload function:
This function is very long; some of the reversed code lines are:
This function is responsible for altering the environment variables of the victim machine, and it performs a kind of buffer overflow and memory corruption through the function “FUN_00421f0”.

Within “payload_writer_dir_creator_for_payload” there is a call to “MakeSureDirectoryPathExists”; the disruption of user32.dll operations is handled by this module, and dbghelp.dll (the library that exports MakeSureDirectoryPathExists) is also installed to add debugging capabilities for the kernel and for triage of the victim system.

reg_edit_proxy_setup_and_file_ops function:
It sets up the proxy, performs the registry edits and the file operations using “reg_ops” and “setup_proxy_and_sys_file_info_fetch”, and loads the buffer with the new registry entries and new files for further kernel exploitation.

caller_of_communication_termination function:
In this function the Windows Forms application's communication with the command and control (C2) server is terminated.

Dynamic Analysis (Basic)
VT detection:

Registry Key Set:

Registry Key Deleted:

Imports of .dll by this .exe:

Process and Services Activity:

Dynamic Analysis: Advanced
Running the SManager .exe on any.run gives these results:

IOCs:
Main object- “97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c.exe”
sha256 97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c
sha1 9522f369ac109b03e6c16511d49d1c5b42e12a44
md5 830dd354a31ef40856978616f35bd6b7
Dropped executable file
C:\Users\admin\AppData\Local\Temp\WMedia\1376765.tmp (sha256 6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75)
DNS requests
domain vgca.homeunix.org
domain office365.blogdns.com
Connections
ip 193[.]187[.]118[.]195
ip 10[.]0[.]14[.]196
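As an added example (not code from the original post), the indicators listed above can be matched against log lines with a small Python scanner. The log lines are constructed for illustration; the private address 10.0.14.196 is left out of the network indicators because it is an RFC 1918 address from the sandbox run rather than attacker infrastructure.

```python
import re

def refang(value):
    """Turn the defanged '193[.]187[.]118[.]195' form back into a real IP."""
    return value.replace("[.]", ".")

# Indicators quoted in the IOCs section. 10.0.14.196 is excluded: it is a
# private RFC 1918 address from the sandbox run, not a usable network indicator.
IOC_HASHES = {
    "97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c",
    "9522f369ac109b03e6c16511d49d1c5b42e12a44",
    "830dd354a31ef40856978616f35bd6b7",
    "6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75",
}
IOC_DOMAINS = {"vgca.homeunix.org", "office365.blogdns.com"}
IOC_IPS = {refang("193[.]187[.]118[.]195")}

HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Dropped-file location from the any.run run: %TEMP%\WMedia\<digits>.tmp
DROPPED_PATH_RE = re.compile(r"\\appdata\\local\\temp\\wmedia\\\d+\.tmp\b")

def scan(lines):
    """Return (line_number, ioc_type, indicator) for every IOC hit in lines."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw.lower())  # logs may themselves be defanged
        hits += [(n, "hash", h) for h in HEX_RE.findall(line) if h in IOC_HASHES]
        hits += [(n, "ip", ip) for ip in IP_RE.findall(line) if ip in IOC_IPS]
        hits += [(n, "domain", d) for d in DOMAIN_RE.findall(line) if d in IOC_DOMAINS]
        m = DROPPED_PATH_RE.search(line)
        if m:
            hits.append((n, "path", m.group(0)))
    return hits

# Constructed sample log lines (not from the post): DNS, proxy and file events.
SAMPLE_LOGS = [
    "2021-01-12 09:14:02 dns query from 10.0.14.196 for vgca.homeunix.org type A",
    "2021-01-12 09:14:03 proxy CONNECT 193[.]187[.]118[.]195:443 user=admin",
    r"2021-01-12 09:14:05 file created C:\Users\admin\AppData\Local\Temp\WMedia\1376765.tmp",
    "2021-01-12 09:14:05 hash sha256=6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75",
    "2021-01-12 09:20:00 dns query from 10.0.14.20 for www.example.com type A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```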
C2 Server:

Communicating IPs with the .exe:

YARA Signature:
Thanks for reading.