Static and Dynamic Analysis of Chinese APT Backdoor
Recently, JPCERT (the Japanese CERT) published a blog post, in Japanese, about an espionage campaign run by a Chinese APT. Thanks to the efforts of a fellow researcher, I have the sample.
Static & Dynamic Analysis
Analyzed Info about the File:
This includes the file hashes and other file information, such as when it was created and what type of application it is.
As the strings shown in the images below indicate, several Windows Forms application functions are implemented in this sample.
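The file-information and strings steps above are the usual first pass of triage. The following script is an added example (it is not code from the post or from the sample's author) that performs that pass on a byte buffer: it computes the MD5/SHA-1/SHA-256 hashes, extracts printable ASCII strings the way the `strings` utility does, and flags the DLL names and MFC-style `Afx*` symbols the write-up mentions. The sample bytes are constructed for the example and stand in for the real binary.

```python
import hashlib
import re

# Constructed stand-in for a sample's bytes (not the real binary from the post):
# a fake MZ header followed by a few strings of the kind the write-up calls out.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"AfxWinMain\x00AfxFindResourceHandle\x00"
    + b"MSVCRT.dll\x00ntdll.dll\x00dbghelp.dll\x00"
    + b"MakeSureDirectoryPathExists\x00GetFileAttributesA\x00"
    + b"\x01\x02\x03ab\x00"
)

# DLLs named in the analysis; a string matching one of these is worth noting.
DLLS_OF_INTEREST = {"ntdll.dll", "msvcrt.dll", "user32.dll", "dbghelp.dll"}
# MFC exports (AfxWinMain, AfxFindResourceHandle, ...) share this prefix.
MFC_PREFIX = "Afx"


def file_hashes(data: bytes) -> dict:
    """Return the md5/sha1/sha256 hex digests a triage report usually lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """Summarise a sample: hashes, PE magic check, interesting DLLs and MFC symbols."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": data[:2] == b"MZ",          # PE files start with the MZ magic
        "dlls": sorted({s for s in strings if s.lower() in DLLS_OF_INTEREST}),
        "mfc_symbols": sorted(s for s in strings if s.startswith(MFC_PREFIX)),
        "string_count": len(strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_BYTES), indent=2))
```

To run it against a real file, replace `SAMPLE_BYTES` with `open(path, "rb").read()`; the string scan is ASCII-only, so UTF-16 strings (common in Windows binaries) would need a second pattern.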
Static Analysis: Advanced
Using Ghidra, I analyzed this sample further.
In this entry function, some sort of stack and buffer overflow is going on, and it also helps the attacker attacking the victim machine by delivering the system startup applications, drivers and kernel version information, with the help of “fetch_sys_startup_info”, to leverage kernel exploitation. This entry function is also odd, like the other entry functions mentioned so far in my blogs, in that some of the functions inside it are found loading ntdll.dll, MSVCRT.dll or other DLLs for kernel exploitation. At the end of this entry function you will find the call to the main Windows Forms application function.
In this particular function a fake error is loaded into memory [i.e. a fake error message is loaded in memory, which leads one to think that DLL hijacking might be in place]. A second fake message is shown to the victim machine: a fake upgrade message.
Reference: 0x10000 and 0x30000
Another interesting function in the binary is fetch_sys_info. It is interesting to note that it loads MSVCRT.DLL several times as the binary executes; this is a file that necessarily gets loaded by the binary when the code is developed in Visual Studio.
At the end of this entry function the call to the Windows Forms application is made.
Let's now take a look at the Windows Forms application functions.
Here are some Windows Forms functions displayed in the screenshot. If you go into any of these functions there is nothing interesting to see. The main function is AfxWinMain, which is called from the entry function and returns to it.
This is the function in which the resources of the Windows Forms application are handled.
“AfxFindResourceHandle” is called by the “resources_finder_icon_loader” function, in which the different resources are found and the icons are loaded. I also fetched some modules for the main Windows Forms application.
Other than that, there are functions in this binary used to automate the exploitation and the termination of communication with the server. “EnableAutomation” is responsible for this automation.
This function is responsible for editing the system registry.
Here, after the declaration of the variables used in this function, “GetFileAttributesA” is moved into pVar1, which suggests that the attributes of the file/directory associated with param_1 will be retrieved. This is where the kernel-level sabotage begins.
This function is very long; some of the reversed code lines are:
This function is responsible for altering the environment variables of the victim machine, and performs a sort of buffer overflow and memory corruption through the function “FUN_00421f0”.
In the “payload_writer_dir_creator_for_payload” module there is the function “MakeSureDirectoryPathExists”; the disruption of user32.dll operations is handled by this module, and dbghelp.dll is also installed to add debugging capabilities for the kernel and for victim system triage.
It sets up the proxy, edits the registry and performs file operations using “reg_ops” and “setup_proxy_and_sys_file_info_fetch”, and loads the buffer with new registry entries and new files for further kernel exploitation.
In this function the communication of the Windows Forms application with the Command and Control (C2) server is terminated.
Registry Key Set:
Registry Key Deleted:
DLLs imported by this .exe:
Process and Services Activity:
Running Smanager.exe on any.run gives these results.
Main object: “97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c.exe”
Dropped executable file:
C:\Users\admin\AppData\Local\Temp\WMedia\1376765.tmp, SHA-256 6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75
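The two SHA-256 values and the drop path from the any.run run are the concrete indicators a defender can sweep for. The script below is an added example, not part of the post, that classifies file records against them: a hash match, a path under the `...\AppData\Local\Temp\WMedia\<digits>.tmp` location (the digits-only file name and the per-user `Users\<name>` segment are my generalisation of the single path above), and a `.tmp` file whose first bytes carry the PE `MZ` magic, which is what "dropped executable file" with a `.tmp` name amounts to. The records are constructed for the example and carry precomputed hashes so the block runs offline.

```python
import re
from dataclasses import dataclass

# Indicators taken from the any.run results in the post.
IOC_SHA256 = {
    "97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c",  # main object
    "6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75",  # dropped 1376765.tmp
}

# Assumed generalisation of C:\Users\admin\AppData\Local\Temp\WMedia\1376765.tmp:
# any user profile, any digits-only .tmp name inside the WMedia temp folder.
DROP_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\WMedia\\\d+\.tmp$",
    re.IGNORECASE,
)


@dataclass
class FileRecord:
    path: str
    sha256: str   # hex digest, precomputed by whatever collected the record
    head: bytes   # first bytes of the file, enough to check the PE magic


def classify(rec: FileRecord) -> list:
    """Return the reasons a record is suspicious; an empty list means clean."""
    reasons = []
    if rec.sha256.lower() in IOC_SHA256:
        reasons.append("hash matches known IoC")
    if DROP_PATH_RE.match(rec.path):
        reasons.append("path matches WMedia drop location")
    if rec.path.lower().endswith(".tmp") and rec.head[:2] == b"MZ":
        reasons.append("PE header in a .tmp file")
    return reasons


def sweep(records) -> dict:
    """Map each flagged path to its reasons, leaving clean records out."""
    hits = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits[rec.path] = reasons
    return hits


# Constructed records: one full match, one renamed executable, one benign
# document, and the main object sitting under a different name.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\WMedia\2048113.tmp",
               "6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75",
               b"MZ\x90\x00"),
    FileRecord(r"C:\Users\bob\AppData\Local\Temp\setup.tmp", "0" * 64, b"MZ\x90"),
    FileRecord(r"C:\Users\bob\Documents\report.docx", "1" * 64, b"PK\x03\x04"),
    FileRecord(r"C:\Tools\updater.exe",
               "97A5FE1D2174E9D34CEE8C1D6751BF01F99D8F40B1AE0BCE205B8F2F0483225C",
               b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for path, reasons in sweep(SAMPLE_RECORDS).items():
        print(path, "->", "; ".join(reasons))
```

Feeding it real data means walking the file system, hashing each file and reading its first two bytes; hash comparison is case-insensitive here because tooling disagrees on digest case, and the path check alone is deliberately weak (any digits-named `.tmp` in that folder), so it is a reason to look, not a verdict on its own.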
IPs communicating with the .exe:
Thanks for reading.