Reversing APT Tool : SManager

Static and Dynamic Analysis of Chinese APT Backdoor


Recently JPCERT (the Japanese CERT) published a blog post, in Japanese, about an espionage campaign attributed to a Chinese APT. Thanks to the efforts of a fellow researcher, I have the sample.

Static & Dynamic Analysis

Static Analysis (Basic)

Analyzed info about the file:

It contains the file hashes and other file information: when it was created and what type of application it is.

This is the information as analyzed by Ghidra.


As the strings in the images below show, functions of a Windows Form Application are implemented in this sample.

Strings present in SManager sample.

Static Analysis: Advanced

Using Ghidra, I analyzed this sample further.

entry function:

In this entry function some sort of stack and buffer overflow is going on, and it also helps the attacker deliver the victim machine's system startup applications, drivers and kernel version information, to leverage kernel exploitation, with the help of “fetch_sys_startup_info”. This entry function is also odd, like the other entry functions mentioned so far in my blogs, in that some of the functions inside it load ntdll.dll, MSVCRT.dll or other DLLs for the exploitation of the kernel. At the end of this entry function you will find the call to the main Windows Form Application function.

code of entry function.
graph of entry function.

scamming_errors_of_ikernel_and_upgrade function:

In this particular function a fake error is loaded into memory [i.e. the fake error is loaded in memory, which leads one to think that DLL hijacking may be in place]. A second fake message is shown to the victim machine: a fake upgrade message.

Reference: 0x10000 and 0x30000

code of scamming_errors_of_ikernel_and_upgrade function.
graph of scamming_errors_of_ikernel_and_upgrade function.

Another interesting function in the binary is fetch_sys_info. It is interesting to note that it loads MSVCRT.DLL several times as the binary executes; this file is necessarily loaded by the binary because the code was developed in Visual Studio.

Here is a screenshot of the function's execution in the disassembly; it can be seen that it calls for MSVCRT.DLL to be loaded into memory.

At the end of this entry function, the call to the Windows Form Application is made.

Let's now take a look at the Windows Form Application functions.

Here are some Windows Form functions displayed in the screenshot. If you go into any of these functions there is nothing interesting to see. The main function is AfxWinMain, which is used to return itself when it is called in the entry function.

Wnd Form functions.

AfxFindResourceHandle function:

This is the function in which the resources of the Wnd Form App are handled.

Code of AfxFindResourceHandle function.

resources_finder_icon_loader function:

“AfxFindResourceHandle” is called by the “resources_finder_icon_loader” function, in which the different resources are found and the icons are loaded. It also fetches some modules for the Main Wnd Form App.

And it is called from the resources_finder_and_icon_loader function.
Code of resources_finder_and_icon_loader function.
graph of resources_finder_icon_loader function.

Other than that, there are functions in this binary used for automating the exploitation and the termination of communication from the server. “EnableAutomation” is responsible for this automation.

Code of automation function.
Graph of Automation Function.

reg_editor function:

This function is responsible for editing the system registry.

Code of reg_editor function.
Graph of reg_editor function.


Here, after the declaration of the variables used in this function, “GetFileAttributesA” is moved into pVar1, which suggests that the attributes of the file/directory associated with param_1 will be provided. From here on, the kernel-level sabotage begins.

The image shows that functions from kernel32.dll are used to triage the kernel.
Code of creator_of_exploit_directory function.
Graph of creation_of_exploit_directory function.

payload_writer_dir_creator_for_payload function:

This function is very long; some of the reversed code lines are:

This function is responsible for altering the environment variables of the victim machine, and does a sort of buffer overflow and memory corruption using the function “FUN_00421f0”.

memory_corruption is the function that organizes the memory corruption on the victim machine.
“FUN_00421f0” is the same memory_corruption function.

Also in “payload_writer_dir_creator_for_payload” there is the function “MakeSureDirectoryPathExists”, where the disruption of user32.dll operations is handled by this “payload_writer_dir_creator_for_payload” module; dbghelp.dll is also installed to add debugging capabilities for the kernel and victim system triage.

Graph of payload_writer_dir_creator_for_payload function.

reg_edit_proxy_setup_and_file_ops function:

It sets up the proxy, performs the registry edit operations and the file operations using “reg_ops” and “setup_proxy_and_sys_file_info_fetch”, and loads the buffer with the new registry entries and new files for further kernel exploitation.

Code and Graph of reg_edit_proxy_setup_and_file_ops
Graph of reg_ops function.
Graph of setup_proxy_and_sys_file_info_fetch function.

caller_of_communication_termination function:

In this function the communication of the Windows Form App with the Command and Control (C2) server is terminated.

Graph and code of caller_of_communication_termination function.

Dynamic Analysis (Basic)

VT detection:

VirusTotal detection of SManager.

Registry Key Set:

These are the registry keys set by SManager.

Registry Key Deleted:

These are the registry keys deleted on execution.

Imports of .dll by this .exe:

These are the 7 DLLs imported by the SManager .exe.

Process and Services Activity:

Dynamic Analysis: Advanced

Running the SManager .exe, we get these results.

In the image the C2 connections can be seen, along with the graph of the dynamic execution.


Main object: “97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c.exe”
sha256 97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c
sha1 9522f369ac109b03e6c16511d49d1c5b42e12a44
md5 830dd354a31ef40856978616f35bd6b7
Dropped executable file:
sha256 C:\Users\admin\AppData\Local\Temp\WMedia\1376765.tmp 6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75
DNS requests:
ip 193[.]187[.]118[.]195
ip 10[.]0[.]14[.]196
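The indicators listed above are what a defender actually consumes from a report like this. The following is an added example (not code from the original post) that turns them into checks: it refangs the defanged IPs, labels each as public or private (10.0.14.196 is an RFC 1918 address, i.e. the sandbox's own network rather than attacker infrastructure, and should not go on a blocklist), hashes arbitrary bytes against the listed sha256/sha1/md5 values, and scans proxy/DNS log lines for the listed IPs. Only the hashes and IPs are taken from the post; the log lines are constructed for the demonstration and the 203.0.113.x address is documentation space.

```python
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators exactly as listed in the post (IPs kept defanged).
IOC_HASHES: Dict[str, Set[str]] = {
    "sha256": {
        "97a5fe1d2174e9d34cee8c1d6751bf01f99d8f40b1ae0bce205b8f2f0483225c",  # main object
        "6c1db6c3d32c921858a4272e8cc7d78280b46bad20a1de23833cbe2956eebf75",  # dropped 1376765.tmp
    },
    "sha1": {"9522f369ac109b03e6c16511d49d1c5b42e12a44"},
    "md5": {"830dd354a31ef40856978616f35bd6b7"},
}
IOC_IPS_DEFANGED: List[str] = ["193[.]187[.]118[.]195", "10[.]0[.]14[.]196"]

_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1[.]2[.]3[.]4") back into a matchable one."""
    return indicator.replace("[.]", ".")


def classify_ips(defanged: Iterable[str] = IOC_IPS_DEFANGED) -> Dict[str, str]:
    """Label each listed IP 'public' or 'private'.

    A private address in a sandbox report is the sandbox's own network
    (here the 10.0.14.196 DNS resolver), not a C2, so it must be dropped
    before the list is fed to a firewall or SIEM watchlist.
    """
    result = {}
    for item in defanged:
        ip = refang(item)
        result[ip] = "private" if ipaddress.ip_address(ip).is_private else "public"
    return result


def match_hashes(data: bytes, iocs: Dict[str, Set[str]] = IOC_HASHES) -> List[Tuple[str, str]]:
    """Hash `data` with every algorithm in `iocs`; return the (algo, digest)
    pairs that match a listed indicator (empty list means no match)."""
    hits = []
    for algo, digests in sorted(iocs.items()):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in digests:
            hits.append((algo, digest))
    return hits


def find_ioc_ips(lines: Iterable[str],
                 defanged: Iterable[str] = IOC_IPS_DEFANGED) -> List[Tuple[int, str]]:
    """Return (1-based line number, ip) for every listed IP seen in the log lines."""
    wanted = {refang(i) for i in defanged}
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in _IPV4_RE.findall(line):
            if ip in wanted:
                hits.append((n, ip))
    return hits


# Constructed log lines for the demonstration; not from the post or any real sandbox.
SAMPLE_LOG = [
    "2021-01-05T10:12:01Z proxy CONNECT 193.187.118.195:443 user=admin",
    "2021-01-05T10:12:03Z proxy CONNECT 203.0.113.10:443 user=admin",
    "2021-01-05T10:12:07Z dns query 10.0.14.196 -> no such name",
]

if __name__ == "__main__":
    print("IP classification:", classify_ips())
    print("Log hits:", find_ioc_ips(SAMPLE_LOG))
    print("Hash hits on a non-sample buffer:", match_hashes(b"not the sample"))
```

Because `match_hashes` computes every algorithm the indicator set contains, a file that matches on md5 alone (which can be deliberately collided) but not on sha256 is visible as a partial hit, and the caller can decide how much weight to give it. The line-number output of `find_ioc_ips` is what you would hand to the analyst pulling the full session from the proxy.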

C2 Server:

IPs communicating with the .exe:

YARA Signature:

Credit: Arkbird

Thanks for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
