Reversing APT Tool : SManager (Unpacked)


So, let's dig in.

Static Analysis (Basic)

[Figure: File information shows the sample is related to a Chinese APT group.]

Static Analysis (Advanced)

[Figure: DllEntryPoint is the main entry point.]

[Figure: Code of the Dll_Main_Entry function.]

[Figure: Graph of the Dll_Main_Entry function.]

[Figure: Code of "thread_ps_info_store".]

[Figure: Call graph of "thread_ps_info_fetcher".]

[Figure: Code of the thread_buffr_file_ops function.]

[Figure: Call graph of the thread_buffr_file_ops function.]

[Figure: Code and call graph of the create_service_for_plugin function.]

[Figure: Code of the plugin_download_by_raising_exceptions function.]

[Figure: Call graph of the plugin_download_by_raising_exceptions function.]

[Figure: Code of the plugin_download_from_C2_using_C2 function.]

[Figure: Call graph of the plugin_download_from_C2_using_C2 function.]

[Figure: Call graph and code of the startup_plugin_sock_comm function.]

[Figure: Code and call graph of the C2_ops_for_downloading_plugin function.]

Dynamic Analysis (Advanced)

[Figure: IDA view of dynamic debugging of SManager.]

[Figure: Output log of SManager being debugged.]

Indicators of Compromise (IOCs) and Detections

Network [C2 Communications]

[Figure: VT graph.]

ATT&CK IDs

[Figure: MITRE ATT&CK techniques.]

Sample from Report

YARA Signature:

[Figure: YARA signature.]

Thank you for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
