A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #31077  by sysopfb
 Wed Nov 29, 2017 1:12 am
Saw this downloader show up as a payload to Chanitor/Hancitor which is used to download IcedID/BokBot banking trojan.

Has some code share with the banking trojan as they share the same manner of string encryption.

Attached is the hancitor download - 4 the decoded and decompressed object 4.decoded and the unpacked 4_unpack1~Rip.exe

All addresses this point forward are in reference to the unpacked binary in IDA mapped at 0x400000 base


Decoded strings:
Code: Select all
0x40126eL
explorer.exe
0x4013bbL
root\Microsoft\Windows\Defender
0x401404L
MSFT_MpPreference
0x4014aaL
ExclusionExtension
0x401503L
MSFT_MpPreference
0x40157eL
wusa.exe
0x401ab1L
\%0.8X.exe
0x401afcL
http://agaratas.com/docs/new?id=bc%0.8X
0x401bf6L
Elevation:Administrator!new:
0x401c96L
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions
0x401cc0L
Exclusions_Extensions
0x401ccfL
SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
0x401cffL
DisableRealtimeMonitoring
0x401d0eL
SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection
0x401d45L
DisableAntiSpyware
0x401d54L
SOFTWARE\Policies\Microsoft\Windows Defender
0x401da9L
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
0x401dceL
{6EDD6D74-C007-4E75-B76A-E5740995E24C}
0x401df0L
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
0x401e94L
e%016I64X
0x401feaL
ws2_32.dll
0x402049L
lc%0.8X%0.2X%0.2X%0.8X.agaratas.com
0x4020ecL
WinDefend
So the bot pulls a fake gzip file from the encoded URL agaratas.com/docs/new?id=bc%0.8X and mak posted a quick one liner on twitter for decoding it:
https://twitter.com/maciekkotowicz/stat ... 2990735361

Some of the other strings are used in what appears to be two UAC bypass functions when comparing with EP_X0FFs stuff on github
0x401D89 - CMSTPLUA COM UAC bypass compared to https://gist.github.com/hfiref0x/196af7 ... 28b5a5d68d
0x40154F - Looks like Tyranid from https://github.com/hfiref0x/UACME/blob/ ... /tyranid.c

Also of note looks like trying to add exe to a file extension exclusion list in Windows Defender at 0x40134B
String decode -> 0x40233E
RC4 -> 401A1D
Attachments
pw: infected
(456.07 KiB) Downloaded 38 times
 #31078  by EP_X0FF
 Wed Nov 29, 2017 1:50 am
Yes, it is copy-paste. Nice find.
0x00401261 in 4_unpack_Rip.exe is supMasqueradeProcess, 0x00401BCB is ucmMasqueradedCoGetObjectElevate from uacme, etc.