A forum for reverse engineering, OS internals and malware analysis 

 #27156  by sysopfb
 Wed Nov 04, 2015 9:46 pm
Vawtrak project 13
Being delivered by Bedep

Not on VT yet

C2 urls:

Backconnect: 176.9188.147:8080

Post infection traffic indicators:
Uris(to C2 domain):
/xytorfie/wait2.txt
/toks/is_enabled
/toks/heartbeat
/toks/form

Config is getting bigger :)
Decrypted config and sample are attached; to unpack the DLL, use RtlDecompressBuffer.
Attachments
pw:infected
 #29052  by sysopfb
 Tue Aug 16, 2016 3:15 pm
DGA based on the PRNG string generator that's been in Vawtrak for a while.
Blog posts:
http://www.threatgeek.com/2016/08/vawtr ... ps-c2.html
https://info.phishlabs.com/blog/vawtrak ... ersistence

DGA example script: https://github.com/fideliscyber/indicat ... rak-dga.py

DGA script:
Code:
import sys

# Vawtrak's LCG: 32-bit state, constants 0x41c64e6d / 0x3039
def PRNG(seed):
    seed = (seed * 0x41c64e6d) + 0x3039
    return (seed & 0xFFFFFFFF)

seed_mask = 0x7FFFFFFF   # only the low 31 bits of each output are used

#seed - 0034b0d8 (example seed; passed as the first argument, in hex)
def main():
    init_seed = int(sys.argv[1], 16)
    for j in range(0x96):                    # 0x96 = 150 domains
        seed = PRNG(init_seed)
        rem = (seed & seed_mask) % 5
        rem += 7                             # label length is 7..11

        out = ""
        for i in range(rem):
            seed = PRNG(seed)
            tmp = (seed & seed_mask) % 0x1a  # 0x1a = 26 letters
            out += chr(tmp + 0x61)           # 'a' + tmp
        print(out + '.ru')
        init_seed = seed                     # next domain chains off the last PRNG state

if __name__ == "__main__":
    main()

To get the seed:
From the unpacked loader you find the RCDATA section:
Code:
import sys
import struct
import pefile   # third-party module (pip install pefile)

#Get RCDATA section (assumes the first resource type entry is RCDATA)
pe = pefile.PE(sys.argv[1])
rsrc_rcdata_sections = pe.DIRECTORY_ENTRY_RESOURCE.entries[0].directory.entries
rsrcs = []
for entry in rsrc_rcdata_sections:
    data_rva = entry.directory.entries[0].data.struct.OffsetToData
    size = entry.directory.entries[0].data.struct.Size
    data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
    name = str(entry.name)
    rsrcs.append((name, data, size))
Then you decode it:
Code:
#Decode the section: the first dword is the keystream seed, every following
#byte has the low byte of a PRNG output subtracted (PRNG as in the DGA script above)
l = rsrcs[0][1]
seed = struct.unpack_from('<I', l)[0]
out = bytearray(l[4:])
for i in range(len(out)):
    seed = PRNG(seed)
    out[i] = ((out[i] - (seed & 0xFF)) & 0xFF)
Then you LZMAT decompress it:
Code:
#LZMAT decompress the section: the decoded buffer starts with the uncompressed
#size, followed by the LZMAT stream. lzmat_decode is an external LZMAT binding,
#not part of the standard library.
comp = bytes(out[4:])
outSize = struct.unpack_from('<I', out)[0]
uncomp = lzmat_decode(comp, len(comp), outSize)
Now you basically have the initial inject that gets injected into every process, but first it injects explorer.exe, then hooks CreateProcessInternalW, which is then used to inject every new process with this initial inject.

The inject has a header of data along with a 32-bit and a 64-bit DLL.
The structure can be mapped using Python:
Code:
#Parse the data (little-endian, no padding; 148-byte encoded RSA public key)
(length, header_length, offset_to_first_mz, offset_to_second_mz, project_id,
 unk, dll_or_exe, rsa_seed, rsa_pubkey, dga_seed,
 num_domains) = struct.unpack_from('<IIIIIHBI148sII', uncomp)
Then we can decode out the RSA public key:
Code:
#Decode rsa public key: same subtractive PRNG keystream, seeded with rsa_seed
rsa_pubkey = bytearray(rsa_pubkey)
seed = rsa_seed
for i in range(len(rsa_pubkey)):
    seed = PRNG(seed)
    rsa_pubkey[i] = (rsa_pubkey[i] - (seed & 0xFF)) & 0xFF
You can also pass the dga_seed to the algorithm that is already described in many blog posts, with the example script at the beginning of this post.
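As an added worked example (not sysopfb's code and not Vawtrak's), the three pieces of this post combined into one script: the PRNG keystream decode, the inject-header parse and the DGA, run over a constructed header whose key bytes were encoded with the same keystream. Only the PRNG constants, the header format string and the DGA rules come from the post; the field values, the key bytes and the names `prng_keystream_apply`, `parse_inject_header` and `dga` are assumptions.

```python
import struct

# Vawtrak's LCG as posted above (constants 0x41C64E6D / 0x3039, 32-bit state).
def prng(seed):
    return ((seed * 0x41C64E6D) + 0x3039) & 0xFFFFFFFF

def prng_keystream_apply(seed, data, sign):
    """Add (sign=+1) or subtract (sign=-1) the low byte of each PRNG output from
    each data byte: subtracting is the decode step the post applies to the RCDATA
    blob and the RSA key; adding is its inverse, used here to build the sample."""
    out = bytearray(data)
    for i in range(len(out)):
        seed = prng(seed)
        out[i] = (out[i] + sign * (seed & 0xFF)) & 0xFF
    return bytes(out)

HEADER_FMT = '<IIIIIHBI148sII'  # layout quoted in the post: 183 bytes, LE, unpadded

def parse_inject_header(blob):
    (length, header_length, off_mz32, off_mz64, project_id, unk, dll_or_exe,
     rsa_seed, rsa_pubkey_enc, dga_seed, num_domains) = struct.unpack_from(HEADER_FMT, blob)
    return {'length': length, 'header_length': header_length,
            'offset_to_first_mz': off_mz32, 'offset_to_second_mz': off_mz64,
            'project_id': project_id, 'dll_or_exe': dll_or_exe,
            'rsa_pubkey': prng_keystream_apply(rsa_seed, rsa_pubkey_enc, -1),
            'dga_seed': dga_seed, 'num_domains': num_domains}

def dga(seed, count, tld='.ru'):
    """Same generator as the DGA script above: labels of 7..11 letters a-z."""
    domains = []
    for _ in range(count):
        s = prng(seed)
        length = ((s & 0x7FFFFFFF) % 5) + 7
        label = ''
        for _ in range(length):
            s = prng(s)
            label += chr((s & 0x7FFFFFFF) % 26 + 0x61)
        domains.append(label + tld)
        seed = s  # the next domain chains off the last PRNG state
    return domains

# Constructed sample header (not from a real inject): key bytes are encoded with the
# loader's keystream so parsing must recover them; 0x0034b0d8 is the post's example seed.
SAMPLE_KEY = b'CONSTRUCTED-PUBKEY'.ljust(148, b'\0')
SAMPLE_HEADER = struct.pack(HEADER_FMT, 0x1000, 183, 183, 0x800, 13, 0, 1, 0x11223344,
                            prng_keystream_apply(0x11223344, SAMPLE_KEY, +1), 0x0034B0D8, 5)

if __name__ == '__main__':
    hdr = parse_inject_header(SAMPLE_HEADER)
    print(hdr['rsa_pubkey'].rstrip(b'\0'), dga(hdr['dga_seed'], hdr['num_domains']))
```

Feeding a real decoded inject buffer to parse_inject_header gives the seed and domain count to generate the expected C2 list for blocklisting or DNS-log matching.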