Extracting Configurations From Malware Samples

I like RAT’s and i don’t mean the furry creatures that live in cages or sewer lines, I am of course talking about Remote Access Trojans. Used by Script Kiddies, E Crime Rings and APT groups alike. they provide a wide range of tools and capabilities for any one who manages to get one implanted on your network or system.

Over the last few weeks i  have been working with two different RATS looking at their C2 Traffic and trying to dissect their network protocol. Having this understanding of the network protocol for each rat allows for some very bespoke IDS rules to be created.

The other aspect i was looking at was , as described in the title, extracting the configuration information. Getting domains and IP addresses from the configuration sections mean you can quickly Block or signature for this activity. Passwords and installation names also provide Host based detection’s and can help attribute the attacker.

Configurations

The obvious way to get this information is to run each sample in a sandbox record the traffic and manually get all the information you need. This isn’t too bad of you have one sample, but if you’re looking at a large campaign or large data sets trying to identify a specific campaign or group it can become a long and laborious task.

The configuration has to be included somewhere inside the implant, it needs to have that information to connect in the first place, so if the data is there surly I can just extract the relevant information without needing to run each and every sample.

This is where python helps me out. I have started to write some scripts that take in a sample and read out the configuration file that is stored within.

The two RATs or Remote Access Trojans i have chosen to start with are jRat and Bozok Rat.

Bozok

This was the easier of the two, the config settings are stored in clear inside the exe file not obfuscated or encrypted. The configuration is stored as a sequence of ‘ ’ separated Values. The easiest way to locate this section is with a Regular Expression. ’O\x00\x00\x00(.+)|\x00\x00\x00’. Once we have the config all we need to do is split it on the Character and write the results out to a file.

You can find the Script on my GitHub https://github.com/kevthehermit/Scripts/blob/master/bozokConfig.py

jRat

This was slightly harder for three reasons.

  1. jRat has the option to include a first stage dropper and installer that then drops the real payload and config.
  2. jRat uses encryption and a small amount of obfuscation to encrypt its config files
  3. jRat has two different types of encryption

All the information can be figured out by looking at the file. so with a little bit of logic the script can determine ifs a dropped, and which encryption is being used then act accordingly to write the config out to a file.

You can find the script on my gitHub https://github.com/kevthehermit/Scripts/blob/master/jRatConfig.py

 Network Traffic

Working with a combination of Self Generated and ITW samples. I started by generating a large variety of network traffic, including as much of the RAT functionality as i could and then extracting as much information as possible.

For an in-depth look at jRat here is an article I wrote for eForensics Magazine: Extracting Network Signatures from malware samples, jRat a case study.

The basic premise was to identify how the protocol worked. Once you have an understanding of the protocol you can figure out how to reverse it and extract any information from it.

Heres an example from my article.

 AES_Traffic_Clean

The images above show a small cut of encrypted traffic, When viewed on the wire the traffic uses a wide Character encoding and so has alternating NULL Bytes. These have been removed for readability. The image below Shows the same traffic as it appears on the wire with the NULL Bytes.

  • Red Indicates the string length of the next string

  • Green Indicates a Base64 encoded String of the indicated length

  • Yellow indicates the identifier that  indicates the type of data that is being Transmitted.

  • Blue shows the sequence that identifies a Hexadecimal string
  •  

    AES_Traffic_NULL

     

    The final example was found during the connection attempts.

    In the initial connection attempts  there is a specific pattern that has been observed in all samples including randomly and differing lab generated samples. With this pattern being observed in all samples we can write a specific Snort rule to detect it.

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "jRat > 3.2_5 Connection" content: "|3f 07 ff 40  01 3d|"; classtype: trojan-activity; sid:5000000; rev:1;)

     

    I have started to decode the Bozok protocol and will release my findings on this blog as soon as i put the finishing touches to it.

    My aim with all of this analysis is create a ChopShop module for each of the RATS in common use today.

    For those of you who don’t know what ChopShop is here is an extract from their ReadMe which can be found on their GitHub

     

    ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.

     

     

     

     

     

     

     

    Before i discovered the ChopShop Toolset i was working on a python script that if provided with compromised network traffic would allow you to view the actions that were performed.

    Providing the script with a raw Stream of network traffic and the encryption key it will step through the encrypted traffic and write out the results.

    The script is not perfect but in the absence of my still to be release ChopShop module it fills a gap i needed.

    https://github.com/kevthehermit/Scripts/blob/master/jRatNetwork.py

    Hopefully I’ll have working modules for both RATs following my next post on analyzing the Bozok network protocol.

    As usual Questions, Queries, Comments below.

     

     

    Comments