AdWind Rat Analysis

If you have been reading my recent posts you will know that I’m working on a project to provide a public facing web application that will allow people to upload samples and in return they will get the configuration, Snort Rule, Yara Rule and IOC files specific to each instance.

This post will show you how i muddle my way thought figuring out how to extract a config file so it can be added to the collection of extraction scripts.

AdWind RAT Brief history

adWind has 4 Major milestones in its history.

  1. Starsting life as a proof of concept on indetectables.net it was named futas and was free in its original Spanish, and later in translated English.
  2. From frutas it became AdWind and went up for sale as a “Premium” RAT. Prices ranged from $75 for a single license to $ 250 for multiple licences.
  3. In November of 2013 AdWind was rebranded to UNRECOM (UNiversal REmote COntrol Multi-Platform)
  4. As at the time of writing neither adwinds main site or unrecoms site were available.

 

as for the RAT Itself im not going to focus on its abilities except to say it has all the hallmark features with one bespoke trick up its sleeve, its multiplatform including Win, Linux, Mac, and even possible support for android in the later versions.

My aim is to figure out how to extract the config so lets start there.

Java

We can extract items from a .jar archive using something like winrar / 7zip, showing us the raw contents but if we try to examine any of the java class files we hit our first brick wall, None of this is readable.

Its not assembly language so no amount of IDA is going to help us. We need a java decompiler.

Im not interested in the full ins and outs of this as far as Java is concererned so i dont need a full Java development environment. i have 3 tools which suite my needs in this insance.

Notepad ++ my text editor / viewer of choice.

JD-GUI a multiplatform Java Decompiler

JAD a command line Decompiler for the individual class files JD-GUI doesn’t play well with.

Lets dive in.

Opening the archive in JD-GUI we can see all the class and resource files contained within.

JD-GUI

JD-GUI allows you to read but not write and i like writing notes as i go, so i save the source and switch to Notepad++

looking inside we can immediately see a config.xml file. Unfortunately opening the file wasn’t the quick win we wanted, it looks like it is obfuscated or encrypted in some way. The only way we are going to find out what its supposed to say is to start working through the code to find the point where the config file is exported in clear.

But where to start.

To find our starting point we need to look in META-INF/MANIFEST.MF

The line we are looking for is the “Main-Class:” line this tells us the first class file to get loaded.

With Adwind rat the Main-Class is Adwind, which will be our next step.

Now i dont know Java but i know enough about programming and scripting languages in general to be able to muddle my way through this with a little help from Google.

 

Adwind.class

Adwind

The File ‘ID’ is read in and the first line is stored as a string in a variable “pass”.

ClassLoaderMod is loaded and the ‘pass’ variable and the string ‘Principal’ are passed to it.

extra/ClassLoaderMod

ClassLoaderMod

the key components here are:

The string “Prinicial” is added to a series of characters to create a new string Principal.adwind.

This refers to another resource file which is stored in a variable as a byte stream.

this file as a byte stream and the pass variable that was originally found in the ID file are passed to another function.

Constante.Constantion(pass, b.toByteArray() )

Once this function has executed, the resulting bytearray is sent to another function that will decompress it using a gzip method.

After decompressing this new class is then loaded

Constante.Constantion

This is fairly easy to recognize as a DES Cipher decryption function using the Java Crypto functions. The 8 Byte Key that was extracted from ‘ID’ several steps ago is used to set the cipher, then what ever is passed to it is decrypted.

In Version One of the RAT DES is used as the encryption routine.

DES

In Version Two the author wrote his own RC4 encryption routine in place of DES, but the same flow of execution exists.

RC4

To see what Principal.adwind contains i wrote a little python helper, this will allow us to view any of the files that are encrypted. After running the script this file is decrypted but is still compiled in javabyte code so we need to decompile it with JD-GUI or JAD. If you want the helper script look here https://github.com/kevthehermit/Scripts/blob/master/adWindDecoder.py

Trying to decrypt the config.xml file using the same technique doesn’t work, so we need to continue onwards.

Principal.adwind(.class)

Principal

This looks like the main starting point for our RAT Functionality. Skimming through we can see files being copied, reg keys being installed Port and DNS names being used.

Towards the beginning of the code we can see our elusive config.xml file being read in. It is passed to the same decryption function that we saw earlier, but rather than using the password that is stored in the ID file it uses a hardcoded 12 byte password “awenubisskqi” Now the more astute among you will have realized that this is ok for an RC4 Cipher but DES will get upset if you try to give it a key thats not  8 bytes in length.

What i think is happening is that java DES function truncates the password and only uses the first 8 bytes. (which works in our decode function)

Running the config.xml file through our python script spits out a piece of XML that looks like this




Adwind RAT v2.0
pObKKaQG
127.0.0.1
false
e3a8809017dd76bd26557a5b923ab2ae16c0cdb3
<entry key="delay>3</entr>
spread
1503

Success we have our configuration file :)

Summary Of Execution

  • RAT Loads Main Class of Adwind
  • Adwind gets the password string from ID and loads ClassLoaderMod
  • ClassLoaderMod uses the password and either a DES or RC4 Cryptographic function to decrpyt Principal.adwind
  • Principal.adwind uses a hardcoded password and either a DES or RC4 Cryptographic function to decrpyt config.xml
  • The config.xml is parsed and its contents used to install / configure and launch the RATs main program.

Malware Sample Configuration Extractor

Because the RAT uses a hardcoded password in all V1 and V2 variants once we have it we don't need to jump through all the Hoops, we can simply decode the config.xml file with whichever cipher and the hardcoded key.

Using little python snippets to automate this configuration extraction is OK, but if you don't have access to a safe malware analysis environment and still want to figure out whats going on, there are not many options for you.

That's where the Malware Configuration Sample Extractor (I know it needs a better name, if you can think of one post it in the comments below)

MSCE (1)

The MCSE takes an uploaded sample identifies it, then runs the necessary configuration extractor. A few seconds later and you should be presented with:

  • The Configuration
  • Snort Rules for the DNS Entries
  • Yara Rule that will Match
  • Eventually An IOC File that will contain:
    • File Details
    • Domain / Port Details
    • Install Details (If the config contains the installation names, paths, etc)

Config Section (1)

Thats all for this post, The Public version of the MSCE is still a few weeks away from its official release. This is now running under hte name malwareconfig.com If you want to have a play feel free to head over to http://malwareconfig.com Please be aware that until this goes live It may not work as intended and any data stored in the DB is likely to be destroyed when it goes live.

As usual questions queries comments below.

Comments