Created April 19, 2019 16:37
Notes for hancitor/chanitor e4ad65ade2f04e05a886b398ef08261f5858b15cc822ef29b604cecaac3036b5 crypter
Fast travel:
VirtualProtect on the .text section before XOR-decoding the next layer
The next layer resolves its dependencies and then VirtualAllocs before the main code begins
Detection notes:
A single-byte XOR of the bytecode is incredibly easy to signature on
Finding kernel32 (PEB walk plus a ROR-13 hash over the UTF-16 module name):
```
004087A1 55               PUSH EBP
004087A2 8BEC             MOV EBP,ESP
004087A4 81EC 08020000    SUB ESP,208
004087AA 53               PUSH EBX
004087AB 56               PUSH ESI
004087AC 57               PUSH EDI
004087AD 60               PUSHAD
004087AE FC               CLD
004087AF 33D2             XOR EDX,EDX
004087B1 64:8B15 30000000 MOV EDX,DWORD PTR FS:[30]      ; PEB
004087B8 8B52 0C          MOV EDX,DWORD PTR DS:[EDX+C]   ; PEB->Ldr
004087BB 8B52 14          MOV EDX,DWORD PTR DS:[EDX+14]  ; InMemoryOrderModuleList.Flink
004087BE 8B72 28          MOV ESI,DWORD PTR DS:[EDX+28]  ; BaseDllName.Buffer (UTF-16)
004087C1 6A 18            PUSH 18                         ; hash 0x18 bytes = 12 wide chars
004087C3 59               POP ECX
004087C4 33FF             XOR EDI,EDI
004087C6 33C0             XOR EAX,EAX
004087C8 AC               LODS BYTE PTR DS:[ESI]
004087C9 3C 61            CMP AL,61
004087CB 7C 02            JL SHORT e4ad65ad.004087CF
004087CD 2C 20            SUB AL,20                       ; fold a-z to upper case
004087CF C1CF 0D          ROR EDI,0D
004087D2 03F8             ADD EDI,EAX
004087D4 ^E2 F0           LOOPD SHORT e4ad65ad.004087C6
004087D6 81FF 5BBC4A6A    CMP EDI,6A4ABC5B                ; hash of KERNEL32.DLL
004087DC 8B5A 10          MOV EBX,DWORD PTR DS:[EDX+10]  ; DllBase
004087DF 8B12             MOV EDX,DWORD PTR DS:[EDX]     ; next list entry
004087E1 ^75 DB           JNZ SHORT e4ad65ad.004087BE
```
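As an added example (not part of the gist), the module-name hash computed by the loop above, re-implemented in Python so the constant 0x6A4ABC5B can be checked against candidate module names during analysis. The candidate list is constructed, and zero-padding names shorter than 12 characters is an assumption about the memory the real loop would read past the string.

```python
# Added example (not from the gist): the module-name hash computed by the
# loop at 004087C6..004087D4, so the constant 0x6A4ABC5B can be resolved.

KERNEL32_HASH = 0x6A4ABC5B  # value compared at 004087D6
HASH_LEN = 0x18             # PUSH 18 / POP ECX: 24 bytes of UTF-16LE name


def ror32(value, count):
    """32-bit rotate right, as ROR EDI,0D does."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ldr_name_hash(name, length=HASH_LEN):
    """Hash a BaseDllName the way the loop does.

    The loop hashes `length` raw bytes of the UTF-16LE string, so the
    interleaved 0x00 bytes go in too.  CMP AL,61 / JL is a signed byte
    compare: only bytes in 0x61..0x7F get SUB AL,20 (bytes >= 0x80 read
    as negative and are left alone), which the `& 0x80` test mirrors.
    Assumption: names shorter than `length` are zero-padded here; the real
    loop would keep reading whatever follows the string in memory.
    """
    raw = name.encode("utf-16-le")[:length].ljust(length, b"\x00")
    edi = 0                                   # XOR EDI,EDI
    for byte in raw:                          # LODS BYTE PTR DS:[ESI]
        if byte >= 0x61 and not byte & 0x80:  # CMP AL,61 / JL / SUB AL,20
            byte -= 0x20
        edi = (ror32(edi, 13) + byte) & 0xFFFFFFFF  # ROR EDI,0D / ADD EDI,EAX
    return edi


def resolve_hash(target, candidates):
    """Return the first candidate module name whose hash equals target."""
    for name in candidates:
        if ldr_name_hash(name) == target:
            return name
    return None


if __name__ == "__main__":
    # Constructed candidate list; the real loop walks PEB->Ldr->InMemoryOrderModuleList.
    modules = ["ntdll.dll", "kernel32.dll", "KERNELBASE.dll", "user32.dll"]
    print(hex(ldr_name_hash("kernel32.dll")))   # 0x6a4abc5b
    print(resolve_hash(KERNEL32_HASH, modules))  # kernel32.dll
```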
Finds the second occurrence of 0x70c5ba88 after copying itself over,
then jumps to that address +4, past the hardcoded needle.
16-byte RC4 key:
```
001C0455 A7 68 FD 23 1E A3 B9 CF
001C045D 68 E5 DE EF C1 AD E1 34
```
S-box snippet after the KSA:
```
0018FD80 65 4C 04 35 08 29 BE 94
0018FD88 64 B8 DA 03 A1 61 4A 80
0018FD90 7D BF 0B E6 21 49 9F 85
0018FD98 AD D6 F7 14 DE A8 FB FA
0018FDA0 32 46 34 AF 67 8C 98 F5
```
Copies 0x934e bytes over from 0x401000, using the previously built RC4 table,
and scrambles the PRNG output by taking every dword value mod (0x934e - i),
unless the value is already < 0x934e - i (that check is redundant with the modulus),
then XORs the bytes with 0x4.
This is the .text section; the remaining pieces of this layer are then rebuilt and it is called.
This section uses the classic trick of registering a callback during window creation; for some reason the blog you linked skips over the decoding portion.
Anyway, go to the callback function set up in the window class registration and look at the top: it is basically waiting for the callback to receive a particular message value, 0x113, which according to the MSDN message formats is a WM_TIMER hit.
It then increments a counter and waits for 0xc8 WM_TIMER iterations before performing the actual unpacking of the next layer.
This is basically a sleep.
The decoding loop is a cool little stream XOR, but it is ultimately just a 4-byte XOR over the data.
After being XORed the data is LZNT-decompressed, and this gives you the unpacked chanitor/hancitor binary.
However, the main part of chanitor is still not copied over: the next part finds a marker in the unpacked binary and then copies over the encrypted configuration data for chanitor/hancitor.
At this point it is probably safe to assume this layer is actually related to chanitor/hancitor as a protective layer. I would have to go through other files to confirm.
So the original layer that rebuilt a PE file is probably the last crypter layer, and the copied-over and rebuilt PE file is the actual first level of chanitor/hancitor.
Chanitor decoded config:
```
{'build': '11pke12', 'urls': ['http://api.ipify.org', 'http://sandverrolve.com/4/forum.php', 'http://gotrefsehan.ru/4/forum.php', 'http://enheswithto.ru/4/forum.php']}
```
YARA rule for part of crypter layer 1:
```yara
rule xor_encoded
{
    strings:
    condition:
        any of them
}
```