F9B2603D8937E09D99BC4FEC8F16F463 - ms-re/Reversing GitHub Wiki

Sample Metadata

Filename: igfxCUIService.exe

MD5: F9B2603D8937E09D99BC4FEC8F16F463

SHA1: 4FF4EE3955061B03BDB21F30145144819BA41FD2

Type: 32-Bit .Net binary

Compilation Timestamp: Wed Mar 07 22:47:03 2018

Sections: .text, .rsrc, .reloc

Exports: None

Resources: 2, Version and Manifest

Internal Filename: svchost.exe

igfxCUIService.exe as an Un-Cryptor

The malware’s first stage is essentially a cryptor. It loads a series of obfuscated strings, concatenates them, and applies character replacement, string reversal, and other transformations to the result. VBScript is involved as well, potentially as another stage of the decryption process.

Function and variable names are written with the Cyrillic character set, but don’t actually say anything. This is an anti-analysis technique. In IDA Pro, the function names look like this:

In reality, the tool dnSpy shows what this really is:

According to Google Translate, the language of these Cyrillic strings is detected as Ukrainian, and they translate into French phrases. Some, however, don’t translate to anything. Some examples:

  • “le plus grand plus grand plus grand”
  • “interprété, interprété, interprété, interprété”
  • “aphorisme aphoristique”
  • “differsdifferent”

Using dnSpy, set a breakpoint on the subroutine “public static object Rсвоюсвоюсвоюun”, line #1, and execute. At the point where the program breaks, memory will contain a copy of the payload.

The Payload

Sample Metadata/Indicators

Type: 32-Bit .Net binary

Compilation Timestamp: Wed Mar 07 22:36:54 2018

Sections: .text, .reloc

Exports: None

Resources: None

MD5: 8B79439AB5CE5E9D4C4B88514A82182A

SHA1: 3E9DD2653CB2C599ABD00364F1E9BAAB6F52FADD

Mutex creation: RV_MUTEX-YHuiGGjjtnxD

Domain names: presentation.sytes.net

Ports: 15920

Analysis

Internally, the malware references itself as “Nuclear Explosion.”

Subroutine LA accepts a Base64-encoded assembly (in the .Net sense) and runs it. This is likely used to run modules.

In sub Decompress, System.IO.Compression.GZipStream is used to decompress and return a stream of data. Subs Encode and Decode use Base64 to obfuscate data.

Sub GetProduct can be called with no argument, or it can be passed a WMI query string whose results it returns. Sub GAW gets the current window’s title and caption, concatenates them, Base64-encodes the result, and returns it.
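An analyst decoding traffic or strings recovered from this sample needs the inverse of the Encode/Decode and Decompress subs described above. The following Python helper is an added example and is not code from the wiki or from the sample; it assumes data is first GZip-compressed and then Base64-encoded (the page describes both operations but not their order), and it detects the GZip magic bytes so plain Base64 fields such as the GAW window-title string are handled too. The `wrap` function only exists to construct test input.

```python
import base64
import gzip
import io

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every GZip stream


def decode(b64_text: str) -> bytes:
    """Inverse of the sample's Decode sub: strict Base64 to raw bytes."""
    return base64.b64decode(b64_text, validate=True)


def decompress(blob: bytes) -> bytes:
    """Inverse of the sample's Decompress sub (GZipStream): GZip bytes to plain bytes."""
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        return gz.read()


def unwrap(b64_text: str) -> bytes:
    """Base64-decode, then gunzip only if the payload actually is a GZip stream."""
    raw = decode(b64_text)
    if raw.startswith(GZIP_MAGIC):
        return decompress(raw)
    return raw


def decode_window_title(b64_text: str) -> str:
    """Recover the concatenated title+caption string produced by sub GAW."""
    return unwrap(b64_text).decode("utf-8", errors="replace")


def wrap(data: bytes, compress: bool = True) -> str:
    """Constructed test input only: GZip (optional) then Base64, the assumed encoding order."""
    if compress:
        data = gzip.compress(data)
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not data captured from the malware.
    print(unwrap(wrap(b"Select * from AntiVirusProduct")))
    print(decode_window_title(wrap(b"Untitled - Notepad", compress=False)))
```

Because `unwrap` branches on the magic bytes rather than on where the field came from, the same function can be run over every Base64 field in a captured message without first knowing which ones the sample compressed.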

The following data is sent back:

  • Hardware configuration
  • IP Address
  • Processor (from WMI Query)
  • Processor (from Registry, HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0, value ProcessorNameString)
  • The results of one-off WMI queries “Select * from AntiVirusProduct” and “SELECT * FROM FirewallProduct”
  • Current foreground window caption and title
  • If avicap32.dll is loaded (“AVI Capture Window Class”)

Persistence

Sub INS handles the installation functionality. It creates a shortcut named “Skype.URL” and sets its “Target path” to the copy of the malware saved to disk. This is likely intended to trick the user into running it if the registry persistence mechanism fails.

Subroutine RGPR manages the installation of the registry persistence. It uses subroutine IR to “Install Registry” key values, and then checks whether the values were actually created.

First, in a new thread, RGPR calls sleep() for 10000 milliseconds (10 seconds). Then it checks the key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” to see if a value named “svchost” exists. If not, it attempts to create it with IR. Then it checks again whether the value exists. If it’s still not there, it tries one more time, and then loops back to the beginning. It does this indefinitely.
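The two persistence artifacts described above (an HKCU Run value named “svchost” and a “Skype.URL” shortcut pointing at a local executable) are both easy to check for on a host or in a collected triage image. The following Python check is an added example, not code from the wiki or from the sample; it assumes the Run values have already been exported into a name-to-command mapping and that the .URL file follows the standard INI-style `[InternetShortcut]` / `URL=` layout. All sample data is constructed.

```python
import configparser
import ntpath
from typing import Dict, List

# Directories where a legitimate svchost.exe lives; anything else is suspicious.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed export of HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "svchost": r"C:\Users\alice\AppData\Roaming\svchost.exe",  # constructed, mimics the sample
}

# Constructed content of a Skype.URL file; .URL files are INI-like text.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file:///C:/Users/alice/AppData/Roaming/svchost.exe\r\n"
)


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run value command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_run_values(values: Dict[str, str]) -> List[str]:
    """Flag a Run value named 'svchost' whose target is not the real svchost.exe."""
    findings = []
    for name, cmd in values.items():
        if name.lower() != "svchost":
            continue
        path = command_path(cmd)
        if ntpath.dirname(path).lower() not in LEGIT_SVCHOST_DIRS:
            findings.append(f"Run value '{name}' points outside System32: {path}")
    return findings


def check_url_shortcut(filename: str, content: str) -> List[str]:
    """Flag a .URL shortcut whose target is a local executable rather than a web URL."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(content)
    target = cfg.get("InternetShortcut", "URL", fallback="")
    low = target.lower()
    if low.startswith("file:") and low.endswith(".exe"):
        findings.append(f"{filename}: .URL shortcut launches a local executable: {target}")
    return findings


def find_persistence_indicators(run_values: Dict[str, str],
                                url_files: Dict[str, str]) -> List[str]:
    """Combine both checks over an exported Run key and a set of .URL files."""
    findings = list(check_run_values(run_values))
    for fname, content in url_files.items():
        findings += check_url_shortcut(fname, content)
    return findings


if __name__ == "__main__":
    for line in find_persistence_indicators(SAMPLE_RUN_VALUES, {"Skype.URL": SAMPLE_URL_FILE}):
        print(line)
```

The Run-value check keys on the value name the sample uses together with an unexpected path, so a genuine `svchost.exe -k` entry under System32 is not reported; the .URL check keys on the `file:` scheme plus an `.exe` target, which is what distinguishes the sample’s shortcut from a normal web bookmark.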

Functionality

Subroutine data handles client-server communications.

The malware accepts the following commands from Command and Control and performs these actions:

  • PNC - Status check/polling
  • P - Checks information about the current status of the machine. What is the user working on? Are we being debugged?
  • IE - What software is installed on this device? Can be used to determine the purpose of the host
  • LP - How is the system configured (hardware)?
  • UNV - Arbitrary code execution (takes the argument and calls sub LA, loading and executing a new assembly)
  • UNI - What current indicators is this sample showing on the infected device? Who are we? (Builds an array with persistence information, process name information, and some internal identifiers.)