From 0496b0931c1562476bedfacea0f5db4f087e7ecc Mon Sep 17 00:00:00 2001
From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com>
Date: Thu, 13 Feb 2020 00:49:44 +0100
Subject: [PATCH] Update Analysis_2020-02-08.md
---
.../Neutrino/Analysis_2020-02-08.md | 84 +++++++++++++++++--
1 file changed, 79 insertions(+), 5 deletions(-)
diff --git a/Additional Analysis/Neutrino/Analysis_2020-02-08.md b/Additional Analysis/Neutrino/Analysis_2020-02-08.md
index 692032f..5982740 100644
--- a/Additional Analysis/Neutrino/Analysis_2020-02-08.md
+++ b/Additional Analysis/Neutrino/Analysis_2020-02-08.md
@@ -240,6 +240,12 @@ End Sub
The loader
+After loaded in memory, this delete himself by a concated command with a ping command
+
+```winbatch
+ cmd.exe /a /c ping 127.0.0.1 -n 3&del "%PROGRAMFILES(X86)%\Memsys\ms.exe"
+```
+
The loader creates a mutex with a name that is hardcoded in the binary:"Z0BAZwxx" ,we can note too that the loader add two rules in the firewall on the victim.
```asm
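Review bot: the sentence added at the top of this hunk needs a grammar pass and should say why ping is in the command: `ping 127.0.0.1 -n 3` is used as a delay of a couple of seconds so the loader has exited and its file is no longer locked when `del` runs, and the `&` chains the two commands so the delete runs regardless of ping's result. Suggested wording: "Once loaded in memory, the loader deletes its own file with a chained command that uses ping as a delay:". It is also worth stating that `%PROGRAMFILES(X86)%\Memsys\ms.exe` is the path the sample was dropped to, so the reader knows the deleted file is the loader on disk and not the in-memory stage.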
@@ -257,12 +263,15 @@ End Sub
0x00404e5e push esi
```
-This push a run key for the persistence for the implant :
-Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
-Name: [a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]
-Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}
-The name of the mutex is also used for the name of folder in Appdata.
+This push a run key for the persistence for the implant :
+```winbatch
+Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
+Name: [a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]
+Path: C:\Users\admin\AppData\Roaming\Z0BAZwxx\{Filename}
+```
+
+The name of the mutex is also used for the name of folder in Appdata.
The loader use a xor for get the final implant.
```asm
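Review bot: the new fenced block is labelled `winbatch`, but its content (`Key:`, `Name:`, `Path:`) describes a registry value rather than a batch script, so a plain fence or `text` avoids misleading syntax highlighting. The `Name:` line mixes a pattern with an annotation (`[a-z]{5}_32.exe/[a-z]{5}.exe [x86/x64]`); spelling out that a random five-letter name is used, with the `_32` suffix apparently for the x86 build, reads more clearly. The `Path:` line hardcodes the sandbox user `admin`; writing it as `%APPDATA%\Z0BAZwxx\{Filename}` makes the persistence location generic and matches the following sentence about the mutex name being reused as the folder name. Finally, "This push a run key for the persistence for the implant :" should read "This sets a Run key for persistence of the implant:".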
@@ -300,6 +309,70 @@ The name of the mutex is also used for the name of folder in Appdata.
Final Implant
+The implant use multiples method for anti-VM and sandbox :
+
+ Use the couple of functions {CreateToolhelp32Snapshot – Process32First– Process32Next} for list the processs and compare to a blacklist. In addition this check the list with checksum
+
+ ``` asm
+0xB1CBC652
+0x46EE4F10
+0x583EB7E8
+0xC03EAA65
+0x6D3E6FDD
+0x47000343
+0xC608982D
+0x6169078A
+0xF6EC4B30
+```
+
+ Use the couple of functions {CreateToolhelp32Snapshot – Process32First– Process32Next} for list of the modules of the processs and compare to another blacklist.
+
+ ``` asm
+0xAC12B9FB
+0x5B747561
+0x53309C85
+0xE53ED522
+0xC106E17B
+0x5608BCC4
+0x6512F9D0
+0xC604D52A
+0x4D0651A5
+0x1C669D6A
+0xC2F56A18
+```
+
+ Check if the VboxGuest is present in using QueryDosDevices
+ Check if the debugger is present by the couple of function {IsDebuggerPresent - CheckRemoteDebuggerPresent}
+ Check the delta of the time by {GetTickCount – Sleep – GetTickCount}
+ Use GetClassName of each result of EnumWindows (Enumate all windows in the screen) for check the blacklist class
+
+ ``` asm
+ 0xCF388E01
+0xD486D951
+0x39177889
+0x6689BB92
+0x3C5FF312
+0xFE9EA0D5
+0x6D3FA1CA
+0x9B5A88D9
+0x4B4576B5
+0xAED304FC
+0x225FD98F
+ ```
+
+
+
+The list of the IP to contact are hardcoded in base64.
+
+This can perform the following actions :
+
+ Take screenshot
+ Capture keystrokes
+ Download and execute additionnal payload
+ DDoS attacks
+ Spoof the DNS requests
+
+
Cyber kill chain
The process graph resume cyber kill chains used by the attacker :
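Review bot: the second anti-VM bullet says the modules of a process are listed with {CreateToolhelp32Snapshot – Process32First – Process32Next}, but those functions enumerate processes; module enumeration from a Toolhelp snapshot uses Module32First/Module32Next. Either the API names were copied from the first bullet, or the text is really describing a second process-list check with a different blacklist; please verify against the disassembly and correct whichever is wrong. Related points in this hunk: the three hash lists are fenced as `asm` but contain checksum values, so `text` is the better label, and the fence style is inconsistent ("``` asm" with a space, an indented closing fence on the last list); the bullets have lost their list markers. Typos: "processs", "QueryDosDevices" (the API is QueryDosDevice), "Enumate", "additionnal", and "The list of the IP to contact are hardcoded" should be "The list of IP addresses to contact is hardcoded". Since the checksums only mean something together with the hashing routine, one sentence naming the algorithm that produces them (this patch adds hasherezade's checksum calculator to the references) would let a reader reproduce the values and match them against known VM, sandbox and analysis-tool names.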
@@ -334,5 +407,6 @@ The name of the mutex is also used for the name of folder in Appdata.
* [Encode64 / Decode64 in VB.NET](https://stackoverflow.com/questions/12879661/encode64-decode64-in-vb-net)
* [New Neutrino Bot comes in a protective loader](https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/)
+* [Checksum calculator (from NeutrinoBot Loader)](https://gist.github.com/hasherezade/aefabdb9a67193ef05c93228a78c20c6#file-checksum-cpp)
* [URLhaus Neutrino](https://urlhaus.abuse.ch/browse/tag/Neutrino/)
* [VB2019 paper: Rich Headers: leveraging this mysterious artifact of the PE format](https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/)
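Review bot: the new reference to the checksum calculator is not connected to anything in the body: none of the checksum lists added in this patch say which routine produced them, so a parenthetical here (for example "used for the process/module/window-class blacklists") or a mention beside the lists would tie the two together. The entry's title also says "(from NeutrinoBot Loader)" while the checksums in this analysis are attributed to the final implant; worth confirming that the same routine is used in both stages before citing it for the implant.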