Dharma/CrySYS payload analysis. Part I

Hash: ceeaf45fbb91df67d5b9f1ca1905301ce63314152fb50ed7c6c31365d06ec86d

String encryption

Most of the strings the malware uses are encrypted with several layers of XOR encoding, so traditional brute-force decryptors won't work. The decryption itself is performed in the function at 0x00401A50, which in turn calls two further functions to do the decoding. The returned strings are 16-bit Unicode (WSTR). Different keys are used to decode different parts.

The program is careful to clear the strings it decodes right after they are used, probably to prevent them from being revealed in a memory dump taken while it runs in a sandbox.

Stops target services and processes

Processes whose executable name matches any of these:
“1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;”

Services whose name matches any of these:
“FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;”

Persistence

The payload copies itself to 4 locations, keeping the name of the original payload file:

Windir\System32
appdata
sh(Startup)
sh(Common Startup)

Disable shadow copies

It will execute these commands to disable the volume shadow copies:

mode con cp select=1251
vssadmin delete shadows /all /quiet
Exit

File encryption

The program uses an embedded AES implementation to partially encrypt contents of the files.

Imports

The first thing this binary does is decode the strings for the imports it is going to use. It contains a table with the libraries and functions it wants (see annex 1 below) and then resolves them with a LoadLibrary/GetProcAddress loop.

Imported functions after decoding

These imports are wrapped in stub functions, so a second level of renaming is needed (some scripting to the rescue).

Stub for the dynamic imports

It then clears all the strings right after the imports have been loaded.

The mysterious import

There is a function at 0x004071B0 that calls a dynamic function obtained by explicitly decoding the DLL and function name. The mysterious function is Wow64DisableWow64FsRedirection, which gives a 32-bit process access to the real System32 directory when running under the WOW64 subsystem on a 64-bit operating system.

It is later re-enabled with a similar function at 0x00407280.

Annex 1: list of dynamic imports

.data:0040E53E db 'kernel32.dll',0 ; DATA XREF: start+51
.data:0040E54B aGetprocaddress db 'GetProcAddress',0
.data:0040E55A aGetmodulehandl db 'GetModuleHandleW',0
.data:0040E56B aFindnextfilew db 'FindNextFileW',0
.data:0040E579 aFindclose db 'FindClose',0
.data:0040E583 aMovefilew db 'MoveFileW',0
.data:0040E58D aGetfilesizeex db 'GetFileSizeEx',0
.data:0040E59B aGetmodulefilen db 'GetModuleFileNameW',0
.data:0040E5AE aGetfileattribu db 'GetFileAttributesW',0
.data:0040E5C1 aExitprocess db 'ExitProcess',0
.data:0040E5CD aGetcommandline db 'GetCommandLineW',0
.data:0040E5DD aGetcomputernam db 'GetComputerNameW',0
.data:0040E5EE aGetcomputernam_0 db 'GetComputerNameA',0
.data:0040E5FF aCreatemutexw db 'CreateMutexW',0
.data:0040E60C aLstrlenw db 'lstrlenW',0
.data:0040E615 aLstrlena db 'lstrlenA',0
.data:0040E61E aGetcurrentproc db 'GetCurrentProcess',0
.data:0040E630 aWaitforsingleo db 'WaitForSingleObject',0
.data:0040E644 aGetlogicaldriv db 'GetLogicalDrives',0
.data:0040E655 aGettickcount db 'GetTickCount',0
.data:0040E662 aDeletefilew db 'DeleteFileW',0
.data:0040E66E aWidechartomult db 'WideCharToMultiByte',0
.data:0040E682 aInitializecrit db 'InitializeCriticalSectionAndSpinCount',0
.data:0040E6A8 aSleep db 'Sleep',0
.data:0040E6AE aLeavecriticals db 'LeaveCriticalSection',0
.data:0040E6C3 aReadfile db 'ReadFile',0
.data:0040E6CC aCreatefilew db 'CreateFileW',0
.data:0040E6D8 aOpenmutexw db 'OpenMutexW',0
.data:0040E6E3 aEntercriticals db 'EnterCriticalSection',0
.data:0040E6F8 aWaitformultipl db 'WaitForMultipleObjects',0
.data:0040E70F aLstrcmpiw db 'lstrcmpiW',0
.data:0040E719 aLstrcmpia db 'lstrcmpiA',0
.data:0040E723 aDeletecritical db 'DeleteCriticalSection',0
.data:0040E739 aReleasemutex db 'ReleaseMutex',0
.data:0040E746 aClosehandle db 'CloseHandle',0
.data:0040E752 aGetversion db 'GetVersion',0
.data:0040E75D aCreatethread db 'CreateThread',0
.data:0040E76A aExpandenvironm db 'ExpandEnvironmentStringsW',0
.data:0040E784 aQueryperforman db 'QueryPerformanceCounter',0
.data:0040E79C aQueryperforman_0 db 'QueryPerformanceFrequency',0
.data:0040E7B6 aGetcurrentproc_0 db 'GetCurrentProcessId',0
.data:0040E7CA aSetfileattribu db 'SetFileAttributesW',0
.data:0040E7DD aGetvolumeinfor db 'GetVolumeInformationW',0
.data:0040E7F3 aWritefile db 'WriteFile',0
.data:0040E7FD aSetfilepointer db 'SetFilePointerEx',0
.data:0040E80E aSetendoffile db 'SetEndOfFile',0
.data:0040E81B aFindfirstfilew db 'FindFirstFileW',0
.data:0040E82A aGetprocessheap db 'GetProcessHeap',0
.data:0040E839 aHeaprealloc db 'HeapReAlloc',0
.data:0040E845 aHeapalloc db 'HeapAlloc',0
.data:0040E84F aHeapfree db 'HeapFree',0
.data:0040E858 aCreatepipe db 'CreatePipe',0
.data:0040E863 aSethandleinfor db 'SetHandleInformation',0
.data:0040E878 aCreateprocessw db 'CreateProcessW',0
.data:0040E887 aComparestringw db 'CompareStringW',0
.data:0040E896 aComparestringa db 'CompareStringA',0
.data:0040E8A5 aOpenprocess db 'OpenProcess',0
.data:0040E8B1 aTerminateproce db 'TerminateProcess',0
.data:0040E8C2 aGetsystemtime db 'GetSystemTime',0
.data:0040E8D0 aSystemtimetofi db 'SystemTimeToFileTime',0
.data:0040E8E5 aGetlasterror db 'GetLastError',0
.data:0040E8F2 aCreatetoolhelp db 'CreateToolhelp32Snapshot',0
.data:0040E90B aProcess32nextw db 'Process32NextW',0
.data:0040E91A aProcess32first db 'Process32FirstW',0
.data:0040E92A db 0
.data:0040E92B aAdvapi32Dll db 'advapi32.dll',0
.data:0040E938 aRegopenkeyexw db 'RegOpenKeyExW',0
.data:0040E946 aRegqueryvaluee db 'RegQueryValueExW',0
.data:0040E957 aRegsetvalueexw db 'RegSetValueExW',0
.data:0040E966 aRegclosekey db 'RegCloseKey',0
.data:0040E972 aOpenprocesstok db 'OpenProcessToken',0
.data:0040E983 aGettokeninform db 'GetTokenInformation',0
.data:0040E997 aOpenscmanagerw db 'OpenSCManagerW',0
.data:0040E9A6 aOpenservicew db 'OpenServiceW',0
.data:0040E9B3 aCloseserviceha db 'CloseServiceHandle',0
.data:0040E9C6 aControlservice db 'ControlService',0
.data:0040E9D5 aQueryservicest db 'QueryServiceStatus',0
.data:0040E9E8 aEnumdependents db 'EnumDependentServicesW',0
.data:0040E9FF aEnumservicesst db 'EnumServicesStatusExW',0
.data:0040EA15 db 0
.data:0040EA16 aUser32Dll db 'user32.dll',0
.data:0040EA21 aSystemparamete db 'SystemParametersInfoW',0
.data:0040EA37 db 0
.data:0040EA38 aShell32Dll db 'Shell32.dll',0
.data:0040EA44 aShellexecuteex db 'ShellExecuteExW',0
.data:0040EA54 db 0
.data:0040EA55 aNtdllDll db 'ntdll.dll',0
.data:0040EA5F aNtquerysystemi db 'NtQuerySystemInformation',0
.data:0040EA78 db 0
.data:0040EA79 aMprDll db 'mpr.dll',0
.data:0040EA81 aWnetcloseenum db 'WNetCloseEnum',0
.data:0040EA8F aWnetopenenumw db 'WNetOpenEnumW',0
.data:0040EA9D aWnetenumresour db 'WNetEnumResourceW',0
.data:0040EAAF db 0
.data:0040EAB0 aWs232Dll db 'ws2_32.dll',0
.data:0040EABB aWsastartup db 'WSAStartup',0
.data:0040EAC6 aSocket db 'socket',0
.data:0040EACD aSend db 'send',0
.data:0040EAD2 aRecv db 'recv',0
.data:0040EAD7 aConnect db 'connect',0
.data:0040EADF aClosesocket db 'closesocket',0
.data:0040EAEB aGethostbyname db 'gethostbyname',0
.data:0040EAF9 aInetAddr db 'inet_addr',0
.data:0040EB03 aNtohl db 'ntohl',0
.data:0040EB09 aHtonl db 'htonl',0
.data:0040EB0F aHtons db 'htons',0
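The table above has a simple layout: a NUL-terminated DLL name, its NUL-terminated function names, and an empty string (the lone `db 0` lines) closing each block. The following is an added Python example, not the author's tooling, that rebuilds the raw bytes from listing lines in this format, checks that the addresses are contiguous so that no line was dropped when copying, and parses the result into per-DLL function lists; `SAMPLE_LISTING` is a constructed excerpt made from two of the annex's blocks.

```python
from __future__ import annotations
import re
# Annex 1 layout: NUL-terminated DLL name, its NUL-terminated function names,
# then an empty string (the lone `db 0`) closing the block. The regex accepts
# IDA-style lines with or without a label; quotes may be straight or curly.
LISTING_LINE = re.compile(
    r"\.data:([0-9A-Fa-f]{8})\s+(?:\w+\s+)?db\s+(?:['‘](.*?)['’]\s*,\s*)?0\b")

def blob_from_listing(listing: str) -> bytes:
    """Rebuild the raw table bytes. Each address must equal the previous one
    plus len(name) + 1, so a line lost while copying the listing is caught."""
    out, expected = bytearray(), None
    for line in listing.splitlines():
        m = LISTING_LINE.search(line)
        if not m:
            continue  # blank lines, comments, anything else
        addr, name = int(m.group(1), 16), m.group(2) or ""
        if expected is not None and addr != expected:
            raise ValueError(f"gap at {addr:08X}, expected {expected:08X}")
        out += name.encode("ascii") + b"\0"
        expected = addr + len(name) + 1
    return bytes(out)

def parse_import_table(blob: bytes) -> dict[str, list[str]]:
    """Map each DLL to the ordered list of functions resolved from it."""
    table: dict[str, list[str]] = {}
    current = None  # DLL whose block we are inside, or None between blocks
    for raw in blob.split(b"\0"):
        name = raw.decode("ascii")
        if current is None:
            if not name:
                break  # empty DLL name ends the whole table
            current, table[current] = name, []
        elif not name:
            current = None  # empty function name closes this DLL's block
        else:
            table[current].append(name)
    return table

# Constructed excerpt in the annex's format (two of its blocks).
SAMPLE_LISTING = """
.data:0040EA55 aNtdllDll db 'ntdll.dll',0
.data:0040EA5F aNtquerysystemi db 'NtQuerySystemInformation',0
.data:0040EA78 db 0
.data:0040EA79 aMprDll db 'mpr.dll',0
.data:0040EA81 aWnetcloseenum db 'WNetCloseEnum',0
.data:0040EA8F aWnetopenenumw db 'WNetOpenEnumW',0
.data:0040EA9D aWnetenumresour db 'WNetEnumResourceW',0
.data:0040EAAF db 0
"""
```

Pasting the whole annex into `blob_from_listing` works the same way; the address check will flag any line that went missing in the copy.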

@shimasakisan_