Skip to main content

SMA: Sharpshooter Payload



Article by Vishal Thakur


This is a SMA of the payload used in the SharpShooter campaign.
The sample shows code-reuse from the Lazarus malware family but full attribution is hard to determine at this time.
The focus of this article is on the networking C2i.

Following is the complete URI for the first connection:


000007FEFA6ABA48 | 4C 8B DC                 | mov r11,rsp                             |
000007FEFA6ABA4B | 53                       | push rbx                                |
000007FEFA6ABA4C | 55                       | push rbp                                |
000007FEFA6ABA4D | 56                       | push rsi                                |
000007FEFA6ABA4E | 57                       | push rdi                                |
000007FEFA6ABA4F | 41 54                    | push r12                                |
000007FEFA6ABA51 | 41 55                    | push r13                                |
000007FEFA6ABA53 | 41 56                    | push r14                                |
000007FEFA6ABA55 | 41 57                    | push r15                                |
000007FEFA6ABA57 | 48 81 EC 88 01 00 00     | sub rsp,188                             |
000007FEFA6ABA5E | 48 8B 05 5B 8B 05 00     | mov rax,qword ptr ds:[7FEFA7045C0]      |
000007FEFA6ABA65 | 48 33 C4                 | xor rax,rsp                             |
000007FEFA6ABA68 | 48 89 84 24 70 01 00 00  | mov qword ptr ss:[rsp+170],rax          |
000007FEFA6ABA70 | 49 83 A3 78 FF FF FF 00  | and qword ptr ds:[r11-88],0             |
000007FEFA6ABA78 | 41 83 63 80 00           | and dword ptr ds:[r11-80],0             |
000007FEFA6ABA7D | 8B DA                    | mov ebx,edx                             |
000007FEFA6ABA7F | 33 D2                    | xor edx,edx                             |
000007FEFA6ABA81 | 41 8B F0                 | mov esi,r8d                             |
000007FEFA6ABA84 | 4C 8B F1                 | mov r14,rcx                             | rcx:L"https://www.kingkoil.com.sg/board.php"
000007FEFA6ABA87 | 44 8D 42 24              | lea r8d,dword ptr ds:[rdx+24]           |



Here's a view from the stack.
















The request:


000007FEFA6B4C03 | 41 83 BB 1C 01 00 00 02  | cmp dword ptr ds:[r11+11C],2            | r11+11C:L"tml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us;q=0.8;q=0.6,en-us;q=0.4,en;q=0.2\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 384\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n"


POST req with the path:


The second connection:

POST req with the path:

UserAgent used:
Complete URI:
Third connection:

The request:
Sample: 37b04dcdcfdcaa885df0f392524db7ae7b73806ad8a8e76fbc6a2df4db064e71McAfee report: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/


Comments

Popular posts from this blog

Major update: Emotet C2i Apr 2019

Emotet has updated the C2 comms in the latest release, going for URIs instead of IPs (root). Here’s a complete list of the current campaign: Emotet C2i: http://51.255.50.164:8080/window/child/ringin/ http://109.104.79.48:8080/cookies/tlb/ http://92.48.118.27:8080/rtm/pnp/ http://197.248.67.226:8080/enabled/forced/ http://181.170.93.38:8080/teapot/balloon/ http://69.163.33.82:8080/glitch/scripts/arizona/ http://192.155.90.90:7080/prov/odbc/arizona/ http://43.229.62.186:8080/teapot/ http://72.47.248.48:8080/sess/cone/ http://209.159.244.240:443/publish/vermont/tlb/ http://197.248.67.226:8080/codec/between/tlb/ http://176.58.93.123:8080/splash/ http://72.47.248.48:8080/sess/glitch/entries/ http://181.170.93.38:8080/schema/free/ http://69.163.33.82:8080/badge/symbols/results/ http://109.73.52.242:8080/results/prov/ http://68.191.37.107/iplk/vermont/sym/merge/ http://154.120.228.126:8080/xian/enabled/sym/merge/ http://136.49.87.106/usbccid/taskbar/enabled/ http://5.9.128.163:8080/json

Grinju Downloader: Anti-analysis (on steroids) | Part 2

  This malware takes anti-analysis and stealth techniques to a new level We took a look at this malware in the Part 1 of this publication. Now let’s carry on with the analysis and dig deeper into the various anti-analysis and stealth-exec features of this malware in Part2. Malpedia Inventory: https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju Secondary Macro Code First of all, here’s the entire code that is dumped in the sheet once all the macro functions have been completed. Take a look at these lines and try to figure out what they are meant to do. Then we’ll take a look at the most important of these briefly before moving on to the next section. =CLOSE(FALSE) =FORMULA(LEN(APP.MAXIMIZE())+-459,Sheet1!R18690C129) =FORMULA(LEN(GET.WINDOW(7))+-131,Sheet1!R18691C129) =FORMULA(LEN(GET.WINDOW(20))+-893,Sheet1!R18692C129) =FORMULA(LEN(GET.WINDOW(23)=3)+433,Sheet1!R18693C129) =FORMULA(LEN(GET.WORKSPACE(31))+864,Sheet1!R18694C129) =FORMULA(LEN(GET.WORKSPACE(13)>770)+707,Sheet1!R18

Emotet C2 Network IOC August 2018 Week 4 Campaign

Article by  Vishal Thakur IP Port COUNTRY REGION CITY TIME ZONE 50.33.142.65 United States Texas Dallas CST 173.63.125.138 United States New Jersey EST 67.175.118.157 United States South Carolina Tamassee EST 47.186.71.56 Canada Ontario Ottawa EST 71.12.111.50 443 United States Georgia Moultrie EST 100.16.243.115 443 United States Virginia Ashburn EST 80.89.191.118 United Arab Emirates Dubai GMT+4 104.219.132.28 United States Oklahoma Oklahoma City CST 23.25.247.205 443 United States Massachusetts Cambridge EST 118.244.214.210 443 Korea, Republic Of Seoul GMT+9 212.129.56.179 443 Russian Federation Moscow GMT+3 47.16.187.196 8090 Canada Ontario Ottawa EST 97.68.6.155 8090 United States New Jersey Bedminster EST 71.174.9.241 United States Florida Brandon EST 14.1.39.3 443 China Guangzhou GMT+8 199.119.78.38 443 United States Missouri Springfield CST 71.8.233.246 7080 United States Delaware Seaford EST 108.191.59.73 United States District Of Columbia Washingt