DarkTequila (APT)

Forum for analysis and discussion about malware.
Patrick
Posts: 21
Joined: Wed Jan 29, 2014 11:48 pm

DarkTequila (APT)

Post by Patrick » Thu Dec 06, 2018 7:21 pm

Write-up from Kaspersky from back in Nov.

SHA256:

Code:

dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47
Anyone ever take a look into this malware? Share your findings and experiences. I've taken a very quick and limited look so far...

Packed w/ UPX (UPX 0/1)
Executing in a non-intended environment only makes a few changes to the OS, like:

Code:

HKLM\SOFTWARE\Microsoft\DownloadManager
Nothing gets dropped here afaik due to the detection and nature of the environment.

Code:

HKU\S-1-5-21-2143623086-3970857485-2198902424-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL
Opens IE to the Gusanito webpage, which is the Spanish translation "An endearing term to describe shady, scared and mischievous people. Spanish translation - Worm/Caterpillar."
"This Regin driver recurrently checks that the current IRQL is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, probably in order to operate as silently as possible"

Patrick
Posts: 21
Joined: Wed Jan 29, 2014 11:48 pm

Re: DarkTequila (APT)

Post by Patrick » Tue Dec 11, 2018 9:50 am

I had some time tonight so I took a look with Olly.

Definitely packed w/ UPX as the program pauses at a PUSHAD unpack stub at 0000F51AD0.

Code:

00F51AD0 > $ 60 PUSHAD
If we step into the PUSHAD and follow the ESP register's contents in memory dump, we wind up at 0000F51AD1, which is the MOV instruction for moving the executable and the ESI register. Highlighting the first 4 hex dump values (zeroed out), setting a hardware breakpoint, and executing the program leads us to 0000F526AA's compare of EAX>ESP. Notice we now also have reached our series of DB00:

Code:

00F526AA   . 39C4           CMP ESP,EAX
00F526AC   .^75 FA          JNZ SHORT DarkTequ.00F526A8
00F526AE   . 83EC 80        SUB ESP,-80
00F526B1   .-E9 E882F2FF    JMP DarkTequ.00E7A99E
00F526B6     00             DB 00
00F526B7     00             DB 00
00F526B8     48             DB 48                                    ;  CHAR 'H'
00F526B9     00             DB 00
00F526BA     00             DB 00
00F526BB     00             DB 00

...

From here we can see our tail jump prior to the first DB00, at address 0000F526B1. If we set a BP on this instruction and then execute the program to trigger it, we can then step over and reach our OEP.

Code:

00E7A99E   E8 54120000      CALL DarkTequ.00E7BBF7
The malware does not allow a dump of the process with Olly, so it's likely checking for a debugger environment and may even be deleting its own PE. Not sure.
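As an added example (not from the post or from Kaspersky's write-up), a short Python helper that applies the tail-jump rule from the listing above: locate the UPX `SUB ESP,-80 ; JMP rel32` sequence that sits right before the zero padding and compute the OEP from the rel32 displacement, so the OEP can be confirmed statically from a memory dump before setting the breakpoint. The sample bytes are constructed from the listing, with a PUSHAD placed directly in front of them as a stand-in for the stub entry (the real stub has many instructions in between).

```python
import struct

# UPX x86 tail: after the unpacking loop, "SUB ESP,-80" restores the stack
# and "JMP rel32" transfers control to the original entry point (OEP).
TAIL_PATTERN = bytes.fromhex("83EC80E9")  # SUB ESP,-80 ; JMP rel32


def entry_is_pushad(code: bytes) -> bool:
    """UPX stubs begin with PUSHAD (0x60), saving all registers for the later POPAD."""
    return len(code) > 0 and code[0] == 0x60


def find_upx_tail_jump(code: bytes, base_va: int):
    """Return (tail_jmp_va, oep_va) for the first UPX-style tail jump in code.

    code    : raw bytes of the unpacker stub as dumped from memory
    base_va : virtual address of code[0]
    Returns None when no tail jump followed by zero padding is found.
    """
    pos = 0
    while True:
        idx = code.find(TAIL_PATTERN, pos)
        if idx == -1:
            return None
        jmp_off = idx + 3                        # offset of the E9 opcode
        rel_bytes = code[jmp_off + 1:jmp_off + 5]
        if len(rel_bytes) < 4:
            return None
        # The genuine tail jump is followed by the "DB 00" padding run;
        # anything else is a false match inside real code.
        if code[jmp_off + 5:jmp_off + 7] != b"\x00\x00":
            pos = idx + 1
            continue
        rel32 = struct.unpack("<i", rel_bytes)[0]  # signed displacement
        jmp_va = base_va + jmp_off
        oep_va = jmp_va + 5 + rel32                # relative to the next instruction
        return jmp_va, oep_va


# Constructed sample built from the listing above (CMP at 00F526AA); the
# leading PUSHAD is a stand-in for the stub entry, not the real DarkTequila bytes.
SAMPLE_BASE_VA = 0x00F526A9
SAMPLE_CODE = bytes.fromhex(
    "60"            # PUSHAD (stand-in for stub entry)
    "39C4"          # CMP ESP,EAX
    "75FA"          # JNZ SHORT
    "83EC80"        # SUB ESP,-80
    "E9E882F2FF"    # JMP rel32 -> OEP
    "000048000000"  # DB 00 padding ('H' and zeros)
)

if __name__ == "__main__":
    print(entry_is_pushad(SAMPLE_CODE))
    print(find_upx_tail_jump(SAMPLE_CODE, SAMPLE_BASE_VA))  # (0xF526B1, 0xE7A99E)
```

Run against the bytes from the listing, the helper reports the tail jump at 00F526B1 and an OEP of 00E7A99E, matching the CALL reached by stepping over the jump in Olly.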
