A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #32888  by R136a1
 Thu May 02, 2019 7:13 pm
This is a publicly advertized trojan which can be found here:
warzone[.]io

They also operate a dynamic DNS service located here:
warzonedns[.]com

The usual Twitter string analysts dubbed this AVE_MARIA Stealer while it's a bit more than this. And from Twitter directly to a blog:
https://blog.yoroi.company/research/the ... a-malware/ :-(

The feature list seems to be accurate, although the description of "Privilege Escalation" is crazy for simple UAC bypass. Privilege elevation would be more accurate.

The UAC bypass module is located in the resource "WM_DSP" which is a bit sloppy coded. For example:
Code: Select all
  GetModuleFileNameW(0, &Filename, 0x208u);
  v0 = LoadLibraryW(L"ntdll.dll");
  RtlGetCurrentPeb = GetProcAddress(v0, "RtlGetCurrentPeb");
  v1 = LoadLibraryW(L"ntdll.dll");
  RtlEnterCriticalSection = (int (__stdcall *)(_DWORD))GetProcAddress(v1, "RtlEnterCriticalSection");
  v2 = LoadLibraryW(L"ntdll.dll");
  RtlLeaveCriticalSection = (int (__stdcall *)(_DWORD))GetProcAddress(v2, "RtlLeaveCriticalSection");
  v3 = LoadLibraryW(L"ntdll.dll");
  RtlInitUnicodeString = (int (__stdcall *)(_DWORD, _DWORD))GetProcAddress(v3, "RtlInitUnicodeString");
  v4 = LoadLibraryW(L"ntdll.dll");
  RtlFillMemory = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetProcAddress(v4, "RtlFillMemory");
  v5 = LoadLibraryW(L"ntdll.dll");
  GetProcAddress(v5, "NtAllocateVirtualMemory");
  v6 = LoadLibraryW(L"ntdll.dll");
  LdrEnumerateLoadedModules = (int (__stdcall *)(_DWORD, _DWORD, _DWORD))GetProcAddress(v6, "LdrEnumerateLoadedModules");
You can see that LoadLibrary is called way too many times. Also, NtAllocateVirtualMemory is resolved but never used.

Furthermore, it gives out a message box when the process has already admin privileges:
Code: Select all
MessageBoxW(0, L"Hey I'm Admin", 0, 0);
:party:

And error handling seems to be an alien concept for the author. Example:
Code: Select all
v0 = FindResourceW(0, (LPCWSTR)0x65, L"WM_DISP");
v1 = LoadResource(0, v0);
nNumberOfBytesToWrite = SizeofResource(0, v0);
lpBuffer = LockResource(v1);
RtlFillMemory(&FileName, 520, 0);
GetTempPathW(0x208u, &FileName);
lstrcatW(&FileName, L"dismcore.dll");
v2 = CreateFileW(&FileName, GENERIC_ALL, 1u, 0, 2u, 0x84u, 0);
WriteFile(v2, lpBuffer, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0);
CloseHandle(v2);
RtlFillMemory(&Buffer, 520, 0);
GetTempPathW(0x208u, &Buffer);
lstrcatW(&Buffer, L"ellocnak.xml");
v3 = CreateFileW(&Buffer, 0x10000000u, 1u, 0, 2u, 0x84u, 0);
...
:x

As you can see, it uses Leo Davidson derivative (see point 23 of UACME description). An explanation can be found here: viewtopic.php?t=3643&start=110 (-> "Exploiting g_lpAutoApproveEXEList").

Also weird, trojan code contains a leftover test function which is never used:
Code: Select all
  get_kernel32_base();
  result = resolve_api_function(v0);
  if ( result )
  {
    result = result(leftover_func, &v5, 28);
    if ( v6 )
    {
      resolve_iat_functions();
      MessageBoxA(0, "Bla2", "Bla2", 0);
      v4 = v2;
      v8 = 0;
      v3 = (LPCWSTR *)copy_str_to_mem(L"C:\\Users\\louis\\Documents\\workspace\\MortyCrypter\\MsgBox.exe");
      wrapper_CreateProcessW((HANDLE *)&v7, v3, (LPWSTR *)&v8, v4);
      wrapper_VirtualFree(lpAddress);
      lpAddress = 0;
      result = wrapper_VirtualFree(0);
    }
  }
  return result;
All in all, it's a classic trojan coded for monetisation purposes. :bored:

Sample attached.

More samples:
531d967b9204291e70e3aab161a5b7f1001339311ece4f2eed8e52e91559c755
023ee9f2b86939f57849c5707b6d128c9229a9d877c57046de2f5bc411311e66
0eb8867f2449f54dda104c676cbdc2e40549cacf85c738e05828b0d5fdcc45d2
3f081250d5d0a34bf21c7160b6207a55c81549a110527b4b6319990a374ea755
44795df9dd22a61af97c39b47baf922be043fd6cb113d252d5b121b3fea8ae0f
4d53fb1993c396b5caaa3700cd1dc42d1bb0734ec12e1822fb5ebf7c0c42d500
69f39fb00d28a32ae15618744500a62e0a7b288871fbec7bbad11a9506dbab9b
9ba69a7e37b7b567dd7ede67091c0c48df4f7e3966d5f0854f8092bc11e86fae
a790be6be3404f90bbdd66e9af486afbc029be7a6c12592327a1642218dd8f6b
a9fff9713433f99e9351d2f634110c9697ec52f17f469c624f87edb9116434ae
b6c028df0b4efe3e07bb1c8ed300163d16d2554b1b800f234a14a836f99849c4
e541a3f77231846c96a00c4b7826a36f693ab2fa40dc58260818c7ebedd21da7
e56eb6d82d97c84d25d694d67f9ea72e28714f633cf26d4cfd05513fa1338c68
0f3c4d987c5ad7446d6c9c9e7a840fef387e394484198d891fc05628c4973e73
11b31cefb8689e3fe4036ea7e94a8d15f45b78074f5696749ff5b3c5a5a41792
125acec95bc567057387e48be9bb21990ae817be5ee8e6fe8fe41b3ee7462302
148740edf13a6b6b0ad448203b89d48c75324d6b45e1f4ce462fc06bf03244c2
263433966d28f1e6e5f6ae389ca3694495dd8fcc08758ea113dddc45fe6b3741
2a0acfb651c56c0000badcfba3a428188614082a79b2f83eea1a95bae5aa7859
3dc2dfb927491848080cb53a2ff7c632eb1d7b0e61765ac1679ab921cac758cc
40b00781a4d54f82b50a60c4fd6628ed6d62074beb90b8613b5a4f96f117cae1
4f2940a006495ee3d570aaa7271d205b1c2a4cb9cb843d970948c5a2084c3ad6
50840fbc820980940c82d5e35cf8d92ab97776dcee48db94266f10b97c0b2a1c
844548eeb620b760ff16c8802f395df5807492d4154ac1a6645035183e3b26eb
8655b2dab11c522233c71631ab0215f2b88e117787a473c4ea06ca62cb16b675
9224757f4a30f3672ef0ca4c815a3408fceae738b21cff9516f7cd88257e4765
b7ca8b6fe28369743c9d454b404565058279fcce765fa33a8757b59ef50b9ddf
c20163acf10fdbff86b0c2747c952d0406c6dced12ac29a9c73cb0310bfecae9
c8f687c0dd0c5ec3445361943811e1d62c2760e9770486cf752de238e5162d6a
cc50f1c93289bb729b1a68205f4e142a0a8dd9d30796fef6e26ae6965babfa12
cf4abc0e521f831554ee57506b8ab370faafe2d776f64bae1bc8c67e79b433ee
e2a0f2cae40e4f08339523f7f0d117e769e52aa4346cce35ee913ddd2d348b29
f49af39077e893f6f893e1b50715f2affe5c34d493e261c73eff0d1986abf484
f4ca6f9fdcda5154b4457ed513e12afbc9aba71282ab082eea6332e7a3b9bcd4
fd2536014cf56d746f8b9dd8e3dd8116eddcbb87074170c1a8b33a48dc27a472
...
You do not have the required permissions to view the files attached to this post.
 #32889  by EP_X0FF
 Fri May 03, 2019 7:24 am
They share this pile of garbage code with Ransomware Ave Maria -> viewtopic.php?f=16&t=5451 :clown: