Looking at the new Krypton crypter and recent Data Exfiltrator Samples
By: Jason Reaves and Joshua Platt
Recently ReversingLabs wrote about a utility being used for data exfiltration[1] that uses the same string encryption we had previously discussed being leveraged by TrickBot for their new CobaltStrike loader[2]. The string encoding is easy to spot because of its ending marker of ‘mOrxx’, and it is used not only to encode strings in the payloads but also inside a crypter. The crypter itself is a variant of Krypton[4], which has also been called Xenon[3] and has been around for a long time in the world of crypters.
Krypton Crypter
The newer versions of the crypter wrap the payload in a variable number of layers of single-byte XOR encoding and LZNT1 compression (the format behind RtlCompressBuffer/RtlDecompressBuffer).
After each XOR layer the stub checks whether a PE header has been decoded out. If it has not, it LZNT1-decompresses the data, and the decompressed blob can itself carry another single-byte XOR layer before the next check.
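As an added illustration of that layering (this is not code from the original post, nor the Krypton unpacker referenced in [4]), the following Python peels the layers from a constructed blob without knowing the keys: it brute-forces the single-byte XOR at each layer, accepts a layer as soon as a PE header appears, and otherwise treats the buffer as an LZNT1 stream. The LZNT1 decoder is a strict reimplementation of the Windows chunk format; the layer order (XOR, then LZNT1, then XOR again), the key values and the test blob are assumptions made for the example.

```python
import struct


def lznt1_decompress(buf):
    """Decode an LZNT1 stream (COMPRESSION_FORMAT_LZNT1, what RtlDecompressBuffer consumes).
    Strict on purpose: a bad chunk signature, a truncated chunk or an out-of-range
    back-reference raises ValueError, which lets the brute force below drop wrong keys fast."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(buf):
        hdr = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if hdr == 0:                          # an empty header terminates the stream
            break
        if (hdr & 0x7000) != 0x3000:          # chunk signature bits
            raise ValueError("bad chunk header")
        size = (hdr & 0xFFF) + 1
        if pos + size > len(buf):
            raise ValueError("truncated chunk")
        chunk, pos = buf[pos:pos + size], pos + size
        if not (hdr & 0x8000):                # stored chunk, copied verbatim
            out += chunk
            continue
        base, i = len(out), 0                 # back-references never reach before this chunk
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not ((flags >> bit) & 1):  # literal byte
                    out.append(chunk[i])
                    i += 1
                    continue
                if i + 1 >= len(chunk):
                    raise ValueError("truncated token")
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # the length/offset split depends on how much of the chunk is already decoded
                p, l_mask, o_shift = len(out) - base - 1, 0xFFF, 12
                while p >= 0x10:
                    l_mask, o_shift, p = l_mask >> 1, o_shift - 1, p >> 1
                length, offset = (token & l_mask) + 3, (token >> o_shift) + 1
                if offset > len(out) - base:
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):       # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out)


def is_pe(buf):
    """MZ at offset 0 and PE\\0\\0 at e_lfanew: the check the stub effectively makes."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor(buf, key):
    return bytes(b ^ key for b in buf)


def peel(buf, max_depth=4, _layers=()):
    """Strip alternating single-byte-XOR / LZNT1 layers without knowing the keys.
    Returns (pe_bytes, layers) or (None, ()). Assumed order, following the description
    above: XOR, check for a PE header, else LZNT1-decompress and repeat."""
    if max_depth < 0 or len(buf) < 2:
        return None, ()
    for key in range(256):
        cand = xor(buf, key)
        if is_pe(cand):
            return cand, _layers + (f"xor 0x{key:02x}",)
    for key in range(256):
        try:
            dec = lznt1_decompress(xor(buf, key))
        except ValueError:
            continue
        pe, layers = peel(dec, max_depth - 1, _layers + (f"xor 0x{key:02x}", "lznt1"))
        if pe is not None:
            return pe, layers
    return None, ()


# Constructed test object (not a real Krypton sample): a minimal PE-shaped image,
# XOR-encoded with INNER_KEY, LZNT1-compressed by hand (one chunk, two back-references),
# then XOR-encoded again with OUTER_KEY.
INNER_KEY, OUTER_KEY = 0x3C, 0xA7
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"A" * 12


def build_stub_blob():
    x = lambda b: bytes([b ^ INNER_KEY])  # literals inside the stream carry the inner XOR
    chunk = (b"\x08" + x(0x4D) + x(0x5A) + x(0x00) + b"\x36\x00"    # M, Z, 0, then 57 copies of the previous byte
             + x(0x40) + x(0) + x(0) + x(0)                         # e_lfanew = 0x40
             + b"\x20" + x(0x50) + x(0x45) + x(0) + x(0) + x(0x41)  # P, E, 0, 0, A
             + b"\x08\x00")                                         # then 11 more copies of 'A'
    stream = struct.pack("<H", 0x8000 | 0x3000 | (len(chunk) - 1)) + chunk
    return xor(stream, OUTER_KEY)


if __name__ == "__main__":
    pe, layers = peel(build_stub_blob())
    print(layers, pe == FAKE_PE)
```

With a real stub you would first carve out the blob the stub reads (its resource or data section) and hand that to peel; the strict header, size and back-reference checks are what keep the LZNT1 attempts down to a handful of candidate keys per layer.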
Unpacking some objects:
Sample:
0ac2376677e4e85efb460cb6fff78f1c61226c7ac3fd65b133fe6c92dfcddb7f
Unpacked strings:
raw.githubusercontent.com
Curl
hgvggjhkvbhulbhnkj/potential-octo-pancake/master/img.png

Sample:
101b5d0fea7ab98a354a8d333fc90b6c485062da6672d0312e5443bb686ccce7
Unpacked is Mimikatz

Sample:
8dde0e4edffb940823c04a4253a0aaaecb8ff90bb681b9d87866308eb45e925e
Unpacked is POC for CVE-2020-0787

Sample:
92c7c3ce3fd5c867e68760e943958959b8786e15a5657629a27b69f92b850308
Unpacked strings:
raw.githubusercontent.com
mikijmmiu5ktjrgf/psychic-octo-doodle/master/favicon.ico

Sample:
Unpacked strings:
WinInet Test
temp.positiveseca.com
askscc.php?4334523
test
https://temp.positiveseca.com/askscc.php?4334523
can't decompress buff!
can't get len of decompressed buff!
Krypton Strings
The string encoding is outlined in both blogs above[1,2], but since it is being used for standalone executable files as well as for the crypter stub, I decided to write up a string decoding script based on our previous report[2] to take a closer look at the samples that are using it to obfuscate their strings.
import re
import sys

def decode_str(s, k=0):
    # drop the 5-byte marker, undo the optional XOR, then subtract each byte's 1-based position
    blob = bytearray(s[5:])
    for i in range(len(blob)):
        blob[i] ^= k
        blob[i] = (blob[i] - (i + 1)) & 0xff
    return bytes(blob)

data = open(sys.argv[1], 'rb').read()
# the marker bytes followed by a NUL-terminated run of encoded bytes
encoded_strs = re.findall(rb'\xfb\xfc\xfe\xff\xaa[^\x00]+', data)
for val in encoded_strs:
    t = decode_str(val)
    print(t.decode('latin-1', 'replace'))
Using this we can dump most of the strings from a sample:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
198.58.127.161
90j8vjv9807rv912jRJehkdfsvIUE2387
POST
We are still left with some strings that are built on the stack one byte at a time, so for these we can look for the marker bytes (‘\xfb\xfc\xfe\xff\xaa’) being stored first:
# mov byte ptr [rsp+disp8], imm8 assembles to c6 44 24 <disp8> <imm8>; match five such stores
# carrying the marker bytes in order, followed by at least one more store
needle = re.compile(rb'\xc6\x44\x24.\xfb\xc6\x44\x24.\xfc\xc6\x44\x24.\xfe'
                    rb'\xc6\x44\x24.\xff\xc6\x44\x24.\xaa\xc6\x44\x24..', re.DOTALL)
for m in needle.finditer(data):
    pos = m.start() + 4          # offset of the first imm8 (0xfb)
    out = bytearray()
    while pos < len(data) and data[pos] != 0:
        out.append(data[pos])
        pos += 5                 # each store is 5 bytes, so the next imm8 is 5 bytes on
    print(decode_str(out).decode('latin-1', 'replace'))
Now we can dump all, or at least the majority, of the decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
198.58.127.161
90j8vjv9807rv912jRJehkdfsvIUE2387
POST
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
NtCreateThreadEx
RtlGetCompressionWorkSpaceSize
RtlCompress
LoadLibraryW
GetProductInfo
GetVersionExA
user32
GetWindowRect
GetDesktopWindow
psapi
EnumProcesses
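The two scripts above are one-off dumps over a file on disk. As an added, self-contained example (not code from the original post) the version below turns the same two recovery paths into functions that return the strings, so it can be tested against a constructed buffer: one string stored inline behind the marker, one built on the stack with the x64 store pattern the regex above matches. encode_str is the exact inverse of the decoder and exists only to build that test data; it is an assumption about the encoder, not code recovered from the samples, and the junk bytes and stack displacements in build_sample are made up.

```python
import re

MARKER = b"\xfb\xfc\xfe\xff\xaa"  # 5-byte prefix in front of every encoded string


def decode_str(s, k=0):
    """Drop the marker, XOR each byte with k, then subtract its 1-based position."""
    blob = bytearray(s[5:])
    for i in range(len(blob)):
        blob[i] ^= k
        blob[i] = (blob[i] - (i + 1)) & 0xFF
    return bytes(blob)


def encode_str(s, k=0):
    """Exact inverse of decode_str. Written here only to build test data; it is an
    assumption about the encoder, not code recovered from the malware."""
    return MARKER + bytes((((b + i + 1) & 0xFF) ^ k) for i, b in enumerate(s))


def find_inline_strings(data, k=0):
    """Marker followed by a NUL-terminated run of encoded bytes, stored as-is in the image."""
    return [decode_str(m, k) for m in re.findall(re.escape(MARKER) + rb"[^\x00]+", data)]


# x64 `mov byte ptr [rsp+disp8], imm8` assembles to C6 44 24 <disp8> <imm8>; a string
# built on the stack shows up as one such store per byte, marker first, NUL last.
STORE = b"\xc6\x44\x24"
STACK_NEEDLE = re.compile(
    b"".join(re.escape(STORE) + b"." + re.escape(bytes([b])) for b in MARKER), re.DOTALL)


def find_stack_strings(data, k=0):
    found = []
    for m in STACK_NEEDLE.finditer(data):
        pos, buf = m.start(), bytearray()
        while pos + 5 <= len(data) and data[pos:pos + 3] == STORE:
            imm = data[pos + 4]
            if imm == 0:                    # the terminating NUL store closes the string
                found.append(decode_str(buf, k))
                break
            buf.append(imm)
            pos += 5                        # next store, next byte
    return found                            # a run that never reaches a NUL store is dropped


def build_sample():
    """Constructed buffer (not a real sample): junk, an inline encoded string, then a
    stack-built one using made-up displacements 0x20, 0x21, ..."""
    inline = b"\x90" * 4 + encode_str(b"uploadFile.php") + b"\x00" + b"\xcc" * 3
    stack = b"".join(STORE + bytes([0x20 + i, b])
                     for i, b in enumerate(encode_str(b"POST") + b"\x00"))
    return inline + b"\x48\x89\xe5" + stack + b"\xc3"


if __name__ == "__main__":
    data = build_sample()
    print(find_inline_strings(data), find_stack_strings(data))
```

The k parameter is kept because the decoder on the previous report[2] had one; for the samples in this post it is 0. Note that the stack walker only follows stores that sit back to back, which is what the compiler emits for these samples; interleaved instructions would need a disassembler rather than a byte pattern.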
Looking into some of the samples crypted with Krypton, we find that the same string encoding is also used inside the unpacked sample:
Sample:
68e4924cdd25baf562eff5a223a6e74ff1cc76201dc5d8a55b12734aa79986cf
Unpacked and decoded strings:
raw.githubusercontent.com
hgvggjhkvbhulbhnkj/furry-palm-tree/main/2020.gif
logo.png
Curl
GET
wininet.dll

Sample:
a32e37ae08d6a723dff7313d96bc7e23fe9b7db18295e2916f3c935530329919
Unpacked and decoded strings:
raw.githubusercontent.com
hgvggjhkvbhulbhnkj/palm/main/shared.gif
logo.png
Curl
GET
wininet.dll
Data Exfiltrator Samples
Now that we can decode the strings efficiently, we can turn our attention to the Data Exfiltrator samples and dump all the data out of the ones we have found. Judging by the PDB path left in the samples that were not stripped, the author calls the project ‘file_sender’:
E:\work\proj\file_sender\x64\file_sender.pdb
Harvested data from sample set:
Sample:
MD5: 4a7b6a0ee35d930996c6e5625f184d87
SHA256: 0d7358a3c04d860883da564d51c983e262d5b3057da29a3804d5e8f67644e02e
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
se1.buttonrich.com
3f9n8uv0n43809vn3d092v09290
POST
LoadLibraryW
GetProductInfo
GetVersionExA
NtCreateThreadEx
RtlGetCompressionWorkSpaceSize
RtlCompress
user32
GetWindowRect
GetDesktopWindow
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
psapi
EnumProcesses

Sample:
MD5: 5ca7b4a0e7981a2569033031ea1dc726
SHA256: 5c268313821c3e851f500e5dea135cce0670f1f2efe4466394d7dcdaeb321aa8
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
198.58.127.161
90j8vjv9807rv912jRJehkdfsvIUE2387
POST
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
NtCreateThreadEx
RtlGetCompressionWorkSpaceSize
RtlCompress
LoadLibraryW
GetProductInfo
GetVersionExA
user32
GetWindowRect
GetDesktopWindow
psapi
EnumProcesses

Sample:
MD5: e3300ec2f31f5730970c5bb066d2f0ed
SHA256: 68af250429833d0b15d44052637caec2afbe18169fee084ee0ef4330661cce9c
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/0.0.309 Chrome/83.0.4103.122 Electron/9.3.5 Safari/537.36
GET
figures.pablotech.info
8953n7b8ewurdfb3njnyuridrwdb
POST
C:\Windows\
NtAllocateVirtualMemory
NtFreeVirtualMemory
LoadLibraryW
GetProductInfo
GetVersionExA
user32
GetWindowRect
GetDesktopWindow
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
psapi
EnumProcesses

Sample:
MD5: 85fc54cb1d9dc2207d2f49cc4631fe21
SHA256: 7bc5ea877a9a4ebf173334b63bfdd9762acf8d53fd066049b12f0d6fd9f7892c
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
192.241.144.56
4bw243bg54nyh3wtn46uthgt43
POST
LoadLibraryW
GetProductInfo
GetVersionExA
user32
GetWindowRect
GetDesktopWindow
NtCreateThreadEx
RtlGetCompressionWorkSpaceSize
RtlCompress
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
psapi
EnumProcesses

Sample:
MD5: 020573d76c6f2d102e40ad882d88ec73
SHA256: 7c7317c7f036c00d4c55d00ba36cb2a58a39a72fe24a4b8d11f42f81b062f80b
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
167.172.170.139
jkrenugbiowenuyfboiwenuyIUONbefuwu849f
POST
user32
GetWindowRect
GetDesktopWindow
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
NtCreateThreadEx
RtlGetCompressionWorkSpaceSize
RtlCompress
LoadLibraryW
GetProductInfo
GetVersionExA
psapi
EnumProcesses

Sample:
MD5: 5a0dd4b0ff5be657edb0a7f95ded0683
SHA256: 853dce7c9dc870735499df094fba68b2ca23218b4014ce22124fea145c3c2cfe
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/0.0.309 Chrome/83.0.4103.122 Electron/9.3.5 Safari/537.36
GET
figures.pablotech.info
8953n7b8ewurdfb3njnyuridrwdb
POST
C:\Windows\
NtAllocateVirtualMemory
NtFreeVirtualMemory
LoadLibraryW
GetProductInfo
GetVersionExA
user32
GetWindowRect
GetDesktopWindow
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
psapi
EnumProcesses

Sample:
MD5: 12a7595d94e142847a04f11659ed183d
SHA256: 8cfd554a936bd156c4ea29dfd54640d8f870b1ae7738c95ee258408eef0ab9e6
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
51.77.110.6
3f9n8uv0n43809vn3d092v09290
POST
user32
GetWindowRect
GetDesktopWindow
LoadLibraryW
GetProductInfo
GetVersionExA
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
NtFreeVirtualMemory
NtCreateThreadEx
RtlCompressBuffer
psapi
EnumProcesses

Sample:
MD5: 9b95da664bc50363541f9f7e89ac32c3
SHA256: 8ea24457df1459297503237411594b734794ee0d2654b22c66d3a976e2e6ff4f
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
172.104.142.206
htyrnhernerIEKmnubOIMUewfiobwuioewb83
POST
user32
GetWindowRect
GetDesktopWindow
LoadLibraryW
GetProductInfo
GetVersionExA
NtCreateThreadEx
RtlGetCompressionWorkSpaceSize
RtlCompress
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
psapi
EnumProcesses

Sample:
MD5: 4af8b45c9b0f73d47a499d92064b6c2e
SHA256: 934c557e52bd47fa312ea4098e05781145d0b81c9dc543ef42b266813bdb05d4
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
51.161.82.135
huve3fn298vmfu293jKVFDSfvjjfe893
POST
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
C:\Windows\
NtAllocateVirtualMemory
NtFreeVirtualMemory
LoadLibraryW
GetProductInfo
GetVersionExA
user32
GetWindowRect
GetDesktopWindow
psapi
EnumProcesses

Sample:
MD5: 7c801e3c256d2e9e1f4462fe84e44c68
SHA256: a7cf0f72bb6f1e0a61fbf39e3a3a36db6540250caeef35b47fb51a8959f40984
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
GET
51.161.82.135
huve3fn298vmfu293jKVFDSfvjjfe893
POST
user32
GetWindowRect
GetDesktopWindow
LoadLibraryW
GetProductInfo
GetVersionExA
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
C:\Windows\
NtAllocateVirtualMemory
NtFreeVirtualMemory
psapi
EnumProcesses

Sample:
MD5: 1010bec081572dc3bd16e26a1e37d815
SHA256: dcc4ac1302ac5693875c4a4b193242cbb441b77cd918569c43fe318bcf64fe3d
Decoded strings:
uploadFile.php
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) discord/0.0.309 Chrome/83.0.4103.122 Electron/9.3.5 Safari/537.36
GET
files.pablotech.info
46rnyegq235etnerhgf43trrthgbfRYdfnhg
POST
LoadLibraryW
GetProductInfo
GetVersionExA
HttpOpenRequestW
InternetOpenW
HttpSendRequestW
C:\Windows\
NtAllocateVirtualMemory
NtFreeVirtualMemory
user32
GetWindowRect
GetDesktopWindow
psapi
EnumProcesses
IOCs
temp.positiveseca.com
se1.buttonrich.com
198.58.127.161
figures.pablotech.info
192.241.144.56
167.172.170.139
51.77.110.6
172.104.142.206
51.161.82.135
files.pablotech.info
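The decoded strings give a network-side pattern that is easy to hunt for: a POST to uploadFile.php, one of two hard-coded User-Agent values, and the hosts in the list above. As an added example (not from the original post), the following Python applies those indicators to proxy log lines. The log layout, the sample lines and the scoring rule that a known User-Agent alone is not a hit are assumptions made for the example; the hosts, the path and the User-Agent strings are taken from this page.

```python
import re

# Hosts and addresses from the IOC list above.
IOC_HOSTS = {
    "temp.positiveseca.com", "se1.buttonrich.com", "198.58.127.161",
    "figures.pablotech.info", "192.241.144.56", "167.172.170.139",
    "51.77.110.6", "172.104.142.206", "51.161.82.135", "files.pablotech.info",
}
# User-Agent values recovered from the decoded strings.
KNOWN_UAS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "discord/0.0.309 Chrome/83.0.4103.122 Electron/9.3.5 Safari/537.36",
}
UPLOAD_PATH = "/uploadFile.php"

# Assumed proxy log layout (a construction for this example, not from the page):
# <client> <method> <host> <path> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')


def classify(line):
    """Reasons a proxy log line matches the file_sender traffic pattern ([] if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    if m["host"] in IOC_HOSTS:
        reasons.append("ioc-host")
    if m["method"] == "POST" and m["path"].split("?")[0].endswith(UPLOAD_PATH):
        reasons.append("upload-path")
    if m["ua"] in KNOWN_UAS:
        reasons.append("known-ua")
    # Both User-Agents are ones real clients send, so on their own they are not a hit.
    return [] if reasons == ["known-ua"] else reasons


def scan(lines):
    """(line, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed log lines for the self-test (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 POST se1.buttonrich.com /uploadFile.php 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"',
    '10.0.0.7 GET www.example.com /index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"',
    '10.0.0.9 POST 203.0.113.10 /cgi/uploadFile.php 200 "curl/7.79.1"',
    '10.0.0.4 GET figures.pablotech.info /index.php 404 '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'discord/0.0.309 Chrome/83.0.4103.122 Electron/9.3.5 Safari/537.36"',
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(reasons, line[:60])
```

The upload path is matched on its own because the operators rotate hosts between samples while keeping uploadFile.php; a hit on the path alone is worth a look at the destination even when it is not yet on the IOC list.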
References
1: https://blog.reversinglabs.com/blog/data-exfiltrator
2: https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c
3: https://fidelissecurity.com/threatgeek/archive/shining-light-xenon-unravelling-crypter/
4: https://github.com/sysopfb/Unpackers/blob/master/Krypton/15/krypton15unpack.py