Reversing APT-28 64-bit Keylogger [Zebrocy Nim] [ TLP: White ]

In-depth Static and Dynamic Analysis

Introduction:

Samples of Zebrocy Nim are appearing frequently on MalwareBazaar, and recently Zebrocy Nim has been used in malicious targeting of the US, UK and Canada by APT-28 and APT-29 in a phishing campaign specifically designed and themed around nCoV-19.

Static and Dynamic Analysis

Static Analysis: Basic

Deploying Cutter
Hashes:
Hashes of the Zebrocy Nim sample.
Strings:
Strings present in the Zebrocy Nim sample.
Imports:
Imports present in the Zebrocy Nim sample.

Static Analysis: Advanced

Deploying Ghidra
entry function:

The entry function contains two function calls, “get_sys_info” and “encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor”. Together these two functions exfiltrate the victim computer’s information after infection (the machine is backdoored with this malware after an initial infection by a worm such as Emotet).

Graph of the entry function of Zebrocy Nim.
get_sys_info function:
This function is responsible for fetching system information, not on its own but together with the other function called from the entry function. Looking at “get_sys_info”, you will see that “local_38” is assigned a FileTime value combined with a multiplication by “0x0”, i.e. zero bytes in simple language. Right after that comes a conditional “if” statement in which a very large constant is used for the comparison, purely to load an error-filled negative value into memory and assign it to a data buffer. Then SystemTime, CurrentProcessId, TickCount and CurrentThreadId are fetched, and the system’s performance counter is queried using the “QueryPerformanceCounter” function. After that the data is scrambled; by scrambling I mean that mathematical operations are applied to the values the function imported from the system. As before, a conditional “if” is applied to the data, which is then written to two “data buffers”, one receiving a positive value and the other a negative value.
Graph of the get_sys_info function.
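The sequence described above (a FileTime, the process ID, thread ID and tick count, and a QueryPerformanceCounter reading XORed into one value that is then stored next to its bitwise complement, behind an “if” against one large constant) is the same derivation the C runtime’s `__security_init_cookie` performs when it sets up the stack-protection cookie at process start, in both the MSVC and the mingw-w64 startup code. The C below is an added example, not code from the original post or from the sample; it reproduces that derivation on constructed inputs (the global and function names are the CRT’s, every input value is made up) so an analyst can compare it against the decompiled function and tell compiler-inserted startup code apart from the sample’s own logic.

```c
#include <stdint.h>
#include <stdio.h>

/* x64 default value of __security_cookie in the CRT's gs_support.c (MSVC and mingw-w64). */
#define DEFAULT_SECURITY_COOKIE 0x00002B992DDFA232ULL

/* The two globals the real routine writes: the cookie and its bitwise complement,
   i.e. the "positive" and "negative" data buffers seen in the decompilation. */
static uint64_t g_security_cookie = DEFAULT_SECURITY_COOKIE;
static uint64_t g_security_cookie_complement = ~DEFAULT_SECURITY_COOKIE;

/* Pure x64 derivation. The arguments stand in for what the real code reads via
   GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount
   and QueryPerformanceCounter, so the same math can be run offline. */
uint64_t derive_cookie(uint64_t filetime, uint32_t pid, uint32_t tid,
                       uint32_t tick_count, uint64_t perf_counter)
{
    uint64_t cookie = filetime;            /* 64-bit FILETIME taken as one scalar */
    cookie ^= pid;
    cookie ^= tid;
    cookie ^= tick_count;
    uint64_t low = perf_counter & 0xFFFFFFFFULL;
    cookie ^= (low << 32) ^ perf_counter;  /* (LowPart << 32) ^ QuadPart */
    cookie &= 0x0000FFFFFFFFFFFFULL;       /* clear the top 16 bits */
    if (cookie == DEFAULT_SECURITY_COOKIE)
        cookie = DEFAULT_SECURITY_COOKIE + 1;  /* never keep the known default */
    return cookie;
}

/* Mirrors __security_init_cookie's control flow: the "if" against the large
   constant checks whether the global still holds the default; if not, only the
   complement is recomputed. Returns the cookie now in effect. */
uint64_t init_security_cookie(uint64_t filetime, uint32_t pid, uint32_t tid,
                              uint32_t tick_count, uint64_t perf_counter)
{
    if (g_security_cookie != DEFAULT_SECURITY_COOKIE) {
        g_security_cookie_complement = ~g_security_cookie;
        return g_security_cookie;
    }
    g_security_cookie = derive_cookie(filetime, pid, tid, tick_count, perf_counter);
    g_security_cookie_complement = ~g_security_cookie;
    return g_security_cookie;
}

int main(void)
{
    /* Constructed inputs, not values taken from the analysed sample. */
    uint64_t c = init_security_cookie(0x01D5F00000000000ULL, 0x1234, 0x5678,
                                      0x000A0000, 0x0000000100000002ULL);
    printf("cookie=%016llx complement=%016llx\n",
           (unsigned long long)c, (unsigned long long)g_security_cookie_complement);
    return 0;
}
```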
encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function:
In this function the startup information of the system is extracted; then, after a few conditional “if” statements, the function “going_for_cs_journey” is called to handle the critical section. Further on in this function, “encrypting_and_doing_buffer_juggling” is called, which encrypts the data and messes up the buffer, most probably a BOF [buffer overflow] that raises an “unhandled” exception in the system, which is then stored in the data buffer. Moving on through the function we see processor-specific messing up according to x86 or x64. After that, data is exchanged between memory locations, followed by some scrambling that happens dynamically in this function. At the end of this function “x64_bit_scrambling” takes place together with “payload writing” in memory, encryption of the payload and a few file operations.
Graph of the encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function.

In the functional graph of this function we can see that the boxes are of the same size, which indicates that Zebrocy Nim must be using “RC4 encryption”.

Functional graph of the encrypt_and_fetch_sys_info_fetch_ps_info_writeup_of_payload_and_encryptor function.
going_for_cs_journey function:

In this function, operations on the “critical section” take place, with the memory being “freed up” as the operations complete.

Graph of the going_for_cs_journey function.
Functional graph of the going_for_cs_journey function.
encrypting_and_doing_buffer_juggling function:

Here the encryption and the buffer overflow occur through calls to the “way_to_encrypting” and “mess_up_buffer” functions.

Graph of the encrypting_and_doing_buffer_juggling function.
Functional graph of the encrypting_and_doing_buffer_juggling function.
acts_acc_to_x86_x64_processor_for_messingup function:
Graph of the acts_acc_to_x86_x64_processor_for_messingup function.
Functional graph of the acts_acc_to_x86_x64_processor_for_messingup function.
exchanger function:
Graph of the exchanger function.
Functional graph of the exchanger function.
x64_bit_scrambling function:
Graph of the x64_bit_scrambling function.
Functional graph of the x64_bit_scrambling function.
fetch_ps_info_writeup_of_payload_and_encryptor_file_ops function:
Graph of the fetch_ps_info_writeup_of_payload_and_encryptor_file_ops function.

Dynamic Analysis: Basic

VT detection:
VirusTotal detection of Zebrocy Nim’s malicious activity.
Registry keys set:
These are the registry keys set by Zebrocy Nim.
Registry keys deleted:
These are the registry keys deleted on execution of Zebrocy Nim.
DLLs imported by this .exe:
These are the 7 DLLs imported by the Zebrocy Nim .exe.
Process and Services Activity:

Dynamic Analysis: Advanced

Running the Zebrocy Nim .exe on VT we get these results.
The image shows the IPs contacted once the file has infected the victim machine.

C2 Server:

IPs communicating with the .exe:

Thanks for reading.

Article Link: https://medium.com/@0xthreatintel/reversing-apt-28-64-bit-keylogger-zebrocy-nim-tlp-white-a77033f5c36b?source=rss-a15183055fd6------2