Reversing APT Tool : SManager

Static and Dynamic Analysis of Chinese APT Backdoor

Introduction:

Recently JPCert (the Japanese CERT) published a blog post, in Japanese, about an espionage campaign run by a Chinese APT. Through the efforts of a fellow researcher, I obtained a sample.

Static & Dynamic Analysis

Static Analysis (Basic)

Analyzed info about the file:

It contains the file hashes and other file information, such as when it was created and what type of application it is.

This is the information produced by Ghidra's analysis.
Strings:

As the strings shown in the images below indicate, various Windows Form application functions are implemented in this sample.

Strings present in SManager sample.
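To show what the strings step above actually does, here is an added example (my own code, not part of the original post or the SManager sample). It pulls ASCII and UTF-16LE strings out of a byte buffer, records each one's offset, and tags the ones an analyst would look at first (DLL names, registry paths, MFC-style Afx/CWin names). The byte buffer is constructed for the demo; the names inside it are illustrative and are not taken from the sample.

```python
import re
from typing import List, Tuple

# Constructed sample buffer (not the real SManager binary): ASCII strings, one
# UTF-16LE string, and a run that is too short to report, between junk bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + b"CWinApp\x00\x00\xff\xfe"
    + b"AfxWinMain\x00"
    + b"\x01\x02\x03"
    + "MSVCRT.dll".encode("utf-16-le")
    + b"\x00\x00\x7f\x7f"
    + b"ab\x00"                                   # below MIN_LEN, dropped
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\x00"
)

MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of >= min_len characters.

    Covers plain ASCII and UTF-16LE, the encoding Windows uses for wide strings,
    which the classic `strings` tool only reports when run with -el.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # printable byte, zero byte, repeated
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)                                             # by offset (offsets are unique)


def tag_string(text: str) -> List[str]:
    """Cheap triage tags so the interesting strings stand out in a long listing."""
    tags = []
    low = text.lower()
    if low.endswith(".dll"):
        tags.append("dll")
    if low.startswith(("software\\", "hkey_", "hklm\\", "hkcu\\")):
        tags.append("registry")
    if text.startswith(("Afx", "CWin")):
        tags.append("mfc")        # Afx*/CWin* prefixes come from the MFC framework
    return tags


def triage(data: bytes) -> List[Tuple[int, str, str, List[str]]]:
    """Every extracted string together with its tags, for the analyst's notes."""
    return [(off, enc, text, tag_string(text)) for off, enc, text in extract_strings(data)]


if __name__ == "__main__":
    for off, enc, text, tags in triage(SAMPLE_BLOB):
        print(f"{off:#06x} {enc:8s} {text!r} {tags}")
```

Run against a real file with `triage(open(path, "rb").read())`; raising `min_len` to 6 or 8 cuts most of the noise from code bytes that happen to be printable.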

Static Analysis: Advanced

Using Ghidra, I analyzed this sample further.

entry function:
Code of entry function.
Graph of entry function.
scamming_errors_of_ikernel_and_upgrade function:
Code of scamming_errors_of_ikernel_and_upgrade function.
Graph of scamming_errors_of_ikernel_and_upgrade function.

Another interesting function in the binary is fetch_sys_info. Notably, it loads MSVCRT.DLL several times as the binary executes; MSVCRT.DLL is the C runtime library that code built in Visual Studio needs to have loaded.

Here is a screenshot of the function's execution in the disassembly; it can be seen that it calls for MSVCRT.DLL to be loaded into memory.

At the end of this entry function, the call into the Windows Form application is made.

Let's now take a look at the Windows Form application functions.

Here are some Windows Form functions displayed in the screenshot. If you step into any of these functions, there is nothing interesting to see. The main function is AfxWinMain, which the entry function calls and whose result it returns.

Windows Form functions.
AfxFindResourceHandle function:

This is the function in which the resources of the Windows Form application are handled.

Code of AfxFindResourceHandle function.
It is called from the resources_finder_and_icon_loader function.
Code of resources_finder_and_icon_loader function.
Graph of resources_finder_icon_loader function.

Other than that, there are functions in this binary which are used for automating the exploitation and for terminating communication with the server.

Code of automation function.
Graph of automation function.
reg_editor function:
Code of reg_editor function.
Graph of reg_editor function.
Code of creator_of_exploit_directory function.
Graph of creation_of_exploit_directory function.
payload_writer_dir_creator_for_payload function:

This function is very long; some of the reversed code lines are:

Graph of payload_writer_dir_creator_for_payload function.
reg_edit_proxy_setup_and_file_ops function:
Code and graph of reg_edit_proxy_setup_and_file_ops function.
Graph of reg_ops function.
Graph of setup_proxy_and_sys_file_info_fetch function.
caller_of_communication_termination function:

In this function, the Windows Form application's communication with the command and control (C2) server is terminated.

Graph and code of caller_of_communication_termination function.
Dynamic Analysis (Basic)
VT detection:
VirusTotal detection of SManager.
Registry Key Set:
These are the registry key set of the SManager.
Registry Key Deleted:
These are the registry key deleted on exec.
Imports of .dll by this .exe:
These are the 7 DLLs imported by the SManager .exe.
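The DLL list above is read from the binary's import table. As an added example (my own code, not the author's and not the real SManager binary), the following pure-Python parser walks a PE import directory and returns each imported DLL with the function names (or ordinals) it imports, which is the static counterpart of watching the DLLs get loaded at run time. It builds a minimal PE32 in memory as its constructed test input; the DLL and API names in that input are chosen for illustration only.

```python
import struct
from typing import Dict, List, Tuple


def parse_imports(data: bytes) -> Dict[str, List[str]]:
    """Walk the PE import directory: {dll_name: [function names or ordinal#N]}.
    Pure stdlib (no pefile); handles PE32 and PE32+ thunk widths and ordinal imports."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    dir_base = 96 if pe32 else 112                        # first DataDirectory entry
    import_rva = struct.unpack_from("<I", data, opt + dir_base + 8)[0]  # entry 1 = imports

    sections: List[Tuple[int, int, int]] = []             # (VirtualAddress, size, PointerToRawData)
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:                      # RVA -> file offset via the section table
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstr(off: int) -> str:
        return data[off:data.index(b"\x00", off)].decode("ascii", errors="replace")

    result: Dict[str, List[str]] = {}
    if import_rva == 0:
        return result                                     # statically imports nothing
    thunk_fmt, ordinal_flag = ("<I", 1 << 31) if pe32 else ("<Q", 1 << 63)
    desc_off = rva_to_off(import_rva)
    while True:                                           # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc_off)
        if name_rva == 0:
            break
        funcs: List[str] = []
        thunk_off = rva_to_off(oft or ft)                 # prefer the unbound OriginalFirstThunk table
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                         # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                funcs.append(cstr(rva_to_off(entry & 0x7FFFFFFF) + 2))
            thunk_off += struct.calcsize(thunk_fmt)
        result[cstr(rva_to_off(name_rva))] = funcs
        desc_off += 20
    return result


def dll_names(data: bytes) -> List[str]:
    """Only the DLL names, sorted: the view the import list above gives."""
    return sorted(parse_imports(data))


def build_sample_pe(imports: List[Tuple[str, List[str]]]) -> bytes:
    """Constructed test input: a minimal PE32 whose one section holds a real import directory."""
    rva, raw, n = 0x1000, 0x200, len(imports)             # section RVA / file offset
    thunk_pos, cur = [], (n + 1) * 20                     # thunk arrays follow the descriptors
    for _dll, funcs in imports:
        thunk_pos.append(cur)
        cur += (len(funcs) + 1) * 4
    names, dll_pos, func_pos = bytearray(), [], []        # name strings follow the thunk arrays
    for dll, funcs in imports:
        dll_pos.append(cur + len(names))
        names += dll.encode() + b"\x00"
        func_pos.append([])
        for f in funcs:
            func_pos[-1].append(cur + len(names))
            names += struct.pack("<H", 0) + f.encode() + b"\x00"   # hint + name
    desc = b"".join(struct.pack("<IIIII", rva + thunk_pos[i], 0, 0, rva + dll_pos[i], rva + thunk_pos[i])
                    for i in range(n)) + b"\x00" * 20
    thunks = b"".join(b"".join(struct.pack("<I", rva + p) for p in ps) + b"\x00" * 4 for ps in func_pos)
    section = desc + thunks + bytes(names)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, rva, (n + 1) * 20)               # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), rva, len(section), raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sect
    return hdr + b"\x00" * (raw - len(hdr)) + section


# DLL and API names below are illustrative, not taken from the SManager sample.
SAMPLE_PE = build_sample_pe([
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"]),
    ("MSVCRT.dll", ["malloc", "free"]),
    ("ADVAPI32.dll", ["RegSetValueExA"]),
])

if __name__ == "__main__":
    for dll, funcs in parse_imports(SAMPLE_PE).items():
        print(f"{dll}: {', '.join(funcs)}")
```

On a real file, `parse_imports(open(path, "rb").read())` lists only what the binary links statically; a DLL fetched through LoadLibrary at run time, the pattern noted for MSVCRT.DLL above, only shows up in the dynamic trace, which is why both views are worth keeping side by side.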
Process and Services Activity:

Dynamic Analysis: Advanced

Running the SManager .exe on any.run, we get these results.
In the image the C2 connections can be seen, along with the process graph of the dynamic execution.

IOCs:

C2 Server:

IPs communicating with the .exe:

Thanks for reading.

Article Link: https://medium.com/@0xthreatintel/reversing-apt-tool-smanager-971605587e9c?source=rss-a15183055fd6------2