Kevin Johnson’s Security Blog

BlackMatter Ransomware Analysis

2025-09-09T00:00:00+10:00

BlackMatter Ransomware Analysis

Overview
Configuration security and extraction
- Main configuration automated extraction
- Other encrypted and encoded items
Sample Functionality

Overview

This is my analysis of a BlackMatter sample I pulled from MalwareBazaar which focuses on the malware’s configuration, some of its functionality and how I approached analysing it.

SHA256: 374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368

First Seen In The Wild: 2025-08-13 07:05:26 UTC

Loaded Files Sha256:

63c8efca0f52ebea1b3b2305e17580402f797a90611b3507fab6fffa7f700383
d641ad955ef4cff5f0239072b3990d47e17b9840e07fd5feea93c372147313c5
185f6d6bf0ddcd39f253413f28c0d12f46a82e663bdf6287cb73a362a33c91e7

All scripts I utilised during my analysis are available on my Github here.

Configuration security and extraction

Main configuration automated extraction

The main configuration is encrypted with a custom stream cipher and also compressed using Aplib. Some parts of the configuration are still encrypted or encoded even after this, and they are decrypted on the fly instead of all at once.

The custom decryptor uses the key as a seed for a PRNG (deterministic) function that produces 8 bytes of a keystream at a time. Once the keystream is used up, the resulting subkeys are fed back into the PRNG function. A portion of this PRNG function is inside shellcode that the file loads, presumably to hide the constants it uses.

In addition to decrypting the main configuration, this was frequently used for decryption of other pieces of data.

For the extractor I decided to just copy out the assembly code and assemble/compile it as a DLL so I could call from Python. It was sort of annoying to emulate it with Unicorn given that the PRNG generator was in shellcode and also this allowed me to patch the assembly slightly. The key was actually embedded as a global within the encryption function, however I patched it so that it could be passed in as an argument to the function, thus allowing the decryptor to be much more modular for different samples.

You can use the Create ASM file utility from IDA to do this. You just need to modify the assembly so that the syntax matches the assembler you use - I used FASM

As the DLL function is made with raw assembly Python aficionados might notice how odd it looks to utilise an immutable type (bytes) in what appears to be a pass by reference, as Python will typically do a copy on modification with immutable objects and its ‘pass by assignment’ model. Here is an amusing test I did.

The configuration is then Aplib decompressed, so I grabbed a decompression routine from here - Credit snemes

Following this the configuration flags used by the sample will be resolved, however some parts are still base64 encoded. It stores an array of index values, which are used to index into the configuration which references the base64 strings.

For the automated extraction of the configuration I relied on the fact that there was a ‘.pdata’ section with the layout.

struct config{
BYTE key[8]
DWORD size
BYTE encBuffer[]
}

I made the following C struct for an approximation of the configuration.

struct struct_425120
{
  char rsa_pub key[128]
  char something_with_c2 something[32]
  char unk0_conf_flag;
  char replace_with_random_file_name_conf_flag;
  char find_domain_admins_conf_flag;
  char skip_hidden_files_conf_flag;
  char check_Russian_language_conf_flag;
  char encrypt_local_files_conf_flag;
  char encrypt_network_shares_conf_flag;
  char kills_processes_within_config_hashes_conf_flag;
  char kill_services_within_service_hashes_conf_flag;
  char check_run_once_mutex_conf_flag;
  char print_ransom_note_on_printer_conf_flag;
  char set_ransom_wallpaper_conf_flag;
  char set_default_icon_conf_flag;
  char contact_c2_conf_flag;
  char load_worker_for_secure_erase_conf__flag;
  char delete_services_inline_hashes_conf_flag;
  char load_worker_overwrite_all_data_on_disk_conf_flag;
  char try_lateral_movement_via_network_shares_conf_flag;
  char try_lateral_movement_via_GPO_conf_flag;
  char push_GPO_updates_immediately_conf_flag;
  char load_worker_shutdown_system_conf_flag;
  char disable_delete_logging_conf_flag;
  char *b64_decoded_hash_whitelisted_directories;
  char *b64_decoded_hash_whitelisted_filename;
  char *b64_decoded_hash_whitelisted_file_extensions;
  char *b64_decoded_hashed_computer_names;
  wchar_t *b64_decoded_processes_to_kill_string_list;
  char *b64_services_strings;
  char *b64_c2_domains_53;
  char *b64_decoded_default_credentials_for_brute_force_54;
  char *b64_decoded_ransom_note_54;
};

main class of extractor

import ctypes
import struct
import os
import base64

import pefile
from . import aplib

class BlackMatterDecryptor():
    """
    Decryptor and parser for BlackMatter ransomware samples.

    Usage:

    1. Automatic key & config extraction:
       - The first 8 bytes of the pdata section are used as the key.
       - The bytes following that are used as the config data.
       - Simply call `decrypt_config()` then `extract_all()` after creating an instance.

    2. Manual key & config supply:
       - Pass `key` and `config_va` in the constructor if the config is stored differently.
       - Then call `decrypt_config()`.

    3. Accessing only the custom decryptor:
       - Pass in a key value set the `config_va` argument to 0, to use `cust_decrypt_wrapper()` or `cust_decrypt()` directly.
       - You can also attempt to extract the key and config VA via `extract_from_section_at()`.
    """
    def __init__(self, sampleFpathAbsolute: str, key:bytes = None, config_va: int =None):
        self.pe = pefile.PE(sampleFpathAbsolute)

        self.data = self.pe.__data__
        
        try:
            self.key = key if key is not None else self.extract_key()
        except LookupError:
            self.key = None
            print("Warning: Could not automatically extract the key.\nPlease provide it manually to use decryption functions.\nOther functionality is still available.")

        if config_va is None:
            self.config_va = self.get_segment_va(b'.pdata') + 12
        else:
            self.config_va = config_va

        self.decrypted_main_config = None
        self.b64_decoded = None
        self.conflig_flags = None

        #char *enc[in, out - encrypts in place] , int32 size_in_bytes, char* key_buffer
        #in the actual assembly, the keybuffer is hardcoded into the function, I modified it a bit so you could pass it in as an argument
        script_dir = os.path.dirname(os.path.realpath(__file__))
        dll_path = os.path.join(script_dir, "decrypt.dll")
        bmatter_decrypt = ctypes.WinDLL(dll_path)
        self.decryptor = bmatter_decrypt.bmatter_decrypt

    def extract_key(self, segment_name_with_config: bytes = b'.pdata'):
        va = self.get_segment_va(segment_name_with_config)
        return self.get_bytes_at(va, 8)

    def get_bytes_at(self, va: int, size: int):
        rva = va - self.pe.OPTIONAL_HEADER.ImageBase
        file_offset = self.pe.get_offset_from_rva(rva)
    
        return self.data[file_offset:file_offset + size]

    def cust_decrypt(self, enc_buffer: bytes, size: int):
        self.decryptor(enc_buffer, size, self.key)
        decrypted = enc_buffer

        return decrypted
    
    def extract_from_section_at(self, segment_name: bytes):
        self.config_va = self.get_segment_va(segment_name) + 12
        self.key = self.extract_key(self, segment_name)

    def get_segment_va(self, name: bytes):
        va = None

        for section in self.pe.sections:
            if section.Name.strip(b'\x00') == name:
                va = self.pe.OPTIONAL_HEADER.ImageBase + section.VirtualAddress
                break
        if va:
            return va
        else:
            error_message = f"{name} segment not found in the PE file"
            for section in self.pe.sections:
                if name in section.Name.strip(b'\x00'):
                    error_message += f"\nDid you mean {section.Name.strip(b'\x00')}?"
            raise LookupError(error_message)
        
    def cust_decrypt_wrapper(self, address_of_encrypted: int):
        """
        This is for when the sample uses the wrapper function for its custom decryptor. It passes the encrypted buffer as an offset, and the prior dword is the size.
        The adress should be the encrypted buffer address, not the address where the size is stored, as that is how it's called within the sample
        """
        size = struct.unpack("", self.get_bytes_at(address_of_encrypted - 4, 4))[0]
        enc_buffer = self.get_bytes_at(address_of_encrypted, size)
        return self.cust_decrypt(enc_buffer, size)

    def decrypt_config(self):
        """
        The sample I was analyzing stored it's config in a segment called b'.pdata', with specific offsets for the keys, sizes and config data. Will need to adjust the default args if it does not do this.
        """
        if not self.config_va:
            print("Must apply the config_va attribute!")
            return
        self.decrypted_main_config = aplib.aplib_decompress(self.cust_decrypt_wrapper(self.config_va))
        return self.decrypted_main_config
    
    def extract_public_rsa(self):
        if not self.config_va:
            print("Must apply the config_va attribute!")
            return
        self.rsa = {"RSA Public" : self.decrypted_main_config[:128].hex()}
        return self.rsa


    def extract_config_flags(self) -> dict:
        if self.decrypted_main_config is None:
            print("Configuration must be decrypted first")
            return None
        #config_flags_offset = 160
        config_flags = {
            'unk1' : self.decrypted_main_config[160],
            'Replace with random file name' : self.decrypted_main_config[161],
            'Find Domain Admins' : self.decrypted_main_config[162],
            'Skip hidden files' : self.decrypted_main_config[163],
            'Check for Russian Keyboard Layout' : self.decrypted_main_config[164],
            'Encrypt local files' : self.decrypted_main_config[165],
            'Encrypt network shares' : self.decrypted_main_config[166],
            'Kill processes within config process hashes' : self.decrypted_main_config[167],
            'Kill services within config services hashes' : self.decrypted_main_config[168],
            'Load worker executable for secure self erase' : self.decrypted_main_config[169],
            'Deploy ransom notes on printer' : self.decrypted_main_config[170],
            'Create ransom wallpaper' : self.decrypted_main_config[171],
            'Set BlackMatter default icon' : self.decrypted_main_config[172],
            'Contact C2' : self.decrypted_main_config[173],
            'Load worker executable for secure self erase' : self.decrypted_main_config[174],
            'Kill services from inline hashes' : self.decrypted_main_config[175],
            'Load worker to overwrite all data on disk' : self.decrypted_main_config[176],
            'Try lateral movement via network shares' : self.decrypted_main_config[177],
            'Try lateral movement via GPO' : self.decrypted_main_config[178],
            'Push GPO updates immediately' : self.decrypted_main_config[179],
            'Load worker to shutdown system' : self.decrypted_main_config[180],
            'Disable and delete event logs' :  self.decrypted_main_config[181],
            'unk8' : self.decrypted_main_config[182],
            }
        self.conflig_flags = config_flags
        return config_flags


    def decode_base64_strings(self) -> dict:
        """
        Returns the dword offset from the decrypted configuration that referenced the base 64 string and the base64 string in a list of tuples.
        """
        if self.decrypted_main_config is None:
            print("Configuration must be decrypted first")
            return None
        b64_conf_start = 184
        array_of_b64_str_idx_size = 10
        
        configDwordOffset_b64Decoded = []
        for b64_idx in range(b64_conf_start, (b64_conf_start+array_of_b64_str_idx_size*4), 4):
            offset = struct.unpack("", self.decrypted_main_config[b64_idx:b64_idx+4])[0]
            if offset:
                offset += 184 # The indexes are at config base + 184
                decoded_b64 = base64.b64decode(self.decrypted_main_config[offset:])
                configDwordOffset_b64Decoded.append(decoded_b64)
            else:
                configDwordOffset_b64Decoded.append(0)


        # whitelisted directory hashes
        if configDwordOffset_b64Decoded[0]:
            configDwordOffset_b64Decoded[0] = [hex(item) for item in self._raw_hashlist_to_hashes(configDwordOffset_b64Decoded[0])]

        #whitelisted filename hashes
        if configDwordOffset_b64Decoded[1]:
            configDwordOffset_b64Decoded[1] = [hex(item) for item in self._raw_hashlist_to_hashes(configDwordOffset_b64Decoded[1])]

        #whitelisted file extension hashes
        if configDwordOffset_b64Decoded[2]:
            configDwordOffset_b64Decoded[2] = [hex(item) for item in self._raw_hashlist_to_hashes(configDwordOffset_b64Decoded[2])]

        # computers whitelisted from rebooting in safemode
        if configDwordOffset_b64Decoded[3]:
            configDwordOffset_b64Decoded[3] = [hex(item) for item in self._raw_hashlist_to_hashes(configDwordOffset_b64Decoded[3])]


        # I don't know what 4 is, the array element didn't exist in the sample I looked at.

        # processes to kill
        if configDwordOffset_b64Decoded[5]:
            configDwordOffset_b64Decoded[5] = self._extract_unicode(configDwordOffset_b64Decoded[5])
   
        if configDwordOffset_b64Decoded[6]:
            configDwordOffset_b64Decoded[6] = self._extract_unicode(configDwordOffset_b64Decoded[6])

        # C2 domains
        if configDwordOffset_b64Decoded[7]:
            configDwordOffset_b64Decoded[7] = "Extraction method unknown for this element"


        # Credentials for brute force
        if configDwordOffset_b64Decoded[8]:
            configDwordOffset_b64Decoded[8] = self.cust_decrypt(configDwordOffset_b64Decoded[8], len(configDwordOffset_b64Decoded[8])).decode('utf-16')

        
        # ransom note
        if configDwordOffset_b64Decoded[9]:
            configDwordOffset_b64Decoded[9] = self.cust_decrypt(configDwordOffset_b64Decoded[9], len(configDwordOffset_b64Decoded[9])).decode()

        not_present_string = "Not present in sample"

        configDwordOffset_b64Decoded = [item if item else not_present_string for item in configDwordOffset_b64Decoded]
    
        decoded = {'Hashes of whitelisted directories': configDwordOffset_b64Decoded[0],
                   'Hashes of whitelisted files' : configDwordOffset_b64Decoded[1],
                   'Hashes of whitelisted file extensions' : configDwordOffset_b64Decoded[2],
                   'Hashes of computer names to not reboot in Safe Mode' : configDwordOffset_b64Decoded[3],
                   'Processes to kill' : configDwordOffset_b64Decoded[5],
                   'Services to kill' : configDwordOffset_b64Decoded[6],
                   'C2 Domains' : configDwordOffset_b64Decoded[7],
                   'Credentials for brute force' : configDwordOffset_b64Decoded[8],
                   'Ransom Note' : configDwordOffset_b64Decoded[9]
                   }

        self.b64_decoded = decoded        
        return decoded    

    
    def extract_all(self):
        if not self.b64_decoded:
            self.decode_base64_strings()
        if not self.conflig_flags:
            self.extract_config_flags()
        if not self.extract_public_rsa():
            self.extract_public_rsa()
        self.extracted_all = self.rsa | self.conflig_flags | self.b64_decoded
        return self.extracted_all
        


    def _raw_hashlist_to_hashes(self, hashlist: bytes) -> list[int]:
        hashes = [hashlist[i:i+4] for i in range(0, len(hashlist), 4)]
        hashes = [struct.unpack("", hash)[0] for hash in hashes]
        hashes = [hash for hash in hashes if hash]
        return hashes
    
    def _extract_unicode(self, data: bytes) -> list[str]:
        chunks = []
        current = []
        for i in range(0, len(data), 2):  # UTF-16 uses 2 bytes per char
            try:
                char = data[i:i+2].decode('utf-16')
                current.append(char)
            except UnicodeDecodeError:
                if current:
                    chunks.append(''.join(current))
                    current = []

        if current:
            chunks.append(''.join(current))
        strings_list = [s for s in chunks[0].split('\x00') if s]
        return strings_list

output

{
    "RSA Public": "2f536b62fcda35a2a22a8ed1d6b8baff81a37a32abd39e0af2301024fd6e1ad116ddb3925bfbe7482a340dd2ed2edd7e62e00f6e17f38dd6a3e3fddf81695b7ecaba1cf5d0c4a3595a94ac395ed7ed87fb107670df1a8c2d32663c18a39b89cbf309599ac104a816d680845bb2d1f1df789310c65c15d5b49d7eec3d03386d61",
    "unk1": 1,
    "Replace with random file name": 0,
    "Find Domain Admins": 1,
    "Skip hidden files": 0,
    "Check for Russian Keyboard Layout": 0,
    "Encrypt local files": 1,
    "Encrypt network shares": 1,
    "Kill processes within config process hashes": 1,
    "Kill services within config services hashes": 1,
    "Load worker executable for secure self erase": 1,
    "Deploy ransom notes on printer": 1,
    "Create ransom wallpaper": 1,
    "Set BlackMatter default icon": 1,
    "Contact C2": 0,
    "Kill services from inline hashes": 1,
    "Load worker to overwrite all data on disk": 0,
    "Try lateral movement via network shares": 0,
    "Try lateral movement via GPO": 1,
    "Push GPO updates immediately": 1,
    "Load worker to shutdown system": 0,
    "Disable and delete event logs": 1,
    "unk8": 1,
    "Hashes of whitelisted directories": [
        "0x30a212d",
        "0x8cf281cd",
        "0x267078f5",
        "0x26687e35",
        "0xe3426cd7",
        "0xe1a63bc0",
        "0x36004e4e",
        "0xab086595",
        "0x2e75e394",
        "0xae018eae",
        "0x4c4b25d4",
        "0x7f07935",
        "0x6b66f975",
        "0xb7ea3892",
        "0x5366e694",
        "0xcd1b589b",
        "0x5cde3a7b",
        "0xba22623b",
        "0xef3a37b3",
        "0xcc72be18",
        "0x86ccaa15",
        "0x3907099b",
        "0xf00cae96",
        "0xfcc8ab56",
        "0x82d2a252",
        "0x846bec00",
        "0xdb975937",
        "0xc23aa6f5",
        "0x85aa57e4",
        "0xcbe2aa35",
        "0xc8cef7d1",
        "0x6b6b1a7",
        "0xb0cad2f3"
    ],
    "Hashes of whitelisted files": [
        "0x86ccaa15",
        "0x3907099b",
        "0xf00cae96",
        "0xfcc8ab56",
        "0x82d2a252",
        "0x846bec00",
        "0xdb975937",
        "0xc23aa6f5",
        "0x85aa57e4",
        "0xcbe2aa35",
        "0xc8cef7d1",
        "0x6b6b1a7",
        "0xb0cad2f3"
    ],
    "Hashes of whitelisted file extensions": [
        "0x67b00e00",
        "0xc5b01900",
        "0xc5481b80",
        "0xc7a01840",
        "0xc7701a40",
        "0xc9101840",
        "0xc9201b40",
        "0xc9681bc0",
        "0xc9601c00",
        "0xc9901d40",
        "0xa1fccbfe",
        "0x4aba94f1",
        "0x4ae29631",
        "0x64e29771",
        "0xcb601b00",
        "0xcbb01c80",
        "0xcd281e00",
        "0xd3801b00",
        "0xd56018c0",
        "0xc99eab80",
        "0xd57818c0",
        "0xd59818c0",
        "0xd5c01900",
        "0xdb301900",
        "0xdb581b80",
        "0xdd201bc0",
        "0xdd081c00",
        "0xdd181cc0",
        "0xdd801cc0",
        "0x4a6bb7db",
        "0xdda81cc0",
        "0xdf981b00",
        "0x4cca7837",
        "0xe1c018c0",
        "0xe3301c80",
        "0xe1881cc0",
        "0xe7681bc0",
        "0xe7801d00",
        "0xe99018c0",
        "0xe9981a00",
        "0xe9601c00",
        "0xe9981e40",
        "0xcd2e9b7a",
        "0xaf16c593",
        "0xf1c01c00",
        "0xe15ed8c0",
        "0xd9c81940",
        "0xd3081d00",
        "0xdd481cc0",
        "0xe3101900",
        "0x446a3f92"
    ],
    "Hashes of computer names to not reboot in Safe Mode": [
        "0xe3a72c79"
    ],
    "Processes to kill": [
        "sql",
        "oracle",
        "ocssd",
        "dbsnmp",
        "synctime",
        "agntsvc",
        "isqlplussvc",
        "xfssvccon",
        "mydesktopservice",
        "ocautoupds",
        "encsvc",
        "firefox",
        "tbirdconfig",
        "mydesktopqos",
        "ocomm",
        "dbeng50",
        "sqbcoreservice",
        "excel",
        "infopath",
        "msaccess",
        "mspub",
        "onenote",
        "outlook",
        "powerpnt",
        "steam",
        "thebat",
        "thunderbird",
        "visio",
        "winword",
        "wordpad",
        "notepad",
        "calc",
        "wuauclt",
        "onedrive"
    ],
    "Services to kill": [
        "vss",
        "sql",
        "svc$",
        "memtas",
        "mepocs",
        "msexchange",
        "sophos",
        "veeam",
        "backup",
        "GxVss",
        "GxBlr",
        "GxFWD",
        "GxCVD",
        "GxCIMgr"
    ],
    "C2 Domains": "Not present in sample",
    "Credentials for brute force": "ad.lab:Qwerty!\u0000Administrator:123QWEqwe!@#\u0000Admin2:P@ssw0rd\u0000Administrator:P@ssw0rd\u0000Administrator:Qwerty!\u0000Administrator:123QWEqwe\u0000Administrator:123QWEqweqwe\u0000\u0000",
    "Ransom Note": "\r\nPersonal ID : [redacted]\r\n\r\n-----> Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\n\r\n-----> What guarantees are that we won't fool you?\r\nWe are not a politically motivated group and we want nothing more than money.\r\nIf you pay, we will provide you with decryption software and destroy the stolen data.\r\nAfter you pay the ransom, you will quickly restore your systems and make even more money.\r\nTreat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.\r\nOur pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.\r\nIf we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.\r\n\r\n-----> You need to contact us via TOX or email\r\n\r\nTOX_ID: [redacted]\r\nYou can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. \r\n\tUsing Tox messenger, we will never know your real name, it means your privacy is guaranteed.\r\n\t\r\nemail: recovery_systems@mailum.com\r\n\r\nWrite to chat your personal ID (on 
the top of message)\r\n\r\n-----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!\r\n-----> Don't go to the police or the FBI for help. They won't help you.\r\nThe police will try to prohibit you from paying the ransom in any way.\r\nThe first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.\r\nThis is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.\r\nPaying the ransom to us is 
much cheaper and more profitable than paying fines and legal fees.\r\nThe police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.\r\nIf you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.\r\nThe police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.\r\nThe police and FBI won't protect you from repeated attacks. \r\n\r\n-----> For those who have cyber insurance against ransomware attacks.\r\nInsurance companies require you to keep your insurance information secret.\r\nIn most cases, we find this information and download it."
}

Running the hashes through Hashdb produced the following:

Whitelisted directories

$recycle.bin
config.msi
$windows.~bt
$windows.~ws
windows
boot
program files (x86)
programdata
system volume information
tor browser
windows.old
intel
msocache
perflogs
x64dbg
public
default
microsoft

Whitelisted files

autorun.inf
boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
d3d9caps.dat

Whitelisted extensions

386
adv
ani
bat
bin
cab
cmd
com
cpl
cur
deskthemepack
diagcab
diagcfg
diagpkg
dll
drv
exe
hlp
icl
icns
ico
ics
idx
ldf
lnk
mod
mpa
msc
msp
msstyles
ns5
nls
nomedia
ocx
prf
ps1
rom
rtp
tc2
th3
spl
sys
theme
themepack
wpx
lock
key
hta
msi
pdb
search-ms

Other encrypted and encoded items

The sample also utilised stack strings that were passed into a central function and xor’ed and not’ed.

I made a script with the new IDA domain API for this.

import ida_domain
import struct
import string

db = ida_domain.Database()

def extract_utf(data: bytes) -> str:
    try:
        decoded = data.decode('utf-8')
    except UnicodeDecodeError:
        try:
            decoded = data.decode('utf-16')
        except UnicodeDecodeError:
            return None
    if all(c for c in string.printable):  # All printable ASCII
        decoded = "".join(c for c in decoded if 32 <= ord(c) <= 126)
        return decoded
    else: 
        return None
        
def transform(data: list[int], xor_key) -> list[int]:
    # data is a list of 32-bit integers
    result = []
    for value in data:
        value ^= xor_key  & 0xFFFFFFFF # XOR
        value = ~value & 0xFFFFFFFF  # Bitwise NOT, keep 32-bit
        result.append(value)
    return result

def get_callers(func_ea):
    return [caller.frm for caller in db.xrefs.get_calls_to(func_ea)]

def get_stack_string(caller):
    size_address = db.heads.get_prev(db.heads.get_prev(caller))
    size_insn = db.instructions.get_at(size_address)
    size = db.instructions.get_operand(size_insn, 0)
    size = size.get_value()
    
    dwords = []
    cur_address = size_address
    try:
        i = 0
        while i < size:
            i += 1
            cur_address = db.heads.get_prev(cur_address)
            dword_insn = db.instructions.get_at(cur_address)
            if db.instructions.get_mnemonic(dword_insn) != "mov":
                i -= 1
                continue
            dword = db.instructions.get_operand(dword_insn, 1)
            dword = (dword.get_value() & 0xffffffff)
            dwords.append(dword)
            #print(hex(dword))
        #print(hex(size_address))
    except (AttributeError, TypeError):
        print(f"Unresolved Stack string at {hex(size_address)}")
        return None
    
    return dwords

def resolve_stack_strings(caller, xor_key):
        if dwords := get_stack_string(caller):
            transformed = transform(dwords, xor_key)
            stack_string = b''.join(struct.pack(">I", dword) for dword in transformed)
            stack_string = stack_string[::-1]
            if resolved := extract_utf(stack_string):
                return resolved
            else:
                return str(stack_string)

def main():
    callers = get_callers(0x401250)
    for caller in callers:
        resolved = resolve_stack_strings(caller, 0x4803BFC7)
        db.comments.set(caller, resolved)
        #print(resolved)
    
main()

And the custom decryptor as well as Aplib was frequently used for other data, so similar to above I just got x-refs with IDA and resolved them.

from blackmatterdecryptor import BlackMatterDecryptor
from blackmatterdecryptor import aplib
import pickle
import string

callers = [4305144, 4305882, 4335988, 4307122, 4307484, 4312960, 4335632, 4312714, 4313456, 4313660, 4327551, 4334552, 4327531, 4327551, 4327691, 4327803, 4327837, 4335241, 4327913, 4328116, 4328220, 4328116, 4335988, 4328248, 4333426, 4334552, 4334552, 4334552, 4335241, 4335632, 4335988, 4337037, 4336487, 4337743]

fpath = r"C:\Users\Kevin\Desktop\Samples\Blackmatter\374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368\374f9df39b92ccccae8a9b747e606aebe0ddaf117f8f6450052efb5160c99368.bin"


def write_pickle(data):
    with open("decrypted_addr.pkl", "wb") as f:
        pickle.dump(data, f)


def extract_utf(data: bytes) -> str:
    try:
        decoded = data.decode('utf-8')
    except UnicodeDecodeError:
        try:
            decoded = data.decode('utf-16')
        except UnicodeDecodeError:
            return None
    if all(c for c in string.printable):  # All printable ASCII
        decoded = "".join(c for c in decoded if 32 <= ord(c) <= 126)
        return decoded
    else: 
        return None

def main():
    bm = BlackMatterDecryptor(fpath)
    bm.decrypt_config()

    decrypted_list = [bm.cust_decrypt_wrapper(caller) for caller in callers]

    extracted_all = []
    addr_decrypted = zip(callers, decrypted_list, strict=True)

    for addr, dec in addr_decrypted:
        if extracted_utf := extract_utf(dec):
            extracted_all.append((addr, extracted_utf))
            continue
        
        decompressed = aplib.aplib_decompress(dec)
        if decompressed_utf := extract_utf(decompressed):
            extracted_all.append((addr, decompressed_utf))
    

    seen = set()
    extracted_unique = []
    for addr, val in extracted_all:
        if val not in seen:
            seen.add(val)
            extracted_unique.append((addr, val))
    return extracted_unique

data = main()
for i in data:
    print({i[1]})
    #write_pickle(data)

This is a set of the strings I extracted from the sample.

LDAP://CN=Computers,
Policy\Status
LDAP://CN=%s,CN=Policies,CN=System,DC=%s,DC=%s
office
Mailbox
AUTHORITY\SYSTEM
-psex
SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
NT\CurrentVersion
NetworkShares.xml
Consolas
.bmp
ChannelAccess
%s
New
WallPaper
dllhost.exe
Registry.pol
WallpaperStyle
Panel\International
ADMIN$
displayName
%TempDir%
sLanguage
FROM
\\%s\
Panel\Desktop
WQL
%04d-%02d-%02d
%s=%s
distinguishedName
-k
LocaleName
SELECT
2621892
-gspd
%02X
*
Software\Microsoft\Windows\CurrentVersion\Group
Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
LDAP://%s/DC=%s,DC=%s
LDAP://CN=Policies,CN=System,%s
-wall
\\.\pipe\{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Win32_ShadowCopy.ID='%s'
SOFTWARE\Microsoft\Windows
LDAP://rootDSE
-safe
Times
%.8x%.8x%.8x%.8x%
Program
\*.dll
LocalServiceNetworkRestrictedd
Enabled
%s.README.txt
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
gPCMachineExtensionNames
hScreen
Global\%.8x%.8x%.8x%.8x
drv
WinSta0\Default
dNSHostName
\\%s.%s\
GPT.INI
[General]Version=%sdisplayName=%s
NT
Files
\\.\pipe\%s
Services.xml
Preferences
%sADMIN$\Temp
LDAP://DC=%s,DC=%s
SYSTEM\CurrentControlSet\Services\EventLog
%u.%u
__ProviderArchitecture
\\%s\sysvol\%s\scripts\
ID
-pass
LocalServiceNetworkRestricted
POST
EventLog
{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Control
SOFTWARE\%s
comment.cmtx
LDAP://%s
IPC$
%02d:%02d:%02d
versionNumber
-gdel
WINSPOOL
Z:\
%sADMIN$\Temp\%s.exe
ExchangeInstallPath
Win32_ShadowCopy
ROOT\CIMV2
%spipe\%s
Roman
%s_IPC$
onenote
ProductName
gPCUserExtensionNames
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
ScheduledTasks
Files.xml
SystemRoot%%\Temp\%s.exe
%%SystemRoot%%\Temp\%s.exe
defaultNamingContext
                               LockBit BlackAll your important files are stolen and encrypted!    You must find %s file                    and follow the instruction!
H
        
LockBit Black RansomwareYour data are stolen and encryptedThe data will be published on TOR websitehttp://[redacted].onionand http://lockbitapt.uz if you do not pay the ransomYou can contact us and decrypt one file for free on these TOR siteshttp://[redacted].onionhttp://[redacted].onionhttp://lockbitsupp.uzDecryption ID: %s
{"disk_name":"%s","disk_size":"%u","free_size":"%u"}
                                    
"host_hostname":"%s","host_user":"%s","host_os":"%s","host_domain":"%s","host_arch":"%s","host_lang":"%s",%s
Accept: */*Connection: keep-aliveAccept-Encoding: gzip, deflate, brContent-Type: text/plain
{"bot_version":"%s","bot_id":"%s","bot_company":"%.8x%.8x%.8x%.8x%",%s}
SOFTWARE\Policies\Microsoft\Windows\OOBE
%s%sInteractiveTokenHighestAvailablePT10MPT1HfalsefalseIgnoreNewfalsefalsetruetruetruefalseP3D7true%s%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoAdminLogon
DefaultUserName
PReg[SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTimeDC;;;][SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTimeOffsetDC;;;][SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTime;;;][SOFTWARE\Policies\Microsoft\Windows\System;GroupPolicyRefreshTimeOffset;;;][SOFTWARE\Policies\Microsoft\Windows\System;EnableSmartScreen;;;][SOFTWARE\Policies\Microsoft\Windows\System;**del.ShellSmartScreenLevel;;; ][SOFTWARE\Policies\Microsoft\Windows Defender;DisableAntiSpyware;;;][SOFTWARE\Policies\Microsoft\Windows Defender;DisableRoutinelyTakingAction;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableBehaviorMonitoring;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent;;;][SOFTWARE\Policies\Microsoft\Windows Defender\Spynet;SpynetReporting;;;][SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile;EnableFirewall;;;][SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile;EnableFirewall;;;]
DefaultPassword
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
%s -pass %s
powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
[{00000000-0000-0000-0000-000000000000}{BFCBBEB0-9DF4-4C0C-A728-434EA66A0373}{CC5746A9-9B74-4BE5-AE2E-64379C86E0E4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{6A4C88C6-C502-4F74-8F60-2CB23EDC24E2}{BFCBBEB0-9DF4-4C0C-A728-434EA66A0373}][{91FBB303-0CD5-4055-BF42-E512A681B325}{CC5746A9-9B74-4BE5-AE2E-64379C86E0E4}]
[{00000000-0000-0000-0000-000000000000}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]

Sample Functionality

The sample neatly organizes its functions into three main sections:

1. API Resolution

To load in the libraries it wanted it enumerated the system 32 folder for all DLLs and hashed their names. This allowed it to only store DLL hashes instead of having to include any strings.

It also utilised KUSER_SHARED_DATA to retrieve the System32 path which I thought was novel.

For the API resolution the sample did a fairly standard PEB walk. It did use mixed boolean arithmetic to try and conceal constants, however I barely even noticed it as the decompiler folded it away.

I noticed the sample frequently used a custom ABI which was causing IDA to have undefined variables. The ABI had no volatile registers beyond eax.

Can see edx’s value being saved, although IDA has identified this as std_call in which edx is volatile. Specifying the function signature __spoils cleaned up the decompilation a lot.

What was highly interesting was how it attempts to conceal the addresses of the resolved APIs. Once an address was resolved, instead of storing the address directly, it would be encrypted with 1 of 5 randomly chosen functions, and code would be injected that resolved the address. The key used for decryption was injected directly as an operand. Thus calls would have to go through this injected code.

This union of structs I generated shows the code generation in action.

#pragma pack(push, 1)
struct bmatter_xor_rot {
    BYTE mov_opcode;
    DWORD api_addr_modified;
    WORD r_left_or_right_opcode;
    BYTE rotate_amount;
    BYTE xor_opcode;
    DWORD xor_key;
    WORD jmp_eax;
};
#pragma pack(pop)

#pragma pack(push, 1)
struct bmatter_rot {
    BYTE none;
    DWORD api_addr_modified;
    WORD r_left_or_right_opcode;
    BYTE rotate_amount;
    WORD jmp_eax;
};
#pragma pack(pop)

#pragma pack(push, 1)
struct bmatter_IAT_xor {
    BYTE none;
    DWORD api_addr_modified;
    BYTE xor_opcode;
    DWORD xor_key;
    WORD jmp_eax;
};
#pragma pack(pop)

union bmatter_IAT {
    struct bmatter_xor_rot *xor_rot;
    struct bmatter_rot *rot;
    struct bmatter_xor *xor;
};

How the code looks disassembled after generation

It also loaded some shellcode for its custom encryption function and utilised the same address encryption to conceal its address.

However it is still quite easy to resolve it statically, but would make resolving these addresses within a debugger or dynamically complicated.

EA_HASH_ARG_START = 0x004063ED
EA_HASH_ARG_END = 0x00406524
STEP_BETWEEN_ARGS = 17
XOR_KEY = 0x4803BFC7
ALGORITHM = 'ror13_add'
API_HASH_LIST_END_MARKER = 0xCCCCCCCC
from ida_domain import *
import idaapi
import requests
import time
db = Database()
def get_func_operands(arg_start, arg_end, step_between_args):
    insn_ea = list(range(arg_start, arg_end, step_between_args))
    operands = [idaapi.get_dword(operand + 1) for operand in insn_ea] #+1 negates the push instruction, just retrieves the operand
    return operands

def bmatter_retrieve_hashes(ea_hash_arg_start, ea_hash_arg_end)->tuple[list[int], list[list]]:
    # retrieving addresses of code that push a hash struct to the function
    operands = get_func_operands(ea_hash_arg_start, ea_hash_arg_end, STEP_BETWEEN_ARGS)
    dll_hashes = [idaapi.get_dword(dll_hash) for dll_hash in operands]
    dword = 4
    api_hashes = []
    for api_hashes_per_dll in operands:
        hashes_ea = api_hashes_per_dll + dword
        cur_dll_api_hashes = []
        while (api_hash := idaapi.get_dword(hashes_ea)) != API_HASH_LIST_END_MARKER:
            cur_dll_api_hashes.append(api_hash)
            hashes_ea += dword
        api_hashes.append(cur_dll_api_hashes)
    return dll_hashes, api_hashes   # first member is dll hash, second member is API hash
def resolve_api_hash(hash: int, algorithm: str = ALGORITHM, xor: int = None):
    if xor:
        xor = str(xor)
        hashdb_api = f'https://hashdb.openanalysis.net/hash/{algorithm}/{hash}/{xor}'
    else:
        hashdb_api = f'https://hashdb.openanalysis.net/hash/{algorithm}/{hash}'
    
        
    while True:
        response = requests.get(hashdb_api)
        if response.status_code == 429:
            print("Getting rate limited")
            time.sleep(60)
            continue
        else:
            data = response.json()
        
        hashes = data.get('hashes', [])
        if hashes:
            first_hash = hashes[0]
            string_data = first_hash.get('string')
            if string_data:
                string = string_data.get('string')
        return string
        
def retrieve_resolved_out_base(ea_out_arg_start, ea_out_arg_end):
    out_addrs = get_func_operands(ea_out_arg_start, ea_out_arg_end, STEP_BETWEEN_ARGS)
    out_addrs = [out+4 for out in out_addrs]
    return out_addrs

def main():
    _, api_hashes = bmatter_retrieve_hashes(EA_HASH_ARG_START, EA_HASH_ARG_END)
    resolved_out_base = retrieve_resolved_out_base(EA_HASH_ARG_START+5, EA_HASH_ARG_END+5) # out arg is pushed right after hashes, in a 5 byte instruction
    
    for apis_for_dll, hash_list in enumerate(api_hashes):
        for offset, hash in enumerate(hash_list):
            api_name = resolve_api_hash(hash, ALGORITHM, XOR_KEY)
            if api_name:
                db.names.force_name(resolved_out_base[apis_for_dll]+(offset*4), api_name)
                print(f'{api_name} at {hex(resolved_out_base[apis_for_dll]+offset*4)}')
            else:
                print(f"unable to resolve hash: {hex(hash)}, at {hex(resolved_out_base[apis_for_dll]+(offset*4))}")
if __name__ == "__main__":
    main()

2. Configuration Loading & Privilege Escalation

After the resolution of the APIs was complete it moved onto its next section, which I named load_config_elevate_privileges()

It loaded its config as I detailed here.

Then depending on the configuration flags present, performed a variety of functions to try and escalate privileges.

If it detected the primary token did not have admin privileges but belonged to the admin group it would execute a UAC bypass and restart Nice post about the technique here - https://medium.com/malware-bistro/cracking-the-code-privilege-escalation-tactics-used-by-lockbit3-0-d24b48337b35

It loops through an array of privilege constants to try and enable all privileges it has available. The privilege constants are supposedly a LUID type, which is local to a machine and should be retrieved via the API LookupPrivilegeValueA so interesting the constants are hardcoded

If it is not running under SYSTEM it attempts to duplicates explorer’s token.

Nothing too fancy

If it cannot duplicate explorer’s token but it is running under Admin it will try to steal the token of a privileged svchost instance. It loops through the _SYSTEM_PROCESS_INFORMATION entries until it finds a process Image that matches the hash of svchost.exe. If this instance is sufficiently privileged it breaks out of the loop.

If successful and if the svchost instance is 64 bit it will decrypt two shellcode payloads and store them in allocated memory. The first one is actually 64 bit code, which is intended to be injected into svchost to retrieve its token. In the buffer the main process write/patches in its own PID and target process handle (the one that is received from NtDuplicateObject) into the shellcode. These values be used by the shellcode as the argument for the TargetProcessHandle when it makes its call to NtDuplicateObject to duplicate the token. Then it will decrypt the second shellcode payload which is 32 bit, and patches in the address of the 64 bit shellcode. From there it will execute the 32 bit shellcode, which will utilise the provided address to locate the 64 bit shellcode and inject into the remote process (SvcHost).

The arguments will be patched into the shellcode here

This 64 bit shellcode duplicate SvcHosts process token.

Apis from the shellcode

If the svchost instance is 32 bit, 32 bit shellcode is directly injected into svchost and the main process’s PID and target handle is patched into it.

Patching occurring here

If the find_domain_admins_conf_flag flag is specified it will use the following default credentials to attempt to authenticate to an account.

ad.lab:Qwerty!
Administrator:123QWEqwe!@#
Admin2:P@ssw0rd
Administrator:P@ssw0rd
Administrator:Qwerty!
Administrator:123QWEqwe
Administrator:123QWEqweqwe

It will then decrypt a .ico file and write it to disk in the ProgramData folder.

It will then set it as the value for the DefaultIcon registry key.

image shown here

Finally it will initialise the encryption keys it will use.

A symmetric random key is generated locally and then a copy is made which is encrypted by the public RSA key. This is later appended to the files to allow for decryption to occur. Then the original version of the symmetric key gets encrypted via rtlEncryptMemory(), which is decrypted on the fly when it is needed for file encryption. This is to reduce the risk of it being exposed in memory. Regarding the the symmetric key algorithm it is apparently a custom ChaCha20 algorithm - Chuong Dong has a great post discussing it here during his analysis of a 2021 BlackMatter sample. After the randomly generated initial ChaCha matrix is produced the final random bytes of the matrix has arithmetic performed on it such that it produces a number within the size of the matrix. This randomly generated value acts as an index in which the first DWORD of the RSA key is inserted into.

logic reimplemented in Python

idx = 0x07F1CC1 # final 3 random bytes of matrix in little endian

edx = (idx * 0x8088405) & 0xffffffff
edx = (edx + 1) & 0xffffffff
edx = (edx * 120)# & 0xff00000000
edx = edx >> 32
print(hex(edx))

3. CLI Parsing & Dispatch

Finally, it will enter a function I have named parse_cli_and_dispatch()

The sample hashes its command line arguments and then enters different functions depending on the result. I ran my extracted strings through the hashing algorithm and found it can be be run with the following commandline arguments.

-path
-pass
-safe
-wall
-gspd
-psex
-gdel

There is one command line argument I did not manage to resolve.

-pass is meant to be supplied by a hands on keyboard operator. A Domain Administrators credentials should be passed as an argument. Due to the presence of this argument, whenever this sample laterally moves or restarts instances of itself, it always makes sure to make a copy of its command line arguments to pass to the new instances.

-psex is not provided by a commandline operator, rather it is determined by the configuration flags. If the configuration flag try_lateral_movement_via_network_shares_conf_flag is present and it manages to gain Domain Admin credentials (either via -pass or via the default credentials it attempted), it will restart an instance of itself with this commandline.

-gspd is similar however it is determined by the try_lateral_movement_via_GPO_conf_flag.

-wall is again determined by a configuration flag deploy_ransom_notes_on_printer_and_wallpaper_conf_flag and it will restart itself with this command to dispatch the associated functions for creating a wallpaper and enumerating printers.

-path is meant to be supplied by an operator to specify a directory to be encrypted I believe.

The sample will start new instances of itself with -safe if it detects it is being run outside of normal boot.

The function dispatched from the CLI argument I could not resolve leads to -gdel being passed the new instance.

If no command line argument is supplied it will generate a mutex name from hashing its public RSA key. If this has already been created by a prior instance it will either exit, or load and dispatch a child process to securely erase its current image from the disk. Otherwise it will create the mutex itself.

If no command line is supplied as mentioned it will start of by checking if it has managed to acquire any Domain Admin credentials and which configuration flags have been supplied.

Try lateral movement via network shares

First I will discuss the try_lateral_movement_via_network_shares_conf_flag case. It will restart itself with the commandline -psex (if it also managed to breach a Domain Admin). Once the new instance reaches the parse_cli_and_dispatch() function it will enter if_psex(). First it will create a named pipe derived from its public RSA key. Then it will enter psex_main().

It will then create a named pipe derived from its computer name. It also duplicates a handle to this pipe into explorer or LSASS which may be a trick to keep the handle from closing - https://f3real.github.io/duplicatehandle.html

Then it generate a list of the DnsHostName of all the Domain Controllers and computers in the domain.

It will generate the following strings.

With the acquired computer names it will check which devices it can connect to via the API WNetAddConnection2A() specifying the ADMIN$ share and IPC$ share of the target computer.

If this succeeds it will hash the computer names it has acquired to generate a hex string, which it uses as a fingerprint for a variety of strings. It will create the string {computer_name}ADMIN$\Temp and make this directory on the Admin shares of the enumerated computers. Then it will get its own image path and call CopyFileW() with {computer_name}\ADMIN$\Temp\{dcNameFingerprint}_IPC$.exe outlined as the target destination, effectively copying itself into the admin share of the enumerated computers.

It will then call CreateServiceW() with the binary path %%SystemRoot%%\Temp\{computer_name}_IPC$.exe -k LocalServiceNetworkRestricted [-pass {breached_creds}] to execute the copied instance.

Then it will create the name pipe {computer_name}\\pipe\{computer_name_fingerprint}_IPC$, and copy its own CLI into it. The newly infected computers will be able to retrieve this the named pipe is derived via a hash of their computer name. This is presumably to allow breached credentials to propagate to the newly infected computers.

The copied instances will register the retrieve_data_from_fingerprint_share_wrap() function as their service main, which just copies out the data/cli from the shared buffer.

Try lateral movement via GPO

If the try_lateral_movement_via_GPO_conf_flag flag is set and it has acquired Domain Admin credentials it will restart itself with the command line argument -gspd. Once the dispatching function is reached, it will start off by copying its command line into a named pipe derived from the public RSA key.

It will enumerate the Domains policies container for a DistinguishedName that matches something derived from its Public RSA key.

If it does not already exist, it will then retrieves the IID IGroupPolicyObject as well as the current domain name, then dispatches a variety of functions to create the group policy object and create policies for it.

I used the following powershell commands to enumerate the Windows SDK for the interface names associated with RIIDs C:\Program Files (x86)\Windows Kits\10\Include\10.0.22621.0\um> Select-String -Path *.h -Pattern [Pattern] -Context 5,5

It uses this to create new group policy object with the display name set as the global fingerprint, and links it to the current Domain.

It then associates attributes the group policy object. Googling the group policy IDs shows it relates to allowing administrative templates, files and scheduled tasks to run without restriction.

It basically does a bunch more stuff with initliasing the GPO object. It configures a services.xml which outlines to disable various services. Disabling these services prevents sensitive files from being locked when attempting to encrypt them.

It then copies itself into the domain controllers SYSVOL scripts directory. This is how it spreads to the other machines as it subsequently creates a scheduled task so that other computers download it from the SYSVOL path and execute it.

It then creates the configuration file {GpoSysPath}\Preferences\files.xml for the GPO object with the values

The format specifiers are filled out as such:

Which gets the victims to download the file from the infected DCs SYSVOL scripts directory, into their temp directory.

Then it finally creates the scheduled tasks configuration file {GpoSysPath}\Preferences\ScheduledTasks\ScheduledTasks.xml

So when the scheduled task is run it gets the victims to download the file into their temp directory and then run it as SYSTEM with a copy of the original CLI.

That fully completes the GPO object and now it just needs to be pushed to the victims.

If the push_GPO_updates_immediately_conf_flag flag is set it will run powershell with the command powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}. It will build the string to retrieve the Domains default naming context for the above command.

Otherwise it will just wait for policy to go out naturally.

It will then create the registering key Software\Microsoft\Windows\CurrentVersion\Group Policy\Status\{RSA_fingerprint} if it does not yet exist.

Then if a configuration flag is set it will use OpenDSGPO() and GetMachineName() with the GPO object.

With the retrieved name it will copy the following executable d641ad955ef4cff5f0239072b3990d47e17b9840e07fd5feea93c372147313c5 into the network share {machine_name}\ADMIN$\Temp\{machine_name_fingerprint_IPC$}.exe and start it as a service. It basically uses the same workflow as the lateral movement via network shares path to do this. This action will also be taken when the -gdel command line argument is specified. I’m not entirely sure about this section but I think this would be executed on the remote machines and this copies an executable which performs a secure deletion of the main image on the original device.

Loaded eraser executable

Sha256 from psuedo-unmapping it: 185f6d6bf0ddcd39f253413f28c0d12f46a82e663bdf6287cb73a362a33c91e7

Available at Malshare here: https://malshare.com/sample.php?action=detail&hash=185f6d6bf0ddcd39f253413f28c0d12f46a82e663bdf6287cb73a362a33c91e7

Following the encryption of the files it will then potentially load an executable that aims to delete the ransomware binary.

This screenshot shows a brief overview of the encryption workflow, which I did not explore here due to length.

The loading function will create a file on disk in the ProgramData folder with a name from GetTempFileNameW() and writes an encrypted executable to this path. Only the text segment is encrypted, and it has valid PE headers. It is then loaded into memory via CreateProcess() with the suspended flag, and then the payload is decrypted in memory.

The process/ main thread is then resumed and a named pipe is set up with this process, which is derived via a hash of its executable file contents on disk.

This named pipe has the following content.

struct NamedPipeBufferFormat
{
  DWORD IsDc;
  DWORD do_system_shutdown;
  DWORD overwite_all_data_disk;
  DWORD secure_erase_main_image;
  DWORD hDuplicatedMainProcess;
  char main_image_name[520];
};

In which the options do_system_shutdown, overwite_all_data_disk and secure_erase_main_image originate from configuration flags.

The loaded process utilises a TLS callback to perform API resolution via hashing and also scrambles all the function pointers in the same manner the main binary did here, including its own native functions. For the API hashing it uses the hash derived from the DLL as an xor key for the API name hash. This seed usage makes it more challenging to utilise a hash database such as hashdb.

So I just resolved it in x64dbg, utilising the command breakpoint: log "caller = 0x{[esp + 0x20]}:{label@eax}"

Since it also modifed the pointers to a variety of its own function pointers I had to create a Vtable struct and have my IDA setup with a pane for viewing the vtable struct at all times.

The sample also implements an interesting anti-debug trick. It patches the entry point of the DbgUiRemoteBreakin() with the first 32 bytes of the function that is performing the patch. This would presumably cause any debug attach events to crash. It seems an appropriate anti-debug method given the large amount of I/O operations this process performs (thus giving ample time to attach a debugger), attaching to it while it’s running would not be the worst method to unpack this sample.

bytes that would be patched into the entry point of DbgUiRemoteBreakin()

Once the TLS callback finishes and the main thread starts it will generate a hash of its disk content so it can access the named pipe, which provides it arguments on which functions to perform.

It then waits for the main process to finish via WaitForSingleObject(), with the handle to the process retrieved from the named pipe.

overview of main procedures

If the secure erase of the main image flag is set, it will retrieve the main image name via the name pipe. Then it will open a handle to the file with FILE_FLAG_WRITE_THROUGH (specifies operations go straight to disk with no caching) and write randomly generated bytes backwards and forwards into the file in a loop. this aims to make the original file unrecoverable through digital forensic tools.

If a sharing access error occurs it will register the image as a RmResource so that it can terminate the service or process accessing the image.

If the overwrite all data on disk flag is set it will initialise a thread pool with twice number of processors x2 + 1 threads. These threads sit in a waiting state until they are manually dispatched later by PostQueuedCompletionStatus().

It then gets a list of all the fixed drives and removable drives on the system.

For each drive it retrieves it will convert the drive path to an UNC extended path (\\?\) and appends 6 random characters, and uses this to create a directory (\\?\{drive_letter}\{random}.

Then for each drive it will create a thread to execute a function which ultimately dispatches a the thread in the worker pool from earlier.

It creates a temp file in the newly created directory and calculates info about the space available on the disk. Then it registers the file with the IOCompletion port from earlier. It will create an Overlapped structure with randomly generated bytes and then manually dispatches a thread from the worker thread pool via a call to PostQueuedCompletionStatus() and passes in the overlapped structure containing the randomly generated bytes.

The dispatched thread will fill up the temporary file until a ERROR_DISK_FULL error is reached. .

I assume this done in case there are any orphan files on the drive, which could essentially act as backups for sensitive data that the ransomware encrypted.

Following this, the executable will always delete its image. However if it is given the flag to shutdown the system (presumably so it can be restarted with safe mode for the -safe command line actions), it will use a trick to schedule itself for deletion via calling MoveFileExW(curFileShortPath, 0, MOVEFILE_DELAY_UNTIL_REBOOT). This will copy itself into a non existant path on reboot, then it calls NtShutdownSystem(). However it will avoid doing this is the named pipe arguments indicate that it is running as a Domain Controller.

Otherwise it will just delete itself via the cmd command /C DEL /F /Q "cur_image" >> NUL.

Z2A Challenge #3 – Oski Stealer String Decryption

2025-06-12T00:00:00+10:00

This is my belated write-up for Zero 2 Automated's Challenge #3 – Oski Stealer String Decryption.

The goal was to develop an automated string decryptor for the final payload. The sample is initially packed with a .NET packer which is why I was interested in this challenge as I wanted to get more reps with .NET samples.

First Stage SHA256: 707adf85c61f5029e14aa27791010f2959e70c0fee182fe968d2eb7f2991797b

Unpacking the .NET Sample

Initial triage showed it uses a known obfuscator, so I started by trying to run it through de4dot, which successfully produced a cleaned version.

With .NET samples, I usually start by looking at cross-references to the Assembly class, since many samples use this to load additional payloads. Given that this sample is packed, it's definitely worth checking out.

Looking at references to assembly, there are four calls to methods from the class from non-library/runtime code.

The most interesting one is a method I’ve named Load_byte_array(), which is just a wrapper around AppDomain.CurrentDomain.Load().

Looking at the references to Load_byte_array() shows a method I named retrieve_and_dec_rsrc() as it can clearly be seen getting the resource BayesMe, then calling a decryption function on the resource.

This seemed like a good chance to dynamically retrieve the decrypted resource, so I set a breakpoint after the call to the decryption function, then dumped the local variable array that held the result.

This appeared to be a valid executable file as the MZ magic was seen.

Stepping out of the method showed immediate call to Invoke() and Run(), verifying it is not a dummy file and is actually invoked.

The local variables debugging Window showed that the methodInfo variable is a reference to the method EhgUZIvRw().

Searching for this method showed it belongs to the loaded assembly FuncAttribute.dll

This assembly looked decently obfuscated as well, so I tried running it through de4dot. It was not recognised as a known obfuscator so I skipped cleaning and just analysed it as-is.

A quick look inside the methods it calls show that this method appears to load another assembly and invoke a method from it.

I set breakpoints on the Invoke and AssemblyLoad methods and ran the sample. This showed it loading another assembly and calling the method fQRwCeWyVS() from it.

I dumped the binary and ran it through de4dot — which detected it as a Reactor protected sample, which it managed to successfully clean.

To make dynamic analysis easier, I ran the sample again and overwrote the variable passed to LoadAssembly with the cleaned de4dot sample. I did this by opening the cleaned sample in CyberChef and running the recipe 'to hex'. Then in the debugging context I opened the array variable in the memory view and pasted over it.

This made the decompilation a lot cleaner:

Cleaned

Original

This now showed the call to Invoke targeting the method smethod_10()

I did some basic markup and which showed this sample had variety of functionalities, however it would use hardcoded flags to determine which components to actually execute.

These flags are set by the Class constructor /cctor.

Stepping through the program shows that this specific sample calls find_and_inject_process().

This method uses unmanaged code to retrieve Win APIs to make the injection possible.

Of most interest within this method is the call to WriteProcessMemory, as the variable byte_1 will contain a buffer that is injected into the victim process. By setting a breakpoint on WriteProcessMemory, I saw that the buffer being injected is a C++ compiled executable, which is presumably the final payload.

Final Payload and String Extraction

Finding the Decryption Function

I began analysis by taking a quick look in PeStudio. This showed what appeared to be a large amount of encrypted strings in the .rdata section.

Since the goal is to decrypt the strings, I started by going to the .rdata section in IDA and finding cross references to the strings.

The encrypted strings can easily be identified in IDA.

It looks like they are all passed to a central decryption function decrypt_strings().

Although not the point of the challenge I did develop an IDA debugging script to immediately resolve all the strings, with no real reverse engineering required.

Analyzing the Decryption Function

Back to the actual challenge.

The encrypted strings look to be base64 encoded, however inputting them into a base64 decoder did not return anything legible. My initial hunch was that this could be a custom base64 encoding so I took a quick look around to try and find a modified base64 index string.

It does appear the sample uses a standard base64 index string, so this isn’t a custom variant. (The string above is referenced as a global within the decryption function).

Looking deeper into the decryption function, showed lots of functions relating to C++ std::string handling such as small string optimization operations.

As such I create a C++ std::string struct in IDA to help analyze this.

This made the analysis of this function much easier, and the decryption flow became much clearer. The function base64-decodes the string, then passes it to another function that I initially labelled looks_like_decryption().

After taking a closer look at looks_like_decryption(), it was unmistakable as RC4. I should have looked closer earlier, as that would have saved me from reversing all the std::string handling.

I verified my analysis with Cyberchef.

Automating String Extraction

I moved on to writing a script that would extract and decrypt the strings automatically. From my analysis:

The RC4 key is an 18-byte ASCII string containing only digits.
The decryption function is the most-called function in the binary.

With this it might be possible to develop regex to extract the RC4 key, and extract the encrypted strings by retrieving all the arguments to the most called function in the binary. This should be able to run headlessly with IDA, however I could not try it as I only have IDA home.

With some proof of concept code I can successfully extract the RC4 key from this sample with regex.

I can also identify the decryption function by using IDA to retrieve the function with the highest cross reference count.

The final developed script can be seen working below, and should be able to be integrated into a fully automated workflow.

The actual code is shown below:

import pefile
from binascii import *
import re
import base64
from Crypto.Cipher import ARC4

def retrive_rdata(fpath):
    oski = pefile.PE(fpath)
    for section in oski.sections:
        if b'.rdata' in section.Name:
            oski_rdata = section.get_data()
            break
            
    return oski_rdata
def extract_rc4_key(rdata):
    matches = re.findall(rb'[0-9]{12,32}\x00', rdata)
    
    if len(matches) != 1:
        print('Unsuccessful extracting key')
        return None
        
    for m in matches:
        return (m[:-1].decode())

def get_most_called_func():
    functionCount = []
    for func in Functions():
        xref_count = 0
        for xref in XrefsTo(func):
            xref_count += 1
        functionCount.append((func, xref_count))
        
    funcs_sorted = (sorted(functionCount, key=lambda item: item[1]))
    most_called = funcs_sorted[-1:]
    return most_called[0][0]

def b64_decode_rc4_decrypt(key, enc_string):
    key_bytes = key.encode('utf-8')
    encrypted_bytes = base64.b64decode(enc_string)
    cipher = ARC4.new(key_bytes)
    decrypted_bytes = cipher.decrypt(encrypted_bytes)
    return decrypted_bytes.decode('utf-8', errors='replace')

def main():
    fpath = r"C:\Users\Kevin\Desktop\Samples\z2a challenge oski final payload\oski_final_payload.bin"
    
    rdata = retrive_rdata(fpath)
    
    rc4_key = extract_rc4_key(rdata)
    
    decrypt_strings_func_ea = get_most_called_func()
    
    enc_strings = []
    for xref in CodeRefsTo(decrypt_strings_func_ea, 0):
        arg_insn = idc.prev_head(xref)
        enc_str_ea = get_operand_value(arg_insn, 0)
        enc_str = ida_bytes.get_strlit_contents(enc_str_ea, -1, ida_nalt.STRTYPE_C, 0).decode('utf-8')
        print(b64_decode_rc4_decrypt(rc4_key, enc_str))
        
main()

Emotet Configuration Extraction

2025-05-07T00:00:00+10:00

Overview

This post is a write-up of an OALabs exercise in which the goal was to retrieve the C2 configuration from an unpacked Emotet sample, as a way to practice using emulation.

I am pretty sure the idea was to emulate the configuration de-obfuscation routine, but I also tried to utilise emulation to resolve the API hashing in the sample and had some interesting results.

Sample

SHA256: C688E079A16B3345C83A285AC2AE8DD48680298085421C225680F26CEAE73EB7

First Seen On VirusTotal: 2022-05-13

Family: Emotet

Identifying Win APIs

Since the goal was to extract the C2 configuration, this implies the sample must include some kind of networking functionality.

My approach to find the config data was to look at all the code surrounding network API calls, then I could trace the arguments provided to these and hopefully find the configuration info.

Looking at the imports for this sample, it did not contain a single import. This is a clear sign that this sample utilises API hashing, or at the very least walks the Export table of each module it is retrieving functions from.

(For those unfamiliar, a module loaded into a processes memory space will expose the functions it exports through an export table. Although this is typically intended to be used by the Windows loader or APIs such as GetProcAddress, it can be manually parsed, as a stealthy technique to resolve imports)

So to find the API hashing function I decided to hunt for references to the TEB, as this is required to access the PEB, which is often used to find the base address of modules that have been loaded in processes memory space. As such I used the script below to scan all the assembly instructions to see if it contained 'gs' (If this was a 32 bit sample I would use 'fs').

(The gs/fs segment register of all threads will contain a pointer to the TEB)

Another option would be to do this dynamically (which would likely be quicker as well), by setting breakpoints on a variety of networking APIs and running the sample, but I wanted to try statically reversing the API resolution function.

import idautils

def operand_is_gs(op1, op2):
    if ("gs" in op1 or "GS" in op1) or ("gs" in op2 or "GS" in op2):
        return True
    return False

def find_gs():
    for func_ea in idautils.Functions():
        for head in idautils.Heads(func_ea, idc.get_func_attr(func_ea, idc.FUNCATTR_END)):
            if not idc.is_code(idc.get_full_flags(head)):
                continue
            first_op = print_operand(head, 0)
            second_op = print_operand(head, 1)
            if first_op == 0:
                continue
            if operand_is_gs(first_op, second_op) == True:
                print(f"{hex(head)}: {GetDisasm(head)}")

find_gs()

Which showed one reference:

Back tracing this function, I got to this function - Looking at the cross references to it, it is called 108 times, with a variety of arguments that looked like hash values.

Looking into the hashing algorithm used for the DLL names, it did not look too complex, and as such almost certainly a custom algorithm. (A standard hashing algorithm will typically look much more complex, such that it can be properly cryptographically secure).

The hashing function for hashing the API names is a separate custom hashing function (to the one used for the DLL names).

But first I need to retrieve all hashes provided to the function, which I used the following script to acquire.

import idautils

def get_paramter(all_dll_api_pairs):
    for xref in idautils.XrefsTo(0x00007FF9B6F73D70): # api_resolve_wrapper_func
        xref = xref.frm
        addr = str(hex(xref))
        dll_api_pair_dict = {'address' : addr}
        counter = 25
        prev_instruct = idaapi.prev_head(xref, 25)
        while counter >= 0: # the instruction moving the hash value into the register, is not a consistent offset from the call the api hash wrapper, so have to loop back for a while
            counter -= 1
            mnemonic = print_insn_mnem(prev_instruct)
            if mnemonic != 'mov':
                prev_instruct = idaapi.prev_head(prev_instruct, 25)
                continue
            first_operand = print_operand(prev_instruct, 0)
            if first_operand != "edx" and first_operand != "rdx" and first_operand != "ecx" and first_operand != "rcx":
                prev_instruct = idaapi.prev_head(prev_instruct, 25)
                continue
            if first_operand == 'ecx' or first_operand == 'rcx':
                instruction = idaapi.insn_t()
                idaapi.decode_insn(instruction , prev_instruct)
                dll_name_hash = instruction.Op2.value
                if 'dll_hash' not in dll_api_pair_dict:
                    dll_api_pair_dict['dll_hash'] = (dll_name_hash & 0xffffffff)
                prev_instruct = idaapi.prev_head(prev_instruct, 25)
            if first_operand == 'rdx' or first_operand == 'edx':
                instruction = idaapi.insn_t()
                idaapi.decode_insn(instruction , prev_instruct)
                win_api_hash = instruction.Op2.value
                if 'win_api_hash' not in dll_api_pair_dict:
                    dll_api_pair_dict['win_api_hash'] = (win_api_hash & 0xffffffff)
                prev_instruct = idaapi.prev_head(prev_instruct, 25)
            if len(dll_api_pair_dict) == 3:
                all_dll_api_pairs.append(dll_api_pair_dict)
                break

all_dll_api_pairs = []
get_paramter(all_dll_api_pairs)
print(all_dll_api_pairs)

With this I now have a list of all the hashes, and the location they were called from.

The standard approach to resolve these hashes would either be to use HashDB, or re-implement the hashing function and brute force them with them with a API wordlist.

But I wanted to try something different - I wanted to emulate the entire wrapper function (including the export table walking etc, and extract the DLL names and API names), through Dumpulator.

This would mean I would not need to get a wordlist to perform a brute force, I could just plug in the hashes I acquired and that should be enough, however, spoilers—it only sort of worked.

To do this I needed to do some additional reverse engineering, to figure out where I want to hook, and what registers or memory locations I want to read. As such I marked up this function a bit more.

After marking up the decompiled output, I want to correlate it with the assembly code and see if I can easily retrieve the index into the export name table.

The disassembled code shows a loop, in which an export name table entry is passed into the function win_api_hashing_func, and if the calculated hash matches the hash provided by the argument, it will exit the loop.

To use emulation to resolve this, I have to extract the export table entry passed into win_api_hashing_func each loop, and hopefully when it exits, the most recent value we have extracted will be the API of interest.

The easiest way for this I found was reading the contents of the rcx register at the address 0x07FF9B6F791C4 in win_api_hashing_func as it is directly reading from the export name table at this address.

This can be done by hooking Dumpulator through its Unicorn underpinning, and retrieving a pointer to the string each loop. Once the emulation instance finishes the retrieved value should be the most recent export name table entry, hopefully pointing to the API name string. (Not sure if you are meant to do this as the unicorn instance is labelled as a private attribute, but it worked).

To do this all that is needed is a MiniDump of the process, at whatever process execution state we want it to be in. Then the sample should be rebased in IDA such that the Virtual Addresses match up, allowing the use of the Virtual addresses in IDA to help set up the emulation instance. From here the Dumpulator instance can allocate memory, write to memory and set up register values.

For this function the hash arguments are provided through the rcx and rdx registers, so we just have to initalise these registers with the hashes in our dumpulator instance, and then plug in the address of the start of the function.

from dumpulator import *
from unicorn import *
from unicorn.x86_const import *
import struct


hashed_api_int = [{'address': '0x7ff9b6f7118a', 'win_api_hash': 2496187760, 'dll_hash': 2657936269}, {'address': '0x7ff9b6f713a8', 'dll_hash': 2657936269, 'win_api_hash': 326862382}] #... Cut down for brevity
resolved_win_apis = []


def hook_code(uc, address, size, user_data):
    dp = user_data[0]
    
    resolved_dict = user_data[1]
    if address == 0x07FF9B6F791C4: # Instruction after rcx gets loaded with pointer from entry in export name table
        user_data[2][0] = dp.regs.rcx
    
    if address == 0x07FF9B6F74A66:
        out = dp.read(dp.regs.rbx + 48 + 24 + 8, 8)
        # + 48 = DllBase, + 24 = FullDLLName, + 8 = wchar* (A unicode string struct will have a wide_char* at 8 bytes from its base)
        out = struct.unpack("Q", out)
        out = out[0]
        dll_name = dp.read_str(out, encoding="utf-16")
        resolved_dict['dll'] = dll_name

def extract_name(dll_hash, func_hash, xref_address):
    resolved_dict = {}
    export_name_tab_ptr = [None]
    dp = Dumpulator(r"C:\Users\Kevin\Desktop\Emotet\emotet.dmp", quiet=True)
    dp._uc.hook_add(UC_HOOK_CODE, hook_code, user_data = [dp, resolved_dict, export_name_tab_ptr])
    dp.regs.rcx = dll_hash
    dp.regs.rdx = func_hash 
    start_VA = 0x07FF9B6F73D70
    end_VA = 0x07FF9B6F8E22B
    print("starting")
    dp.start(start_VA, end=end_VA)
    print("finished")
    print(export_name_tab_ptr)
    func_name = dp.read_str(export_name_tab_ptr[0], encoding='utf-8')
    resolved_dict['win_api'] = func_name
    resolved_dict['xref_address'] = xref_address
    resolved_win_apis.append(resolved_dict)

def main():
    for dict in hashed_api_int:
        func_hash = dict['win_api_hash']
        dll_hash = dict['dll_hash']
        xref_addr = dict['address']
        try:
            extract_name(dll_hash, func_hash, xref_addr)
        except:
            pass
    print(resolved_win_apis)
    
main()

An issue with this approach is that if the emulation instance can not successfully resolve the hash, then we also cannot retrieve it. This is what occurred here as it only extracted the APIs from kernel32.dll and ntdll.dl, however I counted around 5 unique DLL name hashes provided to the hashing function.

(Once I extracted the modules later, I noted that these modules were not loaded in the process in the MiniDump instance - The sample would likely make a call to LoadLibrary to load these modules before attempting to retrieve their functions. - This fact likely makes attempting to resolve API hashing in this manner unreliable. Taking a MiniDump after the calls to LoadLibrary might allow this technique to work for all APIs.)

results from the emulation routine (I also extracted the dll name, which is technically unnecessary):

So with this I decided to use HashDB to resolve the functions.

In the API resolution function I can see the hashed value of the API will be XOR'ed with 0x19A3CCB86, thus using a key to help conceal the hash value. However that is easily thwarted by setting it as the XOR key in the HashDB IDA plugin

This allows us to do call HashDB's 'Hunt Algorithm' with any of the hashes we acquired earlier. If the hashing algorithm is in HashDB's database as well as the string that the hash resolves to, HashDB Hunt Algorithm will return the hashing algorithm in use.

If the hashing algorithm was not in HashDB's database, an option would be to write the algorithm and upload it to them, which would provide access to their large string database. However the algorithm hunt returned an algorithm named 'emotet', so I am now ready to resolve all the APIs.

Their API outlines the following format when retrieving strings from an algorithm using an xor key.

https://hashdb.openanalysis.net/hash/{algorithm}/{hash}/{xor}

So I used the following script to resolve all the hashes.

import requests
import time

hashed_api_int = [{'address': '0x7ff9b6f7118a', 'win_api_hash': 2496187760, 'dll_hash': 2657936269}, {'address': '0x7ff9b6f713a8', 'dll_hash': 2657936269, 'win_api_hash': 326862382}] # ... Cutdown for brevity

resolved_apis = []
unresolved_list = []
unresolved_count = 0

for item in hashed_api_int:
    hash_val = item['win_api_hash']
    address = item['address']
    url_hashdb = f'https://hashdb.openanalysis.net/hash/emotet/{hash_val}/430162822'
    response = requests.get(url_hashdb)
    if response.status_code == 429:
        time.sleep(60)
    else:
        data = response.json()
    try:
        api = data["hashes"]
        api = api[0]
        api = api['string']
        api = api['string']
        print(api)
        resolved_apis.append((address, api))
    except:
        print(f'unresolved: {hash_val}')
        unresolved_count += 1
        continue
        
print(unresolved_count)
print(resolved_apis)

After resolving the Win APIs, I investigated what was actually done with the retrieved function pointer. It appears that the retrieved API pointers get written to a global variable (.data section), however this appears to just be storing the pointer in a cache as there is no other xrefs to these addresses (although it is possible they indexed into from a base address, in which they wouldn't show up as cross references).

For each unique hash set that is passed to win_api_hashing_func, there is a specific wrapper function, which subsequently calls the resolved API. So when marking this up, it is important to actually label the wrapper function rather than the global variable.

Thus I used the following script to rename all the functions.

resolved_apis = [('0x7ff9b6f7118a', 'Process32NextW'), ('0x7ff9b6f713a8', 'GetTempPathW')] # ... cutdown for brevity
apis_addr_int = [(int(pair[0], 16), pair[1]) for pair in resolved_apis] # Converting addresses from strings to int values


def rename_funcs(addr_name: list[tuple]):
  for pair in addr_name:
      address, name = pair
      
      func = idaapi.get_func(address)
      func_start = func.start_ea
      set_name(func_start, name + "_Wrapper")
      
      address = next_head(address)
      instruction = print_insn_mnem(address)
      while instruction != 'jmp' and instruction != 'call': # it either called or jumped to the API
          address = next_head(address)
          instruction = print_insn_mnem(address)
      print(hex(address))
      set_cmt(address, name, 0)

def main():
rename_funcs(apis_addr_int)

main()

Finding the config

With the APIs resolved, I went back to my original strategy of looking for networking APIs in the hope that they reference the configuration data. I noted that GetProcAddress got resolved, indicating further runtime API resolution may occur, but since some networking functions did get resolved, I did not think it was prudent to investigate.

Of these functions, I think InternetConnectW is a good candidate to investigate as it's MSDN entry outlines it takes an argument 'lpszServerName': "Pointer to a null-terminated string that specifies the host name of an Internet server. Alternately, the string can contain the IP number of the site, in ASCII dotted-decimal format (for example, 11.0.1.45)."

So going to the wrapper function, I can see it receives an argument that is subsequently passed in as the argument 'lpszServerName' to InternetConnectW.

I backtracked this argument back a couple of function calls and identified that the original value originated from a global variable.

The variable is not initialised at compile time, however it appears that the variable contains a pointer to a structure containing the C2 data, based on how it is being referenced. To identify when a value is assigned to it, I opened up the x-refs and jumped to the one item where it is being written to.

A heap pointer is initialised and written to our global variable. Then, a subsequent function can be seen accessing the global, and writing the output of a sprintf call to the pointer's destination.

Taking a look at the function that provides the format string, it appears to initialise a stack string for a decryption function decrypt_stuff. The decryption function was called 32 times, so I decided to locate all calls to this function and emulate them.

import idautils

decryptor_callers = []

for xref in idautils.XrefsTo(0x07FF9B6F9ADB8):
    try:
        calling_address = xref.frm
        print(hex(calling_address))
        func = idaapi.get_func(calling_address)
        func_start = func.start_ea
        decryptor_callers.append(func_start)
    except:
        pass
print(decryptor_callers)

from dumpulator import *

callers = [140710493230020, 140710493231788] # ... Cutdown for brevity

string_and_caller = []

def rename_funcs(addr_name: list[tuple]):
    name_count = 0
    for pair in addr_name:
        address, dec_string = pair
        
        func = idaapi.get_func(address)
        func_start = func.start_ea
        set_name(func_start, 'decrypts_string_' + str(name_count)) # rename the function: decrypts_string_1, decrypts_string_2, etc
        name_count += 1
        set_cmt(address, dec_string, 0) # comment the decrypted string at the function

def main():
    for caller in callers:
        try:
            dp = Dumpulator(r"C:\Users\Kevin\Desktop\Emotet\emotet.dmp", quiet=True)
            start_VA = caller
            end_VA = 0x07FF9B6F9AF3C
            dp.start(start_VA, end=end_VA)
            rax = dp.regs.rax
            dec_string = dp.read_str(rax, encoding='utf-16')
            print(dec_string)
            string_and_caller.append((caller, dec_string))
        except:
            pass
    rename_funcs(string_and_caller)

main()

This returned a variety of decrypted strings:

    ObjectLength
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    %s%s.dll
    WinSta0\Default
    RNG
    AES
    %s\%s
    %s\*
    SHA256
    %s%s.exe
    %s\regsvr32.exe "%s\%s" %s
    HASH
    Microsoft Primitive Provider
    bcrypt.dll
    ECDH_P256
    Cookie: %s=%s
    shlwapi.dll
    shell32.dll
    ECCPUBLICBLOB
    Content-Type: multipart/form-data; boundary=%s
    wininet.dll
    ECDSA_P256
    %s\%s%x
    wtsapi32.dll
    POST
    %s\regsvr32.exe "%s" %s
    %s\regsvr32.exe "%s\%s"
    userenv.dll
    %u.%u.%u.%u
    crypt32.dll
    KeyDataBlob

The string that was returned for the format string was "%u.%u.%u.%u". This is almost certainly a format string for an IP address, which confirms my belief that this struct used for C2 communication gets initialised here. As such, emulating this function should retrieve all the IPs. The script just needs to read the destination buffer pointer when it is passed in as an argument, then read from it after the call to sprintf is complete.

Again, I use Dumpulator and hook the underlying Unicorn instance to do this:

from dumpulator import *
from unicorn import *
from unicorn.x86_const import *


dp = Dumpulator(r"C:\Users\Kevin\Desktop\Emotet\emotet.dmp", quiet=True)

start_VA = 0x07FF9B6F8B190

end_VA = 0x07FF9B6F73BC8


ip_buffer = 0
found_ips = []
def hook_code(uc, address, size, user_data):
    dp = user_data[0]
    
    if address == 0x07FF9B6F7388A:
        global ip_buffer
        ip_buffer = dp.regs.rcx
    

    if address == 0x07FF9B6F738F3:
        found_ips.append(dp.read_str(ip_buffer, encoding='utf-16'))

dp._uc.hook_add(UC_HOOK_CODE, hook_code, user_data = [dp])

dp.start(start_VA, end=end_VA)

print(found_ips)

With that, all the IPs were retrieved:

['63[.]142[.]250[.]212', '150[.]95[.]66[.]124', '91[.]207[.]28[.]33', '172[.]104[.]251[.]154', '107[.]182[.]225[.]142', '185[.]157[.]82[.]211', '149[.]56[.]131[.]28', '196[.]218[.]30[.]83', '158[.]69[.]222[.]101', '45[.]176[.]232[.]124', '58[.]227[.]42[.]236', '212[.]24[.]98[.]99', '159[.]65[.]88[.]10', '189[.]126[.]111[.]200', '94[.]23[.]45[.]86', '51[.]254[.]140[.]238', '1[.]234[.]2[.]232', '1[.]234[.]21[.]73', '206[.]189[.]28[.]199', '164[.]68[.]99[.]3', '153[.]126[.]146[.]25', '46[.]55[.]222[.]11', '167[.]99[.]115[.]35', '134[.]122[.]66[.]193', '203[.]114[.]109[.]124', '51[.]91[.]76[.]89', '185[.]4[.]135[.]165', '79[.]137[.]35[.]198', '185[.]8[.]212[.]130', '213[.]241[.]20[.]155', '82[.]165[.]152[.]127', '119[.]193[.]124[.]41', '103[.]75[.]201[.]2', '201[.]94[.]166[.]162', '212[.]237[.]17[.]99', '103[.]70[.]28[.]102', '131[.]100[.]24[.]231', '209[.]250[.]246[.]206', '102[.]222[.]215[.]74', '5[.]9[.]116[.]246', '129[.]232[.]188[.]93', '216[.]158[.]226[.]206', '173[.]212[.]193[.]249', '101[.]50[.]0[.]91', '197[.]242[.]150[.]244', '27[.]54[.]89[.]58', '163[.]44[.]196[.]120', '45[.]118[.]115[.]99', '51[.]91[.]7[.]5', '110[.]232[.]117[.]186', '103[.]43[.]46[.]182', '146[.]59[.]226[.]45', '72[.]15[.]201[.]15', '167[.]172[.]253[.]162', '209[.]126[.]98[.]206', '151[.]106[.]112[.]196', '183[.]111[.]227[.]137', '160[.]16[.]142[.]56', '209[.]97[.]163[.]214', '45[.]235[.]8[.]30', '188[.]44[.]20[.]25', '77[.]81[.]247[.]144', '103[.]132[.]242[.]26']

Although utilising the above code for an automated configuration extractor might prove difficult, so I decided to poke around a bit more in this function and see if there was an easy opportunity to develop automation. I found that the IP data was initialised through these functions (initially the function pointers were placed in an array and called in a later function - these functions generated the data from literal/immediate values, rather than storing them as data.)

Example of one of the functions:

The way this array of function pointers was set up provided a good opportunity to develop regex that could extract these function pointers, which could subsequently be emulated. I decided to emulate the functions with Unicorn instead of Dumpulator, as Unicorn would not require a MiniDump of the process for it to work. As these functions were self-contained (did not make calls out to further functions or read from any global variables), implementing them in Unicorn was not difficult. All that was needed was to initialise the registers rcx and rdx with out buffers.

from unicorn import *
from unicorn.x86_const import *
import struct
from capstone import *
import pefile
import re
import ctypes

ips = []
cap = Cs(CS_ARCH_X86, CS_MODE_64)
ALLOCATION_CHUNK_SIZE = 0x1000


def hook_code(uc, address, size, user_data):
    cur_code = uc.mem_read(address, size)
    instructions = cap.disasm(cur_code, address)
    for instruction in instructions:
        #print(f"{hex(instruction.address)}\t{instruction.mnemonic}\t{instruction.op_str}")
        if instruction.mnemonic == 'retn' or instruction.mnemonic == 'ret':
            out = uc.mem_read(0x10000, 4)
            ip = ''
            for byte in out:
                ip += str(byte)
                ip += '.'
            ip = ip[:-1]
            ips.append(ip)
            print(ip)
            uc.emu_stop()
        if instruction.mnemonic == 'call':
            uc.emu_stop()


def emulate_ip_resolver(code, address):
    uc = Uc(UC_ARCH_X86, UC_MODE_64)
    uc.hook_add(UC_HOOK_CODE, hook_code)
    uc.mem_map(0x10000, 0x1000, UC_PROT_ALL)
    uc.mem_map(0x20000, 0x1000, UC_PROT_ALL)
    uc.reg_write(UC_X86_REG_RCX, 0x10000)
    uc.reg_write(UC_X86_REG_RDX, 0x20000)

    emulate_func(uc, code, address)


def emulate_func(uc: Uc, code: bytes, code_base_ptr: int):
    # Allocating memory for the code, and writing it
    allocation_base = code_base_ptr & 0b1111_1111_1111_1111_1111_1111_1111_1111_0000_0000_0000_0000
    uc.mem_map(allocation_base, ALLOCATION_CHUNK_SIZE, UC_PROT_ALL)
    uc.mem_write(allocation_base, b'\x00' * ALLOCATION_CHUNK_SIZE)
    allocation_end = allocation_base + ALLOCATION_CHUNK_SIZE
    # Allocates more memory if the allocated memory is not enough for the function
    code_len = len(code)
    while (code_len + code_base_ptr) > allocation_end: 
        uc.mem_map(allocation_end, ALLOCATION_CHUNK_SIZE, UC_PROT_ALL)
        uc.mem_write(allocation_end, b'\x00' * ALLOCATION_CHUNK_SIZE)
        allocation_end += ALLOCATION_CHUNK_SIZE
    uc.mem_write(code_base_ptr, code)

    STACK_SPACE = 0x2000
    uc.mem_map(STACK_SPACE, ALLOCATION_CHUNK_SIZE, UC_PROT_ALL)
    uc.mem_write(STACK_SPACE, b'\x00' * ALLOCATION_CHUNK_SIZE)
    uc.reg_write(UC_X86_REG_ESP, STACK_SPACE + ALLOCATION_CHUNK_SIZE // 2)
    
    print("Starting emulating main func")
    uc.emu_start(code_base_ptr, code_base_ptr + len(code), timeout = 0, count = 0)
    print("Finished Emulating")


def retrieve_func_addrs(pe):
    image_base = pe.OPTIONAL_HEADER.ImageBase
    for section in pe.sections:
        if b'.text' in section.Name:
            emotet_content = section.get_data()
            text_rva = section.VirtualAddress
    find_lea = re.compile(rb'\x48\x8d\x05(.{4})\x48\x89')
    matches = find_lea.finditer(emotet_content)

    func_addrs = []

    for match in matches:
        offset = match.group(1)
        offset = struct.unpack('', offset)[0]
        offset = ctypes.c_int(offset).value
        VA = match.start()
        VA += text_rva + image_base
        func_addr = VA + offset + 7
        func_addrs.append(func_addr)

    return func_addrs

def main():
    pe = pefile.PE(r"C:\Users\Kevin\Desktop\Emotet\emo_unpacked_1020000.bin")
    image_base = pe.OPTIONAL_HEADER.ImageBase

    func_addrs = retrieve_func_addrs(pe)
    func_code_list = (pe.get_data(func_addr - image_base, 0x1000) for func_addr in func_addrs)

    for func_code in func_code_list:
        try:
            emulate_ip_resolver(func_code, 0x40_000)
            print()
        except:
            pass

    print(ips)

main()
    

Another option to extract the config data would be to use a debugger and hook the snwprintf calls.

Thank you for reading!

Kevin Johnson’s Security Blog

BlackMatter Ransomware Analysis

BlackMatter Ransomware Analysis

Table of Contents

Overview

Configuration security and extraction

Main configuration automated extraction

Other encrypted and encoded items

Sample Functionality

1. API Resolution

2. Configuration Loading & Privilege Escalation

3. CLI Parsing & Dispatch

Try lateral movement via network shares

Try lateral movement via GPO

Loaded eraser executable

Z2A Challenge #3 – Oski Stealer String Decryption

Unpacking the .NET Sample

Final Payload and String Extraction

Finding the Decryption Function

Analyzing the Decryption Function

Automating String Extraction

Emotet Configuration Extraction

Overview

Sample

Identifying Win APIs

Finding the config