URL: https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/

TEACHING AN OLD RAT NEW TRICKS

April 21, 2016
by Joseph Landry

Attackers have been successfully deploying RATs for years to remotely control
users' systems, giving them full access to the victim's files or to resources
such as cameras, recording keystrokes, or downloading further malware.
Traditionally RATs have been deployed when a user opens an email attachment, or
downloads a file from a website or peer-to-peer network. In both cases, the
vector relies on a file to deliver the payload, and files are comparatively
easy to detect.

Recently we detected a more sophisticated technique that is being actively used
across a handful of countries in Asia to infect systems with RATs. This
technique ensures that the payload remains in memory throughout its execution,
never touching the disk in decrypted form. In doing so, the attacker stays out
of view of antivirus technologies, and even of 'next-generation' technologies
that focus only on file-based threat vectors. The samples analyzed also have the
ability to detect the presence of a virtual machine, to ensure they are not
being analyzed in a network sandbox.

Finally, it is important to highlight that the RAT itself is not new. In fact,
this technique can be used to deliver any known RAT to a victim's system. We
analyzed this sample against the SentinelOne EPP to confirm that it does not
evade our behavior-based detection. This is because we monitor all processes at
the user-space/kernel-space interface: everything an application hands to the
kernel must be unencrypted at that point, so we detect the sample at both
process-injection points.

Samples Analyzed

Main Sample

 * Format: Win32 PE, .NET 2.0
 * SHA-256 sum: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8
 * SHA-1 sum: 3b1ac573509281cdc0b6141f8ea6ed3af393b554
 * MD5 sum: 65752e742d643d121ee7e826ab65dc9b
 * File size: 321024 bytes (313.5 KiB)

Unpacked Samples

 * e5c71180f117270538487cd9b9b1b6d8 – Packed "Benchmark" DLL
 * 9e05fb115bd4e85cfc0e32c72aa721be – Monitor (PerfWatson.exe)
 * d740ed3f33ca4cef3a6aa717f94bf52a – NanoCore RAT dumped from memory

Behavioral Analysis

When run, the binary copies itself to
%APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe and extracts a second
binary named PerfWatson.exe.

It then executes both binaries.

For persistence, a registry value is created at
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
pointing to the PerfWatson.exe binary.

Finally, the RAT tries connecting back to its control server:

 * azona2015.chickenkiller.com:1617 (TCP)
 * azona.chickenkiller.com:1617 (TCP)

chickenkiller.com is owned by a free dynamic DNS service.

At the time of this writing, the DNS records still exist, but the address they
resolve to appears to be down.

Unpacking

“Benchmark” .NET DLL

The main executable contains an XOR-encrypted .NET DLL in its .NET managed
resources, along with the logic to unpack it. This DLL contains the logic to
unpack and inject the RAT, as well as to monitor PerfWatson.exe. The DLL is
referred to as "Benchmark" because that is the .NET namespace it uses.

After decrypting the resource, it is loaded into the process using
System.Reflection.Assembly.Load(byte[]), which is documented on MSDN. With this
method, the DLL is never written to the filesystem. The developers likely chose
this technique to evade antivirus detection.
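The following is an added example, not code from the post or from the loader: a Python script that recovers the XOR key for a resource like the one described above. The post only says the DLL is XOR encrypted, so a repeating byte key of unknown length (here, up to 20 bytes) is an assumption. It goes a little beyond the post by deriving the key from the DOS header's zero-filled e_res2 field (offset 0x28, 20 bytes) and confirming the guess with the MZ and PE signatures; the encrypted input is constructed inline rather than taken from the sample.

```python
"""Recover a repeating-key XOR key from an XOR-encrypted PE blob using the
DOS header's zero-filled e_res2 field. Added example; the repeating-key
assumption and the constructed input are the demo's, not the sample's."""
import struct
from typing import Optional

E_RES2_OFF, E_RES2_LEN = 0x28, 20   # ten reserved WORDs, zero in real-world PEs
E_LFANEW_OFF = 0x3C
MAX_KEY_LEN = E_RES2_LEN            # e_res2 alone cannot pin down a longer key


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0, and 'PE\\0\\0' at the offset e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(ct: bytes) -> Optional[bytes]:
    """Shortest key length whose bytes, read straight out of the e_res2 window
    (0 XOR k = k), are self-consistent and decrypt to a PE header."""
    if len(ct) < 0x40:
        return None
    window = ct[E_RES2_OFF:E_RES2_OFF + E_RES2_LEN]
    for klen in range(1, MAX_KEY_LEN + 1):
        key: list = [None] * klen
        for i, c in enumerate(window):
            slot = (E_RES2_OFF + i) % klen
            if key[slot] is None:
                key[slot] = c
            elif key[slot] != c:           # contradiction: not this length
                break
        else:                              # window spans klen slots, so all are filled
            cand = bytes(key)
            if looks_like_pe(xor(ct, cand)):
                return cand
    return None


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for the encrypted DLL: DOS header, stub padding, PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<H", dos, 0x18, 0x40)            # e_lfarlc
    struct.pack_into("<I", dos, E_LFANEW_OFF, e_lfanew)
    return bytes(dos) + b"\xcc" * (e_lfanew - 0x40) + b"PE\0\0" + b"\0" * 64


if __name__ == "__main__":
    ct = xor(build_fake_pe(), b"k3y!")     # constructed ciphertext, constructed key
    print(recover_xor_key(ct))
```

The shortest consistent length wins, so a 4-byte key is not reported as an 8-byte key made of two copies. A key longer than e_res2 would need a second known-plaintext region (for example the "This program cannot be run in DOS mode" stub text), which this demo does not attempt.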

Under the hood, Assembly.Load() calls the Win32 API CreateFileMappingW() with
the hFile parameter set to INVALID_HANDLE_VALUE. According to MSDN, this creates
a file mapping object backed by the system paging file rather than by a file on
disk. One layer below CreateFileMapping, the system call NtCreateSection is
invoked.

After the pagefile-backed section is created, it is mapped into memory using
the Win32 API call MapViewOfFileEx; the layer below this invokes the system
call NtMapViewOfSection.

Finally, memcpy() copies the decrypted DLL into the newly mapped address range.

Unpacking Settings and NanoCore

The settings for “Benchmark” and the NanoCore executable are serialized, DES
encrypted, spliced, and stored across multiple PNG files as pixel data. The PNG
files are concatenated and stored in the .NET managed resources of the main
executable.

Some of the settings that can be configured are:

 * Exit if a virtual machine is detected
 * Paths and filenames to store PerfWatson.exe and NanoCore
 * Display a message box to the user
 * Delete “:Zone.Identifier” information for files from NTFS ADS.
 * Download an encrypted file from the Internet, decrypt it, and run it.
 * Monitor the injected process

After viewing one of these images, it is obvious they are not meant to convey
visual information to a human eye.

After writing a short Python script, I was able to extract all 19 PNG files. If
you have robot eyes, you can see a cat.

Here is a C# decompilation of the method used to extract the information out of
the pixel data.

Once everything is decrypted, the set options are executed, and the NanoCore RAT
payload is injected into a new child process. The method of injection is
discussed later.
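As an added example (not the post's own extraction script, which is not reproduced here), the script below carves concatenated PNG files out of a resource blob by walking their chunk tables, decodes each one to raw RGB pixel bytes using only the standard library, and pulls a payload back out of the pixels. How the real loader lays its data out in the pixels is not shown on the page, so the length-prefixed payload format and the 8-bit RGB, filter-0 images are assumptions of the demo; the resource blob is constructed inline. The serialized settings and the DES layer that follow in the real sample are out of scope here.

```python
"""Carve back-to-back PNGs out of a blob and recover the bytes hidden in their
pixels. Added example; the pixel layout (4-byte length prefix, then payload,
packed into 8-bit RGB with filter type 0) is assumed, not the loader's."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(kind: bytes, data: bytes) -> bytes:
    """length | type | data | CRC32(type + data)"""
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer; every row uses filter type 0 (None)."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def carve_pngs(blob: bytes) -> list:
    """Split concatenated PNGs by following each file's chunk table to its IEND."""
    out, pos = [], 0
    while True:
        pos = blob.find(PNG_SIG, pos)
        if pos < 0:
            return out
        start, p = pos, pos + len(PNG_SIG)
        while p + 8 <= len(blob):
            length, kind = struct.unpack(">I4s", blob[p:p + 8])
            p += 12 + length                  # 8-byte header + data + 4-byte CRC
            if kind == b"IEND":
                break
        out.append(blob[start:p])
        pos = p


def png_pixels(png: bytes) -> tuple:
    """(width, height, rgb_bytes) for an 8-bit RGB PNG whose rows use filter 0."""
    p, width, height, idat = len(PNG_SIG), 0, 0, b""
    while p + 8 <= len(png):
        length, kind = struct.unpack(">I4s", png[p:p + 8])
        data = png[p + 8:p + 8 + length]
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("demo decoder handles 8-bit RGB only")
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break
        p += 12 + length
    raw, stride, rows = zlib.decompress(idat), width * 3, []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("demo decoder handles filter type 0 only")
        rows.append(row[1:])
    return width, height, b"".join(rows)


def hide(payload: bytes, width: int = 16) -> bytes:
    """Pack [len][payload] into pixels, zero-padding to whole rows (assumed format)."""
    body = struct.pack(">I", len(payload)) + payload
    stride = width * 3
    body += b"\x00" * (-len(body) % stride)
    return make_png(width, len(body) // stride, body)


def reveal(png: bytes) -> bytes:
    _, _, rgb = png_pixels(png)
    return rgb[4:4 + struct.unpack(">I", rgb[:4])[0]]


def extract_all(blob: bytes) -> list:
    """Carve every PNG in the blob and recover the payload from each."""
    return [reveal(png) for png in carve_pngs(blob)]


if __name__ == "__main__":
    # Constructed resource: two PNGs glued together, as the loader's resource is.
    resource = hide(b"settings-fragment-1") + hide(b"MZ-fake-pe-fragment")
    print(extract_all(resource))
```

Carving by chunk table rather than by searching for the next signature matters when the pixel data itself happens to contain the 8-byte PNG magic, which encrypted payload bytes eventually will.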

Unpacking PerfWatson.exe

Now that "Benchmark" is loaded into memory, it is tasked with copying the main
executable and extracting PerfWatson.exe to
%APPDATA%\Microsoft\Blend\14.0\FeedCache.

PerfWatson.exe is stored inside Benchmark as a base64-encoded string. There is
no encryption or obfuscation beyond the base64 encoding.

Inside the .NET assembly, the string is stored as a DefaultSettingValue, the
attribute .NET uses to hold the default of an application setting. The
developers might have used this to disguise the purpose of such a long string.

Once the string is decoded, it is written to disk and executed.

Injecting the Payload

The NanoCore RAT payload is never written to disk to avoid detection. Instead,
it is injected into a new process. The injection routine can be summarized by
these Win32 API and system calls:

 * CreateProcessW(CREATE_SUSPENDED): create the child process in a suspended
   state.
 * NtGetContextThread(): used to find the PEB and later to update the EIP
   register.
 * ReadProcessMemory(): reads the PEB.ImageBaseAddress field.
 * NtUnmapViewOfSection(): runs only when an image is already mapped at
   0x400000.
 * VirtualAllocEx(): allocates the pages for the injected image.
 * NtWriteVirtualMemory(): writes the image section by section, then patches
   the PEB:
    * 0x00400000: MZ/PE header
    * 0x00402000: .text
    * 0x00436000: .rsrc
    * 0x0043a000: .reloc
    * PEB.ImageBaseAddress: updated to 0x400000
 * NtSetContextThread(): updates the EIP register in the thread context.
 * NtAlertResumeThread(): causes the child process to leave the suspended
   state and become runnable.

The process begins in a suspended state:

Next, the thread context is read from the child process:

From the thread context, the address of the PEB is now known and it can be
read:

The address range for the injected image is now allocated:

Then a series of NtWriteVirtualMemory() calls inject the RAT image and update
PEB.ImageBaseAddress:

NtSetContextThread is invoked to update the EIP register's value:

Finally, execution is started with NtAlertResumeThread:

By dumping the process to disk, we can see that the injected process is just
the NanoCore client.
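The two points at which the post says behavior-based monitoring catches the sample (the pagefile-backed section used by Assembly.Load in the "Benchmark" section above, and the hollowing sequence just described) can be written as ordered call-sequence rules over a per-process API trace. The script below is an added illustration, not SentinelOne's detection logic; the one-call-per-line trace format, the argument names, and the sample trace lines are all constructed for the demo. Treating an anonymous section that reaches the kernel as NtCreateSection with a NULL FileHandle and executable protection as an indicator is the demo's assumption, not a claim the post makes.

```python
"""Ordered call-sequence rules for the two injection points: an anonymous
(pagefile-backed) executable section, and process hollowing. Added example;
the trace format 'pid API key=value ...' and all sample lines are constructed."""
import re
from collections import defaultdict
from typing import Callable

CREATE_SUSPENDED = 0x4
LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
ARG = re.compile(r"(\w+)=(\S+)")

Call = tuple                      # (api_name, {arg: value})
Step = tuple                      # ((accepted api names...), predicate(args) -> bool)


def parse(trace: str) -> dict:
    """Group trace lines by pid, keeping call order within each process."""
    calls: dict = defaultdict(list)
    for line in trace.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            calls[int(m["pid"])].append((m["api"], dict(ARG.findall(m["args"]))))
    return calls


def in_order(calls: list, steps: list) -> bool:
    """True when every step is seen, in order, with its argument predicate satisfied.
    Unrelated calls in between are ignored, so optional ones (NtUnmapViewOfSection,
    which only runs if something is already mapped at 0x400000) need no rule."""
    i = 0
    for api, args in calls:
        if i < len(steps) and api in steps[i][0] and steps[i][1](args):
            i += 1
    return i == len(steps)


def has_flag(args: dict, name: str, bit: int) -> bool:
    return bool(int(args.get(name, "0"), 0) & bit)


# Rule 1: CreateFileMappingW(INVALID_HANDLE_VALUE) reaches the kernel as NtCreateSection
# with no backing file (assumed to appear as FileHandle=NULL in this trace format).
ANON_EXEC_SECTION: list = [
    (("NtCreateSection",), lambda a: a.get("FileHandle") in ("NULL", "0x0")
                                     and "EXECUTE" in a.get("Protect", "")),
    (("NtMapViewOfSection",), lambda a: True),
]

# Rule 2: the hollowing chain from the post; the first write must carry a PE header.
HOLLOWING: list = [
    (("CreateProcessW",), lambda a: has_flag(a, "dwCreationFlags", CREATE_SUSPENDED)),
    (("VirtualAllocEx",), lambda a: "EXECUTE" in a.get("flProtect", "")),
    (("NtWriteVirtualMemory",), lambda a: a.get("Data", "").lower().startswith("4d5a")),
    (("NtSetContextThread",), lambda a: True),
    (("NtAlertResumeThread", "NtResumeThread"), lambda a: True),
]

RULES = (("process-hollowing", HOLLOWING), ("anonymous-executable-section", ANON_EXEC_SECTION))


def detect(trace: str) -> dict:
    """Return {pid: [names of rules that matched]} for every process in the trace."""
    findings: dict = {}
    for pid, calls in parse(trace).items():
        hits = [name for name, rule in RULES if in_order(calls, rule)]
        if hits:
            findings[pid] = hits
    return findings


# Constructed trace: pid 1001 behaves like the loader, pid 2002 is benign noise.
SAMPLE_TRACE = """
1001 NtCreateSection FileHandle=NULL Protect=PAGE_EXECUTE_READWRITE MaximumSize=0x3c000
1001 NtMapViewOfSection SectionHandle=0x1a4 BaseAddress=0x2a50000
1001 CreateProcessW lpApplicationName=child.exe dwCreationFlags=0x4
1001 NtGetContextThread ThreadHandle=0x1b0
1001 ReadProcessMemory hProcess=0x1ac lpBaseAddress=PEB.ImageBaseAddress
1001 VirtualAllocEx hProcess=0x1ac lpAddress=0x400000 dwSize=0x3c000 flProtect=PAGE_EXECUTE_READWRITE
1001 NtWriteVirtualMemory ProcessHandle=0x1ac BaseAddress=0x400000 Data=4d5a90000300000004000000ffff
1001 NtWriteVirtualMemory ProcessHandle=0x1ac BaseAddress=0x402000 Data=5589e583ec
1001 NtSetContextThread ThreadHandle=0x1b0
1001 NtAlertResumeThread ThreadHandle=0x1b0
2002 CreateProcessW lpApplicationName=notepad.exe dwCreationFlags=0x0
2002 VirtualAllocEx hProcess=0x2c0 lpAddress=0x0 dwSize=0x1000 flProtect=PAGE_READWRITE
2002 NtResumeThread ThreadHandle=0x2c4
"""

if __name__ == "__main__":
    print(detect(SAMPLE_TRACE))
```

The hollowing rule keys on the whole chain (suspended child, executable allocation, a write that begins with MZ, a context change, a resume) rather than on any single call, because each call on its own is also used by debuggers, CLR hosts and installers; the anonymous-section rule is deliberately the weaker of the two and would be combined with other signals in practice.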
