Introduction

This article was written during BSidesLV, BlackHat and Defcon events.

** We highly recommend you to try to do the analysis by yourself before looking at this article. Here is a fake one cfd26988d55294870f2676117cf1307ca4acdf8d **

A remote administration tool (also known as a RAT) is a piece of software that allows a remote “operator” to control a system as if he has physical access to that system. While desktop sharing and remote administration have many legal uses, such software is usually associated with criminal or malicious activity. In this example we are going to take a look at Cybergate RAT which have its configuration hardcoded. Our goal is to decrypt and retrieve its configuration.

Getting started

Hashing

To get the SHA1 you can use rahash2 -a sha1 sample.exe or ph sha1 $s @ 0. The $s variable contains the binary size, see ?$? to get the complete list of variable.

See also rahash2 tutorial on

Strings

To get the complete list of strings, use rabin2 -zz sample.exe or [0x0040e1a8]> izz. You can also get them in json format by appending j, like rabin2 -zzj sample.exe or [0x0040e1a8]> izzj.

You can notice that in the sample there is a huge proportion of ###@###. To give you a hint, it is very frequent that basic RAT store their configuration in an encrypted form and use delimiter to seperate the various elements, like ###@###http://urlofattacker###@###enableFTP=true###@###. You can also see that this string is stored in the .rsrc. section. If you want more context, you can simply use rafind2 -X -s "###" sample.exe.

Information of the binary

• Get Information: rabin2 -I sample.exe or [0x0040e1a8]> iI
• Get Entrypoint: rabin2 -e sample.exe or [0x0040e1a8]> ie
• Get Sections: rabin2 -S sample.exe or iS
• Get imports: rabin2 -i sample.exe or [0x0040e1a8]> ii
• Get libraries: rabin2 -L sample.exe or [0x0040e1a8]> iL
• Get Entropy: rahash2 -B -b 512 -a entropy sample.exe or [0x0040e1a8]> p=e

You can of course combine everything into one command: -IeiL.

Imports are giving us an indication about what resource are manipulated, you can get them with rabin2 -i sample.exe, as mentionned previously.

Analysis

We want to open and analyse the binary the dumb way r2 -A (-A is using [0x0040e1a8]> aaa see why it is a bad practice here: http://radare.today/posts/analysis-by-default/).

We know that the configuration is located in the .rsrc segment. By checking the imports we know that what resources are manipulated: Let see where this takes place by looking at the XREFS.

In the visual mode we can visit VF to get all flags, then go to the hud, using _ we can search for LoadResource.

If you select imp.kernel32.dll_LoadResource, which appears to be a relocation, x is giving us the xref and we can use 0 shortcut (keyboard) to seek to the first (and only) reference. We can do it again as it was just a relocation and we land on fcn.0040630c.

We now use visual graph using V don’t forget to activate comment using ".

As we can see this function primary purpose is clearly to load the resource. Let’s rename it using r (as in rename) followed by get_resource.

Let see the xref of this function. fcn.00406380. We can see that this function is manipulationg ###@### in mov edx, 0x406460 ; "####@####" 0x00406460.

If we look at the function called after this using keyboard g followed by the letter in brackets: [a], [b].. we can see lot of them looks like garbage but one clearly stand out: .

We can see a loop with a buffer being xored xor dl, 0xbc.

Configuration decryption

We can now proceed decryption the dirty way. First we reopen the binary in raw + write mode using oonn+ then we use wox to xor the binary. [0x0040e1a8]> wox 0xbc $s @ 0. Now relaunching the [0x0040e1a8]> izz we can see the decrypted configuration!

Next steps

If you are looking for Malware RAT Family easy to analyze, please check out RATDecoders.

– Maxime M., Incident Intelligence Analyst @ FireEye (aka Maijin)