
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title>BUGHATCH Malware Analysis — Elastic Security Labs</title><meta name="description" content="Elastic Security has performed a deep technical analysis of the BUGHATCH malware. This includes capabilities as well as defensive countermeasures."/><meta property="og:title" content="BUGHATCH Malware Analysis — Elastic Security Labs"/><meta property="og:description" content="Elastic Security has performed a deep technical analysis of the BUGHATCH malware. This includes capabilities as well as defensive countermeasures."/><meta property="og:image" content="https://www.elastic.co/security-labs/assets/images/bughatch-malware-analysis/libraries-edev-ops-1680x980.jpg?dce9fcc0d03a3859c3d329601d191822"/><meta property="og:image:alt" content="Elastic Security has performed a deep technical analysis of the BUGHATCH malware. This includes capabilities as well as defensive countermeasures."/><meta property="og:site_name"/><meta property="og:url" content="https://www.elastic.co/security-labs/bughatch-malware-analysis"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="BUGHATCH Malware Analysis — Elastic Security Labs"/><meta name="twitter:description" content="Elastic Security has performed a deep technical analysis of the BUGHATCH malware. This includes capabilities as well as defensive countermeasures."/><meta name="twitter:image" content="https://www.elastic.co/security-labs/assets/images/bughatch-malware-analysis/libraries-edev-ops-1680x980.jpg?dce9fcc0d03a3859c3d329601d191822"/><meta name="twitter:image:alt" content="Elastic Security has performed a deep technical analysis of the BUGHATCH malware. 
This includes capabilities as well as defensive countermeasures."/><link rel="canonical" href="https://www.elastic.co/security-labs/bughatch-malware-analysis"/><link rel="preload" href="/security-labs/logo.svg" as="image" fetchpriority="high"/><link rel="preload" as="image" imageSrcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=640&amp;q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=750&amp;q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=828&amp;q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=1080&amp;q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=1200&amp;q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=1920&amp;q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=2048&amp;q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=3840&amp;q=75 3840w" imageSizes="100vw" fetchpriority="high"/><meta name="next-head-count" content="19"/><script src="https://play.vidyard.com/embed/v4.js" type="text/javascript" async=""></script><link rel="icon" href="/security-labs/favicon.svg"/><link rel="mask-icon" href="/security-labs/favicon.svg" color="#1C1E23"/><link rel="apple-touch-icon" href="/security-labs/favicon.svg"/><meta name="theme-color" content="#1C1E23"/><link rel="preload" 
href="/security-labs/_next/static/media/6d93bde91c0c2823-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/a34f9d1faa5f3315-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/369c6e283c5acc6e-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/92f44bb82993d879-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/ee71530a747ff30b-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/9fac010bc1f02be0-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><link rel="preload" href="/security-labs/_next/static/media/cbf5fbad4d73afac-s.p.woff2" as="font" type="font/woff2" crossorigin="anonymous" data-next-font="size-adjust"/><script id="google-tag-manager" data-nscript="beforeInteractive"> (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KNJMG2M'); </script><link rel="preload" href="/security-labs/_next/static/css/265ed7605fd03477.css" as="style"/><link rel="stylesheet" href="/security-labs/_next/static/css/265ed7605fd03477.css" data-n-g=""/><link rel="preload" href="/security-labs/_next/static/css/1007ff9e696f6f88.css" as="style"/><link rel="stylesheet" href="/security-labs/_next/static/css/1007ff9e696f6f88.css" data-n-p=""/><noscript 
data-n-css=""></noscript><script defer="" nomodule="" src="/security-labs/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js"></script><script src="/security-labs/_next/static/chunks/webpack-7987c6fda769d510.js" defer=""></script><script src="/security-labs/_next/static/chunks/framework-7a7e500878b44665.js" defer=""></script><script src="/security-labs/_next/static/chunks/main-ebd33a9f1cae5951.js" defer=""></script><script src="/security-labs/_next/static/chunks/pages/_app-cb8664d1d3df2511.js" defer=""></script><script src="/security-labs/_next/static/chunks/fec483df-43ee602fabdfe3a4.js" defer=""></script><script src="/security-labs/_next/static/chunks/877-34f408271ef44c22.js" defer=""></script><script src="/security-labs/_next/static/chunks/511-d08fe0fdd6f8a984.js" defer=""></script><script src="/security-labs/_next/static/chunks/683-a5053c37fe5bd0c9.js" defer=""></script><script src="/security-labs/_next/static/chunks/402-8f632e261e10d103.js" defer=""></script><script src="/security-labs/_next/static/chunks/616-0b017b9cfa597392.js" defer=""></script><script src="/security-labs/_next/static/chunks/pages/%5Bslug%5D-b0c191de1a3710e4.js" defer=""></script><script src="/security-labs/_next/static/kahZ-cxorFKvHlgt0NoHQ/_buildManifest.js" defer=""></script><script src="/security-labs/_next/static/kahZ-cxorFKvHlgt0NoHQ/_ssgManifest.js" defer=""></script></head><body><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript><div id="__next"><main class="__variable_0351a5 __variable_1f211e __variable_a5b5f5 flex flex-col min-h-screen"><div class="scroll-percentage-container"><div class="scroll-percentage-bar" style="width:0%"></div></div><nav class="fixed w-full z-40" data-headlessui-state=""><div class="bg-gradient-to-b from-zinc-900 from-20% h-[200%] to-transparent absolute inset-0 z-0 pointer-events-none"></div><div class="container relative z-10"><div class="flex h-16 
items-center justify-between"><div class="flex items-center justify-start w-full"><div><a class="hover:opacity-50 transition" href="/security-labs"><img alt="elastic security labs logo" fetchpriority="high" width="200" height="30" decoding="async" data-nimg="1" style="color:transparent" src="/security-labs/logo.svg"/></a></div><div class="hidden lg:ml-6 lg:block"><div class="flex space-x-4"><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/about"><span>About</span></a><div class="relative" data-headlessui-state=""><div><button class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" id="headlessui-menu-button-:R2kpm:" type="button" aria-haspopup="menu" aria-expanded="false" data-headlessui-state="">Topics<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true" class="ml-1 -mr-1 h-4 w-4 text-zinc-400 relative top-[1px]"><path fill-rule="evenodd" d="M5.23 7.21a.75.75 0 011.06.02L10 11.168l3.71-3.938a.75.75 0 111.08 1.04l-4.25 4.5a.75.75 0 01-1.08 0l-4.25-4.5a.75.75 0 01.02-1.06z" clip-rule="evenodd"></path></svg></button></div></div><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/vulnerability-updates"><span>Vulnerability updates</span></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/reports"><span>Reports</span></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display 
font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="/security-labs/category/tools"><span>Tools</span></a></div></div><div class="hidden lg:ml-auto lg:block"><div class="flex items-center space-x-4"><a class="rounded flex items-center p-4 text-white focus:outline-none focus:ring-0 focus:ring-offset-1 focus:ring-offset-zinc-600 group" href="https://search.elastic.co/?location%5B0%5D=Security%20Labs&amp;referrer=https://www.elastic.co/security-labs/bughatch-malware-analysis"><div class="flex items-center relative font-display"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-5.197-5.197m0 0A7.5 7.5 0 105.196 5.196a7.5 7.5 0 0010.607 10.607z"></path></svg></div></a><a class="flex lg:inline-flex font-light my-1 py-1 px-2 font-display font-semibold lg:text-sm xl:text-base items-center transition hover:hover-link hover:text-white focus:accessible-link-focus" href="https://www.elastic.co/security-labs/rss/feed.xml"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true" class="h-4 w-4 mr-1"><path d="M3.75 3a.75.75 0 00-.75.75v.5c0 .414.336.75.75.75H4c6.075 0 11 4.925 11 11v.25c0 .414.336.75.75.75h.5a.75.75 0 00.75-.75V16C17 8.82 11.18 3 4 3h-.25z"></path><path d="M3 8.75A.75.75 0 013.75 8H4a8 8 0 018 8v.25a.75.75 0 01-.75.75h-.5a.75.75 0 01-.75-.75V16a6 6 0 00-6-6h-.25A.75.75 0 013 9.25v-.5zM7 15a2 2 0 11-4 0 2 2 0 014 0z"></path></svg><span class="hidden xl:block">Subscribe</span></a><a class="font-display inline-flex items-center justify-center rounded font-semibold disabled:!select-none disabled:!bg-gray-400 bg-blue-600 text-white hover:bg-blue-500 enabled:hover:text-white/80 transition-colors px-4 py-2 text-sm flex-1 lg:flex-auto" 
href="https://cloud.elastic.co/registration?cta=cloud-registration&amp;tech=trial&amp;plcmt=navigation&amp;pg=security-labs">Start free trial</a><a class="font-display inline-flex items-center justify-center rounded font-semibold text-white disabled:!select-none disabled:!bg-gray-400 button px-4 py-2 text-sm flex-1 lg:flex-auto" href="https://www.elastic.co/contact">Contact sales</a></div></div></div><div class="-mr-2 flex lg:hidden"><a class="rounded flex items-center p-4 text-white focus:outline-none focus:ring-0 focus:ring-offset-1 focus:ring-offset-zinc-600 group" href="https://search.elastic.co/?location%5B0%5D=Security%20Labs&amp;referrer=https://www.elastic.co/security-labs/bughatch-malware-analysis"><div class="flex items-center relative font-display"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M21 21l-5.197-5.197m0 0A7.5 7.5 0 105.196 5.196a7.5 7.5 0 0010.607 10.607z"></path></svg></div></a><button class="inline-flex items-center justify-center rounded-md p-2 text-gray-400 hover:bg-gray-700 hover:text-white focus:outline-none focus:ring-2 focus:ring-inset focus:ring-white" id="headlessui-disclosure-button-:R59m:" type="button" aria-expanded="false" data-headlessui-state=""><span class="sr-only">Open navigation menu</span><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="block h-6 w-6"><path stroke-linecap="round" stroke-linejoin="round" d="M3.75 6.75h16.5M3.75 12h16.5m-16.5 5.25h16.5"></path></svg></button></div></div></div></nav><main class="mb-20 flex-1 flex flex-col"><div class="h-48 md:h-64"><div class="after:absolute after:block after:bg-blue-400 after:blur-3xl after:content-[&#x27; &#x27;] after:h-96 after:opacity-5 after:right-0 after:rounded-full after:top-20 after:w-1/2 after:z-0 before:absolute 
before:block before:blur-3xl before:bg-orange-400 before:content-[&#x27; &#x27;] before:h-96 before:left-0 before:opacity-5 before:rounded-full before:w-1/2 before:z-0 w-full h-full relative"><div class="relative z-10 w-full h-[125%] -top-[25%] bg-no-repeat bg-cover bg-bottom flex items-center justify-center" style="background-image:url(/security-labs/grid.svg)"></div></div></div><article class="px-4"><div class="max-w-7xl mx-auto relative z-10 flex flex-col space-y-4"><div class="eyebrow break-words"><time class="block mb-2 md:mb-0 md:inline-block article-published-date" dateTime="2022-09-09T00:00:00.000Z">9 September 2022</time><span class="hidden md:inline-block md:mx-2">•</span><a class="hover:text-blue-400 text-xs md:text-sm whitespace-nowrap author-name" href="/security-labs/author/salim-bitam">Salim Bitam</a></div><h1 class="font-bold leading-tighter text-3xl md:text-5xl"><span>BUGHATCH Malware&nbsp;Analysis</span></h1><p class="text-zinc-200 text-base md:text-xl">Malware analysis of the BUGHATCH downloader.</p><div class="flex items-center mt-4 text-zinc-200 text-sm space-x-4 border-t border-white/25 pt-4"><span class="flex items-center space-x-1"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-4 w-4 text-zinc-400"><path stroke-linecap="round" stroke-linejoin="round" d="M12 6v6h4.5m4.5 0a9 9 0 11-18 0 9 9 0 0118 0z"></path></svg><span>34 min read</span></span><span class="flex items-center space-x-1"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="h-4 w-4 text-zinc-400"><path stroke-linecap="round" stroke-linejoin="round" d="M9.568 3H5.25A2.25 2.25 0 003 5.25v4.318c0 .597.237 1.17.659 1.591l9.581 9.581c.699.699 1.78.872 2.607.33a18.095 18.095 0 005.223-5.223c.542-.827.369-1.908-.33-2.607L11.16 3.66A2.25 2.25 0 009.568 3z"></path><path stroke-linecap="round" 
stroke-linejoin="round" d="M6 6h.008v.008H6V6z"></path></svg><span><a class="hover:text-blue-400 whitespace-nowrap" href="/security-labs/category/malware-analysis">Malware analysis</a></span></span></div></div><div class="max-w-7xl mx-auto"><div class="bg-zinc-900 border border-zinc-800 drop-shadow-lg p-5 sm:p-8 md:p-10 rounded-3xl mt-5 md:mt-10"><div class="relative w-full rounded-lg overflow-hidden aspect-video"><img alt="BUGHATCH Malware Analysis" fetchpriority="high" decoding="async" data-nimg="fill" class="object-cover absolute h-full w-full" style="position:absolute;height:100%;width:100%;left:0;top:0;right:0;bottom:0;color:transparent" sizes="100vw" srcSet="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=640&amp;q=75 640w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=750&amp;q=75 750w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=828&amp;q=75 828w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=1080&amp;q=75 1080w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=1200&amp;q=75 1200w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=1920&amp;q=75 1920w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=2048&amp;q=75 2048w, /security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=3840&amp;q=75 3840w" 
src="/security-labs/_next/image?url=%2Fsecurity-labs%2Fassets%2Fimages%2Fbughatch-malware-analysis%2Flibraries-edev-ops-1680x980.jpg&amp;w=3840&amp;q=75"/><div class="absolute border border-white/50 inset-0 mix-blend-overlay rounded-lg z-10"></div></div></div></div><div class="lg:max-w-7xl mx-auto relative mt-12 lg:grid lg:grid-cols-4 lg:gap-8 items-start"><div class="flex justify-center lg:col-span-3"><div class="prose lg:prose-lg prose-invert w-full article-content"><div><h2 class="font-bold text-2xl md:text-4xl relative"><span id="key-takeaways" class="absolute -top-32"></span>Key takeaways</h2> <ul> <li>Elastic Security Labs is releasing a BUGHATCH malware analysis report from a recent <a href="https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis">campaign</a></li> <li>This report covers detailed code analysis, network communication protocols, command handling, and observed TTPs</li> <li>From this research we produced a <a href="https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Bughatch.yar">YARA rule</a> to detect the BUGHATCH downloader</li> </ul> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="preamble" class="absolute -top-32"></span>Preamble</h2> <p>BUGHATCH is an implant of a custom C2 deployed during the CUBA ransomware campaigns we observed in February of 2022, this tool was most likely built by the threat actor themselves as it was not used previously.</p> <p>BUGHATCH is capable of downloading and executing commands and arbitrary code, it gives the operator the freedom to execute payloads with different techniques like reflection, shellcode execution, system command execution, and so on. 
The samples we have seen were not obfuscated and were deployed using a custom obfuscated in-memory dropper written in PowerShell and referred to as <a href="https://www.mandiant.com/resources/unc2596-cuba-ransomware">TERMITE by Mandiant</a>.</p> <p>In this document, we will go through the execution flow of BUGHATCH, highlighting its functionalities and code execution techniques; a YARA rule and the MITRE ATT&amp;CK mapping can be found in the appendix.</p> <p>In this analysis we will describe the following:</p> <ul> <li>Token adjustment</li> <li>Information collection</li> <li>Threading and thread synchronization</li> <li>Network communication protocol</li> <li>Command handling</li> </ul> <blockquote> <p>For information on the CUBA ransomware campaign and associated malware analysis, check out our blog posts detailing this:</p> <ul> <li><a href="https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis">CUBA Ransomware Campaign</a></li> <li><a href="https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis">CUBA Malware Analysis</a></li> </ul> </blockquote> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="static-analysis" class="absolute -top-32"></span>Static analysis</h2> <div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th scope="col">Property</th><th scope="col">Value</th></tr></thead><tbody><tr><th scope="row">SHA256</th><td>F1325F8A55164E904A4B183186F44F815693A008A9445D2606215A232658C3CF</td></tr><tr><th scope="row">File Size</th><td>35840 bytes</td></tr><tr><th scope="row">File Type</th><td>Win32 executable</td></tr><tr><th scope="row">Signed?</th><td>No</td></tr><tr><th scope="row">Packer?</th><td>No</td></tr><tr><th scope="row">Compiler</th><td>Visual Studio 2017 - 15.5.0 preview 2</td></tr><tr><th scope="row">Compile Time</th><td>Sun Feb 06 21:05:18 2022 UTC</td></tr><tr><th scope="row">Entropy</th><td>6.109</td></tr></tbody></table></div> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="sections" class="absolute -top-32"></span>Sections</h3> <div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th scope="col">Name</th><th scope="col">VirtualAddress</th><th scope="col">Virtual Size</th><th scope="col">Raw Size</th><th scope="col">Entropy</th><th scope="col">MD5</th></tr></thead><tbody><tr><td>.text</td><td>0x1000</td><td>0x6000</td><td>0x5400</td><td>5.933</td><td>A6E30CCF838569781703C943F18DC3F5</td></tr><tr><td>.rdata</td><td>0x7000</td><td>0x3000</td><td>0x2A00</td><td>6.217</td><td>9D9AD1251943ECACE81644A7AC320B3C</td></tr><tr><td>.data</td><td>0xA000</td><td>0x1000</td><td>0x400</td><td>1.163</td><td>B983B8EB258220628BE2A88CA44286B4</td></tr><tr><td>.reloc</td><td>0xB000</td><td>0x424</td><td>0x600</td><td>5.235</td><td>39324A58D79FC5B8910CBD9AFBF1A6CB</td></tr></tbody></table></div> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="code-analysis" class="absolute -top-32"></span>Code analysis</h2> <p>BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs (<strong>VirtualAlloc</strong>, <strong>CreateThread</strong>, <strong>WaitForSingleObject</strong>).</p> <p>The PowerShell loader uses inline C# to load the APIs needed for shellcode injection, as seen in the following pseudocode.</p> <p></p> <p>The PowerShell script is obfuscated with random function and variable names and contains the shellcode in a reverse-Base64 format.</p> <p></p> <p>The script first decodes the reverse-Base64 encoded data, then allocates a memory region with <strong>VirtualAlloc</strong> before copying the shellcode into it. 
Finally, the script executes the shellcode by creating a new thread with the <strong>CreateThread</strong> API.</p> <p></p> <p>The shellcode downloads another shellcode blob and the encrypted PE implant from the C2 server, this second shellcode decrypts and reflectively loads the PE malware.</p> <p>This section dives deeper into the BUGHATCH execution flow, threading and encryption implementation, communication protocol with C2, and finally supported commands and payload execution techniques implemented.</p> <p>The following is a diagram summarizing the execution flow of the implant:</p> <p></p> <p></p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="token-adjustment" class="absolute -top-32"></span>Token adjustment</h3> <p>The implant starts by elevating permissions using the <strong>SeDebugPrivilege</strong> method, enabling the malware to access and read the memory of other processes. It leverages common Windows APIs to achieve this as shown in the pseudocode below:</p> <p></p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="information-collection" class="absolute -top-32"></span>Information collection</h3> <p>The malware collects host-based information used to fingerprint the infected system, this information will be stored in a custom structure that will be 2-byte XOR encrypted and sent to the C2 server in an HTTP POST request.</p> <p>The following lists the collected information:</p> <ul> <li>Current value of the performance counter</li> <li>Network information</li> <li>System information</li> <li>Token information</li> <li>Domain and Username of the current process</li> <li>Current process path</li> </ul> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="current-value-of-the-performance-counter" class="absolute -top-32"></span>Current value of the performance counter</h4> <p>Using the <strong>QueryPerformanceCounter</strong> API, it collects the amount of time since the system was 
last booted. This value will be used to compute the 2-byte XOR encryption key to encrypt communications between the implant and the C2 server, a detailed analysis of the encryption implementation will follow.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="network-information" class="absolute -top-32"></span>Network information</h4> <p>It collects the addresses of network interfaces connected to the infected machine by using the <strong>GetIpAddrTable</strong> Windows API.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="system-information" class="absolute -top-32"></span>System information</h4> <p>BUGHATCH collects key system information which includes:</p> <ul> <li>Windows major release, minor release, and build number</li> <li>Processor architecture (either 32-bit or 64-bit)</li> <li>Computer name</li> </ul> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="token-information" class="absolute -top-32"></span>Token information</h4> <p>The agent proceeds to collect the current process token group membership, it invokes the <strong>AllocateAndInitializeSid</strong> API followed by the <strong>CheckTokenMembership</strong> API, concatenating the <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings">SDDL SID strings</a> for every group the process token is part of. 
While not unique to BUGHATCH, this is detected by Elastic&#x27;s <a href="https://www.elastic.co/guide/en/security/current/enumeration-of-privileged-local-groups-membership.html">Enumeration of Privileged Local Groups Membership</a> detection rule.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="domain-and-username-of-the-current-process" class="absolute -top-32"></span>Domain and username of the current process</h4> <p>The malware opens a handle to the current process with <strong>OpenProcessToken</strong> and gets the structure that contains the user account of the token with <strong>GetTokenInformation</strong>. It then retrieves the username and domain of the user account with the <strong>LookupAccountSidW</strong> API and concatenates the 2 strings in the following format: <strong>DOMAIN\USERNAME</strong>.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="current-process-path" class="absolute -top-32"></span>Current process path</h4> <p>Finally, it collects the current process path with <strong>GetModuleFileNameW</strong>. The malware then encrypts the entire populated structure with a simple 2-byte XOR algorithm, this encryption implementation is detailed later in the report.</p> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="threading-and-thread-synchronization" class="absolute -top-32"></span>Threading and thread synchronization</h2> <p>The implant is multithreaded; it uses two different linked lists, one is filled with the commands received from the C2 server and the other is filled with the output of the commands executed.</p> <p>It spawns 5 worker threads, each handling a command received from the C2 server by accessing the appropriate linked list using the <strong>CriticalSection</strong> object. 
The main process’ thread also retrieves the command&#x27;s output from the second linked list using the <strong>CriticalSection</strong> object for synchronization purposes, to avoid any race conditions.</p> <p></p> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="network-communication-protocol" class="absolute -top-32"></span>Network communication protocol</h2> <p>In this section we will detail:</p> <ul> <li>Base communication protocol</li> <li>Encryption implementation</li> </ul> <p>The implant we analyzed uses HTTP(S) for communications. On top of the SSL encryption of the protocol, the malware and C2 encrypt the data with a 2-byte XOR key computed by the malware for each new session. The values to compute the 2-byte XOR key are prepended at the beginning of the base protocol packet which the server extracts to decrypt/encrypt commands.</p> <p>When launched, the malware will first send an HTTP POST request to the C2 server containing all the collected information extracted from the victim’s machine, the C2 then responds with the operator’s command if available, or else the agent sleeps for 60 seconds. 
After executing the command and only if the output of the executed command is available, the malware will send a POST request containing both the collected information and the command’s output, otherwise, it sends the collected information and waits for new commands.</p> <p></p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="base-communication-protocol" class="absolute -top-32"></span>Base communication protocol</h3> <p>The author(s) of BUGHATCH implemented a custom network protocol, the following is the syntax that the agent and server use for their communication:</p> <p></p> <ul> <li><strong>XOR key values:</strong> The values to compute the 2-byte XOR encryption key used to encrypt the rest of the data</li> <li><strong>Separator:</strong> A static value ( <strong>0x389D3AB7</strong> ) that separates <strong>Msg</strong> chunks, example: the server can send different instructions in the same HTTP request separated by the <strong>Separator</strong></li> <li><strong>Chunk length:</strong> Is the length of the <strong>Msg</strong> , <strong>Separator</strong> and <strong>Chunk length</strong></li> <li><strong>Msg:</strong> Is the message to be sent, the message differs from the agent to the server.</li> </ul> <p>We will dive deeper into the encapsulation of the <strong>Msg</strong> for both the agent and the server.</p> <p></p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="encryption-implementation" class="absolute -top-32"></span>Encryption implementation</h3> <p>The malware uses 2-byte XOR encryption when communicating with the C&amp;C server; a 2-byte XOR key is generated and computed by the implant for every session with the C2 server.</p> <p>The agent uses two DWORD values returned by <strong>QueryPerformanceCounter</strong> API as stated earlier, it then computes a 2-byte XOR key by XOR-encoding the DWORD values and then multiplying and adding hardcoded values. 
The following is Python pseudocode of how the KEY is computed:</p> <pre><code>tmp = (PerformanceCount[0] ^ PerformanceCount[1]) &amp; 0xFFFFFFFF
XorKey = (0x343FD * tmp + 0x269EC3) &amp; 0xFFFFFFFF
XorKey = p16(XorKey &gt;&gt; 16).ljust(2, b&#x27;\x00&#x27;)</code></pre> <p></p> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="command-handling" class="absolute -top-32"></span>Command handling</h2> <p>In this section, we will dive deeper into the functionalities implemented in the agent and their respective <strong>Msg</strong> structure that will be encapsulated in the base communication protocol structure as mentioned previously.</p> <p>Once the working threads are started, the main thread will continue beaconing to the C2 server to retrieve commands. The main loop is made up of the following:</p> <ul> <li>Send POST request</li> <li>Decrypt the received command and add it to the linked list</li> <li>Sleep for 60 seconds</li> </ul> <p>A working thread will first execute the <strong>RemoveEntryRecvLinkedList</strong> function that accesses and retrieves the data sent by the C2 server from the linked list.</p> <p></p> <p>The thread will then de-encapsulate the data received from the C2 and extract the <strong>Msg(Command)</strong>. 
The malware implements different functionalities according to a command flag; the table below illustrates the functionality of each command:</p> <div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th scope="col">Command FLAG</th><th scope="col">Description</th></tr></thead><tbody><tr><td>1</td><td>Group functions related to code and command execution</td></tr><tr><td>2</td><td>Group functions related to utilities like impersonation and migration</td></tr><tr><td>3</td><td>Process injection of a PE file in a suspended child process</td></tr></tbody></table></div> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="command-1" class="absolute -top-32"></span>Command 1</h3> <p>This command gives access to functionalities related to payload execution, from DLL to PE executable to PowerShell and cmd scripts.</p> <p>Some of the sub-commands use pipes to redirect the standard input/output of the child process, which enables the attacker to execute payloads and retrieve their output (for example, PowerShell or Mimikatz).</p> <p>The following is the list of sub-commands:</p> <div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th scope="col">Sub Command Flag</th><th scope="col">Function Name</th><th scope="col">Functionality description</th></tr></thead><tbody><tr><td>2</td><td>ReflectivelyExecutePERemote</td><td>Reflectively loads PE files in a child process and redirects its standard input/output; the output is sent to the operator’s C2 server</td></tr><tr><td>3</td><td>DropPEDiskExecute</td><td>Drops a PE file to disk and executes it; the execution output is then sent to the operator’s C2 server</td></tr><tr><td>4</td><td>SelfShellcodeExecute</td><td>Executes a shellcode in the same process</td></tr><tr><td>5</td><td>RemoteShellcodeExecute</td><td>Executes a shellcode in a suspended spawned child 
process</td></tr><tr><td>6</td><td>ExecuteCmd</td><td>Executes a CMD script/command</td></tr><tr><td>7</td><td>ExecutePowershell</td><td>Executes a PowerShell script/command</td></tr><tr><td>9</td><td>ReflectivelyLoadDllRemote</td><td>Executes a DLL reflectively in a remote process using the CreateRemoteThread API</td></tr></tbody></table></div> <p>The following is the structure that is used by the above commands:</p> <pre><code>struct ExecutePayloadCommandStruct {
    DWORD commandFlag;
    DWORD field_0;
    DWORD subCommandFlag_1;
    DWORD readPipeTimeOut_2;
    DWORD payloadSize_3;
    DWORD commandLineArgumentSize_4;
    DWORD STDINDataSize_5;
    CHAR payload_cmdline_stdin[n];
};</code></pre> <ul> <li><strong>commandFlag:</strong> Indicates the command</li> <li><strong>subCommandFlag:</strong> Indicates the subcommand</li> <li><strong>readPipeTimeOut:</strong> Indicates the timeout for reading the output of child processes from a pipe</li> <li><strong>payloadSize:</strong> Indicates the payload size</li> <li><strong>commandLineArgumentSize:</strong> Indicates the length of the command line arguments used when executing the payload (for example a PE binary)</li> <li><strong>STDINDataSize:</strong> Indicates the length of the standard input data that will be sent to the child process</li> <li><strong>payload_cmdline_stdin:</strong> Can contain the payload (for example a PE file), its command line arguments and the standard input data that will be forwarded to the child process; the malware locates the beginning and end of each of these using their respective lengths.</li> </ul> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="reflectivelyexecuteperemote" class="absolute -top-32"></span>ReflectivelyExecutePERemote</h4> <p>The agent reflectively loads PE binaries in the memory space of a created process in a suspended state (either <strong>cmd.exe</strong> or <strong>svchost.exe</strong> ). 
The agent leverages <a href="https://docs.microsoft.com/en-us/windows/win32/ipc/anonymous-pipes">anonymous (unnamed) pipes</a> within Windows to redirect the created child process&#x27;s standard input and output handles. It first creates an anonymous pipe that will be used to retrieve the output of the created process, then the pipe handles are specified in the <strong>STARTUPINFO</strong> structure of the child process.</p> <p></p> <p>After creating the suspended process, the malware allocates a large memory block to write shellcode and a XOR encrypted PE file.</p> <p>The shellcode will 2-byte XOR decrypt and load the embedded PE similar to ( <strong>Command 3</strong> ). This command can load 64bit and 32bit binaries, each architecture has its own shellcode PE loader, after injecting the shellcode it will point the instruction pointer of the child process’s thread to the shellcode and resume the thread.</p> <p></p> <p>The following is an example of a packet captured from our custom emulated C2 server, we can see the structure discussed earlier on the left side and the packet bytes on the right side, for each command implemented in the malware, a packet example will be given.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="droppediskexecute" class="absolute -top-32"></span>DropPEDiskExecute</h4> <p>With this subcommand, the operator can drop a PE file on disk and execute it. 
The agent has 3 different implementations depending on the PE file type: GUI application, CUI (console application), or DLL.</p> <p>For CUI binaries, the malware first generates a random path in the temporary folder and writes the PE file to it using the <strong>CreateFileA</strong> and <strong>WriteFile</strong> APIs.</p> <p></p> <p>It then runs the dropped binary as a child process, redirecting its standard input and output handles; after the payload has executed, the output is sent to the operator’s C2 server.</p> <p>For GUI PE binaries, the agent simply writes the file to disk and executes it directly with the <strong>CreateProcessA</strong> API.</p> <p>Lastly, for DLL PE files, the malware first writes the DLL to a randomly generated path in the temporary folder, then uses <strong>c:\windows\system32\rundll32.exe</strong> or <strong>c:\windows\syswow64\rundll32.exe</strong> (depending on the architecture of the DLL) to run either an exported function specified by the operator or the function <strong>start</strong> if no export function was specified.</p> <p></p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="selfshellcodeexecute" class="absolute -top-32"></span>SelfShellcodeExecute</h4> <p>This subcommand tasks the agent with executing shellcode in its own memory space: it allocates a memory region using the <strong>VirtualAlloc</strong> API, copies the shellcode to it, and executes it by creating a thread with the <strong>CreateThread</strong> API.</p> <p></p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="remoteshellcodeexecute" class="absolute -top-32"></span>RemoteShellcodeExecute</h4> <p>This sub-command can be used to execute a 32-bit or a 64-bit position-independent shellcode in another process’s memory space.</p> <p>Similarly to the <strong>SpawnAgent</strong> subcommand, the malware creates a suspended <strong>svchost.exe</strong> process with 
<strong>CreateProcessA</strong> API, allocates a memory region for the shellcode sent by the C2 server with <strong>VirtualAllocEx</strong> , and writes to it with <strong>WriteProcessMemory</strong> ; it then sets the suspended thread’s instruction pointer to the injected shellcode with <strong>SetThreadContext</strong> and finally resumes the thread with <strong>ResumeThread</strong> to execute the payload.</p> <p></p> <p></p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="executecmd-and-executepowershell" class="absolute -top-32"></span>ExecuteCmd and ExecutePowershell</h4> <p>An operator can execute PowerShell scripts or CMD scripts on the infected machine. The malware writes the script to a file in the temporary folder with a randomly generated name, as follows: <strong><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">TEMP&lt;digits&gt;.PS1</code></strong> for PowerShell or <strong><code class="px-1.5 py-1 rounded not-prose bg-[var(--tw-prose-invert-pre-bg)] whitespace-break-spaces text-[85%] text-emerald-600">TEMP&lt;digits&gt;.CMD</code></strong> for a Command shell. 
The malware then passes parameters to it if specified by the malicious actor and executes it; the malware uses named pipes to retrieve the output of the PowerShell process.</p> <p></p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="reflectivelyloaddllremote" class="absolute -top-32"></span>ReflectivelyLoadDllRemote</h4> <p>Reflectively execute a 32-bit or 64-bit DLL in a process created in a suspended state; the following summarizes the execution flow:</p> <ul> <li>Check if the PE file is a 32-bit or 64-bit DLL</li> <li>Create a suspended <strong>svchost.exe</strong> process</li> <li>Allocate memory with the <strong>VirtualAllocEx</strong> API for the DLL and, if specified by the C2 command, for the DLL parameter</li> <li>Write the DLL and the parameter (if specified) to the remotely allocated memory with the <strong>WriteProcessMemory</strong> API</li> <li>Create a remote thread to execute the injected DLL with the <strong>CreateRemoteThread</strong> API</li> </ul> <p></p> <p></p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="command-2" class="absolute -top-32"></span>Command 2</h3> <p>Command 2 has multiple sub-functionalities, as shown in the command table above; according to the subCommandFlag, the malware can perform 6 different operations:</p> <div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th scope="col">Sub Command Flag</th><th scope="col">Function Name</th><th scope="col">Functionality description</th></tr></thead><tbody><tr><td>1</td><td>ExitProcess</td><td>Exit process</td></tr><tr><td>2</td><td>SelfDeleteExitProcess</td><td>Self delete and exit process</td></tr><tr><td>3</td><td>SpawnAgent64</td><td>Spawn 64-bit agent</td></tr><tr><td>4</td><td>SpawnAgent32</td><td>Spawn 32-bit agent</td></tr><tr><td>0x1001</td><td>ImpersonateToken</td><td>Impersonate explorer</td></tr><tr><td>0x1002</td><td>MigrateC2</td><td>Change C2 
config</td></tr></tbody></table></div> <p>The following is the structure that is used by the above commands:</p> <pre><code>struct ImpersonateReplicateStruct {
    int subCommandFlag;
    int impersonateExplorerToken;
    char padding[16];
    __int16 isParameterSet;
    WCHAR w_parameters[n];
};</code></pre> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="exitprocess" class="absolute -top-32"></span>ExitProcess</h4> <p>Calls the <strong>ExitProcess(0)</strong> API to terminate.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="selfdeleteexitprocess" class="absolute -top-32"></span>SelfDeleteExitProcess</h4> <p>The agent gets the path of the current process with <strong>GetModuleFileNameA</strong> and then executes the following command to self-delete: <strong>cmd.exe /c del FILEPATH \&gt;\&gt; NUL</strong> using <strong>CreateProcessA</strong> , then simply exits the process with <strong>ExitProcess(0)</strong>.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="spawnagent64-and-spawnagent32" class="absolute -top-32"></span>SpawnAgent64 and SpawnAgent32</h4> <p>When subcommand 3 or 4 is specified, the malware spawns another agent on the same machine, depending on the subcommand sent by the C2, as shown in the table above.</p> <p>The malware first retrieves the C2 IP address embedded in it; it then issues an HTTP GET request to download a packed agent in shellcode format. In the sample we analyzed, the <strong>/Agent32.bin</strong> URI is for the 32-bit agent, and <strong>/Agent64.bin</strong> is for the 64-bit agent.</p> <p></p> <p>The malware then creates a suspended <strong>svchost.exe</strong> process with the <strong>CreateProcessA</strong> API, writes the agent shellcode to the process, sets its instruction pointer to the injected shellcode with <strong>SetThreadContext</strong> , and finally resumes the thread with <strong>ResumeThread</strong> to execute the injected 
payload.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="impersonatetoken" class="absolute -top-32"></span>ImpersonateToken</h4> <p>This subcommand is specific to process tokens; an attacker can either impersonate the <strong>explorer.exe</strong> token or create a token from credentials (Domain\Username, Password) sent by the C2 to spawn another instance of the current process.</p> <p></p> <p>It first checks whether the current process is running as the local system, local service or network service account by testing whether the process token is a member of the group with the corresponding RID ( <strong>SECURITY_LOCAL_SYSTEM_RID</strong> , <strong>SECURITY_LOCAL_SERVICE_RID</strong> , <strong>SECURITY_NETWORK_SERVICE_RID</strong> ) respectively.</p> <p></p> <p>Then, if the operator specified credentials, the malware first calls <strong>LogonUserW</strong> with the Domain\User and password to create a token, then spawns another instance of the current process with this token.</p> <p></p> <p>If no credentials are specified, the implant impersonates the <strong>explorer.exe</strong> process by duplicating its token with <strong>DuplicateTokenEx</strong> and then spawns the current process with the duplicated token.</p> <p></p> <h4 class="font-bold leading-tight text-lg md:text-2xl relative"><span id="migratec2" class="absolute -top-32"></span>MigrateC2</h4> <p>The operator can migrate the implant to another C2 server by specifying the subcommand <strong>0x1001</strong> with the IP address of the new C2.</p> <p></p> <p></p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="command-3" class="absolute -top-32"></span>Command 3</h3> <p>When command 3 is received, the malware reflectively loads a PE file, embedded as the payload in the C&amp;C request, in another process&#x27;s memory space; the following is an overview of the execution:</p> <ul> <li>Determine the type 
and architecture of the PE file</li> <li>Create a suspended process</li> <li>Allocate a large memory region in the suspended process</li> <li>Write a shellcode in the allocated memory that will locate, decrypt and reflectively load the PE file</li> <li>2-byte XOR encrypt the PE file and append it after the shellcode</li> <li>Set the EIP context of the suspended process to execute the shellcode</li> </ul> <p>The shellcode will then reflectively load the PE file.</p> <p></p> <p>The agent first parses the PE file received from the C2 server to determine the type and architecture of the PE file.</p> <p></p> <p>According to this information, a Windows-signed executable is chosen to inject into.</p> <p>If the PE file is CUI (Console User Interface), the malware chooses <strong>cmd.exe</strong> ; however, if it is GUI (Graphical User Interface) or a DLL PE file, it chooses <strong>svchost.exe</strong>.</p> <p></p> <p>The malware then creates a suspended process with the <strong>CreateProcessA</strong> API (either <strong>cmd.exe</strong> or <strong>svchost.exe</strong> ) and allocates a large amount of memory with <strong>VirtualAllocEx</strong> in the created process; it then copies to the newly allocated memory a position-independent shellcode stored in the <strong>.rdata</strong> section, which is responsible for locating the appended PE file by a specific tag, decrypting it and reflectively loading it in memory.</p> <p>Then it appends after the shellcode a 12-byte structure composed of a tag, the size of the PE file, and a 2-byte XOR key.</p> <p>It then 2-byte XOR encrypts the PE file and appends it after the structure; the following is an overview of the data written to the allocated memory:</p> <div class="table-container"><table style="width:100%;table-layout:fixed;word-wrap:break-word"><thead><tr><th></th><th></th><th></th><th></th><th></th></tr></thead><tbody><tr><td>SHELLCODE</td><td>TAG</td><td>PE SIZE</td><td>2-byte XOR KEY</td><td>2-byte XOR 
encrypted PE file</td></tr></tbody></table></div> <p></p> <p>The agent then sets the thread context with <strong>SetThreadContext</strong> , points the instruction pointer of the suspended process’s thread to the shellcode, and simply resumes execution with <strong>ResumeThread</strong>.</p> <p>The shellcode first locates the 2-byte XOR encrypted PE file by its tag value ( <strong>0x80706050</strong> ), then 2-byte XOR decrypts it and loads it reflectively in the same process’s memory.</p> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="observed-adversary-tactics-and-techniques" class="absolute -top-32"></span>Observed adversary tactics and techniques</h2> <p>Elastic uses the MITRE ATT&amp;CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.</p> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="tactics" class="absolute -top-32"></span>Tactics</h3> <p>Tactics represent the why of a technique or sub-technique. 
It is the adversary’s tactical goal: the reason for performing an action.</p> <ul> <li><a href="https://attack.mitre.org/tactics/TA0002">Execution</a></li> <li><a href="https://attack.mitre.org/tactics/TA0009">Collection</a></li> <li><a href="https://attack.mitre.org/tactics/TA0011">Command and Control</a></li> <li><a href="https://attack.mitre.org/tactics/TA0010">Exfiltration</a></li> </ul> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="techniques--sub-techniques" class="absolute -top-32"></span>Techniques / sub-techniques</h3> <p>Techniques and sub-techniques represent how an adversary achieves a tactical goal by performing an action.</p> <ul> <li><a href="https://attack.mitre.org/techniques/T1059/003/">Command and Scripting Interpreter: Windows Command Shell</a></li> <li><a href="https://attack.mitre.org/techniques/T1573/002/">Encrypted Channel: Asymmetric Cryptography</a></li> <li><a href="https://attack.mitre.org/techniques/T1573/001/">Encrypted Channel: Symmetric Cryptography</a></li> <li><a href="https://attack.mitre.org/techniques/T1041/">Exfiltration Over C2 Channel</a></li> <li><a href="https://attack.mitre.org/techniques/T1119/">Automated Collection</a></li> <li><a href="https://attack.mitre.org/techniques/T1106/">Native API</a></li> </ul> <h2 class="font-bold text-2xl md:text-4xl relative"><span id="detections" class="absolute -top-32"></span>Detections</h2> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="detection-rules" class="absolute -top-32"></span>Detection rules</h3> <p>The following detection rule was observed during the analysis of the BUGHATCH sample. 
This rule is not exclusive to BUGHATCH activity.</p> <ul> <li><a href="https://www.elastic.co/guide/en/security/current/enumeration-of-privileged-local-groups-membership.html#enumeration-of-privileged-local-groups-membership">Enumeration of Privileged Local Groups Membership</a></li> </ul> <h3 class="font-bold leading-tight text-xl md:text-3xl relative"><span id="yara-rule" class="absolute -top-32"></span>YARA rule</h3> <p>Elastic Security has created a <a href="https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Bughatch.yar">YARA rule</a> to identify this activity.</p> <pre><code>rule Windows_Trojan_BUGHATCH {
    meta:
        author = &quot;Elastic Security&quot;
        creation_date = &quot;2022-05-09&quot;
        last_modified = &quot;2022-06-09&quot;
        license = &quot;Elastic License v2&quot;
        os = &quot;Windows&quot;
        arch = &quot;x86&quot;
        category_type = &quot;Trojan&quot;
        family = &quot;BUGHATCH&quot;
        threat_name = &quot;Windows.Trojan.BUGHATCH&quot;
        reference_sample = &quot;b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f&quot;
    strings:
        $a1 = { 8B 45 ?? 33 D2 B9 A7 00 00 00 F7 F1 85 D2 75 ?? B8 01 00 00 00 EB 33 C0 }
        $a2 = { 8B 45 ?? 0F B7 48 04 81 F9 64 86 00 00 75 3B 8B 55 ?? 0F B7 42 16 25 00 20 00 00 ?? ?? B8 06 00 00 00 EB ?? 
} $a3 = { 69 4D 10 FD 43 03 00 81 C1 C3 9E 26 00 89 4D 10 8B 55 FC 8B 45 F8 0F B7 0C 50 8B 55 10 C1 EA 10 81 E2 FF FF 00 00 33 CA 8B 45 FC 8B 55 F8 66 89 0C 42 } $c1 = &quot;-windowstyle hidden -executionpolicy bypass -file&quot; $c2 = &quot;C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe&quot; $c3 = &quot;ReflectiveLoader&quot; $c4 = &quot;\\Sysnative\\&quot; $c5 = &quot;TEMP%u.CMD&quot; $c6 = &quot;TEMP%u.PS1&quot; $c7 = &quot;\\TEMP%d.%s&quot; $c8 = &quot;NtSetContextThread&quot; $c9 = &quot;NtResumeThread&quot; condition: any of ($a*) or 6 of ($c*) }</code></pre></div></div></div><div class="hidden lg:flex lg:col-span-1 text-sm lg:flex-col lg:space-y-6"><div class="toc"><h4 class="font-bold leading-tight text-lg md:text-2xl mb-3">Jump to section</h4><ul class="flex flex-col space-y-2"><li><a class="flex items-center space-x-1 hover:text-white" href="/security-labs/bughatch-malware-analysis#key-takeaways"><span>Key&nbsp;takeaways</span></a></li><li><a class="flex items-center space-x-1 hover:text-white" href="/security-labs/bughatch-malware-analysis#preamble"><span>Preamble</span></a></li><li><a class="flex items-center space-x-1 hover:text-white" href="/security-labs/bughatch-malware-analysis#static-analysis"><span>Static&nbsp;analysis</span></a></li><li><a class="flex items-center space-x-1 hover:text-white ml-4" href="/security-labs/bughatch-malware-analysis#sections"><span>Sections</span></a></li><li><a class="flex items-center space-x-1 hover:text-white" href="/security-labs/bughatch-malware-analysis#code-analysis"><span>Code&nbsp;analysis</span></a></li><li><a class="flex items-center space-x-1 hover:text-white ml-4" href="/security-labs/bughatch-malware-analysis#token-adjustment"><span>Token&nbsp;adjustment</span></a></li><li><a class="flex items-center space-x-1 hover:text-white ml-4" href="/security-labs/bughatch-malware-analysis#information-collection"><span>Information&nbsp;collection</span></a></li><li><a class="flex items-center 
gap-2 md:gap-0 justify-between items-center"><div class="text-zinc-300"><nav><ul class="flex space-x-4"><li><a class="hover:text-white font-medium" href="/security-labs/sitemap.xml">Sitemap</a></li><li><a class="hover:text-white font-medium flex items-center space-x-1" href="https://elastic.co?utm_source=elastic-search-labs&amp;utm_medium=referral&amp;utm_campaign=search-labs&amp;utm_content=footer"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" aria-hidden="true" class="inline-block w-3 h-3"><path stroke-linecap="round" stroke-linejoin="round" d="M13.5 6H5.25A2.25 2.25 0 003 8.25v10.5A2.25 2.25 0 005.25 21h10.5A2.25 2.25 0 0018 18.75V10.5m-10.5 6L21 3m0 0h-5.25M21 3v5.25"></path></svg><span>Elastic.co</span></a></li><li><a class="hover:text-white font-medium flex items-center space-x-1" href="https://twitter.com/elasticseclabs"><svg class="w-4 h-4 inline-block w-3 h-3" viewBox="0 0 24 24"><path fill="currentColor" d="M23.954 4.569c-.885.389-1.83.653-2.825.772a4.98 4.98 0 002.187-2.746 9.955 9.955 0 01-3.157 1.204 4.98 4.98 0 00-8.49 4.54A14.128 14.128 0 011.69 3.05a4.98 4.98 0 001.54 6.638A4.94 4.94 0 011.2 8.62v.06a4.98 4.98 0 004 4.87 4.94 4.94 0 01-2.24.086 4.98 4.98 0 004.64 3.45A9.97 9.97 0 010 20.35a14.075 14.075 0 007.59 2.22c9.16 0 14.17-7.583 14.17-14.17 0-.217-.005-.434-.015-.65a10.128 10.128 0 002.485-2.58l-.001-.001z"></path></svg><span>@elasticseclabs</span></a></li></ul></nav></div><div class="flex flex-col space-y-1 text-zinc-300"><p>© <!-- -->2024<!-- -->. Elasticsearch B.V. All Rights Reserved.</p></div></div></footer></main></div><script id="__NEXT_DATA__" type="application/json">{"props":{"pageProps":{"article":{"title":"BUGHATCH Malware Analysis","slug":"bughatch-malware-analysis","date":"2022-09-09","description":"Elastic Security has performed a deep technical analysis of the BUGHATCH malware. 
This includes capabilities as well as defensive countermeasures.","image":"libraries-edev-ops-1680x980.jpg","subtitle":"Malware analysis of the BUGHATCH downloader.","tags":["bughatch","cuba","ref9019"],"body":{"raw":"\n## Key takeaways\n\n- Elastic Security Labs is releasing a BUGHATCH malware analysis report from a recent [campaign](https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis)\n- This report covers detailed code analysis, network communication protocols, command handling, and observed TTPs\n- From this research we produced a [YARA rule](https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Bughatch.yar) to detect the BUGHATCH downloader\n\n## Preamble\n\nBUGHATCH is an implant of a custom C2 deployed during the CUBA ransomware campaigns we observed in February of 2022, this tool was most likely built by the threat actor themselves as it was not used previously.\n\nBUGHATCH is capable of downloading and executing commands and arbitrary code, it gives the operator the freedom to execute payloads with different techniques like reflection, shellcode execution, system command execution, and so on. 
The samples we have seen were not obfuscated and were deployed using a custom obfuscated in-memory dropper written in PowerShell and referred to as [TERMITE by Mandiant](https://www.mandiant.com/resources/unc2596-cuba-ransomware).\n\nIn this document, we will go through the execution flow of BUGHATCH highlighting its functionalities and code execution techniques, a YARA rule and the MITRE ATT\u0026CK mapping can be found in the appendix.\n\nIn this analysis we will describe the following:\n\n- Token adjustment\n- Information collection\n- Threading and thread synchronization\n- Network communication protocol\n- Command handling\n\n\u003e For information on the CUBA ransomware campaign and associated malware analysis, check out our blog posts detailing this:\n\u003e\n\u003e - [CUBA Ransomware Campaign](https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis)\n\u003e - [CUBA Malware Analysis](https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis)\n\n## Static analysis\n\n| | |\n| ------------ | ---------------------------------------------------------------- | --- |\n| SHA256 | F1325F8A55164E904A4B183186F44F815693A008A9445D2606215A232658C3CF |\n| File Size | 35840 bytes |\n| File Type: | Win32 executable |\n| Signed? | No |\n| Packer? 
| No |\n| Compiler | Visual Studio 2017 - 15.5.0 preview 2 |\n| Compile Time | Sun Feb 06 21:05:18 2022 UTC |\n| Entropy | 6.109 |\n\n### Sections\n\n| | | | | | |\n| ------ | -------------- | ------------ | -------- | ------- | -------------------------------- |\n| Name | VirtualAddress | Virtual Size | Raw Size | Entropy | MD5 |\n| .text | 0x1000 | 0x6000 | 0x5400 | 5.933 | A6E30CCF838569781703C943F18DC3F5 |\n| .rdata | 0x7000 | 0x3000 | 0x2A00 | 6.217 | 9D9AD1251943ECACE81644A7AC320B3C |\n| .data | 0xA000 | 0x1000 | 0x400 | 1.163 | B983B8EB258220628BE2A88CA44286B4 |\n| .reloc | 0xB000 | 0x424 | 0x600 | 5.235 | 39324A58D79FC5B8910CBD9AFBF1A6CB |\n\n## Code analysis\n\nBUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs ( **VirtualAlloc** , **CreateThread** , **WaitForSingleObject** ).\n\nThe PowerShell loader uses inline C# to load APIs needed for shellcode injection as seen in the following pseudocode. A PowerShell process compiling inline C# and then calling **VirtualAlloc** and **CreateThread** is a strong detection signal in its own right, independent of the implant that follows.\n\n![Pseudocode PowerShell inline C#](/assets/images/bughatch-malware-analysis/image12.jpg)\n\nThe PowerShell script is obfuscated with random functions and variable names and contains the shellcode in a reverse-Base64 format.\n\n![Pseudocode embedded shellcode in Base64 format](/assets/images/bughatch-malware-analysis/image10.png)\n\nThe script first decodes the reverse-Base64 encoded data, then allocates a memory region with **VirtualAlloc** before copying the shellcode into it. 
Finally, the script executes the shellcode by creating a new thread with the **CreateThread** API.\n\n![Pseudocode PowerShell creates a new thread to execute the shellcode](/assets/images/bughatch-malware-analysis/image38.jpg)\n\nThe shellcode downloads another shellcode blob and the encrypted PE implant from the C2 server; this second shellcode decrypts and reflectively loads the PE malware.\n\nThis section dives deeper into the BUGHATCH execution flow, threading and encryption implementation, communication protocol with C2, and finally the supported commands and payload execution techniques implemented.\n\nThe following is a diagram summarizing the execution flow of the implant:\n\n![Execution flow diagram of BUGHATCH](/assets/images/bughatch-malware-analysis/image16.png)\n\n![Pseudocode of the main function](/assets/images/bughatch-malware-analysis/image15.jpg)\n\n### Token adjustment\n\nThe implant starts by enabling **SeDebugPrivilege** in its own access token, which allows it to open and read the memory of other processes. Note that this is not a privilege escalation: a privilege can only be enabled if the token already holds it, which is normally the case for a process running with administrative rights or as SYSTEM. It leverages common Windows APIs to achieve this as shown in the pseudocode below:\n\n![Pseudocode enabling SeDebugPrivilege](/assets/images/bughatch-malware-analysis/image20.jpg)\n\n### Information collection\n\nThe malware collects host-based information used to fingerprint the infected system; this information is stored in a custom structure that is 2-byte XOR encrypted and sent to the C2 server in an HTTP POST request.\n\nThe following lists the collected information:\n\n- Current value of the performance counter\n- Network information\n- System information\n- Token information\n- Domain and Username of the current process\n- Current process path\n\n#### Current value of the performance counter\n\nUsing the **QueryPerformanceCounter** API, it collects the amount of time since the system was last booted. 
This value will be used to compute the 2-byte XOR encryption key to encrypt communications between the implant and the C2 server, a detailed analysis of the encryption implementation will follow.\n\n![Pseudocode QueryPerformanceCounter function](/assets/images/bughatch-malware-analysis/image42.jpg)\n\n#### Network information\n\nIt collects the addresses of network interfaces connected to the infected machine by using the **GetIpAddrTable** Windows API.\n\n![Pseudocode collecting interface addresses](/assets/images/bughatch-malware-analysis/image22.jpg)\n\n#### System information\n\nBUGHATCH collects key system information which includes:\n\n- Windows major release, minor release, and build number\n- Processor architecture (either 32-bit or 64-bit)\n- Computer name\n\n![Pseudocode collecting system information](/assets/images/bughatch-malware-analysis/image18.jpg)\n\n#### Token information\n\nThe agent proceeds to collect the current process token group membership, it invokes the **AllocateAndInitializeSid** API followed by the **CheckTokenMembership** API, concatenating the [SDDL SID strings](https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings) for every group the process token is part of. While not unique to BUGHATCH, this is detected by Elastic's [Enumeration of Privileged Local Groups Membership](https://www.elastic.co/guide/en/security/current/enumeration-of-privileged-local-groups-membership.html) detection rule.\n\n![Pseudocode collecting token group membership information](/assets/images/bughatch-malware-analysis/image29.jpg)\n\n#### Domain and username of the current process\n\nThe malware opens a handle to the current process with **OpenProcessToken** and gets the structure that contains the user account of the token with **GetTokenInformation**. 
It then retrieves the username and domain of the user account with the **LookupAccountSidW** API and concatenates the 2 strings in the following format: **DOMAIN\\USERNAME**.\n\n![](/assets/images/bughatch-malware-analysis/image14.jpg)\n\n#### Current process path\n\nFinally, it collects the current process path with **GetModuleFileNameW**. The malware then encrypts the entire populated structure with a simple 2-byte XOR algorithm, this encryption implementation is detailed later in the report.\n\n## Threading and thread synchronization\n\nThe implant is multithreaded; it uses two different linked lists, one is filled with the commands received from the C2 server and the other is filled with the output of the commands executed.\n\nIt spawns 5 worker threads, each handling a command received from the C2 server by accessing the appropriate linked list using the **CriticalSection** object. The main process’ thread also retrieves the command's output from the second linked list using the **CriticalSection** object for synchronization purposes, to avoid any race conditions.\n\n![Pseudocode of the thread creation function](/assets/images/bughatch-malware-analysis/image45.jpg)\n\n## Network communication protocol\n\nIn this section we will detail:\n\n- Base communication protocol\n- Encryption implementation\n\nThe implant we analyzed uses HTTP(S) for communications. On top of the SSL encryption of the protocol, the malware and C2 encrypt the data with a 2-byte XOR key computed by the malware for each new session. The values to compute the 2-byte XOR key are prepended at the beginning of the base protocol packet which the server extracts to decrypt/encrypt commands.\n\nWhen launched, the malware will first send an HTTP POST request to the C2 server containing all the collected information extracted from the victim’s machine, the C2 then responds with the operator’s command if available, or else the agent sleeps for 60 seconds. 
After executing the command and only if the output of the executed command is available, the malware will send a POST request containing both the collected information and the command’s output, otherwise, it sends the collected information and waits for new commands.\n\n![Example of an implant HTTP POST request to an emulated C2 server](/assets/images/bughatch-malware-analysis/image32.png)\n\n### Base communication protocol\n\nThe author(s) of BUGHATCH implemented a custom network protocol, the following is the syntax that the agent and server use for their communication:\n\n![BUGHATCH agent and server communications](/assets/images/bughatch-malware-analysis/BugHatchanalysisreport_html.jpg)\n\n- **XOR key values:** The values to compute the 2-byte XOR encryption key used to encrypt the rest of the data\n- **Separator:** A static value ( **0x389D3AB7** ) that separates **Msg** chunks, example: the server can send different instructions in the same HTTP request separated by the **Separator**\n- **Chunk length:** Is the length of the **Msg** , **Separator** and **Chunk length**\n- **Msg:** Is the message to be sent, the message differs from the agent to the server.\n\nWe will dive deeper into the encapsulation of the **Msg** for both the agent and the server.\n\n![Pseudocode extracting commands according to the separator value](/assets/images/bughatch-malware-analysis/image40.jpg)\n\n### Encryption implementation\n\nThe malware uses 2-byte XOR encryption when communicating with the C\u0026C server; a 2-byte XOR key is generated and computed by the implant for every session with the C2 server.\n\nThe agent uses two DWORD values returned by **QueryPerformanceCounter** API as stated earlier, it then computes a 2-byte XOR key by XOR-encoding the DWORD values and then multiplying and adding hardcoded values. 
The following is a Python pseudocode of how the KEY is computed:\n\n```\ntmp = (PerformanceCount[0] ^ PerformanceCount[1]) \u0026 0xFFFFFFFF\nXorKey = (0x343FD * tmp + 0x269EC3)\u0026 0xFFFFFFFF\nXorKey = p16(XorKey \u003e\u003e 16).ljust(2, b'\\x00')\n```\n\nThe multiplier **0x343FD** and increment **0x269EC3** are the constants of the Microsoft CRT **rand()** linear congruential generator, and this key-derivation routine appears to be what the **$a3** byte pattern of the YARA rule at the end of this report matches on. From a defender's point of view this layer is obfuscation rather than encryption: the two counter DWORDs needed to recompute the key are sent in the clear at the start of every packet, and the derived key is only 16 bits wide, so anyone who can observe the HTTP body (or who terminates the TLS session) can recover the plaintext directly from the packet, or by trying all 65,536 candidate keys offline.\n\n![Pseudocode of the encryption implementation](/assets/images/bughatch-malware-analysis/image9.jpg)\n\n## Command handling\n\nIn this section, we will dive deeper into the functionalities implemented in the agent and their respective **Msg** structure that will be encapsulated in the base communication protocol structure as mentioned previously.\n\nOnce the working threads are started, the main thread will continue beaconing to the C2 server to retrieve commands. The main loop is made up of the following:\n\n- Send POST request\n- Decrypt the received command and add it to the linked list\n- Sleep for 60 seconds\n\nThe sleep appears to be a fixed 60 seconds; a constant beacon interval like this is a useful characteristic when hunting for the implant's traffic.\n\nA working thread will first execute the **RemoveEntryRecvLinkedList** function that accesses and retrieves the data sent by the C2 server from the linked list.\n\n![Pseudocode retrieves data sent by the C2](/assets/images/bughatch-malware-analysis/image43.jpg)\n\nThe thread will then de-encapsulate the data received from the C2 and extract the **Msg(Command)**. 
The malware implements different functionalities according to a command flag, the table below illustrates the functionalities of each command:\n\n| | |\n| ------------ | --------------------------------------------------------------------- |\n| Command FLAG | Description |\n| 1 | Group functions related to code and command execution |\n| 2 | Group functions related to utilities like impersonation and migration |\n| 3 | Process injection of a PE file in a suspended child process |\n\n### Command 1\n\nThis command gives access to functionalities related to payload execution, from DLL to PE executable to PowerShell and cmd scripts.\n\nSome of the sub-commands use pipes to redirect the standard input/output of the child process, which enables the attacker to execute payloads and retrieve its output, for example, PowerShell or Mimikatz, etc…\n\nThe following is the list of sub commands:\n\n| | | |\n| ---------------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |\n| Sub Command Flag | Function Name | Functionality description |\n| 2 | ReflectivelyExecutePERemote | Reflectively loads PE files in a child process and redirects its standard input output, the output will be sent to the operator C2 server |\n| 3 | DropPEDiskExecute | Drops a PE file to disk and executes it, the execution output is then sent to the operator’s C2 server |\n| 4 | SelfShellcodeExecute | Executes a shellcode in the same process |\n| 5 | RemoteShellcodeExecute | Executes a shellcode in a suspended spawned child process |\n| 6 | ExecuteCmd | Executes a CMD script/command |\n| 7 | ExecutePowershell | Executes a Powershell script/command |\n| 9 | ReflectivelyLoadDllRemote | Executes a DLL reflectively in a remote process using CreateRemoteThread API |\n\nThe following is the structure that is used by the above commands:\n\n```\nstruct ExecutePayloadCommandStruct\n{\n DWORD 
commandFlag;\n DWORD field_0;\n DWORD subCommandFlag_1;\n DWORD readPipeTimeOut_2;\n DWORD payloadSize_3;\n DWORD commandLineArgumentSize_4;\n DWORD STDINDataSize_5;\n CHAR payload_cmdline_stdin[n];\n};\n```\n\n- **commandFlag:** Indicates the command\n- **subCommandFlag:** Indicates the subcommand\n- **readPipeTimeOut:** Indicates the timeout for reading the output of child processes from a pipe\n- **payloadSize:** Indicates the payload size\n- **commandLineArgumentSize:** Indicates length of the command line arguments when executing the payload, example a PE binary\n- **STDINDataSize:** Indicates the length of the standard input data that will be sent to the child process\n- **Payload_cmdline_stdin:** Can contain the payload PE file for example, its command line arguments and the standard input data that will be forwarded to the child process, the malware knows the beginning and end of each of these using their respective length.\n\n#### ReflectivelyExecutePERemote\n\nThe agent reflectively loads PE binaries in the memory space of a created process in a suspended state (either **cmd.exe** or **svchost.exe** ). The agent leverages [anonymous (unnamed) pipes](https://docs.microsoft.com/en-us/windows/win32/ipc/anonymous-pipes) within Windows to redirect the created child process's standard input and output handles. It first creates an anonymous pipe that will be used to retrieve the output of the created process, then the pipe handles are specified in the **STARTUPINFO** structure of the child process.\n\n![Pseudocode for anonymous pipe creation](/assets/images/bughatch-malware-analysis/image41.jpg)\n\nAfter creating the suspended process, the malware allocates a large memory block to write shellcode and a XOR encrypted PE file.\n\nThe shellcode will 2-byte XOR decrypt and load the embedded PE similar to ( **Command 3** ). 
This command can load 64bit and 32bit binaries, each architecture has its own shellcode PE loader, after injecting the shellcode it will point the instruction pointer of the child process’s thread to the shellcode and resume the thread.\n\n![Pseudocode of Reflective Loading PE into child processes](/assets/images/bughatch-malware-analysis/image2.jpg)\n\nThe following is an example of a packet captured from our custom emulated C2 server, we can see the structure discussed earlier on the left side and the packet bytes on the right side, for each command implemented in the malware, a packet example will be given.\n\n![Example of a ReflectivelyExecutePERemote command received from an emulated C2](/assets/images/bughatch-malware-analysis/image7.png)\n\n#### DropPEDiskExecute\n\nWith this subcommand, the operator can drop a PE file on disk and execute it. The agent has 3 different implementations depending on the PE file type, GUI Application, CUI (Console Application), or a DLL.\n\nFor CUI binaries, the malware first generates a random path in the temporary folder and writes the PE file to it using **CreateFileA** and **WriteFile** API.\n\n![Pseudocode writing payload to disk](/assets/images/bughatch-malware-analysis/image39.jpg)\n\nIt then creates a process of the dropped binary file as a child process by redirecting its standard input and output handles; after execution of the payload the output is sent to the operator’s C2 server.\n\nFor GUI PE binaries, the agent simply writes it to disk and executes it directly with **CreateProcessA** API.\n\nAnd lastly, for DLL PE files, the malware first writes the DLL to a randomly generated path in the temporary folder, then uses **c:\\windows\\system32\\rundll32.exe** or **c:\\windows\\syswow64\\rundll32.exe** (depending on the architecture of the DLL) to run either an exported function specified by the operator or the function **start** if no export functions were specified.\n\n![Pseudocode running the payload dropped by 
DropPEDiskExecute function](/assets/images/bughatch-malware-analysis/image1.jpg)\n\n![Example of a SelfShellcodeExecute command received from an emulated C2](/assets/images/bughatch-malware-analysis/image34.png)\n\n#### SelfShellcodeExecute\n\nThis subcommand tasks the agent to execute shellcode in its own memory space by allocating a memory region using **VirtualAlloc** API and then copying the shellcode to it, the shellcode is executed by creating a thread using **CreateThread** API.\n\n![Pseudocode of SelfShellcodeExecute command](/assets/images/bughatch-malware-analysis/image37.jpg)\n\n![Example of a SelfShellcodeExecute command received from an emulated C2](/assets/images/bughatch-malware-analysis/image35.jpg)\n\n#### RemoteShellcodeExecute\n\nThis sub-command can be used to execute a 32-bit or a 64-bit position independent shellcode in another process memory space.\n\nSimilarly to the **SpawnAgent** subcommand, the malware creates a suspended **svchost.exe** process with **CreateProcessA** API, allocates a memory region for the shellcode sent by the C2 server with **VirtualAllocEx** , and writes to it with **WriteProcessMemory** , it then sets the suspended thread instruction pointer to point to the injected shellcode with **SetThreadContext** and finally it will resume the thread with **ResumeThread** to execute the payload.\n\n![Pseudocode writes shellcode to remote process](/assets/images/bughatch-malware-analysis/image26.jpg)\n\n![Pseudocode set EIP of child process using SetThreadContext](/assets/images/bughatch-malware-analysis/image13.jpg)\n\n![Example of a RemoteShellcodeExecute command received from an emulated C2](/assets/images/bughatch-malware-analysis/image23.jpg)\n\n#### ExecuteCmd and ExecutePowershell\n\nAn operator can execute PowerShell scripts or CMD scripts in the infected machine, the malware can either write the script to a file in the temporary folder with a randomly generated name as follow: **`TEMP\u003cdigits\u003e.PS1`** for 
PowerShell or **`TEMP\u003cdigits\u003e.CMD`** for a Command shell. The malware then passes parameters to it if specified by the operator and executes it; the malware uses named pipes to retrieve the output of the PowerShell process (note that the **ReflectivelyExecutePERemote** section above describes anonymous pipes for the same purpose, so the pipe type should be confirmed against the pseudocode below). The **`TEMP\u003cdigits\u003e.PS1`** / **`TEMP\u003cdigits\u003e.CMD`** files written to the temporary folder are a simple host-based hunting artifact, and the matching format strings appear as **$c5** and **$c6** in the YARA rule at the end of this report.\n\n![Pseudocode of ExecuteCmd command](/assets/images/bughatch-malware-analysis/image30.jpg)\n\n![Example of an ExecutePowershell command received from an emulated C2](/assets/images/bughatch-malware-analysis/image8.jpg)\n\n#### ReflectivelyLoadDllRemote\n\nReflectively executes a 32-bit or 64-bit DLL in a process created in a suspended state; the following summarizes the execution flow:\n\n- Check if the PE file is a 32 or 64-bit DLL\n- Create a suspended **svchost.exe** process\n- Allocate memory for the DLL and the parameter for the DLL if specified by the C2 command with the **VirtualAllocEx** API\n- Write to the remotely allocated memory with the **WriteProcessMemory** API the DLL and the parameter if specified\n- Create a remote thread to execute the injected DLL with the **CreateRemoteThread** API\n\n![Pseudocode of a ReflectivelyLoadDllRemote command](/assets/images/bughatch-malware-analysis/image19.jpg)\n\n![Example of a ReflectivelyLoadDllRemote command received from an emulated C2](/assets/images/bughatch-malware-analysis/image34.png)\n\n### Command 2\n\nCommand 2 has multiple sub-functionalities as shown in the command table above; according to the subCommandFlag the malware can perform 6 different operations as follows:\n\n| | | |\n| ---------------- | --------------------- | ---------------------------- |\n| Sub Command Flag | Function Name | Functionality description |\n| 1 | ExitProcess | Exit process |\n| 2 | SelfDeleteExitProcess | Self delete and exit process |\n| 3 | SpawnAgent64 | Spawn 64-bit agent |\n| 4 | SpawnAgent32 | Spawn 32-bit agent |\n| 0x1001 | ImpersonateToken | Impersonate explorer |\n| 0x1002 | MigrateC2 | Change C2 config |\n\nThe following is the structure that is used by the above 
commands:\n\n```\nstruct ImpersonateReplicateStruct\n{\n int subCommandFlag;\n int impersonateExplorerToken;\n char padding[16];\n __int16 isParameterSet;\n WCHAR w_parameters[n];\n};\n```\n\n#### ExitProcess\n\nCalls the **ExitProcess(0)** API to terminate.\n\n![Example of an ExitProcess command received from an emulated C2](/assets/images/bughatch-malware-analysis/image25.png)\n\n#### SelfDeleteExitProcess\n\nThe agent gets the PATH of the current process with **GetModuleFileNameA** and then executes the following command to self-delete: **`cmd.exe /c del FILEPATH \u003e\u003e NUL`** using **CreateProcessA** , then simply exits the process with **ExitProcess(0)**.\n\n![Example of a SelfDeleteExitProcess command received from an emulated C2](/assets/images/bughatch-malware-analysis/image17.png)\n\n#### SpawnAgent64 and SpawnAgent32\n\nWhen subcommands 3 or 4 are specified, the malware will spawn another agent on the same machine depending on the subcommand sent by the C2, as shown in the table above.\n\nThe malware first retrieves the C2 IP address embedded in it and then issues an HTTP GET request to download a packed agent in shellcode format; in the sample we analyzed the **/Agent32.bin** URI serves the 32-bit agent and **/Agent64.bin** the 64-bit agent. GET requests for these two paths are a straightforward network indicator to hunt for in proxy or HTTP logs.\n\n![Pseudocode spawning another agent](/assets/images/bughatch-malware-analysis/image33.jpg)\n\nThe malware then creates a suspended **svchost.exe** process with the **CreateProcessA** API, writes the agent shellcode to the process, sets its instruction pointer to point to the injected shellcode with **SetThreadContext** , and finally resumes the thread with **ResumeThread** to execute the injected payload.\n\n![Example of a SpawnAgent32 command received from an emulated C2](/assets/images/bughatch-malware-analysis/image5.png)\n\n#### ImpersonateToken\n\nThis subcommand is specific to process tokens; an attacker can either impersonate the **explorer.exe** token or create a token from credentials 
(Domain\\Username, Password) sent by the C2 to spawn another instance of the current process.\n\n![Pseudocode ImpersonateToken command](/assets/images/bughatch-malware-analysis/image44.jpg)\n\nIt will first check whether the current process is running as the local system, local service, or network service account by testing whether the process token is a member of the group with the corresponding RID ( **SECURITY_LOCAL_SYSTEM_RID** , **SECURITY_LOCAL_SERVICE_RID** , **SECURITY_NETWORK_SERVICE_RID** respectively).\n\n![Pseudocode check token group membership](/assets/images/bughatch-malware-analysis/image36.jpg)\n\nIf the operator supplied credentials, the malware calls **LogonUserW** with the Domain\\User and password to create a new logon token and then spawns another instance of the current process with that token. Because **LogonUserW** performs a real logon through the local security authority, this path generates an authentication event in the Windows Security log on the host, which is worth correlating with the resulting process creation.\n\n![Pseudocode LogonUserW to create a token](/assets/images/bughatch-malware-analysis/image24.jpg)\n\nIf no credentials were supplied, the implant instead impersonates the **explorer.exe** process by duplicating its token with **DuplicateTokenEx** and then spawns the current process with the duplicated token.\n\n![Example of an ImpersonateToken command received from an emulated C2](/assets/images/bughatch-malware-analysis/image21.png)\n\n#### MigrateC2\n\nThe operator can migrate the implant to another C2 server by specifying the subcommand **0x1002** (see the Command 2 table above) with the IP address of the new C2.\n\n![Pseudocode migrating the implant](/assets/images/bughatch-malware-analysis/image4.jpg)\n\n![Example of a MigrateC2 command received from an emulated C2](/assets/images/bughatch-malware-analysis/image31.png)\n\n### Command 3\n\nWhen command 3 is received the malware will reflectively load a PE file embedded as payload in the C\u0026C request into another process's memory space; the following is an overview of the execution:\n\n- Determine the type and architecture of the PE file\n- Create a suspended process\n- Allocate a large memory in 
the suspended process\n- Write a shellcode in the allocated memory that will locate, decrypt and reflectively load the PE file\n- 2-byte XOR encrypt the PE file and append it after the shellcode\n- Set the EIP context of the suspended process to execute the shellcode\n\nThe shellcode will then reflectively load the PE file\n\n![Pseudocode for Command 3's main logic](/assets/images/bughatch-malware-analysis/image6.jpg)\n\nThe agent first parses the PE file received from the C2 server to determine the type and architecture of the PE file.\n\n![Pseudocode determines the PE file architecture](/assets/images/bughatch-malware-analysis/image28.jpg)\n\nAnd according to this information, a Windows signed executable will be chosen to inject into.\n\nIf the PE file is CUI (Console User Interface), the malware will choose **cmd.exe** , however, if it is GUI (Graphical User Interface) or a DLL PE file it will choose **svchost.exe**.\n\n![Options for malware to inject into](/assets/images/bughatch-malware-analysis/image11.jpg)\n\nThe malware will then create a suspended process with **CreateProcessA** API (either **cmd.exe** or **svchost.exe** ) and allocate a large amount of memory with **VirtualAllocEx** in the created process, it will then copy a position independent shellcode stored in the **.rdata** section to the newly allocated memory that is responsible for locating according to a specific tag the appended PE file, decrypt it and reflectively load it in memory.\n\nThen it appends after the shellcode a 12 bytes structure composed of a tag, the size of the PE file, and a 2-byte XOR key.\n\nIt will then 2-byte XOR encrypt the PE file and append it after the structure, the following is an overview of the written data to the allocated memory:\n\n| | | | | |\n| --------- | --- | ------- | -------------- | ---------------------------- |\n| SHELLCODE | TAG | PE SIZE | 2-byte XOR KEY | 2-byte XOR encrypted PE file |\n\n![Pseudocode write shellcode and PE to child 
process](/assets/images/bughatch-malware-analysis/image27.jpg)\n\nThe agent will then set the thread context with **SetThreadContext** and point the instruction pointer of the suspended process to the shellcode; it then simply resumes execution with **ResumeThread**.\n\nThe shellcode will first locate the 2-byte XOR encrypted PE file according to the tag value ( **0x80706050** ), it will then 2-byte XOR decrypt it and load it reflectively in the same process's memory. This tag, like the **0x389D3AB7** message separator used on the wire, is a fixed constant and may be useful as a memory-scanning or packet-inspection artifact.\n\n## Observed adversary tactics and techniques\n\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\n\n### Tactics\n\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action.\n\n- [Execution](https://attack.mitre.org/tactics/TA0002)\n- [Collection](https://attack.mitre.org/tactics/TA0009)\n- [Command and Control](https://attack.mitre.org/tactics/TA0011)\n- [Exfiltration](https://attack.mitre.org/tactics/TA0010)\n\n### Techniques / sub techniques\n\nTechniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.\n\n- [Command and Scripting Interpreter: Windows Command Shell](https://attack.mitre.org/techniques/T1059/003/)\n- [Encrypted Channel: Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002/)\n- [Encrypted Channel: Symmetric Cryptography](https://attack.mitre.org/techniques/T1573/001/)\n- [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041/)\n- [Automated Collection](https://attack.mitre.org/techniques/T1119/)\n- [Native API](https://attack.mitre.org/techniques/T1106/)\n\nReaders mapping this report to their own coverage should note that the analysis above also describes behaviors not captured by this list, in particular injection into suspended **svchost.exe** / **cmd.exe** processes, reflective loading of PE files and DLLs, access-token manipulation ( **SeDebugPrivilege** , **ImpersonateToken** ), and PowerShell-based execution.\n\n## Detections\n\n### Detection rules\n\nThe following detection rule was observed during the analysis of the BUGHATCH sample. 
This rule is not exclusive to BUGHATCH activity.\n\n- [Enumeration of Privileged Local Groups Membership](https://www.elastic.co/guide/en/security/current/enumeration-of-privileged-local-groups-membership.html#enumeration-of-privileged-local-groups-membership)\n\n### YARA rule\n\nElastic Security has created a [YARA rule](https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Bughatch.yar) to identify this activity. Note that the **reference_sample** hash in the rule metadata differs from the SHA256 in the static analysis table above, indicating the rule was authored against a different BUGHATCH sample; if the copy reproduced below ever diverges from the linked repository, treat the repository version as authoritative.\n\n```\nrule Windows_Trojan_BUGHATCH {\n meta:\n author = \"Elastic Security\"\n creation_date = \"2022-05-09\"\n last_modified = \"2022-06-09\"\n license = \"Elastic License v2\"\n os = \"Windows\"\n arch = \"x86\"\n category_type = \"Trojan\"\n family = \"BUGHATCH\"\n threat_name = \"Windows.Trojan.BUGHATCH\"\n reference_sample = \"b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f\"\n\n strings:\n $a1 = { 8B 45 ?? 33 D2 B9 A7 00 00 00 F7 F1 85 D2 75 ?? B8 01 00 00 00 EB 33 C0 }\n $a2 = { 8B 45 ?? 0F B7 48 04 81 F9 64 86 00 00 75 3B 8B 55 ?? 0F B7 42 16 25 00 20 00 00 ?? ?? B8 06 00 00 00 EB ?? 
}\n $a3 = { 69 4D 10 FD 43 03 00 81 C1 C3 9E 26 00 89 4D 10 8B 55 FC 8B 45 F8 0F B7 0C 50 8B 55 10 C1 EA 10 81 E2 FF FF 00 00 33 CA 8B 45 FC 8B 55 F8 66 89 0C 42 }\n $c1 = \"-windowstyle hidden -executionpolicy bypass -file\"\n $c2 = \"C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n $c3 = \"ReflectiveLoader\"\n $c4 = \"\\\\Sysnative\\\\\"\n $c5 = \"TEMP%u.CMD\"\n $c6 = \"TEMP%u.PS1\"\n $c7 = \"\\\\TEMP%d.%s\"\n $c8 = \"NtSetContextThread\"\n $c9 = \"NtResumeThread\"\n\n condition:\n any of ($a*) or 6 of ($c*)\n}\n```\n","code":"var Component=(()=\u003e{var d=Object.create;var a=Object.defineProperty;var m=Object.getOwnPropertyDescriptor;var p=Object.getOwnPropertyNames;var g=Object.getPrototypeOf,u=Object.prototype.hasOwnProperty;var f=(n,e)=\u003e()=\u003e(e||n((e={exports:{}}).exports,e),e.exports),w=(n,e)=\u003e{for(var i in e)a(n,i,{get:e[i],enumerable:!0})},o=(n,e,i,l)=\u003e{if(e\u0026\u0026typeof e==\"object\"||typeof e==\"function\")for(let r of p(e))!u.call(n,r)\u0026\u0026r!==i\u0026\u0026a(n,r,{get:()=\u003ee[r],enumerable:!(l=m(e,r))||l.enumerable});return n};var y=(n,e,i)=\u003e(i=n!=null?d(g(n)):{},o(e||!n||!n.__esModule?a(i,\"default\",{value:n,enumerable:!0}):i,n)),b=n=\u003eo(a({},\"__esModule\",{value:!0}),n);var c=f((E,s)=\u003e{s.exports=_jsx_runtime});var P={};w(P,{default:()=\u003eT,frontmatter:()=\u003eC});var t=y(c()),C={title:\"BUGHATCH Malware Analysis\",slug:\"bughatch-malware-analysis\",date:\"2022-09-09\",subtitle:\"Malware analysis of the BUGHATCH downloader.\",description:\"Elastic Security has performed a deep technical analysis of the BUGHATCH malware. 
This includes capabilities as well as defensive countermeasures.\",author:[{slug:\"salim-bitam\"}],image:\"libraries-edev-ops-1680x980.jpg\",category:[{slug:\"malware-analysis\"}],tags:[\"bughatch\",\"cuba\",\"ref9019\"]};function h(n){let e=Object.assign({h2:\"h2\",ul:\"ul\",li:\"li\",a:\"a\",p:\"p\",blockquote:\"blockquote\",h3:\"h3\",div:\"div\",table:\"table\",thead:\"thead\",tr:\"tr\",th:\"th\",tbody:\"tbody\",td:\"td\",strong:\"strong\",img:\"img\",h4:\"h4\",pre:\"pre\",code:\"code\"},n.components);return(0,t.jsxs)(t.Fragment,{children:[(0,t.jsx)(e.h2,{id:\"key-takeaways\",children:\"Key takeaways\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsxs)(e.li,{children:[\"Elastic Security Labs is releasing a BUGHATCH malware analysis report from a recent \",(0,t.jsx)(e.a,{href:\"https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis\",rel:\"nofollow\",children:\"campaign\"})]}),`\n`,(0,t.jsx)(e.li,{children:\"This report covers detailed code analysis, network communication protocols, command handling, and observed TTPs\"}),`\n`,(0,t.jsxs)(e.li,{children:[\"From this research we produced a \",(0,t.jsx)(e.a,{href:\"https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Bughatch.yar\",rel:\"nofollow\",children:\"YARA rule\"}),\" to detect the BUGHATCH downloader\"]}),`\n`]}),`\n`,(0,t.jsx)(e.h2,{id:\"preamble\",children:\"Preamble\"}),`\n`,(0,t.jsx)(e.p,{children:\"BUGHATCH is an implant of a custom C2 deployed during the CUBA ransomware campaigns we observed in February of 2022, this tool was most likely built by the threat actor themselves as it was not used previously.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"BUGHATCH is capable of downloading and executing commands and arbitrary code, it gives the operator the freedom to execute payloads with different techniques like reflection, shellcode execution, system command execution, and so on. 
The samples we have seen were not obfuscated and were deployed using a custom obfuscated in-memory dropper written in PowerShell and referred to as \",(0,t.jsx)(e.a,{href:\"https://www.mandiant.com/resources/unc2596-cuba-ransomware\",rel:\"nofollow\",children:\"TERMITE by Mandiant\"}),\".\"]}),`\n`,(0,t.jsx)(e.p,{children:\"In this document, we will go through the execution flow of BUGHATCH highlighting its functionalities and code execution techniques, a YARA rule and the MITRE ATT\u0026CK mapping can be found in the appendix.\"}),`\n`,(0,t.jsx)(e.p,{children:\"In this analysis we will describe the following:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Token adjustment\"}),`\n`,(0,t.jsx)(e.li,{children:\"Information collection\"}),`\n`,(0,t.jsx)(e.li,{children:\"Threading and thread synchronization\"}),`\n`,(0,t.jsx)(e.li,{children:\"Network communication protocol\"}),`\n`,(0,t.jsx)(e.li,{children:\"Command handling\"}),`\n`]}),`\n`,(0,t.jsxs)(e.blockquote,{children:[`\n`,(0,t.jsx)(e.p,{children:\"For information on the CUBA ransomware campaign and associated malware analysis, check out our blog posts detailing this:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis\",rel:\"nofollow\",children:\"CUBA Ransomware Campaign\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis\",rel:\"nofollow\",children:\"CUBA Malware Analysis\"})}),`\n`]}),`\n`]}),`\n`,(0,t.jsx)(e.h2,{id:\"static-analysis\",children:\"Static analysis\"}),`\n`,(0,t.jsx)(e.p,{children:`| | |\n| ------------ | ---------------------------------------------------------------- | --- |\n| SHA256 | F1325F8A55164E904A4B183186F44F815693A008A9445D2606215A232658C3CF |\n| File Size | 35840 bytes |\n| File Type: | Win32 executable |\n| Signed? | No |\n| Packer? 
| No |\n| Compiler | Visual Studio 2017 - 15.5.0 preview 2 |\n| Compile Time | Sun Feb 06 21:05:18 2022 | UTC |\n| Entropy | 6.109 |`}),`\n`,(0,t.jsx)(e.h3,{id:\"sections\",children:\"Sections\"}),`\n`,(0,t.jsx)(e.div,{className:\"table-container\",children:(0,t.jsxs)(e.table,{children:[(0,t.jsx)(e.thead,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{})]})}),(0,t.jsxs)(e.tbody,{children:[(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"Name\"}),(0,t.jsx)(e.td,{children:\"VirtualAddress\"}),(0,t.jsx)(e.td,{children:\"Virtual Size\"}),(0,t.jsx)(e.td,{children:\"Raw Size\"}),(0,t.jsx)(e.td,{children:\"Entropy\"}),(0,t.jsx)(e.td,{children:\"MD5\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\".text\"}),(0,t.jsx)(e.td,{children:\"0x1000\"}),(0,t.jsx)(e.td,{children:\"0x6000\"}),(0,t.jsx)(e.td,{children:\"0x5400\"}),(0,t.jsx)(e.td,{children:\"5.933\"}),(0,t.jsx)(e.td,{children:\"A6E30CCF838569781703C943F18DC3F5\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\".rdata\"}),(0,t.jsx)(e.td,{children:\"0x7000\"}),(0,t.jsx)(e.td,{children:\"0x3000\"}),(0,t.jsx)(e.td,{children:\"0x2A00\"}),(0,t.jsx)(e.td,{children:\"6.217\"}),(0,t.jsx)(e.td,{children:\"9D9AD1251943ECACE81644A7AC320B3C\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\".data\"}),(0,t.jsx)(e.td,{children:\"0xA000\"}),(0,t.jsx)(e.td,{children:\"0x1000\"}),(0,t.jsx)(e.td,{children:\"0x400\"}),(0,t.jsx)(e.td,{children:\"1.163\"}),(0,t.jsx)(e.td,{children:\"B983B8EB258220628BE2A88CA44286B4\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\".reloc\"}),(0,t.jsx)(e.td,{children:\"0xB000\"}),(0,t.jsx)(e.td,{children:\"0x424\"}),(0,t.jsx)(e.td,{children:\"0x600\"}),(0,t.jsx)(e.td,{children:\"5.235\"}),(0,t.jsx)(e.td,{children:\"39324A58D79FC5B8910CBD9AFBF1A6CB\"})]})]})]})}),`\n`,(0,t.jsx)(e.h2,{id:\"code-analysis\",children:\"Code 
analysis\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs ( \",(0,t.jsx)(e.strong,{children:\"VirtualAlloc\"}),\" , \",(0,t.jsx)(e.strong,{children:\"CreateThread, WaitForSingleObject\"}),\" ).\"]}),`\n`,(0,t.jsx)(e.p,{children:\"The PowerShell loader uses inline C# to load APIs needed for shellcode injection as seen in the following pseudocode.\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image12.jpg\",alt:\"Pseudocode PowerShell inline C#\",width:\"1440\",height:\"737\"})}),`\n`,(0,t.jsx)(e.p,{children:\"The PowerShell script is obfuscated with random functions and variable names and contains the shellcode in a reverse-Base64 format.\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image10.png\",alt:\"Pseudocode embedded shellcode in Base64 format\",width:\"1440\",height:\"375\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"The script first decodes the reverse-Base64 encoded data, then allocates a memory region with \",(0,t.jsx)(e.strong,{children:\"VirtualAlloc\"}),\" before copying the shellcode into it. 
Finally, the script executes the shellcode by creating a new thread with the \",(0,t.jsx)(e.strong,{children:\"CreateThread\"}),\" API.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image38.jpg\",alt:\"Pseudocode PowerShell creates a new thread to execute the shellcode\",width:\"1440\",height:\"128\"})}),`\n`,(0,t.jsx)(e.p,{children:\"The shellcode downloads another shellcode blob and the encrypted PE implant from the C2 server, this second shellcode decrypts and reflectively loads the PE malware.\"}),`\n`,(0,t.jsx)(e.p,{children:\"This section dives deeper into the BUGHATCH execution flow, threading and encryption implementation, communication protocol with C2, and finally supported commands and payload execution techniques implemented.\"}),`\n`,(0,t.jsx)(e.p,{children:\"The following is a diagram summarizing the execution flow of the implant:\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image16.png\",alt:\"Execution flow diagram of BUGHATCH\",width:\"1440\",height:\"1576\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image15.jpg\",alt:\"Pseudocode of the main function\",width:\"874\",height:\"1032\"})}),`\n`,(0,t.jsx)(e.h3,{id:\"token-adjustment\",children:\"Token adjustment\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The implant starts by elevating permissions using the \",(0,t.jsx)(e.strong,{children:\"SeDebugPrivilege\"}),\" method, enabling the malware to access and read the memory of other processes. 
It leverages common Windows APIs to achieve this as shown in the pseudocode below:\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image20.jpg\",alt:\"\",width:\"1292\",height:\"646\"})}),`\n`,(0,t.jsx)(e.h3,{id:\"information-collection\",children:\"Information collection\"}),`\n`,(0,t.jsx)(e.p,{children:\"The malware collects host-based information used to fingerprint the infected system, this information will be stored in a custom structure that will be 2-byte XOR encrypted and sent to the C2 server in an HTTP POST request.\"}),`\n`,(0,t.jsx)(e.p,{children:\"The following lists the collected information:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Current value of the performance counter\"}),`\n`,(0,t.jsx)(e.li,{children:\"Network information\"}),`\n`,(0,t.jsx)(e.li,{children:\"System information\"}),`\n`,(0,t.jsx)(e.li,{children:\"Token information\"}),`\n`,(0,t.jsx)(e.li,{children:\"Domain and Username of the current process\"}),`\n`,(0,t.jsx)(e.li,{children:\"Current process path\"}),`\n`]}),`\n`,(0,t.jsx)(e.h4,{id:\"current-value-of-the-performance-counter\",children:\"Current value of the performance counter\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Using the \",(0,t.jsx)(e.strong,{children:\"QueryPerformanceCounter\"}),\" API, it collects the amount of time since the system was last booted. 
This value will be used to compute the 2-byte XOR encryption key to encrypt communications between the implant and the C2 server, a detailed analysis of the encryption implementation will follow.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image42.jpg\",alt:\"Pseudocode QueryPerformanceCounter function\",width:\"1138\",height:\"300\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"network-information\",children:\"Network information\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"It collects the addresses of network interfaces connected to the infected machine by using the \",(0,t.jsx)(e.strong,{children:\"GetIpAddrTable\"}),\" Windows API.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image22.jpg\",alt:\"Pseudocode collecting interface addresses\",width:\"1162\",height:\"644\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"system-information\",children:\"System information\"}),`\n`,(0,t.jsx)(e.p,{children:\"BUGHATCH collects key system information which includes:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Windows major release, minor release, and build number\"}),`\n`,(0,t.jsx)(e.li,{children:\"Processor architecture (either 32-bit or 64-bit)\"}),`\n`,(0,t.jsx)(e.li,{children:\"Computer name\"}),`\n`]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image18.jpg\",alt:\"Pseudocode collecting system information\",width:\"1440\",height:\"879\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"token-information\",children:\"Token information\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The agent proceeds to collect the current process token group membership, it invokes the \",(0,t.jsx)(e.strong,{children:\"AllocateAndInitializeSid\"}),\" API followed by the \",(0,t.jsx)(e.strong,{children:\"CheckTokenMembership\"}),\" API, concatenating the \",(0,t.jsx)(e.a,{href:\"https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings\",rel:\"nofollow\",children:\"SDDL 
SID strings\"}),\" for every group the process token is part of. While not unique to BUGHATCH, this is detected by Elastic's \",(0,t.jsx)(e.a,{href:\"https://www.elastic.co/guide/en/security/current/enumeration-of-privileged-local-groups-membership.html\",rel:\"nofollow\",children:\"Enumeration of Privileged Local Groups Membership\"}),\" detection rule.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image29.jpg\",alt:\"Pseudocode collecting token group membership information\",width:\"1440\",height:\"643\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"domain-and-username-of-the-current-process\",children:\"Domain and username of the current process\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The malware opens a handle to the current process with \",(0,t.jsx)(e.strong,{children:\"OpenProcessToken\"}),\" and gets the structure that contains the user account of the token with \",(0,t.jsx)(e.strong,{children:\"GetTokenInformation\"}),\". It then retrieves the username and domain of the user account with the \",(0,t.jsx)(e.strong,{children:\"LookupAccountSidW\"}),\" API and concatenates the 2 strings in the following format: \",(0,t.jsx)(e.strong,{children:\"DOMAIN\\\\USERNAME\"}),\".\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image14.jpg\",alt:\"\",width:\"1440\",height:\"1119\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"current-process-path\",children:\"Current process path\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Finally, it collects the current process path with \",(0,t.jsx)(e.strong,{children:\"GetModuleFileNameW\"}),\". 
The malware then encrypts the entire populated structure with a simple 2-byte XOR algorithm, this encryption implementation is detailed later in the report.\"]}),`\n`,(0,t.jsx)(e.h2,{id:\"threading-and-thread-synchronization\",children:\"Threading and thread synchronization\"}),`\n`,(0,t.jsx)(e.p,{children:\"The implant is multithreaded; it uses two different linked lists, one is filled with the commands received from the C2 server and the other is filled with the output of the commands executed.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"It spawns 5 worker threads, each handling a command received from the C2 server by accessing the appropriate linked list using the \",(0,t.jsx)(e.strong,{children:\"CriticalSection\"}),\" object. The main process\\u2019 thread also retrieves the command's output from the second linked list using the \",(0,t.jsx)(e.strong,{children:\"CriticalSection\"}),\" object for synchronization purposes, to avoid any race conditions.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image45.jpg\",alt:\"Pseudocode of the thread creation function\",width:\"1100\",height:\"452\"})}),`\n`,(0,t.jsx)(e.h2,{id:\"network-communication-protocol\",children:\"Network communication protocol\"}),`\n`,(0,t.jsx)(e.p,{children:\"In this section we will detail:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Base communication protocol\"}),`\n`,(0,t.jsx)(e.li,{children:\"Encryption implementation\"}),`\n`]}),`\n`,(0,t.jsx)(e.p,{children:\"The implant we analyzed uses HTTP(S) for communications. On top of the SSL encryption of the protocol, the malware and C2 encrypt the data with a 2-byte XOR key computed by the malware for each new session. 
The values to compute the 2-byte XOR key are prepended at the beginning of the base protocol packet which the server extracts to decrypt/encrypt commands.\"}),`\n`,(0,t.jsx)(e.p,{children:\"When launched, the malware will first send an HTTP POST request to the C2 server containing all the collected information extracted from the victim\\u2019s machine, the C2 then responds with the operator\\u2019s command if available, or else the agent sleeps for 60 seconds. After executing the command and only if the output of the executed command is available, the malware will send a POST request containing both the collected information and the command\\u2019s output, otherwise, it sends the collected information and waits for new commands.\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image32.png\",alt:\"Example of an implant HTTP POST request to an emulated C2 server\",width:\"1440\",height:\"370\"})}),`\n`,(0,t.jsx)(e.h3,{id:\"base-communication-protocol\",children:\"Base communication protocol\"}),`\n`,(0,t.jsx)(e.p,{children:\"The author(s) of BUGHATCH implemented a custom network protocol, the following is the syntax that the agent and server use for their communication:\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/BugHatchanalysisreport_html.jpg\",alt:\"BUGHATCH agent and server communications\",width:\"1440\",height:\"149\"})}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"XOR key values:\"}),\" The values to compute the 2-byte XOR encryption key used to encrypt the rest of the data\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"Separator:\"}),\" A static value ( \",(0,t.jsx)(e.strong,{children:\"0x389D3AB7\"}),\" ) that separates \",(0,t.jsx)(e.strong,{children:\"Msg\"}),\" chunks, example: the server can send different instructions in the same HTTP request separated by the 
\",(0,t.jsx)(e.strong,{children:\"Separator\"})]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"Chunk length:\"}),\" Is the length of the \",(0,t.jsx)(e.strong,{children:\"Msg\"}),\" , \",(0,t.jsx)(e.strong,{children:\"Separator\"}),\" and \",(0,t.jsx)(e.strong,{children:\"Chunk length\"})]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"Msg:\"}),\" Is the message to be sent, the message differs from the agent to the server.\"]}),`\n`]}),`\n`,(0,t.jsxs)(e.p,{children:[\"We will dive deeper into the encapsulation of the \",(0,t.jsx)(e.strong,{children:\"Msg\"}),\" for both the agent and the server.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image40.jpg\",alt:\"Pseudocode extracting commands according to the separator value\",width:\"1200\",height:\"364\"})}),`\n`,(0,t.jsx)(e.h3,{id:\"encryption-implementation\",children:\"Encryption implementation\"}),`\n`,(0,t.jsx)(e.p,{children:\"The malware uses 2-byte XOR encryption when communicating with the C\u0026C server; a 2-byte XOR key is generated and computed by the implant for every session with the C2 server.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The agent uses two DWORD values returned by \",(0,t.jsx)(e.strong,{children:\"QueryPerformanceCounter\"}),\" API as stated earlier, it then computes a 2-byte XOR key by XOR-encoding the DWORD values and then multiplying and adding hardcoded values. 
The following is a Python pseudocode of how the KEY is computed:\"]}),`\n`,(0,t.jsx)(e.pre,{children:(0,t.jsx)(e.code,{children:`tmp = (PerformanceCount[0] ^ PerformanceCount[1]) \u0026 0xFFFFFFFF\nXorKey = (0x343FD * tmp + 0x269EC3)\u0026 0xFFFFFFFF\nXorKey = p16(XorKey \u003e\u003e 16).ljust(2, b'\\\\x00')\n`})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image9.jpg\",alt:\"Pseudocode of the encryption implementation\",width:\"996\",height:\"674\"})}),`\n`,(0,t.jsx)(e.h2,{id:\"command-handling\",children:\"Command handling\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"In this section, we will dive deeper into the functionalities implemented in the agent and their respective \",(0,t.jsx)(e.strong,{children:\"Msg\"}),\" structure that will be encapsulated in the base communication protocol structure as mentioned previously.\"]}),`\n`,(0,t.jsx)(e.p,{children:\"Once the working threads are started, the main thread will continue beaconing to the C2 server to retrieve commands. The main loop is made up of the following:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Send POST request\"}),`\n`,(0,t.jsx)(e.li,{children:\"Decrypt the received command and add it to the linked list\"}),`\n`,(0,t.jsx)(e.li,{children:\"Sleep for 60 seconds\"}),`\n`]}),`\n`,(0,t.jsxs)(e.p,{children:[\"A working thread will first execute the \",(0,t.jsx)(e.strong,{children:\"RemoveEntryRecvLinkedList\"}),\" function that accesses and retrieves the data sent by the C2 server from the linked list.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image43.jpg\",alt:\"Pseudocode retrieves data sent by the C2\",width:\"1328\",height:\"704\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"The thread will then de-encapsulate the data received from the C2 and extract the \",(0,t.jsx)(e.strong,{children:\"Msg(Command)\"}),\". 
The malware implements different functionalities according to a command flag, the table below illustrates the functionalities of each command:\"]}),`\n`,(0,t.jsx)(e.div,{className:\"table-container\",children:(0,t.jsxs)(e.table,{children:[(0,t.jsx)(e.thead,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{})]})}),(0,t.jsxs)(e.tbody,{children:[(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"Command FLAG\"}),(0,t.jsx)(e.td,{children:\"Description\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"1\"}),(0,t.jsx)(e.td,{children:\"Group functions related to code and command execution\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"2\"}),(0,t.jsx)(e.td,{children:\"Group functions related to utilities like impersonation and migration\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"3\"}),(0,t.jsx)(e.td,{children:\"Process injection of a PE file in a suspended child process\"})]})]})]})}),`\n`,(0,t.jsx)(e.h3,{id:\"command-1\",children:\"Command 1\"}),`\n`,(0,t.jsx)(e.p,{children:\"This command gives access to functionalities related to payload execution, from DLL to PE executable to PowerShell and cmd scripts.\"}),`\n`,(0,t.jsx)(e.p,{children:\"Some of the sub-commands use pipes to redirect the standard input/output of the child process, which enables the attacker to execute payloads and retrieve its output, for example, PowerShell or Mimikatz, etc\\u2026\"}),`\n`,(0,t.jsx)(e.p,{children:\"The following is the list of sub commands:\"}),`\n`,(0,t.jsx)(e.div,{className:\"table-container\",children:(0,t.jsxs)(e.table,{children:[(0,t.jsx)(e.thead,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{})]})}),(0,t.jsxs)(e.tbody,{children:[(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"Sub Command Flag\"}),(0,t.jsx)(e.td,{children:\"Function Name\"}),(0,t.jsx)(e.td,{children:\"Functionality 
description\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"2\"}),(0,t.jsx)(e.td,{children:\"ReflectivelyExecutePERemote\"}),(0,t.jsx)(e.td,{children:\"Reflectively loads PE files in a child process and redirects its standard input output, the output will be sent to the operator C2 server\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"3\"}),(0,t.jsx)(e.td,{children:\"DropPEDiskExecute\"}),(0,t.jsx)(e.td,{children:\"Drops a PE file to disk and executes it, the execution output is then sent to the operator\\u2019s C2 server\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"4\"}),(0,t.jsx)(e.td,{children:\"SelfShellcodeExecute\"}),(0,t.jsx)(e.td,{children:\"Executes a shellcode in the same process\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"5\"}),(0,t.jsx)(e.td,{children:\"RemoteShellcodeExecute\"}),(0,t.jsx)(e.td,{children:\"Executes a shellcode in a suspended spawned child process\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"6\"}),(0,t.jsx)(e.td,{children:\"ExecuteCmd\"}),(0,t.jsx)(e.td,{children:\"Executes a CMD script/command\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"7\"}),(0,t.jsx)(e.td,{children:\"ExecutePowershell\"}),(0,t.jsx)(e.td,{children:\"Executes a Powershell script/command\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"9\"}),(0,t.jsx)(e.td,{children:\"ReflectivelyLoadDllRemote\"}),(0,t.jsx)(e.td,{children:\"Executes a DLL reflectively in a remote process using CreateRemoteThread API\"})]})]})]})}),`\n`,(0,t.jsx)(e.p,{children:\"The following is the structure that is used by the above commands:\"}),`\n`,(0,t.jsx)(e.pre,{children:(0,t.jsx)(e.code,{children:`struct ExecutePayloadCommandStruct\n{\n DWORD commandFlag;\n DWORD field_0;\n DWORD subCommandFlag_1;\n DWORD readPipeTimeOut_2;\n DWORD payloadSize_3;\n DWORD commandLineArgumentSize_4;\n DWORD STDINDataSize_5;\n CHAR 
payload_cmdline_stdin[n];\n};\n`})}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"commandFlag:\"}),\" Indicates the command\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"subCommandFlag:\"}),\" Indicates the subcommand\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"readPipeTimeOut:\"}),\" Indicates the timeout for reading the output of child processes from a pipe\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"payloadSize:\"}),\" Indicates the payload size\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"commandLineArgumentSize:\"}),\" Indicates length of the command line arguments when executing the payload, example a PE binary\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"STDINDataSize:\"}),\" Indicates the length of the standard input data that will be sent to the child process\"]}),`\n`,(0,t.jsxs)(e.li,{children:[(0,t.jsx)(e.strong,{children:\"Payload_cmdline_stdin:\"}),\" Can contain the payload PE file for example, its command line arguments and the standard input data that will be forwarded to the child process, the malware knows the beginning and end of each of these using their respective length.\"]}),`\n`]}),`\n`,(0,t.jsx)(e.h4,{id:\"reflectivelyexecuteperemote\",children:\"ReflectivelyExecutePERemote\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The agent reflectively loads PE binaries in the memory space of a created process in a suspended state (either \",(0,t.jsx)(e.strong,{children:\"cmd.exe\"}),\" or \",(0,t.jsx)(e.strong,{children:\"svchost.exe\"}),\" ). The agent leverages \",(0,t.jsx)(e.a,{href:\"https://docs.microsoft.com/en-us/windows/win32/ipc/anonymous-pipes\",rel:\"nofollow\",children:\"anonymous (unnamed) pipes\"}),\" within Windows to redirect the created child process's standard input and output handles. 
It first creates an anonymous pipe that will be used to retrieve the output of the created process, then the pipe handles are specified in the \",(0,t.jsx)(e.strong,{children:\"STARTUPINFO\"}),\" structure of the child process.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image41.jpg\",alt:\"Pseudocode for anonymous pipe creation\",width:\"777\",height:\"227\"})}),`\n`,(0,t.jsx)(e.p,{children:\"After creating the suspended process, the malware allocates a large memory block to write shellcode and a XOR encrypted PE file.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The shellcode will 2-byte XOR decrypt and load the embedded PE similar to ( \",(0,t.jsx)(e.strong,{children:\"Command 3\"}),\" ). This command can load 64bit and 32bit binaries, each architecture has its own shellcode PE loader, after injecting the shellcode it will point the instruction pointer of the child process\\u2019s thread to the shellcode and resume the thread.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image2.jpg\",alt:\"Pseudocode of Reflective Loading PE into child processes\",width:\"1146\",height:\"678\"})}),`\n`,(0,t.jsx)(e.p,{children:\"The following is an example of a packet captured from our custom emulated C2 server, we can see the structure discussed earlier on the left side and the packet bytes on the right side, for each command implemented in the malware, a packet example will be given.\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image7.png\",alt:\"Example of a ReflectivelyExecutePERemote command received from an emulated C2\",width:\"1440\",height:\"231\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"droppediskexecute\",children:\"DropPEDiskExecute\"}),`\n`,(0,t.jsx)(e.p,{children:\"With this subcommand, the operator can drop a PE file on disk and execute it. 
The agent has 3 different implementations depending on the PE file type, GUI Application, CUI (Console Application), or a DLL.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"For CUI binaries, the malware first generates a random path in the temporary folder and writes the PE file to it using \",(0,t.jsx)(e.strong,{children:\"CreateFileA\"}),\" and \",(0,t.jsx)(e.strong,{children:\"WriteFile\"}),\" API.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image39.jpg\",alt:\"Pseudocode writing payload to disk\",width:\"550\",height:\"298\"})}),`\n`,(0,t.jsx)(e.p,{children:\"It then creates a process of the dropped binary file as a child process by redirecting its standard input and output handles; after execution of the payload the output is sent to the operator\\u2019s C2 server.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"For GUI PE binaries, the agent simply writes it to disk and executes it directly with \",(0,t.jsx)(e.strong,{children:\"CreateProcessA\"}),\" API.\"]}),`\n`,(0,t.jsxs)(e.p,{children:[\"And lastly, for DLL PE files, the malware first writes the DLL to a randomly generated path in the temporary folder, then uses \",(0,t.jsx)(e.strong,{children:\"c:\\\\windows\\\\system32\\\\rundll32.exe\"}),\" or \",(0,t.jsx)(e.strong,{children:\"c:\\\\windows\\\\syswow64\\\\rundll32.exe\"}),\" (depending on the architecture of the DLL) to run either an exported function specified by the operator or the function \",(0,t.jsx)(e.strong,{children:\"start\"}),\" if no export functions were specified.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image1.jpg\",alt:\"Pseudocode running the payload dropped by DropPEDiskExecute function\",width:\"754\",height:\"347\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image34.png\",alt:\"Example of a SelfShellcodeExecute command received from an emulated 
C2\",width:\"1440\",height:\"230\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"selfshellcodeexecute\",children:\"SelfShellcodeExecute\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"This subcommand tasks the agent to execute shellcode in its own memory space by allocating a memory region using \",(0,t.jsx)(e.strong,{children:\"VirtualAlloc\"}),\" API and then copying the shellcode to it, the shellcode is executed by creating a thread using \",(0,t.jsx)(e.strong,{children:\"CreateThread\"}),\" API.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image37.jpg\",alt:\"Pseudocode of SelfShellcodeExecute command\",width:\"738\",height:\"124\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image35.jpg\",alt:\"Example of a SelfShellcodeExecute command received from an emulated C2\",width:\"1440\",height:\"254\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"remoteshellcodeexecute\",children:\"RemoteShellcodeExecute\"}),`\n`,(0,t.jsx)(e.p,{children:\"This sub-command can be used to execute a 32-bit or a 64-bit position independent shellcode in another process memory space.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Similarly to the \",(0,t.jsx)(e.strong,{children:\"SpawnAgent\"}),\" subcommand, the malware creates a suspended \",(0,t.jsx)(e.strong,{children:\"svchost.exe\"}),\" process with \",(0,t.jsx)(e.strong,{children:\"CreateProcessA\"}),\" API, allocates a memory region for the shellcode sent by the C2 server with \",(0,t.jsx)(e.strong,{children:\"VirtualAllocEx\"}),\" , and writes to it with \",(0,t.jsx)(e.strong,{children:\"WriteProcessMemory\"}),\" , it then sets the suspended thread instruction pointer to point to the injected shellcode with \",(0,t.jsx)(e.strong,{children:\"SetThreadContext\"}),\" and finally it will resume the thread with \",(0,t.jsx)(e.strong,{children:\"ResumeThread\"}),\" to execute the 
payload.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image26.jpg\",alt:\"Pseudocode writes shellcode to remote process\",width:\"526\",height:\"157\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image13.jpg\",alt:\"Pseudocode set EIP of child process using SetThreadContext\",width:\"849\",height:\"109\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image23.jpg\",alt:\"Example of a RemoteShellcodeExecute command received from an emulated C2\",width:\"1440\",height:\"275\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"executecmd-and-executepowershell\",children:\"ExecuteCmd and ExecutePowershell\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"An operator can execute PowerShell scripts or CMD scripts on the infected machine; the malware can either write the script to a file in the temporary folder with a randomly generated name as follows: \",(0,t.jsx)(e.strong,{children:(0,t.jsx)(e.code,{children:\"TEMP\u003cdigits\u003e.PS1\"})}),\" for PowerShell or \",(0,t.jsx)(e.strong,{children:(0,t.jsx)(e.code,{children:\"TEMP\u003cdigits\u003e.CMD\"})}),\" for a Command shell. 
The malware then passes parameters to it if specified by the malicious actor and executes it; the malware uses named pipes to retrieve the output of the PowerShell process.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image30.jpg\",alt:\"Pseudocode of ExecuteCmd command\",width:\"1112\",height:\"622\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image8.jpg\",alt:\"Example of an ExecutePowershell command received from an emulated C2\",width:\"1440\",height:\"210\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"reflectivelyloaddllremote\",children:\"ReflectivelyLoadDllRemote\"}),`\n`,(0,t.jsx)(e.p,{children:\"Reflectively execute a 32-bit or 64-bit DLL in a process created in a suspended state; the following summarizes the execution flow:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Check if the PE file is a 32 or 64-bit DLL\"}),`\n`,(0,t.jsxs)(e.li,{children:[\"Create a suspended \",(0,t.jsx)(e.strong,{children:\"svchost.exe\"}),\" process\"]}),`\n`,(0,t.jsxs)(e.li,{children:[\"Allocate memory for the DLL and the parameter for the DLL if specified by the C2 command with the \",(0,t.jsx)(e.strong,{children:\"VirtualAllocEx\"}),\" API\"]}),`\n`,(0,t.jsxs)(e.li,{children:[\"Write to the remotely allocated memory with the \",(0,t.jsx)(e.strong,{children:\"WriteProcessMemory\"}),\" API the DLL and the parameter if specified\"]}),`\n`,(0,t.jsxs)(e.li,{children:[\"Create a remote thread to execute the injected DLL with the \",(0,t.jsx)(e.strong,{children:\"CreateRemoteThread\"}),\" API\"]}),`\n`]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image19.jpg\",alt:\"Pseudocode of a ReflectivelyLoadDllRemote command\",width:\"699\",height:\"502\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image34.png\",alt:\"Example of a ReflectivelyLoadDllRemote command received from 
an emulated C2\",width:\"1440\",height:\"230\"})}),`\n`,(0,t.jsx)(e.h3,{id:\"command-2\",children:\"Command 2\"}),`\n`,(0,t.jsx)(e.p,{children:\"Command 2 has multiple sub-functionalities, as shown in the command table above; according to the subCommandFlag, the malware can perform 6 different operations as follows:\"}),`\n`,(0,t.jsx)(e.div,{className:\"table-container\",children:(0,t.jsxs)(e.table,{children:[(0,t.jsx)(e.thead,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{})]})}),(0,t.jsxs)(e.tbody,{children:[(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"Sub Command Flag\"}),(0,t.jsx)(e.td,{children:\"Function Name\"}),(0,t.jsx)(e.td,{children:\"Functionality description\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"1\"}),(0,t.jsx)(e.td,{children:\"ExitProcess\"}),(0,t.jsx)(e.td,{children:\"Exit process\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"2\"}),(0,t.jsx)(e.td,{children:\"SelfDeleteExitProcess\"}),(0,t.jsx)(e.td,{children:\"Self delete and exit process\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"3\"}),(0,t.jsx)(e.td,{children:\"SpawnAgent64\"}),(0,t.jsx)(e.td,{children:\"Spawn 64-bit agent\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"4\"}),(0,t.jsx)(e.td,{children:\"SpawnAgent32\"}),(0,t.jsx)(e.td,{children:\"Spawn 32-bit agent\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"0x1001\"}),(0,t.jsx)(e.td,{children:\"ImpersonateToken\"}),(0,t.jsx)(e.td,{children:\"Impersonate explorer\"})]}),(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"0x1002\"}),(0,t.jsx)(e.td,{children:\"MigrateC2\"}),(0,t.jsx)(e.td,{children:\"Change C2 config\"})]})]})]})}),`\n`,(0,t.jsx)(e.p,{children:\"The following is the structure that is used by the above commands:\"}),`\n`,(0,t.jsx)(e.pre,{children:(0,t.jsx)(e.code,{children:`struct ImpersonateReplicateStruct\n{\n int subCommandFlag;\n int impersonateExplorerToken;\n char padding[16];\n __int16 
isParameterSet;\n WCHAR w_parameters[n];\n};\n`})}),`\n`,(0,t.jsx)(e.h4,{id:\"exitprocess\",children:\"ExitProcess\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Calls the \",(0,t.jsx)(e.strong,{children:\"ExitProcess(0)\"}),\" API to terminate.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image25.png\",alt:\"Example of an ExitProcess command received from an emulated C2\",width:\"1440\",height:\"168\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"selfdeleteexitprocess\",children:\"SelfDeleteExitProcess\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The agent gets the PATH of the current process with \",(0,t.jsx)(e.strong,{children:\"GetModuleFileNameA\"}),\" and then executes the following command to self-delete: \",(0,t.jsx)(e.strong,{children:\"cmd.exe /c del FILEPATH \\\\\u003e\\\\\u003e NUL\"}),\" using \",(0,t.jsx)(e.strong,{children:\"CreateProcessA\"}),\" then simply exit the process with \",(0,t.jsx)(e.strong,{children:\"ExitProcess(0)\"}),\".\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image17.png\",alt:\"Example of a SelfDeleteExitProcess command received from an emulated C2\",width:\"1440\",height:\"166\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"spawnagent64-and-spawnagent32\",children:\"SpawnAgent64 and SpawnAgent32\"}),`\n`,(0,t.jsx)(e.p,{children:\"When subcommands 3 or 4 are specified, the malware will spawn another agent on the same machine depending on the subcommand sent by the C2, as shown in the table above.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The malware first retrieves the C2 IP address embedded in it, it will then do an HTTP GET request to download a packed agent in shellcode format, in the sample we analyzed \",(0,t.jsx)(e.strong,{children:\"/Agent32.bin\"}),\" URI is for the 32-bit agent, and \",(0,t.jsx)(e.strong,{children:\"/Agent64.bin\"}),\" is for 64-bit the 
agent.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image33.jpg\",alt:\"Pseudocode spawning another agent\",width:\"1440\",height:\"761\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"The malware then creates a suspended \",(0,t.jsx)(e.strong,{children:\"svchost.exe\"}),\" process with \",(0,t.jsx)(e.strong,{children:\"CreateProcessA\"}),\" API, writes the agent shellcode to the process, sets its instruction pointer to point to the injected shellcode with \",(0,t.jsx)(e.strong,{children:\"SetThreadContext\"}),\" , and finally it will resume the thread with \",(0,t.jsx)(e.strong,{children:\"ResumeThread\"}),\" to execute the injected payload.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image5.png\",alt:\"Example of a SpawnAgent32 command received from an emulated C2\",width:\"1440\",height:\"170\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"impersonatetoken\",children:\"ImpersonateToken\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"This subcommand is specific to process tokens; an attacker can either impersonate the \",(0,t.jsx)(e.strong,{children:\"explorer.exe\"}),\" token or create a token from credentials (Domain\\\\Username, Password) sent by the C2 to spawn another instance of the current process.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image44.jpg\",alt:\"Pseudocode ImpersonateToken command\",width:\"1440\",height:\"336\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"It will first check if the current process is a local system account or local service account or network service account by testing whether the given process token is a member of the group with the specified RID ( \",(0,t.jsx)(e.strong,{children:\"SECURITY_LOCAL_SYSTEM_RID\"}),\" , \",(0,t.jsx)(e.strong,{children:\"SECURITY_LOCAL_SERVICE_RID\"}),\" , \",(0,t.jsx)(e.strong,{children:\"SECURITY_NETWORK_SERVICE_RID\"}),\" ) 
respectively.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image36.jpg\",alt:\"Pseudocode check token group membership\",width:\"1150\",height:\"202\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"If the operator specified credentials, the malware will first call \",(0,t.jsx)(e.strong,{children:\"LogonUserW\"}),\" with the Domain\\\\User and password to create a token, then spawn another instance of the current process with this token.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image24.jpg\",alt:\"Pseudocode LogonUserW to create a token\",width:\"1440\",height:\"347\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"If no credentials are specified, the implant will impersonate the \",(0,t.jsx)(e.strong,{children:\"explorer.exe\"}),\" process by duplicating its token with \",(0,t.jsx)(e.strong,{children:\"DuplicateTokenEx\"}),\" and then spawn the current process with the duplicated token.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image21.png\",alt:\"Example of an ImpersonateToken command received from an emulated C2\",width:\"1440\",height:\"171\"})}),`\n`,(0,t.jsx)(e.h4,{id:\"migratec2\",children:\"MigrateC2\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"The operator can migrate the implant to another C2 server by specifying the subcommand \",(0,t.jsx)(e.strong,{children:\"0x1001\"}),\" with the IP address of the new C2.\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image4.jpg\",alt:\"Pseudocode migrating the implant\",width:\"1440\",height:\"329\"})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image31.png\",alt:\"Example of a MigrateC2 command received from an emulated C2\",width:\"1440\",height:\"170\"})}),`\n`,(0,t.jsx)(e.h3,{id:\"command-3\",children:\"Command 
3\"}),`\n`,(0,t.jsx)(e.p,{children:\"When command 3 is received the malware will reflectively load a PE file embedded as payload in the C\u0026C request in another process's memory space, the following is an overview of the execution:\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:\"Determine the type and architecture of the PE file\"}),`\n`,(0,t.jsx)(e.li,{children:\"Create a suspended process\"}),`\n`,(0,t.jsx)(e.li,{children:\"Allocate a large memory in the suspended process\"}),`\n`,(0,t.jsx)(e.li,{children:\"Write a shellcode in the allocated memory that will locate, decrypt and reflectively load the PE file\"}),`\n`,(0,t.jsx)(e.li,{children:\"2-byte XOR encrypt the PE file and append it after the shellcode\"}),`\n`,(0,t.jsx)(e.li,{children:\"Set the EIP context of the suspended process to execute the shellcode\"}),`\n`]}),`\n`,(0,t.jsx)(e.p,{children:\"The shellcode will then reflectively load the PE file\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image6.jpg\",alt:\"Pseudocode for Command 3's main logic\",width:\"1440\",height:\"929\"})}),`\n`,(0,t.jsx)(e.p,{children:\"The agent first parses the PE file received from the C2 server to determine the type and architecture of the PE file.\"}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image28.jpg\",alt:\"Pseudocode determines the PE file architecture\",width:\"1122\",height:\"944\"})}),`\n`,(0,t.jsx)(e.p,{children:\"And according to this information, a Windows signed executable will be chosen to inject into.\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"If the PE file is CUI (Console User Interface), the malware will choose \",(0,t.jsx)(e.strong,{children:\"cmd.exe\"}),\" , however, if it is GUI (Graphical User Interface) or a DLL PE file it will choose 
\",(0,t.jsx)(e.strong,{children:\"svchost.exe\"}),\".\"]}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image11.jpg\",alt:\"Options for malware to inject into\",width:\"1164\",height:\"774\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"The malware will then create a suspended process with \",(0,t.jsx)(e.strong,{children:\"CreateProcessA\"}),\" API (either \",(0,t.jsx)(e.strong,{children:\"cmd.exe\"}),\" or \",(0,t.jsx)(e.strong,{children:\"svchost.exe\"}),\" ) and allocate a large amount of memory with \",(0,t.jsx)(e.strong,{children:\"VirtualAllocEx\"}),\" in the created process, it will then copy a position independent shellcode stored in the \",(0,t.jsx)(e.strong,{children:\".rdata\"}),\" section to the newly allocated memory that is responsible for locating according to a specific tag the appended PE file, decrypt it and reflectively load it in memory.\"]}),`\n`,(0,t.jsx)(e.p,{children:\"Then it appends after the shellcode a 12 bytes structure composed of a tag, the size of the PE file, and a 2-byte XOR key.\"}),`\n`,(0,t.jsx)(e.p,{children:\"It will then 2-byte XOR encrypt the PE file and append it after the structure, the following is an overview of the written data to the allocated memory:\"}),`\n`,(0,t.jsx)(e.div,{className:\"table-container\",children:(0,t.jsxs)(e.table,{children:[(0,t.jsx)(e.thead,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{}),(0,t.jsx)(e.th,{})]})}),(0,t.jsx)(e.tbody,{children:(0,t.jsxs)(e.tr,{children:[(0,t.jsx)(e.td,{children:\"SHELLCODE\"}),(0,t.jsx)(e.td,{children:\"TAG\"}),(0,t.jsx)(e.td,{children:\"PE SIZE\"}),(0,t.jsx)(e.td,{children:\"2-byte XOR KEY\"}),(0,t.jsx)(e.td,{children:\"2-byte XOR encrypted PE file\"})]})})]})}),`\n`,(0,t.jsx)(e.p,{children:(0,t.jsx)(e.img,{src:\"/assets/images/bughatch-malware-analysis/image27.jpg\",alt:\"Pseudocode write shellcode and PE to child 
process\",width:\"1440\",height:\"524\"})}),`\n`,(0,t.jsxs)(e.p,{children:[\"The agent will then set the thread context with \",(0,t.jsx)(e.strong,{children:\"SetThreadContext\"}),\" and point the instruction pointer of the suspended process to the shellcode then it will simply resume the execution with \",(0,t.jsx)(e.strong,{children:\"ResumeThread\"}),\".\"]}),`\n`,(0,t.jsxs)(e.p,{children:[\"The shellcode will first locate the 2-byte XOR encrypted PE file according to the tag value ( \",(0,t.jsx)(e.strong,{children:\"0x80706050\"}),\" ), it will then 2-byte XOR decrypt it and load it reflectively on the same process memory.\"]}),`\n`,(0,t.jsx)(e.h2,{id:\"observed-adversary-tactics-and-techniques\",children:\"Observed adversary tactics and techniques\"}),`\n`,(0,t.jsx)(e.p,{children:\"Elastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced persistent threats use against enterprise networks.\"}),`\n`,(0,t.jsx)(e.h3,{id:\"tactics\",children:\"Tactics\"}),`\n`,(0,t.jsx)(e.p,{children:\"Tactics represent the why of a technique or sub-technique. 
It is the adversary\\u2019s tactical goal: the reason for performing an action.\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/tactics/TA0002\",rel:\"nofollow\",children:\"Execution\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/tactics/TA0009\",rel:\"nofollow\",children:\"Collection\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/tactics/TA0011\",rel:\"nofollow\",children:\"Command and Control\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/tactics/TA0010\",rel:\"nofollow\",children:\"Exfiltration\"})}),`\n`]}),`\n`,(0,t.jsx)(e.h3,{id:\"techniques--sub-techniques\",children:\"Techniques / sub techniques\"}),`\n`,(0,t.jsx)(e.p,{children:\"Techniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/techniques/T1059/003/\",rel:\"nofollow\",children:\"Command and Scripting Interpreter: Windows Command Shell\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/techniques/T1573/002/\",rel:\"nofollow\",children:\"Encrypted Channel: Asymmetric Cryptography\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/techniques/T1573/001/\",rel:\"nofollow\",children:\"Encrypted Channel: Symmetric Cryptography\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/techniques/T1041/\",rel:\"nofollow\",children:\"Exfiltration Over C2 Channel\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/techniques/T1119/\",rel:\"nofollow\",children:\"Automated Collection\"})}),`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://attack.mitre.org/techniques/T1106/\",rel:\"nofollow\",children:\"Native 
API\"})}),`\n`]}),`\n`,(0,t.jsx)(e.h2,{id:\"detections\",children:\"Detections\"}),`\n`,(0,t.jsx)(e.h3,{id:\"detection-rules\",children:\"Detection rules\"}),`\n`,(0,t.jsx)(e.p,{children:\"The following detection rule was observed during the analysis of the BUGHATCH sample. This rule is not exclusive to BUGHATCH activity.\"}),`\n`,(0,t.jsxs)(e.ul,{children:[`\n`,(0,t.jsx)(e.li,{children:(0,t.jsx)(e.a,{href:\"https://www.elastic.co/guide/en/security/current/enumeration-of-privileged-local-groups-membership.html#enumeration-of-privileged-local-groups-membership\",rel:\"nofollow\",children:\"Enumeration of Privileged Local Groups Membership\"})}),`\n`]}),`\n`,(0,t.jsx)(e.h3,{id:\"yara-rule\",children:\"YARA rule\"}),`\n`,(0,t.jsxs)(e.p,{children:[\"Elastic Security has created a \",(0,t.jsx)(e.a,{href:\"https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Bughatch.yar\",rel:\"nofollow\",children:\"YARA rule\"}),\" to identify this activity.\"]}),`\n`,(0,t.jsx)(e.pre,{children:(0,t.jsx)(e.code,{children:`rule Windows_Trojan_BUGHATCH {\n meta:\n author = \\u201CElastic Security\\u201D\n creation_date = \"2022-05-09\"\n last_modified = \"2022-06-09\"\n license = \\u201CElastic License v2\\u201D\n os = \"Windows\"\n arch = \"x86\"\n category_type = \"Trojan\"\n family = \"BUGHATCH\"\n threat_name = \"Windows.Trojan.BUGHATCH\"\n reference_sample = \"b495456a2239f3ba48e43ef295d6c00066473d6a7991051e1705a48746e8051f\"\n\n strings:\n $a1 = { 8B 45 ?? 33 D2 B9 A7 00 00 00 F7 F1 85 D2 75 ?? B8 01 00 00 00 EB 33 C0 }\n $a2 = { 8B 45 ?? 0F B7 48 04 81 F9 64 86 00 00 75 3B 8B 55 ?? 0F B7 42 16 25 00 20 00 00 ?? ?? B8 06 00 00 00 EB ?? 
}\n $a3 = { 69 4D 10 FD 43 03 00 81 C1 C3 9E 26 00 89 4D 10 8B 55 FC 8B 45 F8 0F B7 0C 50 8B 55 10 C1 EA 10 81 E2 FF FF 00 00 33 CA 8B 45 FC 8B 55 F8 66 89 0C 42 }\n $c1 = \"-windowstyle hidden -executionpolicy bypass -file\"\n $c2 = \"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\"\n $c3 = \"ReflectiveLoader\"\n $c4 = \"\\\\\\\\Sysnative\\\\\\\\\"\n $c5 = \"TEMP%u.CMD\"\n $c6 = \"TEMP%u.PS1\"\n $c7 = \"\\\\\\\\TEMP%d.%s\"\n $c8 = \"NtSetContextThread\"\n $c9 = \"NtResumeThread\"\n\n condition:\n any of ($a*) or 6 of ($c*)\n}\n`})})]})}function x(n={}){let{wrapper:e}=n.components||{};return e?(0,t.jsx)(e,Object.assign({},n,{children:(0,t.jsx)(h,n)})):h(n)}var T=x;return b(P);})();\n;return Component;"},"_id":"articles/bughatch-malware-analysis.mdx","_raw":{"sourceFilePath":"articles/bughatch-malware-analysis.mdx","sourceFileName":"bughatch-malware-analysis.mdx","sourceFileDir":"articles","contentType":"mdx","flattenedPath":"articles/bughatch-malware-analysis"},"type":"Article","imageUrl":"/assets/images/bughatch-malware-analysis/libraries-edev-ops-1680x980.jpg","readingTime":"34 min read","series":"","url":"/bughatch-malware-analysis","headings":[{"level":2,"title":"Key takeaways","href":"#key-takeaways"},{"level":2,"title":"Preamble","href":"#preamble"},{"level":2,"title":"Static analysis","href":"#static-analysis"},{"level":3,"title":"Sections","href":"#sections"},{"level":2,"title":"Code analysis","href":"#code-analysis"},{"level":3,"title":"Token adjustment","href":"#token-adjustment"},{"level":3,"title":"Information collection","href":"#information-collection"},{"level":4,"title":"Current value of the performance counter","href":"#current-value-of-the-performance-counter"},{"level":4,"title":"Network information","href":"#network-information"},{"level":4,"title":"System information","href":"#system-information"},{"level":4,"title":"Token information","href":"#token-information"},{"level":4,"title":"Domain and 
username of the current process","href":"#domain-and-username-of-the-current-process"},{"level":4,"title":"Current process path","href":"#current-process-path"},{"level":2,"title":"Threading and thread synchronization","href":"#threading-and-thread-synchronization"},{"level":2,"title":"Network communication protocol","href":"#network-communication-protocol"},{"level":3,"title":"Base communication protocol","href":"#base-communication-protocol"},{"level":3,"title":"Encryption implementation","href":"#encryption-implementation"},{"level":2,"title":"Command handling","href":"#command-handling"},{"level":3,"title":"Command 1","href":"#command-1"},{"level":4,"title":"ReflectivelyExecutePERemote","href":"#reflectivelyexecuteperemote"},{"level":4,"title":"DropPEDiskExecute","href":"#droppediskexecute"},{"level":4,"title":"SelfShellcodeExecute","href":"#selfshellcodeexecute"},{"level":4,"title":"RemoteShellcodeExecute","href":"#remoteshellcodeexecute"},{"level":4,"title":"ExecuteCmd and ExecutePowershell","href":"#executecmd-and-executepowershell"},{"level":4,"title":"ReflectivelyLoadDllRemote","href":"#reflectivelyloaddllremote"},{"level":3,"title":"Command 2","href":"#command-2"},{"level":4,"title":"ExitProcess","href":"#exitprocess"},{"level":4,"title":"SelfDeleteExitProcess","href":"#selfdeleteexitprocess"},{"level":4,"title":"SpawnAgent64 and SpawnAgent32","href":"#spawnagent64-and-spawnagent32"},{"level":4,"title":"ImpersonateToken","href":"#impersonatetoken"},{"level":4,"title":"MigrateC2","href":"#migratec2"},{"level":3,"title":"Command 3","href":"#command-3"},{"level":2,"title":"Observed adversary tactics and techniques","href":"#observed-adversary-tactics-and-techniques"},{"level":3,"title":"Tactics","href":"#tactics"},{"level":3,"title":"Techniques / sub techniques","href":"#techniques--sub-techniques"},{"level":2,"title":"Detections","href":"#detections"},{"level":3,"title":"Detection rules","href":"#detection-rules"},{"level":3,"title":"YARA 
rule","href":"#yara-rule"}],"author":[{"title":"Salim Bitam","slug":"salim-bitam","description":"Elastic Security Labs Team Research Engineer II, Malware","body":{"raw":"","code":"var Component=(()=\u003e{var l=Object.create;var i=Object.defineProperty;var x=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var g=Object.getPrototypeOf,_=Object.prototype.hasOwnProperty;var d=(t,e)=\u003e()=\u003e(e||t((e={exports:{}}).exports,e),e.exports),j=(t,e)=\u003e{for(var n in e)i(t,n,{get:e[n],enumerable:!0})},o=(t,e,n,s)=\u003e{if(e\u0026\u0026typeof e==\"object\"||typeof e==\"function\")for(let a of f(e))!_.call(t,a)\u0026\u0026a!==n\u0026\u0026i(t,a,{get:()=\u003ee[a],enumerable:!(s=x(e,a))||s.enumerable});return t};var p=(t,e,n)=\u003e(n=t!=null?l(g(t)):{},o(e||!t||!t.__esModule?i(n,\"default\",{value:t,enumerable:!0}):n,t)),M=t=\u003eo(i({},\"__esModule\",{value:!0}),t);var m=d((D,c)=\u003e{c.exports=_jsx_runtime});var y={};j(y,{default:()=\u003ew,frontmatter:()=\u003eb});var r=p(m()),b={title:\"Salim Bitam\",description:\"Elastic Security Labs Team Research Engineer II, Malware\",slug:\"salim-bitam\"};function u(t){return(0,r.jsx)(r.Fragment,{})}function h(t={}){let{wrapper:e}=t.components||{};return e?(0,r.jsx)(e,Object.assign({},t,{children:(0,r.jsx)(u,t)})):u(t)}var w=h;return M(y);})();\n;return Component;"},"_id":"authors/salim-bitam.mdx","_raw":{"sourceFilePath":"authors/salim-bitam.mdx","sourceFileName":"salim-bitam.mdx","sourceFileDir":"authors","contentType":"mdx","flattenedPath":"authors/salim-bitam"},"type":"Author","imageUrl":"","url":"/authors/salim-bitam"}],"category":[{"title":"Malware analysis","slug":"malware-analysis","body":{"raw":"","code":"var Component=(()=\u003e{var u=Object.create;var s=Object.defineProperty;var x=Object.getOwnPropertyDescriptor;var f=Object.getOwnPropertyNames;var _=Object.getPrototypeOf,g=Object.prototype.hasOwnProperty;var 
j=(t,n)=\u003e()=\u003e(n||t((n={exports:{}}).exports,n),n.exports),M=(t,n)=\u003e{for(var e in n)s(t,e,{get:n[e],enumerable:!0})},i=(t,n,e,o)=\u003e{if(n\u0026\u0026typeof n==\"object\"||typeof n==\"function\")for(let r of f(n))!g.call(t,r)\u0026\u0026r!==e\u0026\u0026s(t,r,{get:()=\u003en[r],enumerable:!(o=x(n,r))||o.enumerable});return t};var d=(t,n,e)=\u003e(e=t!=null?u(_(t)):{},i(n||!t||!t.__esModule?s(e,\"default\",{value:t,enumerable:!0}):e,t)),p=t=\u003ei(s({},\"__esModule\",{value:!0}),t);var l=j((X,c)=\u003e{c.exports=_jsx_runtime});var D={};M(D,{default:()=\u003eC,frontmatter:()=\u003ew});var a=d(l()),w={title:\"Malware analysis\",slug:\"malware-analysis\"};function m(t){return(0,a.jsx)(a.Fragment,{})}function y(t={}){let{wrapper:n}=t.components||{};return n?(0,a.jsx)(n,Object.assign({},t,{children:(0,a.jsx)(m,t)})):m(t)}var C=y;return p(D);})();\n;return Component;"},"_id":"categories/malware-analysis.mdx","_raw":{"sourceFilePath":"categories/malware-analysis.mdx","sourceFileName":"malware-analysis.mdx","sourceFileDir":"categories","contentType":"mdx","flattenedPath":"categories/malware-analysis"},"type":"Category","url":"/categories/malware-analysis"}]},"seriesArticles":null},"__N_SSG":true},"page":"/[slug]","query":{"slug":"bughatch-malware-analysis"},"buildId":"kahZ-cxorFKvHlgt0NoHQ","assetPrefix":"/security-labs","isFallback":false,"gsp":true,"scriptLoader":[]}</script></body></html>
