Analysis of SamoRAT

Introduction

We recently came across a .NET malware sample known as SamoRAT. Its main purpose is to receive and execute commands on the infected device; it can also download and execute other malicious programs. In this blog we walk through the analysis of the SamoRAT sample.

Static Analysis

Main Function:

Once executed, the program runs a set of anti-analysis checks on the host machine. It then checks that only a single instance of the program is running on the machine; if an instance is already running, the new instance exits automatically.

Fig 1. Main Function

Once these checks pass, the malicious program registers itself with the C&C server and starts receiving remote commands.

Anti-Analysis and Anti-VM Check:

SamoRAT employs anti-analysis checks to detect when it is being analyzed by AV systems, allowing it to change its behavior so that no alarms are triggered by the antivirus software.

Fig 2. Anti-Analysis

It checks for the following:

  1. Detects the manufacturer name for VMware and VirtualBox.
  2. Checks whether a debugger is attached to the program.
  3. Checks whether the host OS is Windows XP.
  4. Checks for SbieDll.dll to detect whether the program is running under Sandboxie.
  5. Checks whether the disk size of the host machine is small.

If any of these conditions is met, the program exits to avoid detection. This code snippet is reused from the open-source AsyncRAT.

Mutex Generation:

After passing the anti-analysis checks, the program checks that only a single instance is running on the machine by looking for a mutex named SamoRAT.

Fig 3. Mutex

If the mutex is not found, the program creates it, indicating that an instance is now running.

Bypass AV Systems:

SamoRAT can stop the Windows Defender process and disable its features by editing the registry, to avoid detection at run time.

Fig 4. Windows Defender Bypass

It also runs PowerShell commands to disable additional Windows Defender features.

Fig 5. Disable Additional Features

Persistence:

SamoRAT copies the main executable to the Microsoft Network folder and renames the copy to WinServices.exe.

Fig 6. WinServices.exe

To achieve persistence, it creates a scheduled task or modifies the Windows registry, depending on whether it has administrator privileges, so that it runs at start-up.

Fig 7. Persistence

Registration:

Once the program is installed, it registers itself with the C&C server by sending a POST request to api.samorat.com.

Fig 8. Registration Request

A request with method=registerClient is made to inform the attacker that the program was installed successfully. Also, if the program crashes during execution, a crash report is uploaded as an image named CrashReport.png.

Command Handler:

Once the program is registered, another POST request is made to the same address to indicate that it is online and ready to receive commands.

SamoRAT can receive four types of command, as follows:

  1. DOEX: downloads and installs other malicious programs on the infected host.
  2. UNINSTALL: instructs the program to uninstall itself and revert the changes made to the system.
  3. DISABLEUAC: used for bypassing the Windows Defender features.
  4. STARTCAPTURE: captures screenshots of the infected host.

When the program receives a DOEX command, it downloads the program from the link received and executes it as GoogleCrashHandler.exe.

Fig 9. DOEX command

On receiving the UNINSTALL command, the program deletes the registry entries and scheduled tasks it created during the persistence stage.

Fig 10. UNINSTALL command

It also creates and executes a .bat file with a random name to delete all the files associated with the program.

Fig 11. Delete Files

Network Analysis:

SamoRAT enumerates basic information about the host machine's configuration and sends it to the C&C server.

Here are snapshots of the pcap file generated while monitoring the network traffic:

Fig 12. Network Traffic for Registration
Fig 13. Network Traffic for Crash Report
Fig 14. Network Traffic for online indication

The system enumeration code is shown below:

Fig 15. System Enumeration
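As an added example (not part of the original post or the malware's code), the following Python triage function classifies proxy-log records of the traffic described above: a POST to api.samorat.com carrying method=registerClient is the registration, an upload of CrashReport.png is a crash report, and any other POST to the domain is treated as a C&C check-in. The record shape, the hwid/os field names and all values are constructed for illustration; only the domain, method=registerClient and the CrashReport.png filename come from the post.

```python
from urllib.parse import parse_qs

C2_DOMAIN = "api.samorat.com"  # from the IOC list in this post

# Constructed sample records in a simplified proxy-log shape (source IP, HTTP method,
# host and form body). The hwid/os field names and their values are assumed;
# the host, method=registerClient and CrashReport.png are the post's observations.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "POST", "host": "api.samorat.com",
     "body": "method=registerClient&hwid=TEST-HWID&os=Windows+10"},
    {"src": "10.0.0.5", "method": "POST", "host": "api.samorat.com",
     "body": "hwid=TEST-HWID&file=CrashReport.png"},
    {"src": "10.0.0.5", "method": "POST", "host": "api.samorat.com",
     "body": "hwid=TEST-HWID"},
    {"src": "10.0.0.7", "method": "GET", "host": "www.example.com", "body": ""},
]


def classify(record):
    """Return a verdict string for one record, or None if it is not SamoRAT traffic."""
    if record["host"].lower() != C2_DOMAIN:
        return None
    if record["method"].upper() != "POST":
        # Contact with the C2 domain that does not match the documented POST pattern.
        return "samorat-domain-other"
    fields = parse_qs(record["body"], keep_blank_values=True)
    if fields.get("method") == ["registerClient"]:
        return "samorat-registration"  # the REGISTRATION REQUEST signature case
    if "CrashReport.png" in record["body"]:
        return "samorat-crash-report"
    return "samorat-cnc-checkin"  # the online-indication / CNC CONNECTION case


def triage(records):
    """Group verdicts by source host so one infected machine yields one alert line."""
    hits = {}
    for rec in records:
        verdict = classify(rec)
        if verdict:
            hits.setdefault(rec["src"], []).append(verdict)
    return hits


if __name__ == "__main__":
    for src, verdicts in triage(SAMPLE_RECORDS).items():
        print(src, verdicts)
```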

Xunison Protection:

Xunison has detections in place for this attack and the vulnerabilities it exploits, so customers with updated Xbrain intrusion prevention signatures are protected against it. Users should also ensure that they update Xbrain regularly to prevent attackers from exploiting known vulnerabilities.

Xunison Signature:

INFECTED: SAMORAT REGISTRATION REQUEST DETECTED AND BLOCKED

INFECTED: SAMORAT CNC CONNECTION DETECTED AND BLOCKED

IOCs:

Domain:
api.samorat.com
Malware Hashes:

We are always looking to hear from the technical community and customers, so if you have any suggestions, comments, questions or want to enquire about any cybersecurity solution or topics then please feel free to email us at security@xunison.com

Author: Mitesh Wani

Twitter: https://twitter.com/kalki_poison
