This article was written during BSidesLV, BlackHat and Defcon events.
** We highly recommend you to try to do the analysis by yourself before looking at this article. Here is a fake one cfd26988d55294870f2676117cf1307ca4acdf8d **
A remote administration tool (also known as a RAT) is a piece of software that allows a remote “operator” to control a system as if he has physical access to that system. While desktop sharing and remote administration have many legal uses, such software is usually associated with criminal or malicious activity. In this example we are going to take a look at Cybergate RAT which have its configuration hardcoded. Our goal is to decrypt and retrieve its configuration.
To get the SHA1 you can use
rahash2 -a sha1 sample.exe or
ph sha1 $s @ 0. The
$s variable contains the binary size, see
?$? to get the complete list of variable.
See also rahash2 tutorial on
To get the complete list of strings, use
rabin2 -zz sample.exe or
You can also get them in json format by appending
rabin2 -zzj sample.exe or
You can notice that in the sample there is a huge proportion of
###@###. To give you a hint, it is very frequent that basic RAT store their configuration in an encrypted form and use delimiter to seperate the various elements, like
###@###http://urlofattacker###@###enableFTP=true###@###. You can also see that this string is stored in the
.rsrc. section. If you want more context, you can simply use
rafind2 -X -s "###" sample.exe.
Information of the binary
- Get Information:
rabin2 -I sample.exeor
- Get Entrypoint:
rabin2 -e sample.exeor
- Get Sections:
rabin2 -S sample.exeor
- Get imports:
rabin2 -i sample.exeor
- Get libraries:
rabin2 -L sample.exeor
- Get Entropy:
rahash2 -B -b 512 -a entropy sample.exeor
You can of course combine everything into one command:
Imports are giving us an indication about what resource are manipulated, you can get them with
rabin2 -i sample.exe, as mentionned previously.
We want to open and analyse the binary the dumb way
r2 -A (-A is using
[0x0040e1a8]> aaa see why it is a bad practice here: http://radare.today/posts/analysis-by-default/).
We know that the configuration is located in the
.rsrc segment. By checking the imports we know that what resources are manipulated: Let see where this takes place by looking at the XREFS.
In the visual mode we can visit
VF to get all flags, then go to the hud, using
_ we can search for
If you select
imp.kernel32.dll_LoadResource, which appears to be a relocation,
x is giving us the xref and we can use
0 shortcut (keyboard) to seek to the first (and only) reference. We can do it again as it was just a relocation and we land on
We now use visual graph using
V don’t forget to activate comment using
As we can see this function primary purpose is clearly to load the resource. Let’s rename it using
r (as in rename) followed by
Let see the xref of this function.
fcn.00406380. We can see that this function is manipulationg
mov edx, 0x406460 ; "####@####" 0x00406460.
If we look at the function called after this using keyboard
g followed by the letter in brackets:
[b].. we can see lot of them looks like garbage but one clearly stand out: .
We can see a loop with a buffer being xored
xor dl, 0xbc.
We can now proceed decryption the dirty way. First we reopen the binary in raw + write mode using
oonn+ then we use
wox to xor the binary.
[0x0040e1a8]> wox 0xbc $s @ 0. Now relaunching the
[0x0040e1a8]> izz we can see the decrypted configuration!
If you are looking for Malware RAT Family easy to analyze, please check out RATDecoders.
– Maxime M., Incident Intelligence Analyst @ FireEye (aka Maijin)