LokiBot Analyzing

The same sample of LokiBot is used in all three parts.
Sample of original LokiBot MD5: 5A50DA910E7220FC790313F37C79A6C1

Download here:

[Github - Pass:infected]
[ANYRUN - Pass:infected]
[TRIA.GE - Pass:infected]

Brief Information:

This LokiBot sample is delivered via the GULoader downloader.
GULoader is a well-known downloader written in assembly and wrapped in a VB5/6 executable.
LokiBot is a well-known password stealer.
More Info GULoader: [Malpedia - GULoader]
More Info LokiBot: [Malpedia - LokiBot]

[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2

Video: [[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2]

Even though GULoader performs many anti-debug and anti-VM checks, this sample does not check for a VirtualBox VM or for a kernel debugger. So we can simply defeat GULoader's anti-debugging with remote kernel debugging of a VirtualBox guest VM.

Steps Covered in Video:

Setting up WinDbg Preview and VirtualBox for remote kernel debugging:
Guest VM:
CMD as administrator:
bcdedit /debug on
bcdedit /dbgsettings serial debugport:1 baudrate:115200 (assuming the port is COM1)
Shut down the VM.

HOST:
Go into the settings of our VirtualBox Windows VM:
Serial Ports -> Port 1 -> Enable serial port
Port number: COM1
Port Mode -> Host Pipe
Uncheck "Connect to existing pipe/socket"
Path/Address -> \\.\pipe\MalDBG
Start the VM.

Install WinDbg Preview.
Go to File -> "Start Debugging" and select "Attach to Kernel".
Go to the COM tab -> check "Pipe" and "Reconnect"
Resets: 0
Baud Rate: 115200
Port: \\.\pipe\MalDBG
Uncheck "Break on connection"
Click OK to attach to the kernel of our VM.

Attach WinDbg as a remote kernel debugger.
Watch everything in the guest VM with Process Hacker or Process Explorer.
Run LokiBot.
After the child process is spawned, break into the guest VM from the kernel debugger.
!process 0 0 - list processes and find the LokiBot EPROCESS.
bu /p fffffa8005a13060 nt!NtTerminateProcess - process-specific breakpoint (/p takes the LokiBot EPROCESS address) on process termination.
g - continue.
!process -1 0 - after the termination breakpoint hits, confirm that we are in the LokiBot process context.
.reload - reload symbols after reaching the breakpoint.
lmu - list user-mode modules and note the start and end address of the main LokiBot module.
.writemem C:\Users\DFIR_GUY\Desktop\lokibot\VIDEO\dumped\xxx.bin 0x00400000 0x004a2000 - save the memory range of the main LokiBot module to a file.

Now we have the unpacked LokiBot main module.
It is still in its mapped (virtual address) layout, so section data sits at the virtual addresses, not at the file offsets a PE parser expects.
We can unmap it with pe_unmapper: pe_unmapper64.exe /in xxx.bin /base 400000 /out lokibot_unpacked.bin
Check the repaired, unpacked, unmapped LokiBot with PE-bear and strings.
Unpacked, repaired, unmapped LokiBot: [Github Download - Pass:infected]
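As an added illustration of what the unmapping step does to the dumped module (this is example code written for this page, not pe_unmapper itself or anything from the repository): it walks the section table of a memory-laid-out PE, moves each section from its VirtualAddress back to its PointerToRawData, and rewrites ImageBase the way the /base 400000 switch does. The tiny two-section PE32 image built by build_sample_mapped_image() is a constructed test input; the field offsets used are the standard PE header layout.

```python
"""Minimal PE "unmapper": memory layout -> file layout, plus ImageBase patch (added example)."""
import struct

DOS_E_LFANEW = 0x3C
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_headers(image):
    """Return (e_lfanew, optional-header offset, magic, SizeOfHeaders, section tuples)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header: this is not a PE image")
    e_lfanew = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData follow the 8-byte name
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return e_lfanew, opt, magic, size_of_headers, sections


def read_image_base(image):
    """ImageBase is at +28 (4 bytes) in a PE32 optional header, at +24 (8 bytes) in PE32+."""
    _, opt, magic, _, _ = parse_headers(image)
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", image, opt + 28)[0]
    return struct.unpack_from("<Q", image, opt + 24)[0]


def unmap_pe(image, new_base=None):
    """Rebuild the raw (on-disk) layout from a memory-mapped image; optionally set ImageBase."""
    _, opt, magic, size_of_headers, sections = parse_headers(image)
    total = max([size_of_headers] + [raw_ptr + raw_size for _, _, raw_ptr, raw_size in sections])
    out = bytearray(total)
    hdr_len = min(size_of_headers, len(image))
    out[:hdr_len] = image[:hdr_len]                    # headers are identical in both layouts
    for va, _vsize, raw_ptr, raw_size in sections:
        n = min(raw_size, max(0, len(image) - va))     # clamp to what the dump actually contains
        if n:
            out[raw_ptr:raw_ptr + n] = image[va:va + n]
    if new_base is not None:                           # same effect as the /base switch
        if magic == PE32_MAGIC:
            struct.pack_into("<I", out, opt + 28, new_base)
        else:
            struct.pack_into("<Q", out, opt + 24, new_base)
    return bytes(out)


def build_sample_mapped_image():
    """Constructed test input: a tiny PE32 with .text and .data, laid out as in memory."""
    e_lfanew, opt_size, size_of_headers = 0x80, 0xE0, 0x400
    sections = [(b".text", 0x1000, 0x400, b"T" * 0x200), (b".data", 0x2000, 0x600, b"D" * 0x200)]
    image = bytearray(0x3000)                          # SizeOfImage
    image[:2] = b"MZ"
    struct.pack_into("<I", image, DOS_E_LFANEW, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, e_lfanew + 4, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", image, opt, PE32_MAGIC)
    struct.pack_into("<I", image, opt + 28, 0x10000000)          # ImageBase as relocated in memory
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", image, opt + 56, len(image), size_of_headers)  # SizeOfImage, SizeOfHeaders
    for i, (name, va, raw_ptr, data) in enumerate(sections):
        hdr = opt + opt_size + i * 40
        image[hdr:hdr + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", image, hdr + 8, len(data), va, len(data), raw_ptr)
        image[va:va + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    mapped = build_sample_mapped_image()
    raw = unmap_pe(mapped, new_base=0x400000)
    print(f"ImageBase {read_image_base(mapped):#x} -> {read_image_base(raw):#x}, "
          f"{len(mapped):#x} bytes mapped -> {len(raw):#x} bytes raw")
```

To use it on a real dump, read xxx.bin into bytes, call unmap_pe(data, new_base=0x400000) and write the result out; the unmapped file is what PE-bear and strings expect. Imports, relocations and other header fix-ups that pe_unmapper's companions handle are deliberately out of scope here.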

[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python

Video: [[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python]

During my analysis the C2 was still active.
But in case the C2 becomes unreachable and we still have the served payload, we can reimplement the C2 functionality ourselves.
In this video we reimplement the C2 in Python 3.

All needed files (C2 Python implementation with certs) here: [www folder]
Served encrypted LokiBot payload from Google Drive here: [encrypted_lokibot_downloaded_googledrive.bin]

Steps:

Run Wireshark + Process Hacker and collect the network IOCs from the running LokiBot sample.

Network IOCs:
drive.google.com - encrypted payload delivery (GULoader C2)
63.141.228.141 - C2 exfiltrating stolen data (LokiBot C2)

Implementation steps for LokiBot C2:

There is a small problem: LokiBot talks HTTP directly to the C2 IP (in this case 63.141.228.141).
Redirecting traffic destined for an external IP is awkward on Windows, so we cheat a little.
For simplicity (this avoids having to redirect the direct-IP HTTP traffic to 63.141.228.141):

This adds IP 63.141.228.141 to the loopback interface, so the loopback interface has two IPs assigned (127.0.0.1 and 63.141.228.141):
netsh interface ipv4 add address "Loopback" 63.141.228.141

To show all IPs assigned to all our interfaces (check the loopback):
netsh interface ipv4 show addresses

Only for removing the added IP 63.141.228.141 from the loopback interface later:
netsh interface ipv4 delete address "Loopback" 63.141.228.141

Now our Python C2 can listen on IP 63.141.228.141 (the IP of the LokiBot C2).

Implementation steps for GULoader C2:

GULoader performs its C2 communication to drive.google.com over HTTPS (TLS).
We must spoof the certificate for "drive.google.com":
Generate a self-signed certificate + RSA private key in OpenSSL for "drive.google.com": openssl req -new -x509 -keyout cert.pem -out cert.pem -nodes -days 365
Common Name: drive.google.com

Redirect the hostname "drive.google.com" to our newly assigned IP on the loopback interface:
Add a record to the hosts file to redirect DNS for drive.google.com:
63.141.228.141 drive.google.com

Import the public cert "server.pem" (certmgr.msc) into "Trusted Root Certification Authorities", otherwise GULoader's TLS client will reject our spoofed certificate.

Finally, run it:

Both Python C2 servers listen on our newly assigned IP on the loopback interface (63.141.228.141):
Run the Python 3 C2 for drive.google.com: [HTTPS_WEB_SERVER_GET.py]
Run the Python 3 C2 for IP 63.141.228.141: [HTTP_WEB_SERVER_POST.py]

Run Wireshark (on the loopback interface) + Process Hacker.
Run the LokiBot sample.
Suspend the LokiBot process (with Process Hacker) after data exfiltration (HTTP POST to IP 63.141.228.141).
Dump the main module of the LokiBot process at 0x00400000 (using Process Hacker). Be careful about the strange memory protection "N/A" (change it before dumping, using Process Hacker).
Use pe_unmapper: pe_unmapper64.exe /in xxx.bin /base 400000 /out lokibot_unpacked.bin
Check the repaired, unpacked, unmapped LokiBot with PE-bear and strings.
Decrypt the C2 communication to drive.google.com in Wireshark using privkey.pem.
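For reference, here is an added minimal Python 3 implementation of the two C2 stand-ins used in these steps. It is example code written for this page, not the repository's HTTPS_WEB_SERVER_GET.py or HTTP_WEB_SERVER_POST.py. It assumes the loopback IP 63.141.228.141, the payload file name and the cert.pem produced by the openssl command above; the "exfil" output folder, the Content-Disposition header, the metadata fields and the bare 200 reply to POSTs are my own choices, not observed C2 behaviour. One HTTPS server impersonates drive.google.com and answers every GET with the encrypted blob; one plain HTTP server accepts LokiBot's POSTs on the C2 IP and stores each upload with a line of metadata.

```python
"""Fake GULoader (HTTPS GET) and LokiBot (HTTP POST) C2 stand-ins for the lab (added example)."""
import json
import ssl
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

LISTEN_IP = "63.141.228.141"                   # LokiBot C2 IP, added to the loopback interface
PAYLOAD_PATH = Path("encrypted_lokibot_downloaded_googledrive.bin")
CERT_PATH = Path("cert.pem")                   # cert + key for drive.google.com (openssl -keyout cert.pem -out cert.pem)
EXFIL_DIR = Path("exfil")                      # assumed output folder for captured POST bodies


def build_payload_response(path, payload):
    """What the fake drive.google.com answers to any GET: the blob as a file download."""
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Length": str(len(payload)),
        "Content-Disposition": 'attachment; filename="payload.bin"',
    }
    return 200, headers, payload


def record_exfil(client_ip, path, headers, body, out_dir):
    """Persist one POST body and append a JSON line of metadata; returns the record."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    blob = out_dir / f"post_{stamp}.bin"
    blob.write_bytes(body)
    record = {
        "time": stamp,
        "client": client_ip,
        "path": path,
        "user_agent": headers.get("User-Agent", ""),
        "content_type": headers.get("Content-Type", ""),
        "content_length": len(body),
        "saved_as": blob.name,
    }
    with (out_dir / "posts.jsonl").open("a") as log:
        log.write(json.dumps(record) + "\n")
    return record


class PayloadHandler(BaseHTTPRequestHandler):
    """GET -> encrypted payload, regardless of the requested path."""
    payload = b""

    def do_GET(self):
        status, headers, body = build_payload_response(self.path, self.payload)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


class ExfilHandler(BaseHTTPRequestHandler):
    """POST -> store the upload, answer a bare 200 so the client believes the C2 accepted it."""
    out_dir = EXFIL_DIR

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        rec = record_exfil(self.client_address[0], self.path, self.headers, body, self.out_dir)
        self.log_message("stored %d bytes from %s as %s", rec["content_length"], rec["client"], rec["saved_as"])
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


def make_https_payload_server(bind_ip=LISTEN_IP, port=443):
    """TLS server for drive.google.com using the spoofed certificate."""
    PayloadHandler.payload = PAYLOAD_PATH.read_bytes()
    srv = ThreadingHTTPServer((bind_ip, port), PayloadHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(CERT_PATH)             # PEM file holding both certificate and private key
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    return srv


def make_http_exfil_server(bind_ip=LISTEN_IP, port=80):
    return ThreadingHTTPServer((bind_ip, port), ExfilHandler)


if __name__ == "__main__":
    https_srv = make_https_payload_server()
    http_srv = make_http_exfil_server()
    threading.Thread(target=https_srv.serve_forever, daemon=True).start()
    print(f"fake drive.google.com on https://{LISTEN_IP}:443, exfil sink on http://{LISTEN_IP}:80")
    http_srv.serve_forever()
```

Run it from an elevated prompt on the Windows VM (ports 80 and 443 need administrator rights) after the netsh and hosts-file steps; everything LokiBot posts ends up under exfil/ with one JSON line per upload in posts.jsonl, which is handy for comparing against the Wireshark capture.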

[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite

Video: [[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite]

Using REMnux as the default gateway + INetSim + Burp Suite:
More here: https://medium.com/@atomixgray/basic-malware-lab-a021a6d639cb

Basically: REMnux is the default gateway for the Windows victim VM.
INetSim simulates DNS, HTTP, HTTPS etc.
Burp Suite listens on HTTPS/HTTP; for TLS it generates certificates on the fly for the requested host and redirects to INetSim.
INetSim serves the encrypted payload [encrypted_lokibot_downloaded_googledrive.bin]

Network IOCs:
drive.google.com - encrypted payload delivery (GULoader C2)
63.141.228.141 - C2 exfiltrating stolen data (LokiBot C2)

Steps:

REMnux VM:
Reroute all external IPs, dst port 80 (example: 63.141.228.141) to localhost. Needed if no DNS is used and the malware connects directly to an IP.
Add:
sudo sysctl -w net.ipv4.conf.all.route_localnet=1 # to allow redirecting to localhost
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:80

To be able to use the INetSim DNS server simulator you should disable systemd-resolved, as it will conflict with INetSim.
Add:
sudo systemctl disable systemd-resolved.service
sudo service systemd-resolved stop

If you want to remove the prerouting rule later:
sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:80

INetSim:
Modify the config ("/etc/inetsim/inetsim.conf"):
start_service dns
service_bind_address 0.0.0.0
dns_default_ip 192.168.56.10
http_bind_port 8081
https_bind_port 8443
https_default_fakefile encrypted_lokibot_downloaded_googledrive.bin application/octet-stream
cp encrypted_lokibot_downloaded_googledrive.bin /var/lib/inetsim/http/fakefiles/encrypted_lokibot_downloaded_googledrive.bin
chmod 777 /var/lib/inetsim/http/fakefiles/encrypted_lokibot_downloaded_googledrive.bin (world-writable is more than needed; the file only has to be readable by the inetsim user)

Burp Suite:
Proxy listener options:
interface (all) *:443, redirect to localhost:8443, check the box "Support invisible proxying"
interface (all) *:80, redirect to localhost:8081, check the box "Support invisible proxying"
interface (all) *:8080 - for downloading the Burp CA cert and importing it as a trusted root

Windows VM:
VirtualBox host-only adapter (the same one as REMnux)
REMnux IP - 192.168.56.10
Windows VM IP - 192.168.56.7

Change TCP/IP IPv4:
Static IP - 192.168.56.7
Gateway - 192.168.56.10
DNS - 192.168.56.10

Download the Burp Suite CA cert from 192.168.56.10:8080 and install it into "Trusted Root Certification Authorities"

Run the LokiBot sample.
Suspend the LokiBot process (with Process Hacker) after data exfiltration (HTTP POST to IP 63.141.228.141).
Dump the main module of the LokiBot process at 0x00400000 (using Process Hacker). Be careful about the strange memory protection "N/A" (change it before dumping, using Process Hacker).
Use pe_unmapper: pe_unmapper64.exe /in xxx.bin /base 400000 /out lokibot_unpacked.bin
Check the repaired, unpacked, unmapped LokiBot with PE-bear and strings.
Check Burp Suite on REMnux for all relevant network traffic.

[3] Lokibot analyzing - Reversing, API Hashing, decoding

Video: in progress...

References:

VirtualBox - https://www.virtualbox.org/wiki/Downloads
WinDbg Preview - https://www.microsoft.com/en-us/p/windbg-preview/9pgjgd53tn86?activetab=pivot:overviewtab
pe_unmapper - https://github.com/hasherezade/libpeconv/tree/master/pe_unmapper
PE-SIEVE - https://github.com/hasherezade/pe-sieve
PE-bear - https://github.com/hasherezade/pe-bear-releases
Strings Explorer Context - http://sandsprite.com/iDef/MAP/
IDA Free/Pro - https://hex-rays.com/ida-free/
Remnux - https://remnux.org/
INetSim - https://www.inetsim.org/
BurpSuite - https://portswigger.net/burp
OpenSSL - https://www.openssl.org/
Shellcode Hashes (Python2 Script + IDA Plugin) - https://github.com/fireeye/flare-ida
Wireshark - https://www.wireshark.org/download.html