{"id":7255,"date":"2017-04-06T08:14:34","date_gmt":"2017-04-06T16:14:34","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/06\/news-1046\/"},"modified":"2017-04-06T08:14:34","modified_gmt":"2017-04-06T16:14:34","slug":"news-1046","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/04\/06\/news-1046\/","title":{"rendered":"Diamond Fox – part 2: let’s dive in the code"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Thu, 06 Apr 2017 15:00:30 +0000<\/strong><\/p>\n

In a\u00a0previous post<\/a> we made an initial analysis of a Diamond Fox bot delivered by the Nebula Exploit Kit (more about the campaign can be found here<\/a>). We described the way to unpack the protection layer in order to get the core, written in Visual Basic, that can be decompiled. In this second part of the series, we will take a deeper look into the code and analyze the bot’s features and code design.<\/p>\n

Analyzed samples<\/h3>\n

988e9fa903cc2fbb80e7221072fb2221<\/a> \u2013 Diamond Fox Crystal (final VB payload)<\/p>\n

3ef960da3e4bc4bc7c05d02fbf121d4e<\/a> – old Diamond Fox (final VB payload)<\/p>\n

Changelog<\/h3>\n

In the release that is sold on the black market, the authors included a changelog describing all versions up to the current one (codenamed Crystal). Below, you can see the related fragment:<\/p>\n

Crystal Version<\/strong>  [+] Loader core recoded  [+] Improved Size: 17.5 kb  [+] Added unlimited panel list  [+] Added domain generation algorithm  [+] Added RunOne startup  [+] Added Polices startup  [+] Added auto-screenshots  [+] added Install redirects  [+] Added Anti-WinPcap  [+] Added Anti-Virustotal VM  [+] Added Anti-Emulation  [-] Removed Anti-Wine  [-] Moved Startup Persistance to Persistance  [+] Added Botkiller  [+] Added Anti-Avast Sandbox  [+] Added PE configuration storage  [+] Improved Configuration preview  [+] Added optional usb spread on lite bot  [+] Added RDP plugin  [+] Added VNC Grabber  [+] Added remote shell  [+] Added Close bot command  [+] Added Shutdown PC command  [+] Improved web panel installer  [+] Added Restart PC command  [+] Added more bot selection options on tasks  [+] Improved task manager  [+] Added search on reports  [+] Improved panel settings  [+] Added Layer7 DDoS  [+] Added reports bars statistics  [+] Added New\/dead bots per week statistics  [+] Updated Geodata  [+] Added Bot remover tool  [+] Added DGA tool  [+] Improved real-time notifications on panel  [+] Added Desktop\/Laptop Detection  [+] Added administrator detection  [+] Improved bot full information  [+] Added mark as favorite  [-] removed %PROGRAMFILES% installation path  [+] added %USERPROFILE% installation path  [-] removed %WINDIR% installation path  [+] added %LOCALAPPDATA% installation path  [-] Removed winlogon startup  [+] Added schtaks startup  [-] Removed Anti-apateDNS  [-] Removed Anti-Norman  [-] Removed Anti-wiresshark  [-] Removed Xor Encryption  [+] Added captcha on web panel login  [+] Added antibruter forcer on web panel login  [+] Added new panel logo  [+] Improved Crypto wallet stealer (+24)  [+] Improved Homepage changer (added internet explorer)  [+] Improved Keylogger(added clipboard detector and window title trigger)  [+] Improved bot speed  [+] Improved bot compatibility  [+] Improved bot stability  [-] Removed Services tab on web panel  [+] Added protected folder on installation  [+] Now the webpanel can be installed on windows without errors  <\/pre>\n
Decompiling<\/h3>\n
As we mentioned in the previous post, Diamond Fox is written in Visual Basic and after unpacking it can be decompiled by VB Decompiler. Unfortunately, the results of the decompilation are not fully accurate and some parts of the code are difficult to analyze. However, we can still figure out the most important actions performed by the malware.<\/p>\n
We provided a partially cleaned version of the decompiled code: https:\/\/gist.github.com\/hasherezade\/79de1509c8565ec7496cd554092df6f8#file-module1-vb<\/a>.<\/p>\n
Execution flow<\/h3>\n
Diamond Fox starts its execution from decrypting and parsing the configuration – in this edition, it is stored in the section “L!NK<\/em>“. Then, depending on the configuration, some further features are enabled or disabled. For example, it may deploy defensive checks – against sandboxes and Virtual Machines.<\/p>\n
\"\"<\/p>\n
The stored parameters are encrypted and they are decrypted at runtime – however, the decryption function is no longer a simple XOR known from the previous versions:<\/p>\n
\"\"<\/p>\n
(see a partially cleaned version of this function: https:\/\/gist.github.com\/hasherezade\/79de1509c8565ec7496cd554092df6f8#file-decrypt-vb<\/a> )<\/strong><\/em><\/p>\n
Along with the features that can be enabled or disabled depending on the configuration, Diamond Fox offers features that are controlled from the CnC.<\/p>\n
Reading response from the CnC:<\/p>\n
\"\"<\/p>\n
Parsing commands and executing appropriate actions (commands are identified by numbers – from 0 to 25):<\/p>\n
\"\"<\/p>\n
Features<\/h3>\n
Let’s have a look inside the code and follow the features mentioned by the authors.<\/p>\n
[+] Loader core recoded<\/pre>\n
The code of the malware has been reorganized and its big portions have been rewritten. It can be noticed at first sight\u00a0if we decompile the new version and compare it versus the old one. In the current version everything is in one module, while in the previous cases the code was subdivided into various modules.<\/p>\n
Old Diamond Fox decompiled (fragment):<\/p>\n
\"\"<\/p>\n
We can see the code subdivided on modules with descriptive names, making analysis easier. In the new version, we will not find this familiar layout.<\/p>\n
Decompiled code of Diamond Fox Crystal (the new one):<\/p>\n
\"\"<\/p>\n
The new version introduced a different way of storing the configuration. Now, the encrypted configuration is in the dedicated section named “L!NK<\/em>“.<\/p>\n
[+] Added domain generation algorithm<\/pre>\n
In the analyzed sample this feature was not enabled and the CnC address was static. However, looking at\u00a0the code we can find a domain generation algorithm (DGA) is based on the current date:
 \"\"<\/a><\/p>\n
(see a partially cleaned version of this function: https:\/\/gist.github.com\/hasherezade\/79de1509c8565ec7496cd554092df6f8#file-domain_generate-vb<\/a>)<\/em><\/p>\n
[+] Added Anti-Emulation<\/pre>\n
Checking if the sample is not running in a\u00a0VM or sandbox by attempting to load DLLs associated with the virtual environment:<\/p>\n