A detailed analysis of the Menorah malware used by APT34


Executive summary

Menorah is a backdoor used by the APT34 group against organizations in the Middle East; it was discovered by Trend Micro in August 2023. The malware creates a mutex so that only one copy runs at a time. It retrieves the hostname and the username and derives an MD5 hash that identifies the infected machine. The backdoor implements the following commands: create new processes and return their output, list the files and subdirectories of a given directory, exfiltrate arbitrary files, and write files received from the C2 server to the host.

Analysis and findings

SHA256: 64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345

The malware must be launched with a command-line parameter equal to the first two letters of the current directory, which acts as a simple execution guard, as highlighted below.

Figure 1

It creates a mutex named “115CF7F6-69B4-49EE-B453-BAF00531AC52” to ensure that only one copy of the malware runs at a time (Figure 2).

Figure 2

The process sets a timer interval of 32 seconds, so that the beacon to the C2 server repeats on that schedule:

Figure 3

The hostname and username are retrieved, and the malware then computes the MD5 hash of the concatenation of these two values:

Figure 4

Figure 5

The following string is then constructed: “d@<MD5 hash>@HostName|Username”, as highlighted in Figure 6.
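The identifier is easy to reproduce, and because the cleartext hostname and username travel alongside the hash, a defender can check a candidate string for internal consistency. The following Python is an added example, not code from the original analysis or from the malware. It assumes the MD5 input is the hostname immediately followed by the username with no separator (the post only says the two values are concatenated) and that the hash is rendered as lowercase hex. Note that the malware encodes this string with the hard-coded key scheme shown later before sending it, so the check applies to the decoded identifier, not to the raw POST body.

```python
import hashlib
import re

# Added example, not the malware's code. Shape of the identifier as described:
# "d@<MD5 hash>@HostName|Username". Hex case is normalised before comparing.
BEACON_RE = re.compile(r"^d@([0-9a-fA-F]{32})@([^|]+)\|([^|]+)$")


def host_id(hostname: str, username: str) -> str:
    """MD5 of hostname + username (no separator: an assumption, see lead-in)."""
    return hashlib.md5((hostname + username).encode("utf-8")).hexdigest()


def beacon_string(hostname: str, username: str) -> str:
    """Build the identifier the way the analysis describes."""
    return f"d@{host_id(hostname, username)}@{hostname}|{username}"


def match_beacon(text: str):
    """Return (md5, hostname, username) if text has the Menorah identifier shape
    and the embedded hash is consistent with the cleartext fields, else None."""
    m = BEACON_RE.match(text.strip())
    if not m:
        return None
    digest, host, user = m.groups()
    if host_id(host, user) != digest.lower():
        # Right shape, wrong hash: a different concatenation order or a variant.
        return None
    return digest.lower(), host, user


# Constructed samples (not real captures): one genuine, one with a bogus hash,
# one unrelated form body.
SAMPLES = [
    beacon_string("WIN-ACCT01", "jdoe"),
    "d@" + "0" * 32 + "@WIN-ACCT01|jdoe",
    "user=jdoe&action=login",
]


def scan(candidates):
    """Keep only strings that pass both the shape and the hash-consistency check."""
    return [c for c in candidates if match_beacon(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print("menorah identifier:", hit)
```

The hash-consistency step matters when hunting in decoded traffic: a regex alone will also match any other family that happens to use an `@`/`|` layout, whereas recomputing the MD5 ties the hit to this exact construction.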

Figure 6

The C2 server URL “http[:]//tecforsc-001-site1.gtempurl[.]com/ads.asp” is hard-coded in the malware (see Figure 7).

Figure 7

Figure 8

Figure 9

The binary chooses a random number between 3 and 14 and generates a string of characters from a hard-coded “key”, as shown below:

Figure 10

Figure 11

The encoded string that identifies the host is sent to the C2 server in a POST request. The server response is read with the GetResponse, GetResponseStream and ReadToEnd methods (the .NET HttpWebRequest/StreamReader pattern):

Figure 12

Figure 13

The malicious process creates a new thread that handles the C2 server response:

Figure 14

The server response has the structure “[@<Value>@]”. The extracted value is Base64-decoded and then decrypted with XOR. The decrypted string has the structure “Param1@Param2@Param3”, where Param2 is a command ID that is either 1 or 2 and Param3 is the Base64-encoded command to execute. Since Base64 output never contains “@”, splitting on that character is unambiguous.
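A small reference implementation of this envelope, written here as an added example and not taken from the malware or from the original analysis. The XOR key is not given in the post, so XOR_KEY is a placeholder assumption (cycled over the data). encode_task plays the server side, decode_task the client side, and classify maps a decoded task onto the command families described in the following sections, with unknown command IDs and malformed envelopes rejected rather than executed.

```python
import base64

# Added example, not the malware's code. The real key is not shown in the
# analysis; this placeholder stands in for it.
XOR_KEY = b"placeholder-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_task(param1: str, cmd_id: int, command: str, key: bytes = XOR_KEY) -> str:
    """Server side: Param1@Param2@Base64(command), XOR, Base64, wrap in [@ ... @]."""
    inner = f"{param1}@{cmd_id}@{base64.b64encode(command.encode('utf-8')).decode()}"
    blob = base64.b64encode(xor_bytes(inner.encode("utf-8"), key)).decode()
    return f"[@{blob}@]"


def decode_task(response: str, key: bytes = XOR_KEY):
    """Client side: returns (param1, cmd_id, command) or raises ValueError."""
    start = response.find("[@")
    end = response.find("@]", start + 2) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError("no [@...@] envelope in response")
    blob = base64.b64decode(response[start + 2:end])
    plain = xor_bytes(blob, key).decode("utf-8")
    # Base64 alphabet has no '@', so this split cannot cut into Param3.
    parts = plain.split("@")
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields, got {len(parts)}")
    param1, cmd_id, b64cmd = parts
    if cmd_id not in ("1", "2"):
        raise ValueError(f"unknown command id {cmd_id!r}")
    command = base64.b64decode(b64cmd).decode("utf-8")
    return param1, int(cmd_id), command


# Command families for ID 1, keyed by the three-character prefix of Param3.
HANDLERS = {
    "+sp": "spawn process and return output",
    "+nu": "send version/C2 string",
    "+fl": "list files and subdirectories",
    "+dn": "exfiltrate file content",
}


def classify(param1: str, cmd_id: int, command: str) -> str:
    """Name the handler a decoded task would reach."""
    if cmd_id == 2:
        return "write file from C2 content"
    return HANDLERS.get(command[:3], "unrecognised")


if __name__ == "__main__":
    wire = encode_task("x", 1, "+fl C:\\Users")     # constructed server message
    task = decode_task(wire)
    print(wire)
    print(task, "->", classify(*task))
```

When emulating the server for a sandbox run, keep the key configurable: a wrong key produces bytes that fail UTF-8 decoding or the three-field check, and decode_task raises instead of handing garbage to a handler.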

Figure 15

Figure 16

Command starts with “+sp” – Create a process and exfiltrate its output

The third parameter also carries the name of the process that the malware will spawn:

Figure 17

Figure 18

The CommandLineToArgvW API is used to split the command line into an array of argument pointers. The binary then creates an anonymous pipe with CreatePipe, and the read handle is made inheritable, as shown below:

Figure 19

Figure 20

The malware creates the new process with a call to CreateProcess. The child’s output is read from the pipe using PeekNamedPipe and Read, and then exfiltrated to the C2 server:

Figure 21

Command starts with “+nu” – Send a specific string to the C2 server

The string “1.1.1|http[:]//tecforsc-001-site1.gtempurl[.]com/ads.asp”, which looks like a version number followed by the C2 URL, is sent to the C2 server (see Figure 22).

Figure 22

Command starts with “+fl” – List files and subdirectories from a directory

The third parameter also carries the directory to list:

Figure 23

The process calls the GetFiles and GetDirectories methods to enumerate the files and subdirectories of the target directory, and records the LastWriteTime property of each entry:

Figure 24

Figure 25

The number of files and the number of subdirectories are also appended to the structure built above:

Figure 26

Command starts with “+dn” – Exfiltrate file content to the C2 server

The third parameter specifies the file to exfiltrate. The process reads its content with the ReadAllBytes method (Figure 27).

Figure 27

The file name, together with the Base64-encoded content, is transmitted to the C2 server:

Figure 28

Depending on whether the file exists on the local machine, one of the following messages is sent to the C2 server:

Figure 29

If the command ID is 2, the malware creates a file and populates it with content received from the C2 server (Figure 30).

Figure 30

The confirmation message sent back to the server contains the path of the file just created:

Figure 31
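To see how the “+fl”, “+dn” and command-ID-2 replies fit together, here is an added Python emulation of those three handlers; it is not the malware’s code and not part of the original analysis. It mirrors the .NET calls named above (directory enumeration with last write time, read-all-bytes, create-and-write) with their Python equivalents. The separators, the “not found” wording and the confirmation text are assumptions, since the post shows only which pieces each reply contains. The demo builds and tears down its own temporary directory, so it runs offline without touching anything else on disk.

```python
import base64
import os
import tempfile
from datetime import datetime, timezone

# Added example, not the malware's code. Reply layouts below are assumptions.


def list_directory(path: str) -> str:
    """'+fl': files and subdirectories with LastWriteTime, then both counts."""
    if not os.path.isdir(path):
        return f"{path} not found"          # assumed wording
    entries = os.listdir(path)
    files = sorted(e for e in entries if os.path.isfile(os.path.join(path, e)))
    dirs = sorted(e for e in entries if os.path.isdir(os.path.join(path, e)))
    lines = []
    for kind, names in (("F", files), ("D", dirs)):
        for name in names:
            mtime = datetime.fromtimestamp(
                os.path.getmtime(os.path.join(path, name)), timezone.utc)
            lines.append(f"{kind}|{name}|{mtime:%Y-%m-%d %H:%M:%S}")
    lines.append(f"files={len(files)}|dirs={len(dirs)}")   # the two counts
    return "\n".join(lines)


def exfiltrate_file(path: str) -> str:
    """'+dn': file name plus Base64 content, or a not-found message."""
    if not os.path.isfile(path):
        return f"{path} not found"          # assumed wording
    with open(path, "rb") as fh:            # ReadAllBytes equivalent
        content = fh.read()
    return f"{os.path.basename(path)}|{base64.b64encode(content).decode()}"


def write_file(path: str, content: bytes) -> str:
    """Command ID 2: create a file from C2 content and confirm with its path."""
    with open(path, "wb") as fh:
        fh.write(content)
    return f"file created: {path}"          # assumed wording


def demo():
    """Exercise all three handlers inside a throw-away directory built here."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "reports"))
        target = os.path.join(root, "notes.txt")
        with open(target, "wb") as fh:
            fh.write(b"hello")              # constructed sample content
        listing = list_directory(root)
        exfil = exfiltrate_file(target)
        missing = exfiltrate_file(os.path.join(root, "absent.docx"))
        dropped = write_file(os.path.join(root, "reports", "payload.bin"), b"\x00\x01")
        return listing, exfil, missing, dropped


if __name__ == "__main__":
    for reply in demo():
        print(reply)
        print("---")
```

Running the handlers against a scratch directory like this is a quick way to generate realistic reply samples for C2 emulation or for tuning detections on the exfiltration channel without executing the real sample.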

Indicators of Compromise

SHA256

64156f9ca51951a9bf91b5b74073d31c16873ca60492c25895c1f0f074787345

MUTEX

115CF7F6-69B4-49EE-B453-BAF00531AC52

C2 SERVER

http[:]//tecforsc-001-site1.gtempurl[.]com/ads.asp

Original article by Vlad Pasca: A detailed analysis of the Menorah malware used by APT34

Reposted by admin on 27 December 2023, 4:39 PM.
