KrakenHTTP – Not Sinking My Ship Part 1

February 17, 2015

So I recently got contacted by someone who said they had KrakenHTTP and wondered if I wanted it. I had been waiting a while to get my hands on this, not because it looked amazing, but simply because it was being shouted about so much on forums that I wanted to see whether it was really as great as claimed.

The first big let-down is that it's ionCube-encoded. I don't know why some malware developers think it's appropriate to obfuscate their source. When I say it's inappropriate I'm not saying this as a researcher but from a client's viewpoint. You buy yourself a server and decide to start a botnet, you look around forums at various botnets and find "KrakenHTTP". You purchase it, only to find out the panel files are encoded with ionCube (a popular PHP encoder). Now I'd be suspicious about what sort of code is inside the panel and wonder whether there's a backdoor or bot-stealing code in there. There's a reason why the big names keep things open source, kids.

Let's start off with the executable. First of all, they have packed it with UPX, a very popular packer. I first noticed this in the debugger I was using, but you can simply look at the hex and spot the ASCII UPX signature. If I were a network administrator, I would have a rule that flags UPX signatures (flag rather than block, since plenty of legitimate software ships UPX-packed too); far too many executables that use UPX are malware.

[screenshot: UPX signature in the hex dump]

After successfully unpacking it (manually, or with UPX's own -d decompress argument), we can move on to the main business: the exe. I will note that I'm not covering everything here, simply the highlights for me. It's 10:00 PM and I sadly have other things to attend to.
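The UPX check described above can be done without a debugger at all, from the PE header. The following is an added example (my own code, not anything from the post or from Kraken) that walks the DOS header, PE signature and COFF header to the section table, looks for the UPX0/UPX1/UPX2 section names UPX leaves behind, and separately scans for the ASCII "UPX!" marker you would see in a hex dump. The PE images it builds are constructed, stripped-down headers for the demo, not real executables.

```python
import struct

# Added example (not from the post): spot UPX-packed PE files from the section
# names in the PE header and the "UPX!" marker, without running the sample.
# The PE images built below are constructed, stripped-down headers.

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names. Returns [] for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER, 40 bytes each
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break                              # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Combine the two cheap UPX tells: section names and the ASCII marker."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n in UPX_SECTION_NAMES]
    marker = b"UPX!" in data                   # the signature visible in a hex dump
    return {"sections": upx_sections, "marker": marker,
            "likely_upx": bool(upx_sections) or marker}


def build_sample(section_names, trailer=b"") -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header with an empty
    optional header, and one 40-byte section header per name."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE signature right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(struct.pack("<8s", n.encode("ascii")) + bytes(32)
                        for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + trailer


if __name__ == "__main__":
    packed = build_sample(["UPX0", "UPX1", ".rsrc"], trailer=b"\0" * 16 + b"UPX!")
    print(upx_indicators(packed))      # sections ['UPX0', 'UPX1'], marker True
    print(upx_indicators(build_sample([".text", ".data", ".rsrc"])))
```

Section names are trivially renamed by anyone who cares, which is why the marker scan is kept as a second signal; a sample that fails both checks can still be packed with something else, so treat a clean result as "not UPX", not "not packed".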

[screenshot: forum post advertising Kraken]

Once we have unpacked the executable, I am astounded that one of the first strings at the entry point is the (RC4?) encrypted C&C address. Kraken also base64-encodes %APPDATA% and %WINDIR%, among others.

[screenshot: strings]

I'm not the greatest at cryptography, but I came to the conclusion that it was RC4; compared with other pieces of malware, it looked like the ever-popular RC4 was being used once again (correct me if I'm wrong). One of the first things Kraken does is decode the strings bundled into the executable. One of the first is the path to VBoxTray.exe, which I assume (I use VMware) is VirtualBox's guest tray process.
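To show what decoding those embedded strings looks like in practice, here is an added example of mine (not Kraken's code, and the key is an assumption) for the scheme the paragraph suspects: RC4 followed by base64. It also includes the trick I reach for when the key is not yet known: try candidate strings pulled from the binary against one blob and keep the key whose output is almost entirely printable ASCII, since a wrong RC4 key produces near-random bytes. The key "kraken" and the two sample strings are constructed for the demo.

```python
import base64

# Added example (not Kraken's code): RC4 decryption of base64-wrapped strings,
# the scheme the analysis suspects for the C&C and %APPDATA%/%WINDIR% strings.
# DEMO_KEY and DEMO_STRINGS are constructed; nothing here is from the sample.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_string(key: bytes, text: str) -> str:
    """How an embedded string would be stored: RC4, then base64."""
    return base64.b64encode(rc4(key, text.encode("latin-1"))).decode("ascii")


def decode_string(key: bytes, blob: str) -> str:
    """Reverse of encode_string: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob)).decode("latin-1")


def printable_ratio(raw: bytes) -> float:
    if not raw:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in raw) / len(raw)


def guess_key(candidates, blob: str, threshold: float = 0.95):
    """Try candidate keys (e.g. strings dumped from the binary) against one blob.
    Returns the first key whose plaintext is almost all printable ASCII, else None."""
    cipher = base64.b64decode(blob)
    for key in candidates:
        if printable_ratio(rc4(key, cipher)) >= threshold:
            return key
    return None


# Constructed demo data: an assumed key and two strings of the kind described above.
DEMO_KEY = b"kraken"
DEMO_STRINGS = [
    r"C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe",
    "http://c2.example.invalid/includes/",
]
DEMO_BLOBS = [encode_string(DEMO_KEY, s) for s in DEMO_STRINGS]

if __name__ == "__main__":
    for blob in DEMO_BLOBS:
        print(blob, "->", decode_string(DEMO_KEY, blob))
    print("key guess:", guess_key([b"upx", b"wireshark", DEMO_KEY], DEMO_BLOBS[0]))
```

The printable-ratio heuristic only works on blobs that decrypt to text; for a blob that hides binary data (a config structure, a second-stage payload) it will reject the right key, so on a real sample run it against the strings you expect to be paths or URLs first.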

[screenshot: vbox]

Next is what looks to be the C&C. After a loop, in which I set a simple breakpoint, we can see the host defaults to the includes folder. The files that aren't in includes most likely handle administration of the botnet.

[screenshot: host]

We then call CreateMutexW to create a mutex called "yourhavebecracked". An interesting name, I must say. But OK. We then move on to some evasion: first Wireshark, where Kraken uses a few Windows API tricks to check whether anything named Wireshark is present; the same goes for Fiddler.

[screenshot: wireshark]

I have simply NOP'd out the VMware checks so Kraken cannot detect that I am indeed running VMware. Interestingly, the VirtualBox string was encoded but the VMware one isn't. What's up with that? Anyway, it simply checks whether the VMware files from a 32- or 64-bit install exist, i.e. it looks in the Program Files folders for VMware files. It then further fingerprints the machine by checking for AMD, NVIDIA and ATI folders under Program Files. Further on, it also checks for Steam and Origin folders. Oh Kraken, you. In fact, it uses the same method to identify whether Google Chrome and Mozilla Firefox are present, plus every AV that a western country uses. Not the best of methods, in my opinion. I've decided to give just one screenshot of this; it's not like it's groundbreaking stuff.

[screenshot: video card detection]

Kraken then moves on to planting itself on the system. Of course it sets hidden attributes on every folder and file it creates, but it drops smss.exe, and another folder containing smss.exe, under C:\Documents and Settings\[username]\Application Data\System\Oracle. I will say now that I am using XP for this analysis, as I simply prefer it when looking at malware.

[screenshot: kwl]

From there we move on to FileZilla, to find out whether there are any servers we can scrape. Surprisingly, this works quite well for botnets: a weird number of people do use FileZilla for FTP. Whether it's for corporate or personal websites, a botnet owner usually doesn't care; they just want the server resources.

[screenshot: filezilla]

The number of HTTP calls back to the server would be slightly worrying for me if I were a botnet owner. It calls back twice (day.php, ip.php) simply to learn what day it is and what IP the victim has. What strikes me is that this could have been done with one request, yet they have decided on two separate HTTP calls. I thought botnets were supposed to be as quiet as possible.

[screenshot: ip]

To further the embarrassment, it then proceeds to check the country by submitting the IP it just got from the server, sending it back to a file called country.php in a parameter called IP. After a while it checks in via idcontact.php; here is a typical URL pattern. Another is get.php:

idcontact.php?COMPUTER=&steam=0&origin=0&webnavig=1&java

get.php?IP=&COMPUTER=&OS=WindowsXP&COUNTRY=Unknown&HWID=
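That chatty check-in sequence is exactly the kind of thing a proxy or web log lets you hunt for. The following is an added example of mine (not Kraken's code) that turns the endpoints and parameter layouts shown above into patterns and flags any client that hits two or more distinct ones, which separates the Kraken sequence from a random site that happens to have an ip.php or get.php. The log lines and the "<time> <client> <method> <url>" layout are constructed for the demo; adapt the line regex to your own log format.

```python
import re
from collections import defaultdict

# Added example (not Kraken's code): flag hosts whose web traffic matches the
# day.php / ip.php / country.php / idcontact.php / get.php check-in pattern.
# Log lines below are constructed, in the form "<time> <client_ip> <method> <url>".

BEACON_PATTERNS = {
    "day":       re.compile(r"/day\.php(?:\?|$)"),
    "ip":        re.compile(r"/ip\.php(?:\?|$)"),
    "country":   re.compile(r"/country\.php\?IP="),
    # parameter order and names as seen in the sample's requests
    "idcontact": re.compile(r"/idcontact\.php\?COMPUTER=[^&]*&steam=[01]&origin=[01]&webnavig="),
    "get":       re.compile(r"/get\.php\?IP=[^&]*&COMPUTER=[^&]*&OS=[^&]*&COUNTRY=[^&]*&HWID="),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def match_beacon(url: str):
    """Names of every Kraken endpoint pattern the URL matches (usually 0 or 1)."""
    return [name for name, pat in BEACON_PATTERNS.items() if pat.search(url)]


def scan_log(lines, min_hits: int = 2):
    """Group matched endpoints per client; return {client: sorted endpoint names}
    for every client that touched at least `min_hits` distinct endpoints.
    Requiring more than one endpoint keeps a lone ip.php on some shop site quiet."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                           # malformed line, skip rather than crash
        for name in match_beacon(m["url"]):
            hits[m["client"]].add(name)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_hits}


# Constructed sample log: one infected client (10.0.0.5) and one benign one (10.0.0.9).
SAMPLE_LOG = """\
2015-02-17T21:58:01 10.0.0.5 GET http://c2.example.invalid/includes/day.php
2015-02-17T21:58:01 10.0.0.5 GET http://c2.example.invalid/includes/ip.php
2015-02-17T21:58:02 10.0.0.5 GET http://c2.example.invalid/includes/country.php?IP=203.0.113.7
2015-02-17T21:58:40 10.0.0.5 GET http://c2.example.invalid/includes/idcontact.php?COMPUTER=XP-BOX&steam=0&origin=0&webnavig=1&java=0
2015-02-17T21:59:10 10.0.0.5 GET http://c2.example.invalid/includes/get.php?IP=203.0.113.7&COMPUTER=XP-BOX&OS=WindowsXP&COUNTRY=Unknown&HWID=ABCDEF01
2015-02-17T22:00:00 10.0.0.9 GET http://shop.example.invalid/get.php?page=2
2015-02-17T22:00:05 10.0.0.9 GET http://shop.example.invalid/ip.php
2015-02-17T22:00:09 10.0.0.9 GET http://shop.example.invalid/index.php
""".splitlines()

if __name__ == "__main__":
    for client, endpoints in scan_log(SAMPLE_LOG).items():
        print(client, "->", ", ".join(endpoints))   # 10.0.0.5 -> country, day, get, idcontact, ip
```

The get.php and idcontact.php patterns key on the parameter names and order rather than the script name, since both names are common on ordinary sites; the bare day.php and ip.php patterns are weak on their own, which is why the per-client threshold exists.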

For now I'll leave you with this from Kraken's advert: "Kraken use some very well know process name trusted in Windows". smss.exe is routinely used by Windows malware; it's like me saying that naming my executable firefox.exe makes it trusted in Windows because Firefox is a well-known browser. Until part 2.

2 Comments
Anon
May 1, 2015 @ 10:40 am

No program is uncrackable. It's easy to ruin anyone's work. Try to make one yourself, and I'll be the first one to crack it.

    jack
    May 2, 2015 @ 7:55 pm

    Anonymous and hostile. Well maybe I shall rise to the occasion and take that offer.

