Thursday, July 3, 2014

Decoding Vawtrak/NeverQuest Traffic


This is not a post about the capabilities of this particular malware - this is about decoding the network traffic generated by an infected machine. StopMalvertising has a really nice write-up, Analysis of Vawtrak, if you want to learn more about the malware itself.

Like all good malware, once a machine is infected, Vawtrak sends communications to its C2 servers. In this case, the traffic is encoded:




Observing the behavior of the malware on my system, I noticed that it only generated traffic when I had a browser open. Looking at CloudStrike, I could see that the malware had injected itself into my browsers.






Looking at the malware in IDA and Olly provided no useful information, and I could not get the malware to execute within the debugger.

My next step was to use memory analysis to see if that provided any clues. I took a memory dump of my infected machine after I had started IE, and then analyzed it with Volatility.

Using the malfind plugin, I could see injected code in several processes, but the injection I really wanted was in the IE and Firefox processes.


Now that I had a memory address, I reverted to a clean VM and tried again. Using Olly (opened before I infected the machine), I attached to the IE process and put a breakpoint on what I thought was the injected memory section.

... insert lots of trial and error ...

What I was able to discover is that the traffic is XOR-encoded with the output of a linear congruential generator. The generator uses the same constants as the MSVC rand() LCG (state = state * 0x343fd + 0x269ec3 mod 2^32, output = (state >> 16) & 0x7fff), and its seed is carried in the first 8 bytes of the payload; only the low 32 bits of that value affect the keystream. Each remaining payload byte is XORed with the low byte of the next rand() output:


Using Python, I developed the following decoder (the full script is in the decode.py post below and linked at the end of this post):


Decoding the above traffic yields:
C:\Users\dkilman\Dropbox>decode.py
id=68F33EA70000006700000000000F00000000&iv=00000022&av=00000000&info=020000020501010100030A28&proxy=none
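
As an added example (not code from the original post, nor from the vaw_decode repository linked below), here is a reusable Python 3 decoder built on the LCG just described. It wraps the keystream in a generator, decodes the sample beacon above into its fields, refuses to return garbage when the decode does not look like a check-in, and, because the byte order of the 8-byte header on the wire is not established above, tries both interpretations of the header. The seed and payload bytes are copied from the sample in the decode.py post below; the header byte order, the "id=" sanity check and the round-trip message are assumptions of this example.

```python
"""Reusable decoder for the Vawtrak beacon encoding described above.

Added example; not code from the original post or from the vaw_decode repo.
Assumptions made here and not taken from the post: the header byte order on
the wire (both are tried), the "id=" sanity check, and the round-trip message.
"""

MUL, INC, MASK32 = 0x343FD, 0x269EC3, 0xFFFFFFFF  # MSVC rand() LCG constants

# Copied from the sample in the post: the 8-byte seed and the 104-byte encoded body.
SAMPLE_SEED = 0x2C4F5A543D6D6910
SAMPLE_BODY = bytes.fromhex(
    "9f0ac6de21cf53ea5a6aad3870308b39"
    "60e25f8e0a71db2d99bbb30338f8b859"
    "9d74ba376113f9d0ad3e1efaee465030"
    "898744a57c8ea2450ccc9f1d9043955a"
    "080ce65aa6f866dc2fb0accd5b58e7e1"
    "e2f30c6c39ec3bda89ddde2ea0185c5f"
    "15e9fa47b1d14727"
)


def keystream(seed):
    """Yield XOR keystream bytes from the MSVC rand() LCG.

    Each step: state = state * 0x343fd + 0x269ec3 (mod 2^32); rand() returns
    (state >> 16) & 0x7fff and the low byte of that value is the key byte.
    Only the low 32 bits of the seed ever influence the output, so the whole
    8-byte header value can be passed in as-is.
    """
    state = seed & MASK32
    while True:
        state = (state * MUL + INC) & MASK32
        yield (state >> 16) & 0xFF


def xor_stream(seed, data):
    """XOR data with the keystream for seed; the same call encodes and decodes."""
    ks = keystream(seed)
    return bytes(b ^ next(ks) for b in data)


def parse_fields(text):
    """Split the decoded 'k=v&k=v' beacon into a dict."""
    fields = {}
    for pair in text.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def decode_beacon(seed, body):
    """Decode one beacon body with a known seed.

    Returns (plaintext, fields), or None when the result does not look like a
    check-in. The check used here (printable ASCII starting with 'id=') is an
    assumption based on the single sample on the page; a wrong seed or a
    different message type fails it instead of yielding garbage.
    """
    plain = xor_stream(seed, body)
    if not plain.startswith(b"id=") or any(b < 0x20 or b > 0x7E for b in plain):
        return None
    text = plain.decode("ascii")
    return text, parse_fields(text)


def decode_payload(raw):
    """Decode a raw payload laid out as 8-byte seed header + encoded body.

    The byte order of the header on the wire is not established in the post,
    so both interpretations are tried and the one passing the sanity check wins.
    Returns (byte_order, (plaintext, fields)) or None.
    """
    if len(raw) <= 8:
        return None
    header, body = raw[:8], raw[8:]
    for order in ("big", "little"):
        result = decode_beacon(int.from_bytes(header, order), body)
        if result is not None:
            return order, result
    return None


if __name__ == "__main__":
    text, fields = decode_beacon(SAMPLE_SEED, SAMPLE_BODY)
    print(text)
    for key, value in fields.items():
        print(f"  {key:>5} = {value}")

    # Round trip on a constructed message: XOR with the same keystream is its own inverse.
    msg = b"id=test&proxy=none"
    assert xor_stream(0x1234, xor_stream(0x1234, msg)) == msg

    # The same sample packed as a wire payload with a big-endian header (an assumption).
    raw = SAMPLE_SEED.to_bytes(8, "big") + SAMPLE_BODY
    print(decode_payload(raw)[0], "endian header decoded OK")
```

The sanity check is what makes this usable over a whole capture: when run across many POST bodies, a None result means either the seed header was read in the wrong byte order or the message is not a plain check-in, and either case is worth looking at rather than being printed as noise.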

!SCORE!

Link to the code: http://cybersecuritymave-techie.blogspot.com/2014/07/decodepy.html
Link to a pcap parser that will decode the Vawtrak data: https://github.com/dominique97/vaw_decode

Tuesday, July 1, 2014

decode.py

## Author: Dominique Kilman
## Name: decode.py
## Copyright (c) 2014 Dominique Kilman. All rights reserved.

def rand(seed1):
    # One step of the MSVC-style LCG: state = state * 0x343fd + 0x269ec3 (mod 2^32).
    # rand() returns (state >> 16) & 0x7fff; only the low byte of that value is
    # used as the XOR key for the current payload byte.
    seed = (seed1 * 0x343fd) + 0x269ec3
    newSeed = seed & 0xffffffff
    ran = (seed >> 16) & 0x7fff
    modifier = ran & 0xff
    return [newSeed, modifier]

# test2 = encoded payload (everything after the first 8 bytes)
test2 = bytes.fromhex(
    "9f 0a c6 de 21 cf 53 ea 5a 6a ad 38 70 30 8b 39 60 e2 5f 8e 0a 71 db 2d "
    "99 bb b3 03 38 f8 b8 59 9d 74 ba 37 61 13 f9 d0 ad 3e 1e fa ee 46 50 30 "
    "89 87 44 a5 7c 8e a2 45 0c cc 9f 1d 90 43 95 5a 08 0c e6 5a a6 f8 66 dc "
    "2f b0 ac cd 5b 58 e7 e1 e2 f3 0c 6c 39 ec 3b da 89 dd de 2e a0 18 5c 5f "
    "15 e9 fa 47 b1 d1 47 27"
)
# First 8 bytes of the payload. Only the low 32 bits influence the keystream:
# bits 16..30 of the first product depend on the low bits of the seed alone,
# and the state is masked to 32 bits after every step.
seed = 0x2c4f5a543d6d6910

modchar = ''     # keystream bytes, kept for inspection
resultLine = ''  # decoded plaintext

for byte in test2:
    res = rand(seed)
    seed = res[0]
    modchar += str(res[1]) + ','
    resultLine += chr(byte ^ res[1])

print(resultLine)