DoublePulsar Backdoor

This post explains the DoublePulsar backdoor and how the WannaCry ransomware uses it to spread itself.

EternalBlue Installing the DoublePulsar Backdoor

EternalBlue exploits a vulnerability in the SMB protocol and executes shellcode. The offset of the shellcode in the EternalBlue binary from the Shadow Brokers dump is shown below.

The shellcode finds the address of srv.sys (the SMB driver) and replaces the address of srv!SrvTransactionNotImplemented in srv!SrvTransaction2DispatchTable with the address of its own function, as shown below.

Offset of the function code in the EternalBlue binary that replaces the srv!SrvTransactionNotImplemented address in srv!SrvTransaction2DispatchTable.

Before overwriting the srv!SrvTransactionNotImplemented entry in srv!SrvTransaction2DispatchTable with its own function address, the shellcode allocates memory using the ExAllocatePool API and writes the function bytes into it.

The function code is stored at offset 0x48 from the memory address returned by ExAllocatePool.

The signature value is calculated as shown below:

(DWORD value) ^ (memory address returned by ExAllocatePool + 0x1000) ^ (address of ExAllocatePool) ^ (address of ExFreePool) ^ (address of srv!SrvTransaction2DispatchTable)

0x872d9158 ^ (0x85355000 + 0x1000) ^ 0x82a1e976 ^ 0x82b35a67 ^ 0x92d5a530 = 0x90DFE779

How WannaCry uses DoublePulsar backdoor to spread itself
The configuration XML file of DoublePulsar from the Shadow Brokers dump shows that it supports the functions below:
1. Ping
2. RunDLL
3. RunShellcode

When WannaCry starts spreading, it first checks whether the DoublePulsar backdoor is already present on the target; for this WannaCry sends a Ping command to the backdoor.
The request for the Ping command is shown below:

As soon as the DoublePulsar backdoor receives the request, it reads the Trans2.Timeout value to obtain the command byte.

Converting the Trans2.Timeout value to the command byte:

In the above request Trans2.Timeout = 01 34 ee 00.
Command value = (0x01 + 0x34 + 0xee + 0x00) & 0xFF = 0x123 & 0xFF = 0x23
The command byte is 0x23, which is a Ping request. In response to the Ping request the backdoor sends the signature value computed above in SMBHeader.Signature.

The backdoor uses SMBHeader.MultiplexID as a status field. If the request is successful, the backdoor increments the Multiplex ID taken from the request packet by 0x10 (16). As shown above, the Multiplex ID in the Ping request is 0x41 (65), so the Multiplex ID in the response will be 0x51 (81).

The response packet is shown below. SMBHeader.Signature is set to 0x79E7DF90 (the little-endian byte order of the value 0x90DFE779) and the Multiplex ID is set to 0x51 (81).

As soon as WannaCry receives the response from the backdoor, it checks the Multiplex ID value in the SMB header. If the value is 0x51 (81), the Ping request was successful and the DoublePulsar backdoor is present on the remote machine. WannaCry then reads the SMBHeader.Signature value and derives the XOR key that will be used to encrypt the payload.

Deriving the XOR key from the SMBHeader.Signature value 0x90dfe779 (all operations are on 32-bit values, so the shifts and the addition are truncated to 32 bits):

XOR key = ((((0x90dfe779 & 0xFF00) | (0x90dfe779 << 0x10)) << 8) | (((0x90dfe779 & 0x00FF0000) | (0x90dfe779 >> 0x10)) >> 8)) ^ (0x90dfe779 + 0x90dfe779)

XOR key = (0x79e70000 | 0xdf90) ^ 0x21bfcef2
XOR key = 0x79e7df90 ^ 0x21bfcef2 = 0x58581162

Note that the left-hand term, 0x79e7df90, is simply the byte-swapped signature value.

The payload (shellcode and the WannaCry DLL) is XORed with the derived XOR key.

The payload (shellcode + WannaCry DLL) is then sent to the backdoor in chunks of 0x1000 (4096) bytes.

When the backdoor receives the request, it reads the command value from Trans2.Timeout.
Trans2.Timeout = 25 89 1a 00
Command = (0x25 + 0x89 + 0x1a + 0x00) & 0xFF = 0xC8 & 0xFF = 0xC8
The command byte 0xC8 means RunShellcode.
The encrypted payload is in the Trans2.SESSION_SETUP.Data field.
Trans2.SESSION_SETUP.Parameters is 0xC (12) bytes long and contains the information below, encrypted with the XOR key:
1. Total size of the payload
2. Chunk size
3. Offset of the chunk in the payload

Trans2.SESSION_SETUP.Parameters value = 6a620858 62015858 62115858 (three little-endian DWORDs)
  1. Total size of payload = 0x5808626a ^ 0x58581162 = 0x507308
  2. Chunk size = 0x58580162 ^ 0x58581162 = 0x1000 (4096)
  3. Offset of chunk in payload = 0x58581162 ^ 0x58581162 = 0

Another example, Trans2.SESSION_SETUP.Parameters value = 6a620858 62015858 62015858
  1. Total size of payload = 0x5808626a ^ 0x58581162 = 0x507308
  2. Chunk size = 0x58580162 ^ 0x58581162 = 0x1000 (4096)
  3. Offset of chunk in payload = 0x58580162 ^ 0x58581162 = 0x1000 (4096)

The backdoor allocates memory of the total payload size (0x507308) using the ExAllocatePool API and copies the chunk into the allocated memory.

Each chunk is decrypted using the XOR key. When all chunks of the shellcode have been received and decrypted, the backdoor begins executing the payload.
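The arithmetic walked through above (command byte from Trans2.Timeout, the Multiplex ID status check, the signature calculation, the XOR-key derivation and the decoding of the chunk parameters) as an added Python example; this is not code from the original post, the function names are my own, and the sample bytes are the values quoted in this analysis:

```python
import struct

# Command bytes named in the analysis above; the RunDLL code is not given there, so it is omitted.
COMMANDS = {0x23: "Ping", 0xC8: "RunShellcode"}
MASK32 = 0xFFFFFFFF


def command_byte(trans2_timeout: bytes) -> int:
    """Command code = byte-wise sum of the 4-byte Trans2.Timeout field, truncated to 8 bits."""
    return sum(trans2_timeout) & 0xFF


def signature(dword: int, pool_base: int, ex_allocate: int, ex_free: int, dispatch_table: int) -> int:
    """Signature the backdoor returns in a Ping response; all operands are 32-bit values."""
    return (dword ^ ((pool_base + 0x1000) & MASK32) ^ ex_allocate ^ ex_free ^ dispatch_table) & MASK32


def signature_from_wire(sig_field: bytes) -> int:
    """Read the first four bytes of SMBHeader.Signature as a little-endian DWORD."""
    return struct.unpack("<I", sig_field[:4])[0]


def ping_succeeded(request_mid: int, response_mid: int) -> bool:
    """The backdoor signals success by adding 0x10 to the request's 16-bit Multiplex ID."""
    return response_mid == ((request_mid + 0x10) & 0xFFFF)


def xor_key(sig: int) -> int:
    """Derive the payload XOR key from the signature, truncating every step to 32 bits."""
    hi = ((((sig & 0x0000FF00) | (sig << 16)) & MASK32) << 8) & MASK32   # byte-swapped sig, high half
    lo = (((sig & 0x00FF0000) | (sig >> 16)) & MASK32) >> 8              # byte-swapped sig, low half
    return (hi | lo) ^ ((sig + sig) & MASK32)


def decode_parameters(params: bytes, key: int) -> dict:
    """Decode the 12-byte Trans2.SESSION_SETUP.Parameters: three LE DWORDs XORed with the key."""
    total, chunk, offset = (v ^ key for v in struct.unpack("<III", params))
    return {"total_size": total, "chunk_size": chunk, "offset": offset}


if __name__ == "__main__":
    # Constructed sample values taken from the packets described in the analysis.
    key = xor_key(signature_from_wire(bytes.fromhex("79e7df90")))
    print(f"command={COMMANDS[command_byte(bytes.fromhex('25891a00'))]} key={key:#010x}")
    print(decode_parameters(bytes.fromhex("6a6208586201585862115858"), key))
```

Running the same functions over captured SMB Trans2 requests is a quick way to confirm whether traffic to port 445 carries DoublePulsar Ping (0x23) or RunShellcode (0xC8) commands.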

