OO.exe is a Remote Access Trojan (RAT) known as Bladabindi, written in .NET. Bladabindi is the detection name several antivirus vendors use for njRAT, and the family has been modified heavily over the last several years.

Filename: OO.exe
MD5: 22e7c961504b78aefa4ab6b0398ef583

DETAILS

When executed, OO.exe copies itself to the %TEMP% directory, runs the copy, sets up persistence (see PERSISTENCE below) and terminates the original executable. The copy then adds itself to the Windows Firewall exception list with the following command:

netsh firewall add allowedprogram "[malware path]" "[malware name]" ENABLE

The legacy netsh firewall context is deprecated from Windows Vista onward in favour of netsh advfirewall, but the command still executes and creates an allow rule for the program, so the exception shows up in the modern firewall rule set as well.

Once network access has been achieved, the trojan beacons to the C&C server found in its configuration. The configuration of this sample contains several parameters, including the current mutex name and the C&C IP address and port. These settings can be found near offset 0x4a9a in the binary, as shown in the accompanying image.

When the trojan successfully connects to the C&C server, it can perform the following RAT functionality:

download files from a remote computer and/or the Internet

run executable files

update itself to a newer version

uninstall itself

send the list of running processes to a remote computer

terminate running processes

execute shell commands

delete Registry entries

create Registry entries

capture screenshots

DROPPED FILES

C:\Users\User\AppData\Local\Temp\OO.exe

PERSISTENCE

C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OO.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\[path-to-malware\OO.exe]

NETWORK PROTOCOL ANALYSIS

The Bladabindi trojan communicates over TCP, does not authenticate to the C&C, and uses no obfuscation or encryption apart from Base64 encoding in some fields.

The trojan's initial beacons contain limited system survey information (left image). The next packet contains the implant's current configuration settings (right image, shown Base64-decoded).

Each message is framed as follows:

The first 4 bytes carry the packet length [TotalPacketLength - 4] as an ASCII decimal number. The digits occupy the first 3 bytes and the 4th byte is a terminating NULL, so the value counts every byte that follows the NULL.

The next bytes carry the command sent from the controller to the implant. In my testing this field ranged from 2 to 4 ASCII characters (see the command table below).

The next field is a custom delimiter that separates the command, data and parameters. In my testing it was always the ASCII string |'|'| and it is most likely configurable through the implant's settings. The number of delimiters varies with the command. In the following example, 3 parameters are passed to the implant: [ ~, examples, 1234 ].

NETWORK PROTOCOL COMMAND TABLE

Disassembling Bladabindi reveals the command table function "Ind". Many of the commands were confirmed through dynamic network analysis; some command functionality was determined through code analysis alone and was not replicated.

NETWORK VULNERABILITY

The network protocol used by this RAT is easily interpreted using common techniques. The lack of authentication with the C&C and the absence of even basic encryption or obfuscation leave this RAT open to tampering and exploitation by third parties.

DETECTION

The following Snort signature detects Bladabindi network communications:

alert tcp any any -> any any (msg:"Bladabindi RAT Network Traffic"; flow:established; content:"|7C 27 7C 27 7C|"; pcre:"/^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|/"; sid:1000001; rev:1;)

Relative to the rule as originally published, the flow, content and sid/rev options are additions. The sid is a placeholder from the local rule range (1000000 and above); assign one from your own numbering. The content match on the delimiter bytes (7C 27 7C 27 7C, the ASCII string |'|'|) lets Snort's fast-pattern matcher discard packets that lack the delimiter before the PCRE is evaluated. Because the PCRE requires exactly three length digits, it matches only messages whose body is 100 to 999 bytes long, which is consistent with the 4-byte length field described above; relax the quantifier if shorter control messages need to be caught.

CONCLUSION

The Bladabindi RAT is very malicious, but it isn't special. It employs common persistence techniques, is heavily detected by antivirus engines, and its functionality is mirrored by nearly every RAT on the market. The real danger with this trojan is its susceptibility to remote exploitation by other actors.
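As an added example (not code from the original analysis or from the RAT itself), the following Python builds and parses messages in the framing described under NETWORK PROTOCOL ANALYSIS and runs the PCRE from the DETECTION rule over the constructed frames. It goes slightly beyond the text in one respect: the length prefix is treated as a variable-width ASCII number terminated by NULL rather than exactly three digits, which is an assumption about how messages outside the 100 to 999 byte range would be framed. The command names "ex" and "bcn", the Base64 filler and the sample stream are all constructed for this example; the real command table is not reproduced on this page.

```python
"""Framing and detection helpers for the Bladabindi/njRAT-style protocol
described above.  Constructed example, not the RAT's own code."""
import re

DELIM = b"|'|'|"    # field delimiter observed in the captures
NUL = b"\x00"       # terminates the ASCII length prefix


def build_frame(command: str, *params: str) -> bytes:
    """Build one message: <ascii length>\\0<command>|'|'|<param>|'|'|...

    The length prefix is the decimal byte count of everything after the
    NUL.  The writeup observed exactly three digits (hence "total - 4");
    this builder lets the prefix grow or shrink with the body, which is an
    assumption about how shorter or longer messages would be framed.
    """
    body = DELIM.join([command.encode("ascii")] + [p.encode("utf-8") for p in params])
    return str(len(body)).encode("ascii") + NUL + body


def parse_frames(stream: bytes):
    """Split a reassembled TCP byte stream into (command, params) tuples.

    Returns (messages, leftover) where leftover is an incomplete trailing
    frame that needs more bytes.  Raises ValueError on a malformed prefix.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(NUL, pos)
        if nul == -1:
            break                           # prefix not yet complete
        digits = stream[pos:nul]
        if not digits.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {digits!r}")
        start = nul + 1
        end = start + int(digits)
        if end > len(stream):
            break                           # body not yet complete
        fields = stream[start:end].split(DELIM)
        command = fields[0].decode("ascii", errors="replace")
        params = [f.decode("utf-8", errors="replace") for f in fields[1:]]
        messages.append((command, params))
        pos = end
    return messages, stream[pos:]


# The PCRE from the Snort rule above, transcribed for Python's re module
# (Snort's \0 and Python's \x00 both denote the NUL byte).
SNORT_PCRE = re.compile(rb"^[0-9]{3}\x00[a-zA-Z]{2,4}\|'\|'\|")


def snort_pcre_matches(payload: bytes) -> bool:
    """True if the payload would satisfy the rule's pcre option."""
    return SNORT_PCRE.match(payload) is not None


# Constructed sample traffic.  "ex" and "bcn" are placeholder command names;
# the real command table is not reproduced on this page.
EXAMPLE_CMD = build_frame("ex", "~", "examples", "1234")          # the 3 params from the writeup
BEACON = build_frame("bcn", "~", "QmFzZTY0LWVuY29kZWQgc3VydmV5" * 4)  # stand-in for a Base64 survey blob
STREAM = EXAMPLE_CMD + BEACON + BEACON[:10]                         # two frames plus a partial third


def demo():
    """Parse the constructed stream and evaluate the rule's PCRE on each frame."""
    msgs, leftover = parse_frames(STREAM)
    return msgs, leftover, [snort_pcre_matches(f) for f in (EXAMPLE_CMD, BEACON)]


if __name__ == "__main__":
    msgs, leftover, hits = demo()
    for cmd, params in msgs:
        print(f"command={cmd!r} params={params}")
    print(f"{len(leftover)} leftover byte(s) awaiting reassembly")
    print("Snort PCRE hits (example, beacon):", hits)
```

Running the module prints the two parsed messages, the 10 leftover bytes of the truncated third frame, and the PCRE results. The 33-byte example command carries a 2-digit length prefix and therefore does not match the rule's [0-9]{3}, while the 130-byte beacon does; when tuning the signature, relax the quantifier if short control messages need to be caught, and keep in mind that the regex is evaluated per packet, so a frame split across TCP segments is only matched when stream reassembly is in place.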