Overview

In our previous post we took a look at an older version of the Danabot loader used to download and inject the core module. In this post we will take a look at a current loader-core combination.

The older version of the loader is still in operation, but this new version, which carries the core embedded inside it, is distributed in parallel. The core has also changed significantly, so we will be using an older version of the core as a reference.

Samples

Old Core

Using the old core as a reference we can easily locate the config and identify the struct (record) that contains the config info.

  • Locating the C2s is simple, as they are stored as plaintext strings
  • We can see these are assigned to some sort of global struct
  • By tracing cross references to the struct we can find the Finalize method used to clean it up, which carries a reference to the record name MyRecord
  • Using IDR (Interactive Delphi Reconstructor) we can find the definition of MyRecord and convert it into an IDA struct, giving us the member names and, from those, a good idea of each member's purpose.
// Server-notification buffers, recovered from the record definition IDR found
// in the old core. The member names are the original record field names; what
// each buffer actually holds is inferred from the name only - treat it as a
// lead to confirm against the code that reads it, not as a fact.
// NOTE(review): the 33/32/33 sizes are as recovered. Notify_Upload being one
// byte shorter than its two neighbours is odd for three same-purpose buffers;
// re-check the IDR definition before depending on the offsets that follow it.
struct MUserNatifer
{
  _BYTE Notify_Command[33]; // presumably a notification string for the command channel
  _BYTE Notify_Upload[32];  // presumably a notification string for uploads
  _BYTE Notify_Online[33];  // presumably a notification string for the online check-in
};


// Old-core configuration record. It is the SaveReg member of MyRecord, so it is
// presumably the part of the bot state that gets persisted - TODO confirm where
// it is written out. Member names come from the IDR record definition; the
// purpose notes below are inferred from those names and should be verified
// against the code that reads each field. The "new core" remarks compare this
// layout with the new-core MyRegRecord listed later in the post.
struct MyRegRecord
{
  int AccID;           // by name: account/affiliate id; not present in the new core
  int WinBit;          // by name: 32/64-bit host flag
  int OS;              // by name: host OS code
  int Port;            // by name: C2 port; moved into MyRecord in the new core
  int SniffPort;       // by name: sniffer port; moved into MyRecord in the new core
  int TorPort;
  int Port64x;         // not present in the new core
  int TimeZone;
  int TimeOut;
  int Version;
  int TorActive;       // appears as TorEnable in the new core
  int OProx;           // by name: proxy-related; not present in the new core
  int OPort;           // not present in the new core
  int LogOn;
  _BYTE BotID[33];     // 33 bytes here; the new core has IDBot[32]
  _BYTE BuildsID[33];  // not present in the new core
  _BYTE ProxyData[32];
  MUserNatifer MDServerInfo; // server notification strings, see MUserNatifer
};

// Old-core global bot state; the Finalize method that cleans it up is what
// exposes the record name (see the notes above). Member names are the IDR
// field names and the purpose notes are inferred from them only.
// NOTE(review): the *Mem, *Path, *List and *Process members are typed int here,
// while the new-core listing types their counterparts as void* / char*. They
// are very likely 32-bit pointers (a 4-byte int is pointer-sized on a 32-bit
// build), so this layout should only be applied to a 32-bit core - TODO confirm.
struct MyRecord
{
  MyRegRecord SaveReg;   // persisted config, see MyRegRecord
  int Process;           // char* in the new core
  int FullPath;          // pointer-sized by the note above
  int DataPath;          // char* in the new core
  int FunStart;
  int MemDataBase;       // void* in the new core
  int BotStealerData;    // void* in the new core
  int BotCommand;        // void* in the new core
  int OnlineMem;         // void* in the new core
  int LogsSendMem;       // void* in the new core
  int InjectionProcess;  // void* in the new core
  int PubKeyMem;         // by name: public key material; void* in the new core
  int DropKeyMem;        // not present in the new core
  int TorModuleMem;      // by name: Tor module image; MyTorModuleMem in the new core
  int ProcessMem;
  int MemStartMem;       // void* in the new core
  int CommandIDList;     // void* in the new core
  int ExecuteIDList;     // void* in the new core
  int BotInfo;           // void* in the new core
  int VNCProcess;
  int StealerActive;
  int StealerTimeOut;
  int Integrity;
  int PID;
  int Root;
  int Session;
  int TorActive;
  int TorDisable;        // not present in the new core
};

New Core

Now that we know the name of the record used to control the bot, we can locate it in the new core and use it to identify changes in functionality, as well as to search the binary for interesting information.

  • Locate MyRecord in IDR
  • Build a struct which can be compared against the older version of the core
  • Use IDR (record offset) to locate the record definition in IDA and then trace cross references from it
  • Using the cross references find the Finalize method and locate the global struct
  • Apply the new struct types to the global struct and use this to identify key functionality and data in the binary
// New-core configuration record (the Record member of the new MyRecord).
// Compared with the old MyRegRecord: AccID is gone and LoaderMode is first;
// Port and SniffPort moved into MyRecord; Port64x, OProx, OPort and BuildsID
// are gone; TorActive is now TorEnable; BotID[33] is now IDBot[32], which also
// shifts every member after it by one byte. Purposes are inferred from names.
// Assumes MUserNatifer is unchanged from the old core - the post shows no new
// definition for it; TODO confirm its size in the new binary.
struct MyRegRecord
{
  int LoaderMode;      // new; by name: how the core was loaded
  int WinBit;          // by name: 32/64-bit host flag
  int OS;              // by name: host OS code
  int TimeZone;
  int TimeOut;
  int Version;
  int TorEnable;       // was TorActive in the old core
  int TorPort;
  int LogOn;
  _BYTE IDBot[32];     // was BotID[33] in the old core
  _BYTE ProxyData[32];
  MUserNatifer MDServerInfo; // server notification strings, see MUserNatifer
};

// New-core global bot state, built to be compared against the old MyRecord.
// Unlike the old core, pointer members are typed as such here; the config
// record (Record) is no longer the first member. Member names are the IDR
// field names and every purpose note is inferred from the name alone.
// NOTE(review): the *Key_* members suggest the core keeps its key material in
// this global; with this layout, a memory capture of the process the core runs
// in is a sensible place to recover it - confirm what each buffer holds.
struct MyRecord
{
  // Module images / loader payloads (by name)
  void *MyModuleData_32;   // new; by name: 32-bit module
  void *MyModuleData_64;   // new; by name: 64-bit module
  void *MyTorModuleMem;    // was TorModuleMem in the old core
  void *EXELoaderMem;      // new
  void *DLLLoaderMem;      // new
  void *MemServiceSession; // new
  void *MemDataBase;
  void *BotStealerData;
  void *BotCommand;
  void *OnlineMem;
  void *LogsSendMem;
  void *InjectionProcess;
  void *MemStartMem;
  // Key material (by name; all new except PubKeyMem)
  void *PubKeyMem;
  void *OnlinePub;
  void *ServerKey_Priv;    // by name: a private key held on the bot side - worth confirming
  void *ServerKey_Pub;
  void *ClientKey_Pub;
  void *TaskMgrKey_Pub;
  // Command / task lists (by name)
  void *CommandIDList;
  void *ExecuteIDList;
  void *ExecuteFileList;       // new
  void *VideoCommandList;      // new
  void *KeyLoggerCommandList;  // new
  void *MScreenList;           // new
  void *MScreenOperation;      // new
  void *MJabberList;           // new; by name: a Jabber/XMPP channel - confirm
  void *MJabberConnect;        // new
  void *TFilterAction;         // new; by name: browser filter actions - confirm
  MyRegRecord Record;          // config record, see MyRegRecord (was SaveReg, first member, in the old core)
  // Paths and identity strings
  char *Process;
  char *MyPath;
  char *EXEPath;
  char *DLLPath;
  char *UpdateName;
  char *ServiceName;           // by name: a service is involved in persistence - confirm
  char *DataPath;
  char *PathMD5;
  char *RegDataName;
  char *User;
  char *ComputerName;
  char *FilterActionID;
  void *Video;
  char *VideoID;
  char *FWindowName;
  char *FWindowClass;
  void *BotInfo;
  int BotInfoInit;
  int Port;                    // moved here from MyRegRecord
  int SniffPort;               // moved here from MyRegRecord
  unsigned int MWindow;
  int SteallerComplete;        // name as recovered (sic)
  int VNCProcess;
  int UacStarter;
  int StealerActive;
  int StealerInit;
  int AutoKeyLog;
  int InitInjectionData;
  int InitDetours;
  int InitKeyLog;
  int BotInstall;
  int SaveConfig;
  int ServerSock;              // by name: a socket stored as int
  int ProcessorType;
  int NeedHidden;
  char *HiddenID;
  char *StealerID;
  char *InstallId;
  char *FunMemParam;
  char *G_FullInj;             // by name: inject list
  char *G_FullRedir;           // by name: redirect list
  char *G_FullBlock;           // by name: block list
  int SnifferActive;
  int SnifferInit;
  int VideoActive;
  int FFExists;
  int CrtInit;
  int InjectInit;
  int ExeProcessStarter;
  int CertInstall;             // by name: a certificate gets installed - check for a root CA during cleanup
  int UacActive;
  int StealerTimeOut;
  void *StealerTimeDate;
  int Integrity;
  int CurrentIPConnect;
  int CurrentPort;
  int PID;
  int Admin;
  int Root;
  int Session;
  int UserID;
  int UpdateStart;
  int TorActive;
  int TorExists;
  // Tr* members: by the prefix, possibly thread handles/ids - confirm
  unsigned int TrSniffer;
  unsigned int TrRegEdit;
  unsigned int TrStealer;
  unsigned int TrConnect;
  int TaskMgrPid;
  // Sockets to the injected 32/64-bit processes and taskmgr (by name)
  unsigned int Sock64xProcess;
  unsigned int Sock32xProcess;
  unsigned int SockTaskMgr;
  void *x64ProcRec;
  void *x32ProcRec;
  void *FunStarter;
};