Static Analysis - WTS Session Hijacker | Threat: HIGH
File Identification
| Field | Value |
|---|---|
| SHA256 | 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274 |
| Size | 396,288 bytes (PE32 GUI x86, 4 sections) |
| Entropy | 7.64 (packed) -- .rsrc 7.81 (300KB encrypted payload) |
| Timestamp | 2015-03-24 (fake / spoofed) -- Visual C++ 6.0 |
RDP/WTS Session Attack
WTS HIJACKER: RDP session hijacking and token theft!
WTSEnumerateSessionsW -- Enumerate active RDP sessions
WTSEnumerateServersA -- Scan the network for RDP servers
WTSQueryUserToken -- Obtain the active user's token
WTSQuerySessionInformationA -- Query session details
WTSSetSessionInformationW -- Modify session settings
WTSVirtualChannelRead -- Read RDP virtual channels

-- Full Windows Terminal Services API set: complete RDP hijack capability
-- WTSQueryUserToken + LogonUserW = session token theft + impersonation
Token Theft + Privilege Escalation
LogonUserW -- Log a user on with credentials
AuthzAddSidsToContext -- Add SIDs to a token context
AuthzInitializeContextFromSid -- Build a context from a SID
CryptSignHashW -- Cryptographic signing
ClearEventLogA -- Clear event logs
ControlService -- Service control (AV kill / stop WinDefend?)

-- authz.dll usage: SID manipulation to obtain SYSTEM privileges
-- ClearEventLogA: clears event logs to hide traces
-- Lateral movement: scans every RDP server on the network via the WTS API
Obfuscated API Calls
cxrotepg.dll -- XOR-obfuscated DLL name (possibly kernel32/ntdll)
caab__o_es_Memory -- VirtualAllocEx or NtAllocateVirtualMemory
ekatu___lloc -- VirtualAlloc (verified via XOR)
.rsrc -- 300 KB encrypted payload (decrypted at runtime)

Custom hex encoding: ABCDEFGHIJKLMNO@ alphabet (16 symbols, one 4-bit nibble each)
IOC
| Field | Value |
|---|---|
| SHA256 | 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274 |
| MD5 | f0b9f50c6a247ac5ca9cc95135b83dcf |
| WTS API | WTSEnumerateSessionsW + WTSQueryUserToken (full RDP hijack) |
| AuthZ | AuthzAddSidsToContext + AuthzInitializeContextFromSid (token escalation) |
| Payload | 300KB encrypted .rsrc section (runtime decryption) |
WTSSessionHijacker — Malware Profile
RDP/WTS session hijacking tool using Windows Terminal Services API (wtsapi32.dll). Enumerates all RDP sessions (WTSEnumerateSessionsW), steals user tokens (WTSQueryUserToken), performs credential-based logon (LogonUserW), and escalates via authz.dll (AuthzAddSidsToContext). Clears event logs (ClearEventLogA) and can control services (ControlService). 300KB encrypted .rsrc payload decrypted at runtime. API calls obfuscated with custom XOR encoding.
Malware Type
RAT
Programming Language
C/C++
C2 Protocol
custom
Target Systems
Global/Enterprise
Capabilities & Behavior
Remote Access & Control
Keylogger
Screen Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism
IOC List (1 indicator)
IOC — WTSSessionHijacker
# SHA256
068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
| Type | Value | Note |
|---|---|---|
| sha256 | 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274 | |