Static Analysis - WTS Session Hijacker | Threat: HIGH

File Identity

SHA256: 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
Size: 396,288 bytes (PE32 GUI, x86, 4 sections)
Entropy: 7.64 overall (packed); .rsrc 7.81 (300 KB encrypted payload)
Timestamp: 2015-03-24 (likely spoofed); linker: Visual C++ 6.0

RDP/WTS Session Attack

WTS HIJACKER: RDP session takeover and token theft.

WTSEnumerateSessionsW -- enumerate active RDP sessions
WTSEnumerateServersA -- scan the network for RDP servers
WTSQueryUserToken -- obtain the primary token of the user logged on to a session (only succeeds as LocalSystem / with SeTcbPrivilege, so the sample must already run as SYSTEM or be launched from a service)
WTSQuerySessionInformationA -- query session details (user, client name, state)
WTSSetSessionInformationW -- change session settings
WTSVirtualChannelRead -- read from an RDP virtual channel

-- Full Windows Terminal Services API set: complete RDP hijack capability
-- WTSQueryUserToken + LogonUserW = session token theft + impersonation

Token Theft + Privilege Escalation

LogonUserW -- logon with supplied credentials (returns a new primary token)
AuthzAddSidsToContext -- add SIDs to an authorization context
AuthzInitializeContextFromSid -- build an authorization context from a SID
CryptSignHashW -- cryptographic signing
ClearEventLogA -- clear event logs
ControlService -- service control (AV kill / stop WinDefend?)

-- authz.dll usage: SID manipulation aimed at SYSTEM-level access. Caveat: Authz contexts are client-side objects used for AuthzAccessCheck-style access checks; adding SIDs to one does not change the process token, so this only escalates if the result is fed back into something that trusts the context (e.g. the sample's own access decisions or a service it controls).
-- ClearEventLogA: clears event logs to hide traces (Security log clearing itself generates event 1102, which is the detection hook)
-- Lateral movement: the WTS API scans every RDP server on the network
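A static-triage pass that turns the numbers and API lists above into a repeatable check. This is an added example, not the analysed sample's code or the page's tooling: it takes what a PE parser or `strings` run gives you (a section-name-to-bytes map and a list of imported API names), flags sections whose entropy looks packed, and fires only when the API combinations named on this page co-occur, so an admin tool that merely lists sessions does not trip it. The 7.2 entropy threshold, the ATT&CK mapping and the severity ladder are this example's own choices; the sample inputs are constructed.

```python
"""Static triage for the WTS/AuthZ indicator set: per-section entropy plus
import-combination rules.  Added example, not the sample's own code."""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.2  # assumption: common cut-off for compressed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random, plain x86 code is usually 5.5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_sections(sections):
    """Names of sections whose entropy exceeds PACKED_THRESHOLD."""
    return [name for name, raw in sections.items()
            if shannon_entropy(raw) > PACKED_THRESHOLD]


# (finding, ATT&CK technique, APIs that must ALL be present to fire)
RULES = [
    ("RDP session enumeration + token theft", "T1563.002 / T1134",
     {"WTSEnumerateSessionsW", "WTSQueryUserToken"}),
    ("Credential logon for impersonation", "T1134",
     {"WTSQueryUserToken", "LogonUserW"}),
    ("Network RDP server discovery", "T1021.001", {"WTSEnumerateServersA"}),
    ("SID/token context manipulation via authz.dll", "T1134",
     {"AuthzInitializeContextFromSid", "AuthzAddSidsToContext"}),
    ("Event log clearing", "T1070.001", {"ClearEventLogA"}),
    ("Service control (possible AV stop)", "T1489", {"ControlService"}),
]


def triage_imports(imports):
    """Return (finding, technique) pairs whose required API set is fully imported."""
    present = set(imports)
    return [(name, tech) for name, tech, required in RULES if required <= present]


def verdict(findings, packed: bool) -> str:
    """Severity ladder (this example's choice): the token-theft chain alone is
    MEDIUM; add anti-forensics or a packed payload and it becomes HIGH.
    Session enumeration by itself stays LOW because admin tools do it too."""
    names = {name for name, _ in findings}
    token_theft = "RDP session enumeration + token theft" in names
    if token_theft and ("Event log clearing" in names or packed):
        return "HIGH"
    if token_theft:
        return "MEDIUM"
    return "LOW"


def triage(sections, imports):
    packed = packed_sections(sections)
    findings = triage_imports(imports)
    return {"packed_sections": packed, "findings": findings,
            "verdict": verdict(findings, bool(packed))}


# Constructed sample input: the import set reported above plus CRT noise, a
# repetitive .text stand-in, and a 300 KB pseudo-random blob standing in for
# the encrypted .rsrc section (seeded so the run is reproducible).
SAMPLE_IMPORTS = [
    "WTSEnumerateSessionsW", "WTSEnumerateServersA", "WTSQueryUserToken",
    "WTSQuerySessionInformationA", "WTSSetSessionInformationW",
    "WTSVirtualChannelRead", "LogonUserW", "AuthzAddSidsToContext",
    "AuthzInitializeContextFromSid", "CryptSignHashW", "ClearEventLogA",
    "ControlService", "GetProcAddress", "LoadLibraryA", "ExitProcess",
]
_rng = random.Random(1)
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10\x56\x8b\x75\x08" * 2000,
    ".rsrc": bytes(_rng.getrandbits(8) for _ in range(300 * 1024)),
}
# Constructed benign comparison: an admin utility that only lists sessions.
BENIGN_IMPORTS = ["WTSEnumerateSessionsW", "WTSFreeMemory", "MessageBoxW"]

if __name__ == "__main__":
    print("sample:", triage(SAMPLE_SECTIONS, SAMPLE_IMPORTS))
    print("benign:", triage({}, BENIGN_IMPORTS))
```

To run it against a real file, fill `sections` from `pefile` (`{s.Name.rstrip(b"\0").decode(): s.get_data() for s in pe.sections}`) and `imports` from the import directory; the rule set is deliberately conjunctive, so extend `RULES` rather than loosening the existing entries when you add new API families.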

Obfuscated API Calls

cxrotepg.dll -- XOR-obfuscated DLL name (possibly kernel32 / ntdll)
caab__o_es_Memory -- VirtualAllocEx or NtAllocateVirtualMemory
ekatu___lloc -- VirtualAlloc (confirmed via XOR)
.rsrc -- 300 KB encrypted payload (decrypted at runtime)

Custom hex encoding: alphabet ABCDEFGHIJKLMNO@ (16 symbols, one 4-bit nibble each)
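A decoder for the two obfuscation layers named above, written as an added example rather than code recovered from the sample. The page gives the 16-symbol alphabet but not its ordering or the XOR key, so this block assumes the alphabet maps in order to nibbles 0..15 (high nibble first) and that the XOR layer is a single repeating key byte; it brute-forces that byte against a crib list of DLL and API names a runtime-resolving loader would contain. `encode_nibbles` exists only to build the constructed test string.

```python
"""Decoder for the custom nibble alphabet and XOR layer.  Added example;
alphabet ordering and the single-byte key are assumptions, not page facts."""
ALPHABET = "ABCDEFGHIJKLMNO@"          # assumption: A=0 ... O=14, @=15
NIBBLE = {c: i for i, c in enumerate(ALPHABET)}


def decode_nibbles(text: str) -> bytes:
    """Two alphabet symbols -> one byte, high nibble first."""
    if len(text) % 2 or any(c not in NIBBLE for c in text):
        raise ValueError("not a string over the 16-symbol alphabet")
    return bytes((NIBBLE[text[i]] << 4) | NIBBLE[text[i + 1]]
                 for i in range(0, len(text), 2))


def encode_nibbles(data: bytes) -> str:
    """Inverse of decode_nibbles; used here only to construct sample input."""
    return "".join(ALPHABET[b >> 4] + ALPHABET[b & 0xF] for b in data)


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Cribs an analyst expects in a loader that resolves its imports at runtime.
CRIBS = [b"kernel32.dll", b"ntdll.dll", b"wtsapi32.dll", b"advapi32.dll",
         b"VirtualAlloc", b"LoadLibraryA", b"GetProcAddress", b"LogonUserW"]


def recover_key(blob: bytes, cribs=CRIBS):
    """Brute-force the 256 single-byte keys (assumed key shape); return
    (key, plaintext) for the first key whose output is printable ASCII
    (NUL terminator allowed) and contains a crib, else None."""
    for key in range(256):
        out = xor_bytes(blob, key)
        if all(b == 0 or 32 <= b < 127 for b in out) and any(c in out for c in cribs):
            return key, out
    return None


def decode_string(text: str, cribs=CRIBS):
    """Full pipeline: alphabet symbols -> raw bytes -> XOR key search."""
    return recover_key(decode_nibbles(text), cribs)


# Constructed sample: "kernel32.dll" XORed with 0x5A, then alphabet-encoded.
SAMPLE = encode_nibbles(xor_bytes(b"kernel32.dll", 0x5A))

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_string(SAMPLE))
```

Feed `decode_string` each run of alphabet characters that `strings` pulls out of the .rsrc or .data sections. The single-byte key is the weakest assumption: the visible `cxrotepg.dll` cannot be `kernel32.dll` under one constant byte ('c' ^ 'k' = 0x08 but 'x' ^ 'e' = 0x1D, and 'r' ^ 'r' = 0), so if no key yields a crib, extend `recover_key` to a positional or multi-byte key before trusting the kernel32 guess above.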

IOC

SHA256: 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274
MD5: f0b9f50c6a247ac5ca9cc95135b83dcf
WTS API: WTSEnumerateSessionsW + WTSQueryUserToken (full RDP hijack)
AuthZ: AuthzAddSidsToContext + AuthzInitializeContextFromSid (token escalation)
Payload: 300 KB encrypted .rsrc section (runtime decryption)

WTSSessionHijacker — Malware Profile

RDP/WTS session hijacking tool using Windows Terminal Services API (wtsapi32.dll). Enumerates all RDP sessions (WTSEnumerateSessionsW), steals user tokens (WTSQueryUserToken), performs credential-based logon (LogonUserW), and escalates via authz.dll (AuthzAddSidsToContext). Clears event logs (ClearEventLogA) and can control services (ControlService). 300KB encrypted .rsrc payload decrypted at runtime. API calls obfuscated with custom XOR encoding.

Malware Type
RAT
Programming Language
C/C++
C2 Protocol
custom
Target Systems
Global / Enterprise

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — WTSSessionHijacker

Type | Value | Note
sha256 | 068af8016c36fce5cf1e1a4722c1dc0d6e02cb6ed58b61c2ba99a54d294cc274 | (none)
Tags
wts-rdp-session-hijacking, wts-enumeratesessionsw-wts-queryusertoken, logonuserw-credential-auth, authzaddsidstocontext-authzinitializecontextfromsid-sid-escalation, cleareventloga-log-tamper, controlservice-av-kill, 300kb-encrypted-rsrc-payload, obfuscated-api-calls-xor-kernel32, wtsapi32-dll-full-rdp-hijack, lateral-movement-rdp, spoofed-timestamp-2015-vc6