THE CRYPTER BIBLE

With 5 comments

Crypter Bible

Everything you need to know. We explain features, options, settings, basic knowledge, detections, how to not ruin your stub and ultimately how not to annoy the crypter owner.

Terms & Definitions

  • RunPE
    • RunPE is the piece of code made to Inject the Payload into the memory of the chosen process.
  • Injection
    • The process of placing the Payload into the memory space of a chosen process.
    • Most commonly injected processes are:
      • svchost.exe
      • RegAsm.exe
      • explorer.exe
      • Default Browser (ie chrome.exe, firefox.exe, iexplorer.exe)
      • Itself (Meaning the payload is injected into the running process, ie your crypted file)
      • vbc.exe
      • cvtres.exe
  • PayLoad
    • In noob terms the file you chose to encrypt.
  • Encryption
    • The algorithm to “protect” and transform the bytes of a chosen file, making them unrecognisable and totally different from original bytes.
  • Stub
    • The program created to store your encrypted payload and to inject it in memory when ran.
    • This is where the Scantime Detections will come from.
  • Private Stub
    • Same as above, except you should be the only person using the stub.
    • Code is essentially different from public stubs, making it harder to detect Scantime.
    • Longer FUD time.

How does it work?

  • The image bellow illustrates very simply what a crypter does to your server.
    OsmM9Tr

Scantime vs Runtime

  • Scantime Definition
    • A file is scantime detected if before it’s ran the AV detects it, or when a scan is ran the file is found and marked as a threat.
    • Scantime Detections are caused by visible instructions or PE info such as Assembly/Icon, Cloned Certificates, Resources Type and Size, Instructions and more.
    • That means that Essentially what RAT/Server you crypt will make little to no difference on scantime detections as the file is encrypted in an unrecognizable way.
    • Safe places to test your Scantime Results:
  • Runtime Definition
    • A file is Runtime Detected if, only after the file is ran, it triggers the AV program to block, stop or delete the program in question.
    • Runtime Detections are caused by behaviour. Basically how your file acts and runs can prompt a runtime detection.
    • The RAT/Server you crypt WILL affect the Runtime Detection.
    • To avoid Runtime Detections you should refrain from using overused settings. i.e. Rootkits will most likely prompt a detection. Your best bet is to use as little options as possible from the server and more from the crypter. Why? Because it is easy to target the behaviour of a widely used RAT, when it never really gets updated or changed. Crypters get updated and modified so it is more reliable to use their settings to avoid detections.
    • A way to prevent some Runtime Detections is also to use Anti Memory Scan, which will basically deny access to the memory space your server is running on.
    • Safe places to test your Runtime Results:

Detections

  • Scantime
    • User Caused
      • Generic Detections – Often caused by Size, Icon, Assembly Info selected by user.
      • Example of common Generic Detections:
        • Kazy (this could also be coders fault in some occasions)
        • Bary
        • Zusy
        • Gen:*
          • These detections are easily removed by:
          • Changing Icon – avoid low resolution/size icons.
          • Changing Assembly Info – avoid overused Assemblies, but find something trusted enough.
          • Pump the file slightly.
          • If all else fails, try removing Version Info resource. (Using ResHacker. Some crypters offer this option)
    • Crypter/Coder Caused
      • Heuristic Detections and some Generic Detections.
      • Instruction or set of instructions that trigger detections. Nothing the user can do.
      • PE Structure.
      • Example of Coder Caused Detections:
        • Injector.* (i.e. Common NOD32 detection)
        • Heur:*
        • MSIL:*
  • Runtime
    • User Caused
      • Selecting every single possible option (on the RAT) WILL most likely cause runtime detections. You will also successfully annoy support and the owner.
      • Selecting very common injection Processes.
      • Here’s how you can solve some of them:
        • Avoid injecting into overused processes such as svchost.exe, may cause detections.
        • Add Delay (30+ secs) will bypass some AVs Runtime.
        • Decent Icon and Assembly Info.
    • Crypter/Coder Caused
      • Overused RunPE with no modifications.
      • Copy & Pasta of code.
      • Long time without checking for Runtime Detections.

How Not to Corrupt your Server

  • Things to Avoid:
    • Double Crypting – Why on earth would you do this?
    • Ticking every single option on both crypter and RAT.
  • Important Things to Keep in Mind
    • Is your file Native or .Net/Managed?
      • Native RATs – Coded in a language without dependencies (i.e. C, C++, VB6, Delphi)
        • DarkComet – FREE
        • Cybergate – FREE
        • Prototype
        • Netwire
        • Babylon – FREE
      • Managed RATs – Coded in a language with dependencies (i.e. VB.net, C#, Java)
        • Nanocore
        • LuminosityLink
        • Imminent Monitor 3
        • njRAT – FREE
        • PiRat
        • Quasar RAT – FREE
    • Is your file .NET?
      • It’s RECOMMENDED to inject into ‘Itself’, choosing something else may corrupt your file’s settings.
    • Is your file Native?
      • It’s RECOMMENDED NOT TO inject into ‘Itself’, choose something else.
  • If you’re injecting into anything other than ‘Itself’, it’s recommended to no select any options on the RAT/Server as it might corrupt some, especially startup – unless your crypter has PEB patching of course, and most don’t.

Why is My File Not FUD Anymore?

  • Very important factors in how fast it gets detected:
    • The usage/spread of malware by the customer base.
    • Where the file is uploaded to.
    • How big the customer base is for the crypter in use.
    • Which malware was crypted.
  • Many coders can easily use the same “method” to achieve a result. If it gets detected for one of them, it will most likely get detected for the other.
  • AVs Update very regularly, usually more than once a day!
  • That’s just how crypters work, they get detected. And when they do, it’s not the end of the world – reFUDing most times takes less than 1 hour!

How Not to Ruin your FUD Time

  • Things to Avoid:
    • Scanning on Sites that distribute your files to Anti Virus companies. Forbidden sites are:
      • VirusTotal
      • Anubis
      • Jotti
    • Uploading your file on Sites that will distribute files.
      Forbidden sites are:

      • Dropbox
      • MediaFire
      • GoogleDrive
    • DO NOT SEND YOUR FILE OVER SKYPE!
      6vXGzxw
  • Things to Do:
    • Every AV will share samples from your PC, make sure to disable any such service on your AV’s Settings.

How Not to Annoy the Crypter Owner

  • Things to Avoid:
    • SPAMMING.
    • Posting Infected Results on the Sales Thread, ESPECIALLY when detections are YOUR fault. (Refer to Detections section on this post)
    • Posting any problems on the thread, when you’ve not tried to contact support. ALWAYS CONTACT SUPPORT FIRST.
  • Things to Do:
    • If you PM for support because a file is not working, always PM ALL THE SETTINGS you are using.
    • Be patient.
    • Keep the rules.
    • Don’t be stupid
    • Read all the tutorials/watch videos of settings BEFORE contacting support for problems.

Crypter Features & Description

  • Startup/Installation
    • Module of the stub that adds your crypted to the list of programs to run with Windows at start!
    • Many different types. Using Registry, Tasks, Copying file to Startup Folder, etc.
  • Startup Persistence
    • Module that will constantly checks if the your file has been removed from the startup list.
  • Process/Injection Persistence
    • Module that will constantly checks if your server has been killed, if it has start it or inject the payload again.
    • Again many different ways of achieving this i.e. Watchdog, DLL Injection and the list continues.
  • Anti Memory Scan
    • Module that will deny access to anything that tries to read the payload you injected.
    • Extremely helpful against Runtime Detections.
  • Elevate Process/Privileges
    • Attempts to gain Admin Rights for your file.
  • Critical Process
    • Changes certain attributes of your running file that will cause a BSOD (Blue Screen of Death) if the process is terminated.
  • Mutex
    • A very useful feature to make sure your file is not running more than once at the same time. Most RATs have this feature so not essential on crypters.
  • Melt File
    • Removes/Deletes your file after it is successfully ran.
  • Extension Spoofer
    • Simple trick with a Unicode Characted called LeftToRight. Doesn’t change the actual extension but will make it look like something else.
    • If you’re trying to make it look like a picture, did you know you can rename the extension from .exe to .scr (Screen Saver)?
  • File Pumper
    • Add a set number of bytes (with value 0) to the end of your file, increasing it’s size but without disrupting the any procedures on runtime.
  • Compress
    • Decreases the output size.
  • Icon or Assembly Cloner
    • Copies the Assembly Information or the Icon of a chosen file. (Good to bypass some Generic detections)
  • Encryption Algorithm
    • Function used to transform the bytes of your RAT/Server into something completely different.
    • Will essentially make little to no difference on detection which algorithm you use.
  • Delay Execution
    • Used to “stop” or pause your file, while running, for a certain period of time.
    • Adding 30+ seconds will in some cases help bypass runtime detections, believe it or not.
  • Binder
    • Add another file to the stub, now your stub will run the RAT/Server but also the file you binded one after the other! (Means you can run a legit program and your RAT at the same time, win win win!)
  • Downloader
    • Well that’s obvious, downloads and runs a file from a given URL.
  • USG – Unique Stub Generator
    • Will make sure your stub is as different as possible from previous crypts.
    • Cheap versions on USG will only rename variables and methods – making not much difference at all.
  • Fake Message Box
    • A Message Box will Pop Up when the file is executed. You can choose for it to display whatever message. I’ll let you figure out why this is useful when spreading.
  • Hide File
    • Sets the option of your file to be Hidden so the infected person cannot see your file in the folder.
    • Slaves can still see the files if the “Show Hidden File and Folders” option on their computer is on.
  • Antis
    • Stop your file from running if certain programs are running in the background.
    • Most common Antis are:
      • Anti Virtual Machine (VMWare, VirtualBox and VirtualPC)
      • Anti Sandboxie
      • Anti Wireshark
      • Anti Fiddler
      • Anti Debugger
      • Anti Anubis
  • Botkill
    • Searches for any existing files or processes that might be malware and attempts to kill/remove them from the system.
  • Remove/Change ZoneID
    • ZoneID information recorded on the file, to let Windows know where it came from. (In most cases causing the Smart Screen, or the “Are you sure you want to run this file?” box)
    • This module will remove the ZoneID the file was given.
    • The different values are:
      • 0 – Local Machine
      • 1 – Intranet
      • 2 – Trusted
      • 3 – Internet
      • 4 – Untrusted
  • Spreaders
    • Attempts to copy your file to places where it might infect other users.
    • Most spreaders don’t work, so don’t be fooled.
    • Common spreaders:
      • USB – Will copy your file to any USB connected to the PC. Back in the day they would also set up an autorun.ini file to make the server execute as soon as the USB is connected to another PC. Autorun no longer works on Windows.
      • Rar/Zip – add your file to the files inside the compressed folder.
      • Chat/IM (Skype, Facebook, Omegle, Twitter) – Messages other people with an infected link or attempts to send them an infected file.
      • Lan – Doesn’t work, so no bother.
  • Junk Code
    • Adds useless, unnecessary lines of code/instructions in an attempt to bypass some less specific Scantime Detections.
    • Somewhat efficient but also increases the stub size.
  • Remove Version Info
    • Deletes a resource called Version Info, which contains all the assembly information.
    • Helps get rid of Kazy generic detection when all you have tried has failed.
  • Require Admin
    • Prompts an UAC window asking the slave to run the file as Admin.
  • Certifcate Clone/Forger
    • Adds a Certificate to your file copied from other signed Applications, the certificate will be invalid but makes your file look a bit more legit.

Credits

  • Asterea
  • Raymond
Author: KillαMuvz
Source: www.reFUD.me