NtCrypt and 1DayCrypt and their similarities


For various reasons I will not be able to provide the specific samples discussed, which I hope is understandable. So I guess you will have to take my word for the validity of the samples. But I am Mr. Krabs, so of course you will take my word for it.

Some preliminary notes: NtCrypt is a "high end" crypter that was previously analyzed, more or less, by Malwarebytes. They never publicly identified the crypter/packer, but based on my analysis (and the author's own admission) it was NtCrypt. The author is also quite hated by some competitors (or ex-competitors, I suppose).

Now that we know some basic information about NtCrypt: a new crypter recently emerged on the script-kiddie forum Hackforums.

Very fascinating, aside from the imperfect English. A sample I obtained confirmed that 1Day Crypt is in fact an NtCrypt clone.

Similarity #1: Wrapper

Both NtCrypt and 1Day Crypt rely on projects stolen from GitHub or other sites as the "vehicle" through which their shellcode is executed. These projects are then used for

Similarity #2: Shellcode delivery

In both cases the shellcode resides, encrypted, in the .data section and is decrypted with an XOR-based algorithm. This differs slightly between the two: 1Day's decryption routine is slightly modified and is obfuscated with jmps over junk bytes (an anti-disassembly technique). The decrypted shellcode is then executed by being passed as the callback to an Enum* function: EnumDesktopsA in the case of NtCrypt and EnumWindows in the case of 1Day.

[Screenshot: 1Day Crypt]
[Screenshot: NtCrypt]

These changes are understandable, as NtCrypt was released some months ago whereas 1Day Crypt is a very new service. An interesting and unique detail is that in both cases the entrypoint of the shellcode is NOT its starting address: EnumFunc is at offset 0x5880 in 1Day and 0x3B40 in NtCrypt. After this, we get to

Similarity #3: Hashing

Both use a hashing algorithm that looks like this (a seed of 0x1505 = 5381 and a multiply by 33: this is the well-known djb2 string hash):

#include <stdint.h>

/* djb2 string hash as recovered from the crypter: seed 5381 (0x1505),
 * hash = hash * 33 + c over each byte of a NUL-terminated string.
 * The decompiler typed the accumulator as a signed int; uint32_t gives
 * the same 32-bit wraparound without relying on signed overflow. */
uint32_t custom_hash_str(const unsigned char *str)
{
    uint32_t hash = 0x1505;
    unsigned char c;

    if (!str)
        return 0;
    while ((c = *str++) != 0)
        hash = c + 33 * hash;
    return hash;
}

This is then used for

Similarity #4: API resolving

[Screenshot: 1Day Crypt]
[Screenshot: NtCrypt. I did not apply the struct, so it looks a bit different, but it is in essence 100% the same]

This function resolves APIs from the user32 and gdi DLLs, and is used for the
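To make the hashing (Similarity #3) and the API resolving (Similarity #4) concrete, here is an added example that is not code from the post or from either crypter: it reimplements the djb2 routine above in Python with the same 32-bit truncation, then builds the hash-to-name table an analyst uses to turn the constants found in the resolver back into API names. The export list is a constructed sample, not a dump of real export tables.

```python
# Added example (not from the original post): the crypter's djb2-style API-name
# hash rebuilt in Python, plus a lookup table to resolve hash constants back to
# names. SAMPLE_EXPORTS is a constructed sample, not a real export-table dump.

def custom_hash_str(name: str) -> int:
    """djb2: h = 5381; h = h*33 + c, truncated to 32 bits like the x86 code."""
    h = 0x1505
    for c in name.encode("ascii"):
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

# Constructed sample of export names from user32.dll / gdi32.dll.
SAMPLE_EXPORTS = {
    "user32.dll": ["EnumWindows", "EnumDesktopsA", "CreateWindowExA",
                   "RegisterClassExA", "DefWindowProcA", "ShowWindow"],
    "gdi32.dll": ["CreateCompatibleDC", "SelectObject", "DeleteObject"],
}

def build_hash_table(exports):
    """Map hash -> (dll, export name); refuse silently-colliding tables."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            h = custom_hash_str(n)
            if h in table and table[h] != (dll, n):
                raise ValueError(f"hash collision: {table[h]} vs {(dll, n)}")
            table[h] = (dll, n)
    return table

def resolve(table, h: int):
    """Return (dll, name) for a hash seen in the binary, or None if unknown."""
    return table.get(h & 0xFFFFFFFF)

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for name in ("EnumWindows", "EnumDesktopsA"):
        h = custom_hash_str(name)
        print(f"{name:16s} 0x{h:08x} -> {resolve(table, h)}")
```

In practice the export names come from the real DLLs' export tables (any PE parser will enumerate them); the mask matters because the decompiled routine returns a signed int, so IDA may display the same constant as a negative number.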

Similarity #5: Bitdefender bypass

Both crypters' entrypoints are practically 100% the same.

[Screenshot: NtCrypt]
[Screenshot: 1Day Crypt]

Both detect Bitdefender's API via the hash and pass the current executing address to a Bitdefender bypass function. That function creates an invisible window called "Tricked", which sidesteps a Bitdefender heuristic that sometimes flags windowless EXEs.

[Screenshot: the bypass, partially cleaned up]

This is why the entrypoint starts with E8 00 00 00 00 (which those familiar with shellcode and exploit development will recognize as call $+5): it obtains EIP, and from that the address of the shellcode. That address is then used to compute the address of a callback function, which is run on a new thread via the CreateThread API.
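The get-EIP trick above is also a handy thing to scan for. The following is an added example, not code from the post or from either crypter: it locates the call $+5 / pop reg pair in a position-independent blob and shows the arithmetic the shellcode performs to go from the EIP it obtains to the address of a callback at a known offset. The blob is constructed by hand for the demo (entry at offset 0x20, as a stand-in for the nonzero entry offsets the post mentions); the function and constant names are my own.

```python
# Added example (not from the original post): finding the "call $+5 ; pop reg"
# get-PC idiom and reproducing the shellcode's address arithmetic. SAMPLE is a
# constructed blob, not the crypter's shellcode.

# E8 rel32 with rel32 == 0 calls the very next instruction, so the return
# address it pushes is the address of that next instruction (call + 5).
GET_PC_CALL = b"\xe8\x00\x00\x00\x00"
POP_REG = {0x58: "eax", 0x59: "ecx", 0x5a: "edx", 0x5b: "ebx",
           0x5d: "ebp", 0x5e: "esi", 0x5f: "edi"}   # 0x5c (pop esp) ignored

def find_get_pc(blob: bytes, base: int = 0):
    """Return (offset_of_call, register, eip_obtained) for each call $+5 ; pop reg pair.

    base is the address the blob will be mapped at, so eip_obtained is the
    absolute value the pop leaves in the register.
    """
    hits = []
    i = blob.find(GET_PC_CALL)
    while i != -1:
        nxt = i + len(GET_PC_CALL)
        if nxt < len(blob) and blob[nxt] in POP_REG:
            hits.append((i, POP_REG[blob[nxt]], base + nxt))
        i = blob.find(GET_PC_CALL, i + 1)
    return hits

def callback_address(eip: int, pop_offset: int, callback_offset: int) -> int:
    """Address of a callback at callback_offset from the start of the blob.

    eip is the value obtained by the pop, pop_offset is where that pop sits in
    the blob, so eip - pop_offset is the blob's load address.
    """
    return eip - pop_offset + callback_offset

# Constructed blob: 0x20 bytes of filler "body", then the entry sequence
# call $+5 ; pop eax, then a few nops. The entry is NOT at offset 0.
SAMPLE = b"\xcc" * 0x20 + GET_PC_CALL + b"\x58" + b"\x90" * 4

if __name__ == "__main__":
    for off, reg, eip in find_get_pc(SAMPLE, base=0x400000):
        print(f"call $+5 at +0x{off:x}, pop {reg} -> eip 0x{eip:x}, "
              f"blob base 0x{eip - (off + 5):x}")
```

Treat a hit as a heuristic rather than a verdict: the five bytes can occur inside data, and compilers rarely but occasionally emit a zero-displacement call, so confirm that the bytes sit at the start of a reachable code path before relying on them.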

Similarity #6: Storage

One very unique thing about both crypters is that they are heavily invested in heuristics bypass, which leads both to use some rather innovative techniques not seen before. NtCrypt previously stored its data in a section called ".arch", with the PE header's Architecture data directory pointed at it.

1Day Crypt, on the other hand, points the Debug directory at it, and gives the section a not-so-nice name.

As expected, the debug directory is then corrupted. However, as normal execution does not rely on this directory, the file has no problem running.
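Both storage tricks are visible from the data directory table alone. The following is an added example, not code from the post or from either crypter: it parses a PE32 optional header's 16 data directories and flags an Architecture directory that is not zero (the PE/COFF specification reserves that entry and requires it to be zero) and a Debug directory whose size is not a whole number of IMAGE_DEBUG_DIRECTORY entries. To run offline it builds a minimal PE32 image in memory with build_minimal_pe(); that image, and the function names, are my own constructions.

```python
# Added example (not from the original post): spotting data hidden behind the
# Architecture or Debug data directory. build_minimal_pe() constructs a PE32
# skeleton for the demo; it is not either crypter's stub.
import struct

DIR_DEBUG, DIR_ARCHITECTURE = 6, 7
IMAGE_DEBUG_DIRECTORY_SIZE = 28          # sizeof(IMAGE_DEBUG_DIRECTORY)

def data_directories(pe: bytes):
    """Return the 16 (VirtualAddress, Size) pairs of a PE32 optional header."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ has magic 0x20B)")
    count = struct.unpack_from("<I", pe, opt + 92)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i)
            for i in range(min(count, 16))]
    return dirs + [(0, 0)] * (16 - len(dirs))

def suspicious_directories(pe: bytes):
    """Return human-readable findings for the two storage tricks."""
    dirs = data_directories(pe)
    findings = []
    rva, size = dirs[DIR_ARCHITECTURE]
    if rva or size:                              # spec: reserved, must be 0
        findings.append(f"Architecture directory is reserved but set: "
                        f"rva=0x{rva:x} size=0x{size:x}")
    rva, size = dirs[DIR_DEBUG]
    if size and size % IMAGE_DEBUG_DIRECTORY_SIZE:
        findings.append(f"Debug directory size 0x{size:x} is not a multiple "
                        f"of {IMAGE_DEBUG_DIRECTORY_SIZE}")
    return findings

# PE32 optional header layout: 96 fixed bytes, then 16 data directories.
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6

def build_minimal_pe(arch=(0, 0), debug=(0, 0)) -> bytes:
    """Constructed PE32 skeleton: DOS header, signature, COFF header,
    optional header with the given Architecture/Debug entries, one section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack(OPT_FMT, 0x10B, 0, 0,
                      0, 0x1000, 0, 0x1000, 0x1000, 0x1000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x400, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_ARCHITECTURE] = tuple(arch)
    dirs[DIR_DEBUG] = tuple(debug)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x200, 0x400,
                       0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + opt + sect

if __name__ == "__main__":
    for label, pe in (("clean", build_minimal_pe()),
                      ("arch-trick", build_minimal_pe(arch=(0x2000, 0x800))),
                      ("debug-trick", build_minimal_pe(debug=(0x2000, 0x801)))):
        print(label, suspicious_directories(pe) or "no findings")
```

On a real file, pass `open(path, "rb").read()` to suspicious_directories(). The Architecture check is a strong signal because a compliant linker never populates that entry; the Debug size check is weak on its own, since a directory pointed at a whole section can by chance be a multiple of 28, so a follow-up is to parse each 28-byte entry and reject unknown Type values or pointers outside the file.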

Conclusions and some remarks

I'll avoid going into details about code execution, as their injection method is already covered by Malwarebytes (albeit with some minor mistakes), and anyone can figure out how a PE loader works by reading MSDN documentation and looking at ReactOS or other resources. It is very fascinating to observe capitalism's tendency toward monopolization playing out even on illegal marketplaces for crypters like this, with a crypter developer selling his software under multiple brands to win more customers. As not much has changed, reasonably experienced reverse engineers will easily be able to tell that both crypters are developed by the same person.

Update

As it turns out, 1Day Crypt was someone who bought NtCrypt and resold it without permission at a lower price than the original. This is quite strange; however, it would mean that their "private stubs" are not really private at all, and that they are scamming their customers through this scheme.