Full Report
ScrubCrypt - Uncovering the rebranded Jlaive crypter
Analysis Summary
# Tool/Technique: ScrubCrypt
## Overview
ScrubCrypt is a crypter sold on underground forums, most visibly HackForums, where it began being promoted in the weeks before the article's publication. It was observed in a phishing campaign delivering the Xworm RAT. The analysis concludes that ScrubCrypt is the Jlaive crypter under a new name; the rebrand appears to be a marketing move.
## Technical Details
- Type: Tool (Crypter)
- Platform: Windows (batch script, a renamed copy of `powershell.exe`, and in-memory .NET assembly loading)
- Capabilities: Obfuscation and encryption of malware payloads; AES in CBC mode with PKCS7 padding; GZip compression of the payload, decompressed at run time.
- First Seen: Promoted on HackForums in the weeks before the article's publication.
## MITRE ATT&CK Mapping
The observed behaviour is a multi-stage execution chain (phishing attachment, obfuscated batch file, renamed copy of PowerShell, AES/GZip unpacking, in-memory .NET assembly) whose stages are built to keep the final payload off disk and out of reach of file-based controls.
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment
- *The chain starts with an archive attachment containing a batch file named to look like a PDF.*
- **TA0002 - Execution**
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- *Execution of the malicious .bat file.*
- T1059.001 - Command and Scripting Interpreter: PowerShell
- *The batch file hands off to a copied PowerShell binary (`-w hidden -c ...`).*
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- *The batch script is padded with junk code; the PowerShell stage reassembles identifiers from '@'-stuffed strings; the payload is AES-encrypted and GZip-compressed.*
- T1140 - Deobfuscate/Decode Files or Information
- *AES-CBC decryption followed by GZip decompression of the embedded blobs at run time.*
- T1036.003 - Masquerading: Rename System Utilities
- *`powershell.exe` is copied next to the batch file under the batch file's name with an `.exe` extension.*
- T1564.003 - Hide Artifacts: Hidden Window
- *PowerShell is launched with `-w hidden`.*
- T1620 - Reflective Code Loading
- *The decrypted assembly is loaded with `[System.Reflection.Assembly]::Load()` and invoked without being written to disk.*
## Functionality
### Core Capabilities
- **Payload Delivery:** Deployed via a multi-stage infection chain initiated by a batch file attachment in a phishing email.
- **Deobfuscation Logic (within the associated batch script):**
1. Strips the junk code padding the initial batch script.
2. Copies the PowerShell executable (`powershell.exe`) into the current directory under the batch file's own name with an `.exe` extension.
3. Runs that copy (PowerShell under a different name) with a hidden window (`powershell -w hidden -c ...`).
4. The PowerShell stage rebuilds identifiers by stripping '@' characters from stuffed strings (e.g., `Get-CurrentProcess`, `Load`), so the sensitive names never appear literally in the script.
5. It decrypts two distinct data blobs with AES (CBC, PKCS7), using a key and IV carried in the script itself.
6. The decrypted blobs are decompressed via `GZipStream`.
7. The decompressed data (the main malicious binary/dropper) is loaded in memory with `[System.Reflection.Assembly]::Load()` and executed via `Invoke`.
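As an added example (written for this summary, not code from the article or from the ScrubCrypt/Jlaive stub), steps 5 to 7 re-implemented the way an analyst runs them: AES-CBC/PKCS7 decryption and GZip decompression with the same .NET types the stub uses, but with the final `Assembly::Load()`/`Invoke` replaced by writing the stage to disk and reporting its size, an MZ-header check and its SHA-256. The key, IV, payload bytes and blob below are constructed so the script runs stand-alone; with a real sample you substitute the values lifted from the stub.

```powershell
# Added example, not the crypter's own code. Mirrors the stub's unpacking
# (AES-CBC, PKCS7, then GZip) but never executes the result.
# Key, IV and blob are CONSTRUCTED demo values, not from a real sample.

function Unprotect-ScrubCryptBlob {
    param(
        [Parameter(Mandatory)][byte[]]$CipherBytes,
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][byte[]]$IV,
        [Parameter(Mandatory)][string]$OutPath
    )
    # Same primitives the stub uses: AES, CBC mode, PKCS7 padding.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $dec = $aes.CreateDecryptor()
    $plainCompressed = $dec.TransformFinalBlock($CipherBytes, 0, $CipherBytes.Length)
    $dec.Dispose(); $aes.Dispose()

    # GZip decompress, as the stub does with GZipStream.
    $in  = New-Object System.IO.MemoryStream(,$plainCompressed)
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $gz.CopyTo($out)
    $gz.Dispose(); $in.Dispose()
    $payload = $out.ToArray()
    $out.Dispose()

    # Where the stub calls Assembly::Load()/Invoke, write the stage to disk instead.
    [System.IO.File]::WriteAllBytes($OutPath, $payload)
    $isPe = ($payload.Length -ge 2 -and $payload[0] -eq 0x4D -and $payload[1] -eq 0x5A)
    $sha  = (Get-FileHash -Path $OutPath -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{ Path = $OutPath; Bytes = $payload.Length; LooksLikePE = $isPe; Sha256 = $sha }
}

# --- Constructed test vector: build a blob the way the crypter would, then unpack it ---
# The "payload" is a fake MZ-prefixed byte string, not malware.
$key = [byte[]](1..32)        # 256-bit AES key, demo value
$iv  = [byte[]](101..116)     # 16-byte IV, demo value
$fakePayload = [System.Text.Encoding]::ASCII.GetBytes("MZ this stands in for the dropper")

$ms = New-Object System.IO.MemoryStream
$gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
$gz.Write($fakePayload, 0, $fakePayload.Length); $gz.Dispose()
$compressed = $ms.ToArray(); $ms.Dispose()

$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $key; $aes.IV = $iv
$enc  = $aes.CreateEncryptor()
$blob = $enc.TransformFinalBlock($compressed, 0, $compressed.Length)
$enc.Dispose(); $aes.Dispose()

# Stubs carry the blob as text inside the script; mirror that with Base64 here.
$blobB64 = [Convert]::ToBase64String($blob)

$outFile = Join-Path ([System.IO.Path]::GetTempPath()) 'stage_decrypted.bin'
Unprotect-ScrubCryptBlob -CipherBytes ([Convert]::FromBase64String($blobB64)) -Key $key -IV $iv -OutPath $outFile
```

Run it on a real stub by replacing `$key`, `$iv` and `$blobB64` with the values the script carries and calling `Unprotect-ScrubCryptBlob` once per blob; the `LooksLikePE` flag tells you which of the two blobs is the .NET assembly that would have gone to `Assembly::Load()`.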
### Advanced Features
- **Encryption Scheme:** AES in CBC mode with PKCS7 padding, followed by GZip decompression of the plaintext.
- **Code Loading:** The final decrypted payload is loaded straight into memory with `[System.Reflection.Assembly]::Load()`, so the final binary is never written to disk, which defeats file-based scanning.
- **Renamed Interpreter:** The batch script does not copy itself; it copies `powershell.exe` next to itself under the batch file's name with an `.exe` extension and runs that copy, so the hidden PowerShell process does not show up as `powershell.exe` in process listings.
## Indicators of Compromise
- File Hashes:
- `LEPRFQAV04,pdf.bat`: `04ce543c01a4bace549f6be2d77eb62567c7b65edbbaebc0d00d760425dcd578`
- `LEPRFQAV04,pdf.001` (Archive): `28d6b3140a1935cd939e8a07266c43c0482e1fea80c65b7a49cf54356dcb58bc`
- `scrubcrypt binary.bin`: `ad13c0c0dfa76575218c52bd2a378ed363a0f0d5ce5b14626ee496ce52248e7a`
- `xworm.bin` (Final Payload): `814187405811f7d0e9593ae1ddf0a43ccbd9e8a37bee7688178487eeef3860c6`
- File Names: `LEPRFQAV04,pdf.bat`
- Registry Keys: (Not specified in the provided context)
- Network Indicators: `hurricane[.]ydns[.]eu:2311` (C2 for Xworm RAT)
- Behavioral Indicators: Execution of obfuscated batch scripts leading to PowerShell execution with heavily encoded arguments; usage of native .NET reflection methods for in-memory code execution; apparent use of AMSI bypass techniques (implied by the presence of `amsi & etw.bin` sample).
## Associated Threat Actors
The direct threat actor leveraging ScrubCrypt is not named, but the payload delivered is the **Xworm RAT**. The tool itself (ScrubCrypt/Jlaive) is linked to the developer "Chash" on underground forums.
## Detection Methods
- Signature-based detection: Use the hashes above to catch the known stages. A crypter exists to produce fresh builds, so the hashes cover only this campaign's samples; the `.bat` stub in particular differs per build.
- Behavioral detection: Key on what the chain does rather than on the image name. The PowerShell stage runs from a copy of `powershell.exe` that carries the batch file's name, so match on the binary's PE metadata (original file name `PowerShell.EXE`) combined with an image path outside the Windows directory, a `cmd.exe` parent running a `.bat`, and `-w hidden` on the command line. Monitor for in-memory .NET assembly loading (`[System.Reflection.Assembly]::Load()`) and for GZip/AES decoding primitives in script block logs.
- YARA rules: (Not provided)
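The behavioral detection above, as an added example (not from the article): a PowerShell scoring function over Sysmon process-creation (Event ID 1) fields that keys on PE metadata, image location, parent and command line instead of the `powershell.exe` name. The two records at the bottom are constructed to show a benign launch beside one shaped like this chain; `Get-SysmonProcessCreate` is a small helper written here for pulling real records out of the Sysmon log, and the `Score`/`Alert` thresholds are a heuristic to tune, not a published rule.

```powershell
# Added example, not from the article. Scores Sysmon Event ID 1 records for the
# renamed-PowerShell pattern described in this report. Sample records are CONSTRUCTED.

function Test-ScrubCryptLaunch {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $reasons = @()
        $leaf = [System.IO.Path]::GetFileName($Record.Image)

        # PE version info still reads PowerShell.EXE after the file is copied and renamed.
        $isPowerShell = $Record.OriginalFileName -eq 'PowerShell.EXE'
        if ($isPowerShell -and $leaf -ne 'powershell.exe') {
            $reasons += "PowerShell running under a different name ($leaf)"
        }
        # The copy lives beside the batch file, not under Windows or Program Files.
        if ($isPowerShell -and $Record.Image -notmatch '^[A-Za-z]:\\(Windows|Program Files)') {
            $reasons += 'PowerShell image outside Windows/Program Files'
        }
        # -w hidden / -windowstyle hidden, with the abbreviations PowerShell accepts.
        if ($Record.CommandLine -match '(?i)-w(?:indowstyle)?\s+h(?:id(?:den)?)?\b') {
            $reasons += 'hidden window requested'
        }
        # Decoding and in-memory loading primitives on the command line itself.
        if ($Record.CommandLine -match '(?i)Reflection\.Assembly\]?::Load|FromBase64String|GZipStream') {
            $reasons += 'in-memory loading / decoding primitives on the command line'
        }
        # Spawned by cmd.exe processing a .bat, as in this chain.
        if ($Record.ParentImage -match '(?i)\\cmd\.exe$' -and $Record.ParentCommandLine -match '(?i)\.bat\b') {
            $reasons += 'parent is cmd.exe running a .bat'
        }
        [pscustomobject]@{
            Image   = $Record.Image
            Score   = $reasons.Count
            Alert   = ($reasons.Count -ge 3)
            Reasons = ($reasons -join '; ')
        }
    }
}

# Helper (written here): flatten live Sysmon process-creation events into the fields used above.
function Get-SysmonProcessCreate {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]$d
        }
}

# --- Constructed records (field names follow Sysmon EventData) ---
$samples = @(
    [pscustomobject]@{   # benign admin use
        Image             = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        OriginalFileName  = 'PowerShell.EXE'
        CommandLine       = 'powershell.exe -NoProfile -File C:\ops\backup.ps1'
        ParentImage       = 'C:\Windows\explorer.exe'
        ParentCommandLine = 'C:\Windows\explorer.exe'
    },
    [pscustomobject]@{   # shape of the chain in this report (command line abbreviated)
        Image             = 'C:\Users\victim\Downloads\LEPRFQAV04,pdf.exe'
        OriginalFileName  = 'PowerShell.EXE'
        CommandLine       = '"LEPRFQAV04,pdf.exe" -w hidden -c "... [System.Reflection.Assembly]::Load(...) ..."'
        ParentImage       = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'C:\Windows\system32\cmd.exe /c ""C:\Users\victim\Downloads\LEPRFQAV04,pdf.bat" "'
    }
)

$samples | Test-ScrubCryptLaunch | Format-Table -AutoSize
# Live use: Get-SysmonProcessCreate | Test-ScrubCryptLaunch | Where-Object Alert
```

The benign record scores 0; the second scores 5 (renamed, outside Windows, hidden, `Assembly::Load` on the command line, `.bat` parent). Keying on `OriginalFileName` is what makes the first two checks survive the rename; a rule that only looks for `powershell.exe` in the image path sees nothing.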
## Mitigation Strategies
- **Email Security:** Filter attachments such as split archives (`.001`) and any archive containing batch scripts; the lure here used a PDF-looking name (`LEPRFQAV04,pdf.bat`) to pass as a document.
- **Application Control:** Block batch scripts and PowerShell from user-writable directories. A path-based rule also catches the renamed copy of `powershell.exe`, since it is dropped beside the batch file; a publisher-only rule would not, because the copy is still a Microsoft-signed binary.
- **Endpoint Detection & Response (EDR):** Alert on the sequence: archive attachment extracted, `cmd.exe` running a `.bat`, a copy of PowerShell launched hidden from the same directory, followed by in-memory assembly loading or outbound connections to unfamiliar hosts (here `hurricane[.]ydns[.]eu:2311`).
- **PowerShell Logging:** Enable Module Logging and Script Block Logging so the reconstructed function names and the decryption/decompression calls are captured after deobfuscation; the renamed copy produces these logs too, since logging is a property of the PowerShell engine, not of the file name.
## Related Tools/Techniques
- **Base Tool:** Jlaive Crypter (ScrubCrypt is a rebranding of this).
- **Final Payload:** Xworm RAT (Windows Remote Access Trojan).
- **Deobfuscation/Bypass Techniques referenced:** AMSI Bypass POCs (e.g., RastaMouse), ETW hiding techniques.
- **Deobfuscation Tools:** De4Dot (suggested for analyzing the final payload).