Cassandra: a cryptor who likes to keep a low profile

No attacker wants their tools to be discovered and exposed ahead of time, so as a rule malicious programs are never distributed in their pure form. For example, a user received a phishing email purporting to come from a well-known transport company, asking them to check the documents in the attachment. Such emails are quite often the start of an attack, and so it was this time. Inside the archive was an executable built with Cassandra Crypter, a popular cryptor whose payload can be any of various malware families. Alexey Chekhov, analyst at CERT-GIB, explains how Cassandra gets onto the victim's computer and what other intruders it brings with it.

Cassandra’s work can be roughly divided into two stages. In the first stage, a helper library is loaded, which extracts the main part of the cryptor from the source file. On the second, the cryptor reveals its full potential.

First stage

Cassandra masquerades as a legitimate application. The entry point contains the standard launch function for Windows Forms applications.

The form constructor also looks standard, no different from a legitimate application.

Detailed analysis revealed a call to a function `aaa()` that contains the malicious functionality. Calling it decrypts and loads an auxiliary DLL.

The AES algorithm is used for decryption.

After the auxiliary DLL is loaded, one of its functions is called; as a result the second stage of the cryptor is obtained and launched.

The second stage is stored, encrypted, inside an image embedded in the original assembly.

Decryption is a XOR operation; the key is the first 16 bytes of the original image.

In the first stage the attackers use almost no anti-analysis or anti-debugging techniques, apart from obfuscating the auxiliary library.

Second stage

The second stage is a .NET Framework executable.

Config file

The configuration class of the second stage contains the following fields (captions of the decompiled code):

  • The key used in the first stage of payload decryption

  • The field containing the decrypted payload

  • The field containing the raw (unparsed) config:

“0 || 0 || 0 || 0 || 0 |||||| 0 || 0 || 0 || 0 |||||||||||||| 0 || 0 || 0 || 0 || 0 || 0 || 0 || 0 || v2 || 0 || 3046 || 0 || 0 |||||| 0 || 0 || 0 |||| “

  • The field containing the prepared (parsed) config

  • Field containing the injection-type flag

  • Field containing the persistence flag

  • Field containing the name of the file after it is persisted in the system

  • Field containing the name of the mutex

  • Unused field

  • Field indicating whether the downloader is used

  • Field containing the path to the downloaded file

  • Field containing the link to the payload

  • Field containing information about the use of the Anti-VM / Sandbox function that searches

  • Field indicating whether the Anti-VM / Sandbox function that searches for strings in the file path is used

  • Unused field

  • Unused field

  • Field indicating whether the fake MessageBox is used

  • Fake MessageBox header text

  • Fake MessageBox text

  • Fake MessageBox button information

  • Fake MessageBox icon information

  • The number of seconds that the application will be inactive

  • The function that parses the configuration file


The payload is stored encrypted inside the cryptor. Decryption takes place in two stages:

1. In a loop, each byte of the ciphertext is XORed with the key byte and with the value obtained by XORing the last byte of the ciphertext with 112. The resulting values are stored in a newly created array. The key for this stage is taken from the configuration.

2. Decryption is then performed in the same way as in the first stage of the cryptor: a XOR operation whose key is the first 16 bytes of the array produced in step 1.
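The following is an added example, not code from the article or from the cryptor itself: an analyst's reconstruction in Python of the config splitting and the two-stage XOR decryption described above, so that the scheme can be checked against a dumped sample. The raw config string is the one printed in the article; the "||" delimiter, the cycling of the stage-1 key over the buffer, and the exclusion of the 16-byte key prefix from the stage-2 output are assumptions made here, as are the sample ciphertext bytes.

```python
"""Reconstruction of the Cassandra config split and two-stage XOR payload
decryption as described in the article. Added example; assumptions are
marked in the comments."""

# Raw config string as printed in the article (copied verbatim, trailing blank kept).
RAW_CONFIG = ("0 || 0 || 0 || 0 || 0 |||||| 0 || 0 || 0 || 0 |||||||||||||| 0 || 0 || 0 || 0 "
              "|| 0 || 0 || 0 || 0 || v2 || 0 || 3046 || 0 || 0 |||||| 0 || 0 || 0 |||| ")


def parse_config(raw: str) -> list:
    """Split the config into fields. Assumption: '||' is the delimiter and empty
    fields are meaningful positions, so they are kept rather than dropped."""
    return [field.strip() for field in raw.split("||")]


def non_default_fields(fields: list) -> list:
    """Return (index, value) for every field that is neither empty nor '0';
    these are the only positions an analyst needs to map to the field list."""
    return [(i, v) for i, v in enumerate(fields) if v not in ("", "0")]


def decrypt_stage1(cipher: bytes, key: bytes) -> bytes:
    """Stage 1: each ciphertext byte XOR key byte XOR (last ciphertext byte XOR 112).
    Assumption: the key cycles over the buffer and every byte is processed."""
    if not cipher or not key:
        raise ValueError("empty ciphertext or key")
    constant = cipher[-1] ^ 112
    return bytes(c ^ key[i % len(key)] ^ constant for i, c in enumerate(cipher))


def xor_with_16_byte_prefix(buf: bytes) -> bytes:
    """Stage 2 (and, per the article, the first-stage image decryption): XOR the
    data with its own first 16 bytes, cycling the key. Assumption: the key prefix
    is not part of the output."""
    if len(buf) < 16:
        raise ValueError("buffer shorter than the 16-byte key")
    key, body = buf[:16], buf[16:]
    return bytes(b ^ key[i % 16] for i, b in enumerate(body))


def decrypt_payload(cipher: bytes, key: bytes) -> bytes:
    """Full two-stage decryption as described in the article."""
    return xor_with_16_byte_prefix(decrypt_stage1(cipher, key))


if __name__ == "__main__":
    fields = parse_config(RAW_CONFIG)
    print(len(fields), "fields; non-default:", non_default_fields(fields))
    # Constructed ciphertext: last byte 0x70 makes the stage-1 constant zero,
    # so the effect of stage 2 alone is visible in the output.
    sample = bytes(range(16)) + b"ab\x70"
    print(decrypt_payload(sample, b"\x00"))  # constructed input, prints b'acr'
```

Running the script on a real dump means replacing `RAW_CONFIG` and `sample` with the strings and bytes pulled from the decompiled fields; if the output is not a valid PE, the first assumption to revisit is whether the stage-1 key really cycles.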

Persistence in the system

Persistence is achieved by creating a scheduled task. The file is copied to AppData\{file name specified in the config}.exe; after that the original file is deleted and a task is created to run the copy.
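From the defender's side, the sequence above (an executable written under AppData, then a task created that points at it) is easy to correlate in endpoint telemetry. The following is an added example, not from the article or the cryptor: a small check over constructed Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate). The schtasks.exe command-line form, the 60-second window and the file names are assumptions made here; the cryptor may equally create the task through the Task Scheduler API.

```python
"""Correlate an .exe dropped under AppData with a scheduled-task creation that
references it. Added example over constructed events; not the article's code."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Field names follow Sysmon.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 11,
     "image": r"C:\Users\u\Downloads\Documents.exe",
     "target": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"time": "2024-01-01T10:00:03", "id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\u\Downloads\Documents.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "C:\Users\u\AppData\Roaming\svchost.exe" /sc minute /mo 1'},
    # Benign task creation from an installer-like path: must not be flagged.
    {"time": "2024-01-01T11:00:00", "id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
]

# An executable written anywhere below a user's AppData directory.
APPDATA_EXE = re.compile(r"\\AppData\\.*\.exe$", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # assumption: copy and task creation are close in time


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def find_persistence_chains(events: list) -> list:
    """Return (file_event, task_event) pairs where an .exe was created under
    AppData and, within WINDOW afterwards, schtasks /create referenced that path."""
    drops = [e for e in events if e["id"] == 11 and APPDATA_EXE.search(e["target"])]
    tasks = [e for e in events
             if e["id"] == 1
             and e["image"].lower().endswith("schtasks.exe")
             and "/create" in e["cmdline"].lower()]
    hits = []
    for drop in drops:
        for task in tasks:
            delta = _ts(task) - _ts(drop)
            if drop["target"].lower() in task["cmdline"].lower() and timedelta(0) <= delta <= WINDOW:
                hits.append((drop, task))
    return hits


if __name__ == "__main__":
    for drop, task in find_persistence_chains(EVENTS):
        print("persistence chain:", drop["target"], "->", task["cmdline"])
```

The correlation key is the dropped path appearing in the task's command line; pairing the two events is what separates this pattern from legitimate software that also registers tasks, as the benign third event shows.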


The anti-VM function searches for virtual video adapters and for registry keys specific to virtual machines.


Three anti-sandbox functions are implemented:

  • Isolated-environment detection. The function checks the path to the executable file and looks for specific strings in it, such as \VIRUS, SAMPLE, SANDBOX, etc. It also looks for a window specific to WindowsJail and for the SbieDll.dll library loaded into the process.

  • Sandbox evasion by timeout, implemented with the standard Sleep procedure.

  • Sandbox evasion through user interaction, implemented by showing a fake MessageBox.

Restart protection

Implemented by creating a named mutex in the system.



A function for downloading the payload from the network is also implemented.

Payload launch

There are two options for launching the payload:

1. Loading it into memory using .NET Framework functions.

2. Injecting the payload into a running process; there are several candidate processes to choose from.

At the moment Cassandra is a fairly common type of cryptor. As a rule, cybercriminals use it in mass mailings in order to launch malware on a user's machine unnoticed. Cassandra allows even well-studied malware families to be run this way.
