Encrypt, Hide and Sleep

Badgers are asynchronous: each one connects back to the Ratel server at a user-provided interval. The sleep command takes a sleep time and an optional jitter (a percentage) that randomises the check-in time used by the badger. With a jitter value, the badger sleeps for the base time plus or minus a random offset of up to that percentage of the base. For example, sleep 30 40 yields a sleep of 30s +/- a random value between 0 and 12s (40% of 30), so consecutive check-ins land anywhere from 18 to 42 seconds apart.
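The following is an added example, not Brute Ratel C4 code. It models the sleep/jitter rule above (assuming the jitter is applied symmetrically as a percentage of the base sleep) and shows the flip side a defender cares about: because the window is symmetric around the base sleep, the spread of observed check-in intervals gives away both the sleep and the jitter setting. The xorshift PRNG and the seed are constructed for determinism; names such as `sleep_window` and `estimate_settings` are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Added example, not badger code. Assumes "sleep <s> <jitter%>" means a
 * uniform offset in [-spread, +spread] with spread = s * jitter / 100. */

typedef struct { double lo, hi; } window_t;
typedef struct { double sleep_s, jitter_pct; } settings_t;

/* The interval the badger will choose from for a given sleep/jitter pair. */
window_t sleep_window(double sleep_s, double jitter_pct) {
    double spread = sleep_s * jitter_pct / 100.0;
    window_t w = { sleep_s - spread, sleep_s + spread };
    if (w.lo < 0.0) w.lo = 0.0;   /* a negative sleep makes no sense */
    return w;
}

/* Tiny deterministic PRNG so the demo is reproducible (constructed). */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* One randomised interval: base sleep plus a uniform offset in [-spread, +spread]. */
double jittered_sleep(double sleep_s, double jitter_pct, uint32_t *rng) {
    double spread = sleep_s * jitter_pct / 100.0;
    double u = (double)xorshift32(rng) / 4294967295.0;   /* [0, 1] */
    double t = sleep_s + (2.0 * u - 1.0) * spread;
    return t < 0.0 ? 0.0 : t;
}

/* Fill out[] with n consecutive check-in intervals; returns 1 if every one
 * fell inside the predicted window (the property the operator relies on). */
int simulate_checkins(double sleep_s, double jitter_pct, double *out, size_t n, uint32_t seed) {
    window_t w = sleep_window(sleep_s, jitter_pct);
    uint32_t rng = seed ? seed : 1;   /* xorshift must not start at zero */
    int ok = 1;
    for (size_t i = 0; i < n; i++) {
        out[i] = jittered_sleep(sleep_s, jitter_pct, &rng);
        if (out[i] < w.lo - 1e-9 || out[i] > w.hi + 1e-9) ok = 0;
    }
    return ok;
}

/* Defender side: from observed intervals between check-ins, the midpoint
 * of the min/max spread is the base sleep and the half-width over the base
 * is the jitter percentage. */
settings_t estimate_settings(const double *iv, size_t n) {
    double lo = iv[0], hi = iv[0];
    for (size_t i = 1; i < n; i++) {
        if (iv[i] < lo) lo = iv[i];
        if (iv[i] > hi) hi = iv[i];
    }
    settings_t s;
    s.sleep_s = (lo + hi) / 2.0;
    s.jitter_pct = s.sleep_s > 0.0 ? (hi - lo) / 2.0 / s.sleep_s * 100.0 : 0.0;
    return s;
}

int main(void) {
    double iv[2000];
    window_t w = sleep_window(30, 40);
    int ok = simulate_checkins(30, 40, iv, 2000, 0xC0FFEE);
    settings_t s = estimate_settings(iv, 2000);
    printf("sleep 30 40 -> window [%.0f, %.0f] s, all samples inside: %s\n",
           w.lo, w.hi, ok ? "yes" : "no");
    printf("defender estimate from 2000 intervals: sleep ~%.1f s, jitter ~%.0f%%\n",
           s.sleep_s, s.jitter_pct);
    return 0;
}
```

The estimator needs enough samples to have seen both edges of the window; with a handful of beacons it will underestimate the jitter, which is one reason long sleeps with high jitter are harder to fingerprint from timing alone.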

The Badger uses several anti-detection sleeping techniques: it avoids the usual Sleep API, converts the RX region to RW and encrypts it for the duration of the sleep, and drives the sleep with wait timers and ROP gadgets. A more detailed explanation of sleep encryption was posted with the v0.7 release. While a badger is sleeping, all of its tasks are paused, including pivot connections.
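The block below is an added example and is not Brute Ratel's implementation. It shows only the memory-state half of sleep masking on a POSIX host: the page holding the "implant" code is RX while running and, for the sleep, is re-mapped RW and XOR-encrypted in place, so a scanner walking executable regions finds no executable bytes and a scanner dumping the region reads ciphertext. The timer/ROP part described above is replaced by a plain nanosleep, the "implant" is a constructed stub that returns 42, and the XOR key, the stub bytes and all function names are assumptions for the demo.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
#include <time.h>

/* Added example, not badger code. Constructed stub: a function that returns 42. */
#if defined(__x86_64__)
static const uint8_t STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };               /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };   /* mov w0,#42 ; ret */
#else
#error "demo stub provided for x86-64 and aarch64 only"
#endif

/* Constructed per-sleep key; every byte non-zero so no code byte survives XOR. */
static const uint8_t DEMO_KEY[16] = { 0x9f,0x3c,0x51,0xe2,0x77,0xa8,0x1d,0xc4,
                                      0x66,0xb3,0x2a,0xf9,0x05,0xd8,0x4b,0x17 };

typedef int (*stub_fn)(void);
typedef struct { uint8_t *base; size_t len; uint8_t key[16]; int encrypted; } region_t;

static void xor_region(region_t *r) {
    for (size_t i = 0; i < r->len; i++) r->base[i] ^= r->key[i % sizeof r->key];
}

/* Map one RW page, copy the code in, then flip to RX (never writable+executable). */
int region_create(region_t *r, const uint8_t *code, size_t code_len) {
    r->len = (size_t)sysconf(_SC_PAGESIZE);
    r->base = mmap(NULL, r->len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r->base == MAP_FAILED || code_len > r->len) return -1;
    memcpy(r->base, code, code_len);
    r->encrypted = 0;
    return mprotect(r->base, r->len, PROT_READ | PROT_EXEC);
}

/* Enter the sleep state: RX -> RW, then encrypt in place. Refuses to double-mask. */
int region_mask(region_t *r, const uint8_t key[16]) {
    if (r->encrypted) return -1;
    if (mprotect(r->base, r->len, PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(r->key, key, sizeof r->key);
    xor_region(r);
    r->encrypted = 1;
    return 0;
}

/* Leave the sleep state: decrypt, wipe the key, flush icache, RW -> RX. */
int region_unmask(region_t *r) {
    if (!r->encrypted) return -1;
    xor_region(r);
    memset(r->key, 0, sizeof r->key);
    __builtin___clear_cache((char *)r->base, (char *)r->base + r->len);
    r->encrypted = 0;
    return mprotect(r->base, r->len, PROT_READ | PROT_EXEC);
}

/* 1 if the mapping currently holds the plaintext code (what a memory dump would see). */
int region_holds_code(const region_t *r, const uint8_t *code, size_t code_len) {
    return memcmp(r->base, code, code_len) == 0;
}

int call_stub(const region_t *r) {
    stub_fn f;
    memcpy(&f, &r->base, sizeof f);   /* data pointer -> function pointer without a cast warning */
    return f();
}

/* Full cycle: run, mask, sleep, unmask, run again. Returns 1 on success. */
int masked_sleep_cycle(unsigned sleep_ms) {
    region_t r;
    if (region_create(&r, STUB, sizeof STUB) != 0) return 0;
    if (call_stub(&r) != 42) return 0;                        /* awake: code executes */
    if (region_mask(&r, DEMO_KEY) != 0) return 0;
    if (region_holds_code(&r, STUB, sizeof STUB)) return 0;   /* asleep: only ciphertext */
    struct timespec ts = { sleep_ms / 1000, (sleep_ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);                                     /* stand-in for the timer/ROP sleep */
    if (region_unmask(&r) != 0) return 0;
    int ok = region_holds_code(&r, STUB, sizeof STUB) && call_stub(&r) == 42;
    munmap(r.base, r.len);
    return ok;
}

int main(void) {
    printf("masked sleep cycle: %s\n", masked_sleep_cycle(50) ? "ok" : "FAILED");
    return 0;
}
```

The region is never mapped writable and executable at the same time, which is what a W^X-style scanner or an RWX hunt would otherwise flag; what this demo cannot hide is the thread that is parked in nanosleep with a return address into the caller, which is exactly the gap the timer, ROP and stack-spoofing techniques on this page exist to close.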

Since the v1.1 release, the ‘obfsleep’ command can switch between three distinct sleep masking techniques on the fly. The video below gives a quick demonstration of hiding the RX region and spoofing the thread's stack and start address in memory.

The ‘start_address’ command specifies the spoofed start address used by the APC-based sleep masking. The figure below compares the thread stack of a badger with that of a legitimate Windows process; there is no visible difference between them.