type: analysis | family: sunwukong | confidence: medium | tags: pe, malware-family, compiler, obfuscation, evasion, signing, c2
SHA-256: fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce

sunwukong: fa16b64ae95d — MSVC x64 masquerade with semantic export obfuscation and PEB-walking API resolution

Executive Summary

A 1.4 MiB x64 PE executable (sunwukongs.exe) built with MSVC 14.50, compile timestamp May 2026. It carries an elaborate masquerade: an Authenticode signature under an "Erdman Group" certificate, version info claiming to be "1080p protocol Business Suite", and a 503-entry export table filled with machine-generated ML/networking jargon (e.g., BackoffExtrapolate, CorruptTurbulence, TokenizeDrag). It has no IAT imports at all; APIs are resolved at runtime by walking the PEB module list and matching export-name hashes, after which an environment check runs at entry. No CAPE detonation data exists; every statement here is static.

What It Is

Field          Value
SHA-256        fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce
Filename       sunwukongs.exe ^[metadata.json]
File type      PE32+ executable (GUI) x86-64, 7 sections ^[file.txt]
Size           1,512,656 bytes ^[metadata.json]
Compiler       MSVC 14.50 (LinkerVersion 0x0E.0x32 = 14.50) ^[rabin2-info.txt]
Compile time   Thu May 21 18:52:05 2026 UTC ^[pefile.txt:34]
Subsystem      Windows GUI ^[file.txt]
Signed         Yes: Authenticode PKCS#7, leaf CN "Erdman Group" (GB) ^[binwalk.txt:10-14]
IAT imports    None (IMAGE_DIRECTORY_ENTRY_IMPORT VirtualAddress = 0) ^[pefile.txt:223-224]
Exports        503 names pointing to ~21 unique RVAs (0x2C990-0x2CAE0) ^[pefile.txt:338-500]

How It Works

The binary uses the classic "no-imports" stub pattern. On entry ^[r2:entry0] it first seeds a small XOR-based PRNG (FUN_140001000, a shuffle seeded from 0x12345678) ^[ghidra:FUN_140001000], then calls the checker routine FUN_14002d060 ^[ghidra:FUN_14002d060].

FUN_14002d060 performs three steps:

  1. PEB module walk: FUN_14002cc30 reads gs:[0x60] (the PEB on x64 Windows) and walks PEB->Ldr->InMemoryOrderModuleList to locate ntdll.dll and kernel32.dll ^[ghidra:FUN_14002cc30].
  2. API resolution by hash: two hardcoded 32-bit hashes (0xd011d5fc, 0x97f7a6ce) are compared by FUN_14002ccf0 against hashes of the export names of the located modules. The hash algorithm itself was not identified, so the target APIs are inferred from call shape only: a first call that returns a handle-sized integer, then a second call taking that value, an information class (0x5a or 0x59), a buffer pointer, and a length of 4. That (handle, class, buffer, length) shape fits a NtQueryInformationProcess-style query and would also fit NtSetInformationThread; it does not fit CheckRemoteDebuggerPresent, which takes only a handle and a BOOL pointer. Treat the exact names as a hypothesis until the two hashes are resolved.
  3. Environment check: the query is issued twice, with information-class values 0x5a (90) and 0x59 (89). The returned 4-byte results are hashed (FUN_14002cda0) and compared with four hardcoded constants: 0xbd98a9e5, 0x42b21a5a, 0x262b0ca7, 0x73baf0f5. Two literal PID values, 0x419 (1049) and 0x423 (1059), are also accepted as sentinel parent PIDs. On any match the function returns 1 and entry proceeds.

Read literally, this is a parent-process / debugger / sandbox gate, and the four constants are probably hashes of process names. Note the polarity, though: as decompiled, a match is what lets execution continue. That fits an allow-list of expected environments (an environment-keying check) better than a blocklist of analysis tools, where a match would be expected to abort. Confirm the sense of the return value in the caller before labelling the constants as analysis-tool names.
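The two API hashes and four check constants above were not resolved on this page, and FUN_14002ccf0's algorithm was not identified. The script below is an added example, not tooling from the analysis or code from the sample: it tries the hash families most often seen in PEB-walking stubs (ROR13, DJB2, SDBM, FNV-1a, CRC32) over a constructed candidate list and reports any constant that matches. The candidate names and case/terminator variants are assumptions; in practice you would feed it a full ntdll/kernel32 export dump and, once the decompiled routine is understood, replace the table of algorithms with a faithful port of it. Metasploit-style hashes that fold the module name into the function hash are not covered here.

```python
import zlib

MASK = 0xFFFFFFFF


def ror13(name: bytes) -> int:
    """Classic shellcode hash: h = ror32(h, 13) + byte, for every byte."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & MASK
        h = (h + c) & MASK
    return h


def djb2(name: bytes) -> int:
    h = 5381
    for c in name:
        h = (h * 33 + c) & MASK
    return h


def sdbm(name: bytes) -> int:
    h = 0
    for c in name:
        h = (c + (h << 6) + (h << 16) - h) & MASK
    return h


def fnv1a32(name: bytes) -> int:
    h = 0x811C9DC5
    for c in name:
        h = ((h ^ c) * 0x01000193) & MASK
    return h


def crc32(name: bytes) -> int:
    return zlib.crc32(name) & MASK


ALGOS = {"ror13": ror13, "djb2": djb2, "sdbm": sdbm, "fnv1a32": fnv1a32, "crc32": crc32}


def variants(name: str):
    """Spellings a resolver loop might actually hash (assumed, not observed)."""
    yield name.encode()
    yield name.encode() + b"\0"      # loops that fold the NUL terminator in
    yield name.upper().encode()
    yield name.lower().encode()


def find_matches(targets, candidates):
    """Return {target: [(algo, candidate, hashed_bytes), ...]} for every hit."""
    hits = {t: [] for t in targets}
    for name in candidates:
        for v in variants(name):
            for algo_name, fn in ALGOS.items():
                h = fn(v)
                if h in hits:
                    hits[h].append((algo_name, name, v))
    return hits


# Constants lifted from the page: two API-name hashes, four check constants.
API_HASHES = {0xD011D5FC, 0x97F7A6CE}
CHECK_HASHES = {0xBD98A9E5, 0x42B21A5A, 0x262B0CA7, 0x73BAF0F5}

# Constructed candidate list: APIs that fit the observed call shape plus a few
# process names. Extend from a real export dump before drawing conclusions.
CANDIDATES = [
    "NtQueryInformationProcess", "NtQuerySystemInformation", "NtSetInformationThread",
    "GetCurrentProcess", "OpenProcess", "CheckRemoteDebuggerPresent", "IsDebuggerPresent",
    "x64dbg.exe", "windbg.exe", "procmon.exe", "ida64.exe", "wireshark.exe", "explorer.exe",
]

if __name__ == "__main__":
    for target, found in find_matches(API_HASHES | CHECK_HASHES, CANDIDATES).items():
        print(f"{target:#010x}: {found or 'no match with these algorithms/candidates'}")
```

A miss across all five families is itself informative: it usually means a custom hash, a seed, or a module-name prefix, all of which are quick to confirm from the decompiled loop in FUN_14002ccf0.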

The export table is unusual: 503 names that mix machine-learning terms (Perplexity, CrossEntropy, Softmax, Gradient, Backprop), networking jargon (PacketLoss, Bandwidth, TTL, Latency, DSCP), and UI/game-engine terms (Rigidbody, Navmesh, Collider, Kinematic, Animation, Viewport). Every name resolves to one of only ~21 tiny thunk stubs (16-32 bytes each). The padding appears designed to defeat signature-based detection and slow manual analysis by presenting the veneer of a large, plausible software project; a names-to-unique-RVA ratio this skewed is itself a usable triage signal.
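To turn that ratio into a repeatable check, here is an added example (not part of the original triage tooling) that parses IMAGE_EXPORT_DIRECTORY straight from a PE file without pefile and flags the "hundreds of names, a handful of addresses" profile. Because the sample cannot ship with the page, the example also constructs a minimal PE32+ image with a 503-name / 21-stub export table shaped like the one observed; the vocabulary, RVAs, section layout and the thresholds in looks_padded are assumptions chosen to mirror the reported numbers.

```python
import itertools
import struct


def _rva_to_off(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data):
    """Return [(name, function_rva), ...] from a raw PE file (PE32 or PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
    sections = []
    for i in range(nsec):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return []
    eo = _rva_to_off(exp_rva, sections)
    nfunc, nnames, afunc, anames, aords = struct.unpack_from("<IIIII", data, eo + 20)
    funcs = struct.unpack_from(f"<{nfunc}I", data, _rva_to_off(afunc, sections))
    names = struct.unpack_from(f"<{nnames}I", data, _rva_to_off(anames, sections))
    ords = struct.unpack_from(f"<{nnames}H", data, _rva_to_off(aords, sections))
    return [(_cstr(data, _rva_to_off(n, sections)), funcs[o]) for n, o in zip(names, ords)]


def export_stats(exports):
    names = len(exports)
    unique = len({rva for _, rva in exports})
    return {"names": names, "unique_rvas": unique, "ratio": (unique / names) if names else 0.0}


def looks_padded(stats, min_names=400, max_ratio=0.1):
    """Triage heuristic (assumed thresholds): many names collapsing onto few addresses."""
    return stats["names"] >= min_names and stats["ratio"] <= max_ratio


# Constructed vocabulary mirroring the three jargon families seen in the sample.
VOCAB = ["Backoff", "Extrapolate", "Corrupt", "Turbulence", "Tokenize", "Drag",
         "Perplexity", "Cancel", "CrossEntropy", "Revoke", "Pinch", "Softmax",
         "Gradient", "Backprop", "PacketLoss", "Bandwidth", "Latency", "DSCP",
         "Rigidbody", "Navmesh", "Collider", "Kinematic", "Animation", "Viewport"]


def make_fake_exports(count=503, stubs=21, base=0x2C990):
    """Constructed export set shaped like the sample: two-word names, 16-byte stubs."""
    names = [a + b for a, b in itertools.permutations(VOCAB, 2)][:count]
    return [(n, base + (i % stubs) * 0x10) for i, n in enumerate(names)]


def build_sample_image(exports):
    """Constructed minimal PE32+ with one .rdata section carrying the export table."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    n = len(exports)
    funcs_off, names_off = 40, 40 + 4 * n
    ords_off, str_off = names_off + 4 * n, names_off + 6 * n
    strings, name_rvas = bytearray(b"sample.dll\0"), []
    for name, _ in exports:
        name_rvas.append(SEC_VA + str_off + len(strings))
        strings += name.encode() + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, SEC_VA + str_off, 1, n, n,
                                 SEC_VA + funcs_off, SEC_VA + names_off, SEC_VA + ords_off))
    body += struct.pack(f"<{n}I", *(rva for _, rva in exports))
    body += struct.pack(f"<{n}I", *name_rvas)
    body += struct.pack(f"<{n}H", *range(n))          # ordinal i -> funcs[i]
    body += strings
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # Section/File alignment
    struct.pack_into("<II", opt, 56, SEC_VA + raw_size, SEC_RAW)  # SizeOfImage/Headers
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, SEC_VA, len(body))  # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SEC_VA, raw_size, SEC_RAW,
                      0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(SEC_RAW, b"\0")
    return bytes(headers + body.ljust(raw_size, b"\0"))


if __name__ == "__main__":
    stats = export_stats(parse_exports(build_sample_image(make_fake_exports())))
    print(stats, "padded" if looks_padded(stats) else "normal")
```

Run it against the real file by replacing build_sample_image(...) with open(path, "rb").read(); the same parse_exports/export_stats pair works on any PE, and the thresholds can be tuned against a corpus of clean DLLs before being used in YARA-adjacent triage.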

C2 Infrastructure

No hardcoded C2 infrastructure was found statically: no URLs, IPs, mutexes, named pipes, or registry keys in strings, .data, or .rsrc. Given the near-maximal entropy of .data (see Interesting Tidbits), any C2 configuration is most likely decoded at runtime, or deferred to a second-stage payload.

Interesting Tidbits

  • Fake company identity: "Erdman Group" (GB, Cambridgeshire) with email admin@erdmangroup.global and a purported government CA ("Erdman Group Government CA"). The embedded chain claims to reach DigiCert Assured ID Root CA through cross-signed intermediates, but the chain inside a PKCS#7 blob is self-asserted and the triage output does not record whether the signature actually verifies, so "signed" here means "carries a signature blob", not "trusted". The TimeDateStamp associated with the certificate entry is 0xFFFFFFFF (2106-02-07), an invalid value that points to tampering or a signer error. ^[pefile.txt:327] ^[binwalk.txt:10-14]
  • Version info as lure: "1080p protocol Business Suite" with OriginalFilename 1080pprotocol_1695.exe — masquerades as a video/screen-capture utility. ^[exiftool.json:36-44]
  • High-entropy .data section: Section .data entropy = 7.98 (near maximum of 8.0), indicating encrypted or compressed payload material. ^[pefile.txt:131]
  • No Go / Python / .NET runtime artifacts: Not a Go binary (no runtime.go, build IDs, or module paths). Not PyInstaller. Pure C/MSVC compiled code. ^[strings.txt]
  • PEB-walking with no "PEB" string: the string does not appear anywhere; the technique is visible only in code, as the gs:[0x60] read. ^[strings.txt]
  • Capa: Failed to run because signatures were not installed; no capability coverage from this tool. ^[capa.txt]

How To Mess With It (Homelab Replication)

Toolchain: Visual Studio 2022 (MSVC 14.50), x64 Release, /SUBSYSTEM:WINDOWS.

  1. Linker: build with /NODEFAULTLIB and /ENTRY set to your own entry function (not the CRT's mainCRTStartup, which drags in CRT imports), and compile with /GS- so no stack-cookie CRT symbol is referenced. That is what keeps the IAT empty.
  2. Export padding: write a small Python script that generates 500+ export names by combining random terms from ML, networking, and game-dev vocabularies, and export them all (via a .def file) onto a handful of ret stubs. Build as a DLL or an EXE with exports.
  3. API resolution: implement the PEB64 walk (gs:[0x60]), hash export names with DJB2 or ROR13, and resolve the Nt* and Win32 APIs at runtime.
  4. Checker: call NtQuerySystemInformation / NtQueryInformationProcess with the chosen information classes, hash the first 4 bytes of the returned buffer, and compare against hardcoded values for specific process names.

Deployable Signatures

YARA Rule

import "pe"

rule sunwukong_semantic_export_obfuscation {
    meta:
        description = "Sunwukong-style semantic export obfuscation and masquerade"
        author = "PacketPursuit SOC"
        date = "2026-05-30"
        hash = "fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce"
    strings:
        $ver1 = "1080p protocol Business Suite" ascii wide
        $ver2 = "Erdman Group" ascii wide
        $ver3 = "1080pprotocol_1695.exe" ascii wide
        $exp1 = "BackoffExtrapolate" ascii
        $exp2 = "PerplexityCancel" ascii
        $exp3 = "CorruptTurbulence" ascii
        $exp4 = "TokenizeDrag" ascii
        $exp5 = "CrossEntropyRevokePinch" ascii
    condition:
        uint16(0) == 0x5A4D and
        pe.is_pe and
        pe.machine == pe.MACHINE_AMD64 and
        (
            (2 of ($ver*)) or
            (3 of ($exp*))
        ) and
        pe.number_of_exports > 400
}

Sigma Rule

title: SunWukong Masquerade Process Creation
status: experimental
description: Detects process creation of SunWukong masquerading binary based on version-info anomalies
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product: '1080p protocol'
        - Company: 'Erdman Group'
        - OriginalFileName: '1080pprotocol_1695.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

IOC List

Indicator           Type     Value
SHA-256             hash     fa16b64ae95d6492be2074e65a0d6eae3ddb8adb9706f41f1fb0ad71c50aa7ce
ssdeep              hash     24576:nRHjrTqTIdqMGb5DAbHdzauWwWD6s3GeFaghgefWcKBTdObOjfSySN7Hios43r1i:SWScTClcTys57yDc/e8STrVi
Original filename   string   1080pprotocol_1695.exe
Fake company        string   Erdman Group
Fake product        string   1080p protocol Business Suite
Leaf cert CN        x509     Erdman Group
Leaf cert O         x509     Maraport LLC Ltd
Leaf cert L         x509     Effertzshire
Leaf cert email     x509     admin@erdmangroup.global
Leaf cert serial    x509     0E:9B:18:8E:F9:D0:2D:E7:EF:DB:50:E2:08:40:18:5A

Behavioral Fingerprint

On launch, this binary imports nothing through the static IAT. Instead it walks the PEB module list to locate ntdll.dll and kernel32.dll, hashes their export names to find a system/process-information query API, and runs a parent-process / sandbox / debugger gate against hardcoded hash constants. Only if that check passes does the real payload begin. The version info masquerades as "1080p protocol Business Suite" by "Erdman Group". The export table carries more than 500 semantically obfuscated names (e.g., BackoffExtrapolate, PerplexityCancel, CrossEntropyRevokePinch) pointing to fewer than 25 tiny stubs.

Detection Signatures

  • capa: Failed — signature directory missing ^[capa.txt]
  • YARA (generic): PE_File_Generic only; no family-specific hit ^[yara.txt]

References

Provenance

Analysis based on:

  • Static triage artifacts (file.txt, exiftool.json, pefile.txt, strings.txt, rabin2-info.txt, binwalk.txt, capa.txt, metadata.json, triage.json).
  • Ghidra decompilation (FUN_140001000, FUN_14002d060, FUN_14002cc30) via pyghidra MCP.
  • radare2 surface analysis (entry0, strings, imports, exports) via r2mcp.
  • CAPE sandbox skipped — no Windows guest available (dynamic-analysis.md).