Pegasus Source Code Analysis Notes

ZYWU
2 min read · Feb 15, 2019

The leak and background: https://malware-research.org/carbanak-source-code-leaked/

The leak was originally attributed to the Carbanak group, but this later turned out to be a misattribution. Afterwards, Minerva Labs [1] and Vitali Kremez [2] of Flashpoint found evidence linking Pegasus to Buhtrap.

I suggest using a Windows environment to extract the archive. Since there are some encoding issues, I got wrong output from a Mac OS X environment.

Use exploit to do privilege escalation

In InstallDispatcherDll/PrivEsc.cpp, two exploits are used:
1. CVE-2015–0057, MS15–010, KBs: 3013455, 3023562
2. CVE-2015–1701, MS15–051, KBs: 3045171
We found timestamps around 2015–16 in the source code, which means the exploits were not old at that time.

Two different versions of domain enumeration

In inc/DomainListMachinese.cpp, there are two different versions. The first, named dlmEnumV1, uses NetServerEnum. The second, named dlmEnumV2, uses WNetOpenEnum and WNetEnumResource.

Use Вперёд Россия (Let’s go Russia/Go forward Russia) as default password

For lateral movement and propagation, it uses mimikatz and a keylogger to harvest credentials. However, in inc/WorkDispatcher.cpp, it also uses the default password Dgth`l Hjccbz, which is Вперёд Россия (let’s go Russia / go forward Russia) typed with the keystrokes of the Russian ЙЦУКЕН layout while a US layout is active.

Copy and modify Matt Graeber’s PIC_Bindshell for their own shellcode

Comparing the shellcode in Shellcode/shellcode.c with PIC_Bindshell, it is fair to say Pegasus’s shellcode is based on Matt Graeber’s. The first line of the source file also states: “Code is extracted by foreign tool.”

DB use user root and password 12345

The web component uses the Denwer web development kit. In cfg/config.php, the database credentials are:
- host: ‘localhost’, db: ‘pegasus’, user: ‘root’, password: ‘12345’
- key: ‘7393c9a643eb4a76’

Network traffic routes out only in usual local working clock

In shared/config.h, the author suggests a 10–60 minute delay between network checks in release mode. If PRESERVE_WORKHOURS_NETWORK_ACCESS is set to TRUE, remote network access is issued only during usual working hours according to the local clock (09:00 (+lag) to 19:00).

Read the headers of the notepad.exe and regedit.exe binaries to get the system’s architecture.

To determine whether the target operating system is running in a 32-bit or 64-bit environment, it reads the Machine value from the NT headers of those binaries.
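As an added example (not code from the leaked source), the same check in Python: parse the DOS header, follow e_lfanew to IMAGE_NT_HEADERS, and read IMAGE_FILE_HEADER.Machine. The `make_stub` helper constructs minimal fake headers so the parser can be run offline; the file path in `system_arch_from_binary` is an assumption.

```python
import struct

# Constants from the PE format (winnt.h names)
IMAGE_DOS_SIGNATURE = 0x5A4D     # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_machine(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.Machine from the start of a PE image; raise ValueError if malformed."""
    if len(data) < 0x40:
        raise ValueError("too short for an IMAGE_DOS_HEADER")
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C) holds the file offset of IMAGE_NT_HEADERS
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data):  # 4-byte signature + 2-byte Machine must fit
        raise ValueError("e_lfanew points past the data we have")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature; Machine is its first WORD
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def pe_arch(data: bytes) -> str:
    """Map the Machine value to 'x86', 'x64' or 'unknown'."""
    return MACHINE_NAMES.get(pe_machine(data), "unknown")


def system_arch_from_binary(path: str) -> str:
    """Infer OS bitness from a system binary, e.g. C:\\Windows\\System32\\notepad.exe (assumed path).
    On 64-bit Windows that copy is x64; on 32-bit Windows it is x86."""
    with open(path, "rb") as f:
        return pe_arch(f.read(4096))  # headers sit at the front; 4 KiB is plenty


def make_stub(machine: int) -> bytes:
    """Constructed minimal PE header (not a real binary) so the parser can be exercised offline."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # 20-byte IMAGE_FILE_HEADER
    return dos_header + b"PE\0\0" + file_header


if __name__ == "__main__":
    print(pe_arch(make_stub(IMAGE_FILE_MACHINE_AMD64)))  # x64
```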

Attempts remote execution using different methods, from less invasive to more invasive.

[1] https://blog.minerva-labs.com/pimped-buhtrap-source-leaked
[2] https://twitter.com/vk_intel/status/1017171384005545985
