Howdy fellow readers. My time is split between video games, code, and work. I have a number of interesting samples I’ve seen that I’ve decided to share with you all.
This is a 3+ stage malware, each stage being its own executable (think Inception, but with exes). That isn't all that uncommon with malware: the file you first download is often not the main exe. A small "dropper" fingerprints your system and downloads the second stage, or the second stage is carried inside the first, encrypted, to hide from AV signatures and heuristics.
As you can see, de4dot identified the obfuscator and automatically cleaned everything back up. Nice, eh? Now let's look at the binary again in ILSpy (Reflector is a piece of shit sometimes).
The sample has been deobfuscated but is still a mess. What can we do? Enter MegaDumper. Russians make the best tools. So how does this work? MegaDumper lets us dump .NET binaries straight from memory: run the exe, suspend its main thread, then dump away. Anything the binary has already decrypted and loaded by that point comes out in the clear.
It's easier to just record how it's done here:
Now we have our decrypted content.
The 'manptca.exe' file is our original file. The other two files are loaded by the original binary. Let's peek at each.
'snoop.exe' seems to be obfuscated, but a quick run through de4dot shows us what it is.
Opening the thing up with ilspy, we see a number of dynamically constructed strings.
This is one reason why being a coder helps with reversing: having the compiler by your side is a lifesaver. Rather than working out each dynamically built string by hand, you paste the string-building code into a scratch project and let it evaluate them for you.
Just reviewing the code, this looks to be a helper exe, in that it 'helps' the main exe maintain persistence (adding the exe to a registry startup path). Not very interesting.
‘mydllclass’ is much more interesting.
The sample contains our process hollowing methods and injection criteria, some interesting decryption, and our final stage 3 product.
The following is some code I pulled from the mydllclass module. It should look familiar. For those who don't know, it's process hollowing code: start a legitimate process suspended, replace its in-memory image with the payload, point the thread at the payload's entry point, and resume it.
How is this used? Remember the bitmap from the resources section earlier? That data file is decrypted in stage 2 and run as stage 3 via process hollowing.
There's a lot of code in this sample, but it's fairly straightforward. The bitmap image is read from the resources directory and converted to a byte array; the stream is then decompressed, then decrypted.
While we *could* copy and paste this into a project of our own to decrypt the mystery bitmap image, it's much easier to extract it after the process hollowing operation is performed.
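For readers who do want to go the "copy it into a project" route, here is what that decode path looks like end to end. This is an added example of mine, not code from the sample or the post: the post does not say which compression or cipher the stage 2 loader uses, so zlib and a repeating-key XOR (key `stage2-example-key`) stand in for them, and the "stage 3" payload is a constructed MZ/PE stub rather than a real executable. What carries over to a real sample is the shape of the pipeline (locate the pixel array via the BMP header, decompress, decrypt) and the sanity check at the end.

```python
"""Added example: pull an embedded payload back out of a bitmap resource.

Pipeline mirrors the post's description: resource -> byte array -> decompress -> decrypt.
Compression (zlib), cipher (repeating-key XOR) and the payload are all stand-ins."""
import struct
import zlib

# Assumed key for this example only; the real sample's key is not given in the post.
XOR_KEY = b"stage2-example-key"


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Symmetric, so it serves as both encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bmp_pixel_data(bmp: bytes) -> bytes:
    """Return the pixel array of a BMP, located via bfOffBits (offset 10 of the file header)."""
    if bmp[:2] != b"BM" or len(bmp) < 54:
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", bmp, 10)[0]
    return bmp[off_bits:]


def extract_payload(bmp: bytes) -> bytes:
    """Decompress the pixel array, then decrypt it (the order the post describes)."""
    pixels = bmp_pixel_data(bmp)
    d = zlib.decompressobj()
    # Row padding after the zlib stream ends up in d.unused_data and is ignored.
    compressed_plain = d.decompress(pixels)
    return xor_bytes(compressed_plain)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that the result is worth handing to a disassembler: MZ + 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_bmp(pixel_bytes: bytes, width: int = 64) -> bytes:
    """Constructed sample: wrap arbitrary bytes as the pixel array of a minimal 24-bit BMP."""
    row_bytes = (width * 3 + 3) & ~3            # rows are padded to 4-byte boundaries
    height = -(-len(pixel_bytes) // row_bytes)  # enough rows to hold the data
    pixels = pixel_bytes.ljust(row_bytes * height, b"\0")
    off_bits = 14 + 40                          # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def make_fake_pe(filler: bytes = b"\xcc" * 200) -> bytes:
    """Constructed stand-in for stage 3: a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + filler


def hide_in_bmp(payload: bytes) -> bytes:
    """Reverse of extract_payload, used only to build the constructed sample: encrypt, compress, wrap."""
    return build_bmp(zlib.compress(xor_bytes(payload)))


if __name__ == "__main__":
    fake_stage3 = make_fake_pe()
    resource = hide_in_bmp(fake_stage3)
    recovered = extract_payload(resource)
    print(f"{len(resource)} byte bitmap -> {len(recovered)} byte payload, "
          f"looks like PE: {looks_like_pe(recovered)}")
```

On a real sample you would swap `xor_bytes` and the `zlib` call for whatever the decompiled stage 2 actually does, and feed `extract_payload` the bytes of the resource you pulled out with ILSpy. If `looks_like_pe` comes back false, you have the order of operations or the key wrong, which is exactly the kind of mistake that makes dumping the hollowed process the faster route.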
Other interesting tidbits include code that checks for the presence of Avast anti-virus:
This code doesn’t really work on my VMware instance though, making it worthless. Then again, who the hell checks for JUST Avast?
So how do we get at this new file? Easily. Remember in the video how I killed 'Regasm.exe'? That's the process the data is injected into. A simple matter of dumping the exe while it's running will reveal our final payload. To save time again, here's another video.
So what is this weird pony icon exe?
Loading the sample up with IDA and looking at the strings is a good start.
Googling around for the strings 'moni/panel/Pony.exe' and 'moni/panel/gate.php' proved fruitful. The malware is called 'Pony' (of course), so I wasn't too far off in my assumptions. According to this, the 3rd stage is a password stealer.
Continuing to look at strings confirms this. Who knew there were so many kinds of bitcoins?
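Looking at the strings window is the first thing I do with any dumped payload, and it is worth automating the triage part. Below is an added example of mine (not anything from the post or from IDA) that extracts ASCII and UTF-16LE strings from a blob the way a strings tool does, then buckets them by a few hand-written indicator patterns: C2 panel paths such as gate.php, URLs to further executables, wallet references, and credential-related words. The categories and regexes are my own assumptions, and the `SAMPLE_DUMP` bytes are a constructed stand-in for a dumped process, seeded with the two strings the post names.

```python
"""Added example: strings-based triage of a dumped payload (not code from the post)."""
import re
from collections import defaultdict

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator buckets. These patterns are an assumption of this example, chosen to match
# the kind of strings the post describes (panel/gate paths, a hosted exe, wallets, passwords).
INDICATORS = {
    "c2_gate": re.compile(r"/gate\.php$|/panel/", re.I),
    "payload_url": re.compile(r"\.exe$", re.I),
    "wallet": re.compile(r"wallet|coin", re.I),
    "credential": re.compile(r"password|login", re.I),
}

# Constructed sample: a few code-looking bytes with strings wedged between them.
# Only the two 'moni/panel/...' strings come from the post; the rest are made up.
SAMPLE_DUMP = (
    b"\x4d\x5a\x90\x00\x03" * 4
    + b"moni/panel/gate.php\x00"
    + b"\x8b\x45\xfc\x33\xc0"
    + b"moni/panel/Pony.exe\x00"
    + b"\x55\x8b\xec"
    + "wallet.dat".encode("utf-16-le") + b"\x00\x00"
    + b"\xc3\x90\x90"
    + b"Password\x00"
    + b"kernel32.dll\x00"
)


def extract_strings(blob: bytes):
    """Yield printable ASCII runs and UTF-16LE runs of at least MIN_LEN characters."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in WIDE_RE.finditer(blob):
        yield m.group().decode("utf-16-le")


def classify(strings):
    """Bucket strings by the first-matching-or-every indicator; a string may land in several buckets."""
    hits = defaultdict(list)
    for s in strings:
        for tag, rx in INDICATORS.items():
            if rx.search(s):
                hits[tag].append(s)
    return dict(hits)


def triage(blob: bytes) -> dict:
    """Deduplicate, sort for stable output, then classify."""
    return classify(sorted(set(extract_strings(blob))))


if __name__ == "__main__":
    for tag, found in triage(SAMPLE_DUMP).items():
        print(f"{tag}:")
        for s in found:
            print(f"    {s}")
```

Strings that hit no bucket (here `kernel32.dll`) are simply not reported, which keeps the output to the handful of lines you would paste into a search engine. The usual strings-tool caveat applies: a printable byte immediately before a UTF-16 run gets glued onto it, so treat a leading stray character in a wide string as an artifact rather than part of the indicator.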
And there you have it, all 3 stages of execution, the C&C, the injection method, and the target (passwords & bitcoins).
Join me again soon when I cover the basics of reversing exploits in PDF and Word documents.