forked from bitbrain/jekyll-dash
Create 2025-01-12-malware-analysis-real-case-9-part-2.md
1 parent 19aecca, commit 20ad014
Showing 1 changed file with 103 additions and 0 deletions:
_posts/2025-01-12-malware-analysis-real-case-9-part-2.md
@@ -0,0 +1,103 @@ | ||
--- | ||
layout: post | ||
title: Malware Analysis - Real Case 9 [Part 2] | ||
description: Another DLL was loaded by previous sample and dynamic analysis method | ||
tags: [Real Case, Reverse Engineering, Command and Control, Virustotal, Malware, Blue Team, dnSpy, FlareVM] | ||
--- | ||
|
||
Hi guys, as my promise before, today I will write part 2 for my report and this part will be kinda special because I will not use static method too much too analyse | ||
this sample. Want to know more? Let's read this article, ok? Now we go! | ||
|
||
First, you should read part 1 before reading this part. In the previous part I noticed that I extracted successfully .NET things inside **donut** shellcode and now I will | ||
analyse it! | ||
|
||
First, open it in **dnSpy**: | ||
|
||
![image](https://github.com/user-attachments/assets/cd702857-7a9b-44b6-9e5f-09de442250cf) | ||
|
||
I opened this function first since I found it after a long time searching and proving. In this part the easiest way is that you debug the code and watch the result. Ensure | ||
that you had virtual environment, and in this code I will set breakpoints to **key** and **iv** and let debugger run till the end: | ||
|
||
![image](https://github.com/user-attachments/assets/20a7416d-7856-4c3f-964c-053dd9ec3bfa) | ||
|
||
Click **Run** and **OK**, you will see the debug screen which contains variables that appeared in the code and you could see the change inside each variable (of course | ||
you can try to debug and get these informations and then write an automatic script to decrypt by yourself): | ||
|
||
![image](https://github.com/user-attachments/assets/74d2037b-04b2-40c5-befc-37fb4b8ea16e) | ||
|
||
You can see that you will get **key** and **iv** easily by just debugging the program, but it is not my expectation. The thing I want is the final result which will extract a | ||
gzip file and unzip it. From here I will choose **Step Over** to jump over each line that not dig deeper how each line works. After numerous stepping over, this is the | ||
final result: | ||
|
||
![image](https://github.com/user-attachments/assets/97b1f88a-80fc-471f-8094-53c4ebe1866b) | ||
|
||
You can see the final result will be passed to **array2** variable and we can parse it easily by just following the memory. Right click to **array2**, choose **Show in Memory Windows**, | ||
choose memory area and you will see that the previous sample will drop another PE file: | ||
|
||
![image](https://github.com/user-attachments/assets/b80ede0b-3d7c-4234-ae27-e43ac96e1795) | ||
|
||
![image](https://github.com/user-attachments/assets/558e11f7-bd96-4c36-a886-dd35d9ff07ba) | ||
|
||
Now just dump it and you will get the next payload: | ||
|
||
![image](https://github.com/user-attachments/assets/69d8ae86-d19a-4a13-9680-7507dc82517d) | ||
|
||
![image](https://github.com/user-attachments/assets/536907cc-1ddf-4dda-883c-0a2e7a9800c8) | ||
|
||
It is a C# thing again and the funny thing is that when I check **MegaDumper** report, they extracted it for me before 😂😂😂. From here I stopped because when I tried | ||
to analyse it, it was kinda difficult because of super long code and too many functions. From here I will upload this sample to **Virustotal** and also for other samples | ||
since I don't let this guy smile 😂😂😂. Before I looked to Virustotal result, I tried to run the sample again and this was the result: | ||
|
||
![image](https://github.com/user-attachments/assets/0c248d09-b100-48b7-9287-e18dbf19ad26) | ||
|
||
The **network connection** is the easiest thing to watch: | ||
|
||
![image](https://github.com/user-attachments/assets/4df9a65f-7f2b-4590-befc-cbe4f24ae534) | ||
|
||
The malware will try to connect to **45[.]32[.]126[.]61:56001** which is a C2 server. Did you still remember python script yesterday? It created a schedule task | ||
and each time user log in, this task will be run: | ||
|
||
![image](https://github.com/user-attachments/assets/23fcfae8-d884-4e28-9a21-e6e0e5a27ad9) | ||
|
||
Next, I looked at **File Activities** report. I found that the sample tried to get data from **User Data** of browsers, that means they tried to steal sensitive datas | ||
of users. Moreover, when I compared the timeline of Network and File, I found that each time a file activity was executed, a network process would be executed also so | ||
the sample will steal the data and then send them through C2 server: | ||
|
||
![image](https://github.com/user-attachments/assets/78677f80-9462-4fdb-b470-dc91f5da1851) | ||
|
||
![image](https://github.com/user-attachments/assets/179f6ece-3806-49c5-aa55-0f1fba1c4101) | ||
|
||
For **Registry Activities** because it's kinda long, I will summarize. When I analysed it, I found that they tried to access some key related to computer information | ||
including: network IP, computer name... From here the sample not only steal browser data but also computer information. | ||
|
||
Return to Virustotal report, I found something interesting: | ||
|
||
![image](https://github.com/user-attachments/assets/7f07d019-7843-4faa-b909-8fe0d722e33b) | ||
|
||
In the report of payload from **donut** shellcode, there are some GitHub links: | ||
|
||
![image](https://github.com/user-attachments/assets/4e493e41-cef7-4061-9ee7-91e44c411f28) | ||
|
||
In my thinking, it could be the main account of attacker or maybe it's just another account to store repositories. | ||
|
||
OK so this is my last words, thank you for reading till this line. I hope that I could help something for you, not too much but I feel very happy when I wrote articles | ||
like this. I learnt from my experiment, your opinions, etc... As usual, this article cannot be perfect, so I will be grateful if you can give me some opinions to make this | ||
report better. See you in the next post, bye! 💙💙💙 | ||
|
||
### Summary | ||
- C2 server: 45[.]32[.]126[.]61:56001, 45[.]32[.]126[.]61:56002, 45[.]32[.]126[.]61:56003 | ||
- MITRE ATTACK: T1059.001, T1574.002, T1497, T1562.001, T1140, T1027, T1027.002, T1070.006, T1056, T1518.001, T1082, T1056, T1560, T1005, T1571 | ||
- URL: | ||
+ hxxps[://]github[.]com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver[.]dll | ||
+ hxxps[://]github[.]com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver[.]exe | ||
+ hxxps[://]github[.]com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver[.]exe | ||
- Sample: | ||
+ 5e728114bcd05c0eec668512a28670e95f45506c261fd436e43c5aff4f5b6e82 (Fdgri.exe) | ||
+ aec49aba9900bc031b847a57af2e0c85b4b03c972f057570cfe6fb41749ff045 (Gzabxae.dll) | ||
+ 20569c7e9e722688a8f1d1dadcc56188fad71fc206b7ba4347e5d0b2dfc13a4e (SysWOW64.zip) | ||
|
||
|
||
|
||
|
||
|
||
|
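Review bot: the Summary block at the end of this file lists indicators and techniques that the body of the post does not support, so either tie them to the analysis or trim them. The network section and its screenshot establish only `45[.]32[.]126[.]61:56001`; the summary adds `:56002` and `:56003` without saying where they were observed (a second run, or the VirusTotal behaviour report?), so state the source or drop them. The three GitHub raw URLs under `DFfe9ewf/test3` likewise appear only in the summary, while the body just says "there are some GitHub links" beside a screenshot; quote them at the point where they are found and say which sample fetches them. In the MITRE line, `T1056` is listed twice, and the scheduled task that runs at each user logon (the Python script from the previous part) is Scheduled Task/Job: Scheduled Task, `T1053.005`, which is missing from the list. Finally, the debugging walkthrough shows breakpoints on `key` and `iv` and a gzip step but never names the cipher, and the Sample list does not say which hash is the PE dumped from `array2`; a one-line note of the algorithm plus the dumped file's hash would let a reader reproduce the result without stepping through it in dnSpy.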