Malware Analysis - Real Case 9 [Part 2]
Hi guys, as I promised before, today I will write part 2 of my report, and this part will be kind of special because I will not rely much on static methods to analyse this sample. Want to know more? Let's read this article, ok? Now we go!
First, you should read part 1 before reading this part. In the previous part I noted that I successfully extracted the .NET payload inside the donut shellcode, and now I will analyse it!
First, open it in dnSpy:
I opened this function first since I found it after a long time of searching and verifying. In this part the easiest way is to debug the code and watch the result. Ensure that you have a virtual environment; in this code I will set breakpoints on key and iv and let the debugger run till the end:
Click Run and OK; you will see the debug screen, which lists the variables that appear in the code, and you can watch the value of each variable change (of course you can debug, obtain this information and then write an automatic script to decrypt it yourself):
You can see that you get the key and iv easily just by debugging the program, but that is not what I am after. What I want is the final result, which extracts a gzip file and unzips it. From here I choose Step Over to jump over each line without digging deeper into how each line works. After numerous steps over, this is the final result:
You can see the final result is passed to the array2 variable, and we can parse it easily just by following the memory. Right-click array2, choose Show in Memory Window, choose the memory area and you will see that the previous sample drops another PE file:
Now just dump it and you will get the next payload:
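As an added example (not part of the original write-up or the sample's code), here is a Python script that does the dump step offline once the decrypted buffer is in hand: it scans a memory buffer for gzip members, decompresses them, and validates the MZ/PE signatures of whatever comes out. The dump bytes and the PE stub are constructed stand-ins; the decryption step is skipped because the key and iv come straight from the debugger.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def carve_pe_headers(buf: bytes) -> list:
    """Offsets of plausible PE images: an 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits = []
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            sig = buf[off + e_lfanew:off + e_lfanew + 4]
            if 0x40 <= e_lfanew <= 0x1000 and sig == b"PE\0\0":
                hits.append(off)
        off = buf.find(b"MZ", off + 1)
    return hits


def gunzip_embedded(buf: bytes) -> list:
    """Decompress every complete gzip member found in buf -> [(offset, payload)]."""
    members = []
    off = buf.find(GZIP_MAGIC)
    while off != -1:
        # decompressobj stops at the member's end, so trailing memory garbage is ignored
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
        try:
            data = d.decompress(buf[off:])
            if d.eof and data:
                members.append((off, data))
        except zlib.error:
            pass  # the two magic bytes occurred by chance; not a real member
        off = buf.find(GZIP_MAGIC, off + 1)
    return members


def recover_pe_payloads(dump: bytes) -> list:
    """PE images in the dump: raw ones, plus those wrapped in gzip (as array2 was)."""
    found = [dump[o:] for o in carve_pe_headers(dump)]
    for _, data in gunzip_embedded(dump):
        found += [data[o:] for o in carve_pe_headers(data)]
    return found


def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed stand-in for the dropped executable: valid signatures, no code."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)   # e_lfanew -> NT headers at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x14C)  # IMAGE_FILE_MACHINE_I386
    return bytes(img)


# Constructed memory dump: zero padding, the gzip-wrapped payload, then a stray
# 'MZ' followed by 0xCC filler whose e_lfanew is nonsense and must be rejected.
DUMP = b"\x00" * 0x33 + gzip.compress(build_fake_pe(), mtime=0) + b"MZ" + b"\xcc" * 0x40

if __name__ == "__main__":
    for i, pe in enumerate(recover_pe_payloads(DUMP)):
        print(f"recovered PE #{i}: {len(pe)} bytes")
```

Because a gzip member has a well-defined end, the carved payload from it is exactly the dropped file; a PE carved from raw memory still needs its size taken from the section table.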
It is a C# binary again, and the funny thing is that when I checked the MegaDumper report, it had already extracted it for me. I stopped here because when I tried to analyse it, it was quite difficult because of the super long code and too many functions. From here I uploaded this sample to VirusTotal, and the other samples too, since I don't want to let this guy smile. Before I looked at the VirusTotal result, I tried to run the sample again and this was the result:
The network connection is the easiest thing to watch:
The malware tries to connect to 45[.]32[.]126[.]61:56001, which is a C2 server. Do you still remember the Python script from yesterday? It created a scheduled task, and each time the user logs in, this task is run:
Next, I looked at the File Activities report. I found that the sample tried to read data from the User Data folders of browsers, which means it tried to steal users' sensitive data. Moreover, when I compared the Network and File timelines, I found that each time a file activity was executed, a network operation was executed as well, so the sample steals the data and then sends it to the C2 server:
Because the Registry Activities section is quite long, I will summarize it. When I analysed it, I found that the sample tried to access some keys related to computer information, including network IP, computer name… So the sample steals not only browser data but also computer information.
Returning to the VirusTotal report, I found something interesting:
In the report on the payload from the donut shellcode, there are some GitHub links:
In my thinking, it could be the main account of the attacker, or maybe it's just another account to store repositories.
OK, so these are my last words; thank you for reading to this line. I hope I could help you a little, not too much, but I feel very happy when I write articles like this. I learn from my experiments, your opinions, etc… As usual, this article cannot be perfect, so I will be grateful if you can give me some feedback to make this report better. See you in the next post, bye!
Summary
- C2 server: 45[.]32[.]126[.]61:56001, 45[.]32[.]126[.]61:56002, 45[.]32[.]126[.]61:56003
- MITRE ATT&CK: T1059.001, T1574.002, T1497, T1562.001, T1140, T1027, T1027.002, T1070.006, T1056, T1518.001, T1082, T1560, T1005, T1571
- URL:
  - hxxps[://]github[.]com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver[.]dll
  - hxxps[://]github[.]com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver[.]exe
  - hxxps[://]github[.]com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver[.]exe
- Sample:
  - 5e728114bcd05c0eec668512a28670e95f45506c261fd436e43c5aff4f5b6e82 (Fdgri.exe)
  - aec49aba9900bc031b847a57af2e0c85b4b03c972f057570cfe6fb41749ff045 (Gzabxae.dll)
  - 20569c7e9e722688a8f1d1dadcc56188fad71fc206b7ba4347e5d0b2dfc13a4e (SysWOW64.zip)