Thursday, February 16, 2023

RedLine Malware Analysis, Feb 16 2023

Started with this RedLine malware sample:

https://www.joesandbox.com/analysis/808971/0/html

The sandbox report shows it spawning a chain of child processes and eventually dropping these 2 payloads:

AV killer

https://www.virustotal.com/gui/file/850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

Healer.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0

SHA-1 421a7167da01c8da4dc4d5234ca3dd84e319e762

Infostealer

https://www.virustotal.com/gui/file/dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3 

The infostealer looks a lot like the one analyzed in this blog post ( https://securityscorecard.com/research/detailed-analysis-redline-stealer/ )

Franchise.exe

MD5 dd0c9e110c68ce1fa5308979ef718f7b

SHA-1 473deb8069f0841d47b74b7f414dacc6f96eca78


C2: 193.233.20.13:4136


It is stored in a self-extracting .CAB file (Microsoft Cabinet).

It actually unpacks itself 4 times before we finally see the payload.

Each time, the child .CAB file is stored in a resource named "CABINET".

Each time there are 2 .exes inside the .CAB.

In each of the repeated stages, the "RUNPROGRAM" resource launches another child .CAB extractor.

Eventually, on the last extraction, it's 2 .NET executables instead of another x86 .CAB extractor.

The first .NET executable is an AV killer that turns off Defender, Windows Update, etc.

The 2nd .NET executable is the infostealer that grabs wallets, VPN, Discord, and much more.

There are some Russian characters and the names of nearby countries in the region.

There is also code for the C2 (command and control) traffic: the C2 address, 193.233.20.13:4136, is XOR'd with the key "Sigma" and base64 encoded.

CAB files FDICreate FDICopy

call ds:__imp__FDICreate (creates a context for extracting Microsoft .CAB Cabinet files)
...
push offset pszCabPath
call ds:__imp__FDICopy

In memory you should see the Cabinet (.CAB archive) data, recognizable by its first four bytes (its magic number), "MSCF".

After the FDICopy you'll see the extracted files (possibly .exe malware) in the file path that was in pszCabPath.
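As an added example (not code from the original post, the sandbox or the sample), the following Python scans a dumped buffer for the "MSCF" magic and lists the file directory of every cabinet it finds, so each nested "CABINET" resource from the unpacking chain above can be inventoried (names, sizes, compression) without extracting it. The blob built by build_sample() and its two file names are constructed for the test and carry no real payload data.

```python
import re
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte CFHEADER
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs
COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}

def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_cabinet(buf, off):
    """Parse the CFHEADER/CFFOLDER/CFFILE directory of the cabinet whose 'MSCF' is at buf[off]."""
    (sig, _, cb_cab, _, coff_files, _, _, _, n_folders, n_files,
     flags, set_id, _) = CFHEADER.unpack_from(buf, off)
    if sig != b"MSCF" or cb_cab > len(buf) - off or coff_files >= cb_cab:
        raise ValueError("inconsistent CFHEADER")
    if flags & 0x0007:  # reserve fields or prev/next (multi-part) cabinet names: not handled here
        raise ValueError("reserve/multi-part cabinet not supported")
    pos, folders = off + CFHEADER.size, []
    for _ in range(n_folders):
        folders.append(COMPRESSION.get(CFFOLDER.unpack_from(buf, pos)[2] & 0xF, "UNKNOWN"))
        pos += CFFOLDER.size
    files, pos = [], off + coff_files
    for _ in range(n_files):
        size, _, ifolder, _, _, attribs = CFFILE.unpack_from(buf, pos)
        name, pos = _cstring(buf, pos + CFFILE.size)
        files.append({"name": name, "size": size, "folder": ifolder, "attribs": attribs})
    return {"offset": off, "size": cb_cab, "set_id": set_id, "folders": folders, "files": files}

def find_cabinets(buf):
    """Return every consistent cabinet directory in buf (e.g. a dumped CABINET resource or a whole PE)."""
    found = []
    for m in re.finditer(rb"MSCF(?=.{32})", buf, re.DOTALL):  # signature plus the rest of the header
        try:
            found.append(parse_cabinet(buf, m.start()))
        except (struct.error, ValueError):  # stray 'MSCF' bytes or a truncated directory
            pass
    return found

def build_sample():
    """Constructed test input (not a real sample): an 'MZ' stub followed by a directory-only cabinet."""
    entries = b""
    for name, size, uoff in (("Healer.exe", 1234, 0), ("Franchise.exe", 5678, 1234)):
        entries += CFFILE.pack(size, uoff, 0, 0x5650, 0, 0x20) + name.encode() + b"\x00"
    body = CFFOLDER.pack(0, 0, 1) + entries  # one MSZIP folder holding both files, no CFDATA blocks
    hdr = CFHEADER.pack(b"MSCF", 0, CFHEADER.size + len(body), 0, CFHEADER.size + CFFOLDER.size,
                        0, 3, 1, 1, 2, 0, 0x1234, 0)
    return b"MZ" + b"\x90" * 62 + hdr + body
```

Run find_cabinets() over each stage's dumped "CABINET" resource to see the two embedded executables and the offset to carve the cabinet at; actual decompression still needs a CAB extractor.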

FindResourceA 0xa

v0 = FindResourceA(0, "UPROMPT", (LPCSTR)0xA);

or

push 0xA ; lpType
push edi ; lpName
push 0 ; hModule
call ds:__imp__FindResourceA@12

This is grabbing a handle to a resource string in RCData with the name "UPROMPT" (you can see this in Resource Hacker). Note that it will be followed by a LoadResource call to actually get the string value into EAX.

0xA = 10 = RT_RCDATA = application-defined resource (raw data)

0 for hModule = use this executable's own resources

A pointer to the resulting string is put into EAX.


Wednesday, February 15, 2023

Packer Process Injection - CreateProcessInternalW CREATE_SUSPENDED

CreateProcessInternalW
CreationFlags: CREATE_SUSPENDED 0x00000004

Malware creating a process in a suspended state is typically a packer doing process injection: it has unpacked code and is injecting it into a user process.

It will be followed by calls like:

NtGetContextThread
ReadProcessMemory
memcpy
WriteProcessMemory ('MZ')
NtSetContextThread
NtResumeThread

to edit the memory of the suspended process and inject the malicious code.

VirtualProtectEx PAGE_EXECUTE_READWRITE

VirtualProtectEx
Protection: PAGE_EXECUTE_READWRITE 0x40

In malware that almost always means "injected code".


Tuesday, February 14, 2023

IDA Pro - The graph is too big (more than 1000 nodes)

IDA Pro error:

The graph is too big (more than 1000 nodes)

Two possible reasons why the graph is "too big":

1) either it's obfuscated somehow

2) or it's packed