Unpacking GhostCrypter, a not really stealthy crypter.

So today I will be unpacking GhostCrypter. This crypter is currently sold on  HackForums for $12 per month, and seems to be pretty popular. Please note that I was given this file, and I have no idea if this is actually GhostCrypter. So let’s get started.

GhostCrypter is coded in AutoIt, so MyAutToExe should be able to decompile it fairly easily. It is not packed with UPX, so there is no need to unpack anything. There are quite a few files packed inside it, which explains the 1.6mb file size. Dropping is not really stealthy after all.

ab9a02d0d7a8fe69a95e993b00dc50dcd2c359cf4c23d8a47602880278804ebc

The decompiled au3 file contains #endregion at the top, which is a common method to stop Exe2Aut.  It is all capitalised and the first 2 functions seemed to belong to Crypt.au3 and had all of the variables changed.`

The decompiled code can be found here: http://pastebin.com/nQtuDZx1 After decrypting and deobfuscating all of the variables and removing the flow obfuscation, the resulting code is fairly short. It was only 6 lines and was fairly disappointing to look at. And instead of running like that, why don’t you use ShellExecute?

c2dc037a7184375a93088718e44776ef

OK so let’s now look at the files that were dropped. The file that was dropped as a .CMD file appears to be Microsoft Visual C++ v.10. When we look into the file that is used as an option, turns out it is an AutoIt source file. The .cmd file turned out to be the AutoIt base, as it was signed by AutoIt Consulting LTD.It is obfuscated with Flow Obfuscation, using Call() to stop strippers from working, and all of the good stuffs. The whole process of manual deobfuscation took quite long and was kinda boring (to describe) to be honest, so I will just talk about Before and After deobfuscation here.

So before deobfuscation, this is what the file looked like:

70b0f93a1a4fe4d2c423aebf76798abc

One of the very funny thing about the script is that it uses _Crypt_DecryptData to decrypt strings, however next to the line, there are comments which tell us what the encrypted strings are. However it could be meant for deception, so I will just create an automated tool to decrypt the data and removing the flow obfuscation that was applied.

So after deobfuscation, the script is 232 lines in length and is fairly plain. It looks like the variable $encrypted declares the path to the encrypted file, which is decrypted, and then injected using a shellcode. Simply using FileWrite and _Crypt_DecryptData with the same parameter extracted the original file. The original file is an MZ Executable file, if you don’t know what that is, Google it.

529a496ca7e905ce96d39f32c054d717

One of the runtime techniques used by GhostCrypter is dynamic Startup. Normally, GhostCrypter uses the RunOnce startup key to hide from MSConfig, but this often prompts for confirmation on AVs such as Kaspersky, 360 Security,… So when processes such as mbam, avpui GhostCrypter creates a .lnk file inside the startup directory instead. The anti analysis is also fairly bad, it only detects 3 processes, 1 for VMWare, 1 for VirtualBox and 1 for SandBoxie. Furthermore, it stores the file in a variable, not use it at all, and use the _Crypt_DecryptData function with the first parameter of FileRead(@AppDataDir & “\QHWXHYbdLYDG”) instead of the $encrypted variable which shows the path to the file. And after being used, the variables are not set to Null to free up memory. Bad coding practices here.
That is my take on GhostCrypter. If you have any other malware samples, feel free to send them to me and I will take a look at them.