If you haven’t read my first post about this malware, please do check it out.
So today I got bored and decided to browse through my files, and was suddenly reminded of the sample I was analyzing earlier. It is barely obfuscated, and many original function names are still available. At least most custom functions are obfuscated. Another sad thing about this malware, is that the encryption key is stored in plain text, and in plain sight. Some obfuscation/encryption would have been nicer.
So in this case, the stub simply drops the encrypted stub into the Temp Dir, and then decrypt it through reading the file. vmqjobbhqfbf is simply an obfuscated version of _Crypt_DecryptData, and 26128 stands for AES256 encryption. It was too easy to create a small snippet to decrypt the stub. The decrypted stub is 305 kb in size. However, this is the part where the malware execution goes wrong. As you can see in the screenshot, the variable $hcwywahhpctofanxhtdimbanbldxbax set to “%NATIVE%”. Closer inspection shows that Native is to indicate whether the original stub is in .NET or is it without dependencies. However, the author of the crypter made a mistake, since in the variable it is “%NATIVE%”, but in the actual injection function it is 1,2,3 or 4. Another sad mistake was that the original stub was coded in .NET, and therefore is not native at all. So even if the crypter is working properly, the built stub won’t since it will be injecting into the wrong process.
The startup uses the name “Microsoft Cooperation ZGIJJTiKhPcKTTZX”, which is located under either Run or RunOnce of HKCU. An interesting thing about the startup is that if it senses apvui.exe (Which is Kaspersky Antivirus’s process), it will choose not to modify the registry, and instead using the Startup Directory to install itself. This is probably done since KAV’s HIP detection is pretty accurate.
The original stub is coded in .NET, and have some decent features based on the Malwr analysis: https://malwr.com/analysis/NmJhNzYzZGVlZWI5NDM2MWFhYjc2ZDNmMGNlODAzOTU/
It is fairly well detected and was easily decompiled with de4dot, however, I was not able to deobfuscate it since I am currently only a beginner at .NET (Surprised that I admitted this?). Based on what I saw, the real deal is stored inside a resource called Testing.Resources.rsx which is decrypted on the go. Because of the hooking, I suspect this might not be a RAT/Botnet and might be just a keylogger from HF(Some that uses .NET are Volt and HawkEye, but correct me if I am wrong).
So that is it for this malware analysis. If have any questions, feel free to comment down below and I will answer them. Send your malware my ways if you have any.