Beginning of Malware Journey Day 1
This write-up is a follow-along from a course called Zero2Automated. The goal of this blog is to write out my ideas for myself. It will explain my journey moving from exploit development on x32 towards malware analysis on x64. I decided it couldn't hurt to write some parts of my learning here to share with everyone else.
Analyzing the .NET InfoStealer required Process Hacker, Process Monitor and Wireshark.
With Process Monitor it is useful to look for registry keys being opened. Curious to know what opening a registry key actually means, I went straight to the Microsoft docs. Unfortunately the only description was "Opens the specified registry key." So it was time to dig more.
A registry key is a location in Windows where configuration settings are stored. So when a malware sample uses an operation like RegOpenKey, a good assumption is that it is trying to retrieve the configuration stored at that path, in this case DownloadManager. This lets it adapt its attack, since not all systems are the same. Once it has a key open, malware can also use it to bypass restrictions. An example is malware adding a reference to itself under HKEY_LOCAL_MACHINE\Software so that it is allowed to execute.
More analysis is completed through procmon, with the goal of finding what the malware is looking for. In this case it is a CreateFile operation on browsers.txt. The operation name can be confusing: CreateFile here is just opening the file, which the malware uses to search for any installed browsers on the victim system.
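To make the procmon triage above repeatable, here is an added example (my own, not from the course) that reads a Process Monitor CSV export and flags the RegOpenKey calls under HKLM\Software and the CreateFile calls on browsers.txt and mail.txt discussed here. The sample rows, process name and paths are constructed for illustration.

```python
"""Triage a Process Monitor CSV export for the registry and file events
discussed above (added example, not part of the original write-up)."""
import csv
import io

# Constructed sample rows in Procmon's default CSV export column order.
# The process name, PID, timestamps and paths are invented for illustration.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.001","sample.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\DownloadManager","NAME NOT FOUND","Desired Access: Read"
"10:01:02.010","sample.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\DownloadManager","SUCCESS","Desired Access: Set Value, Write"
"10:01:02.050","sample.exe","1234","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\browsers.txt","SUCCESS","Desired Access: Generic Read"
"10:01:02.075","sample.exe","1234","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\mail.txt","SUCCESS","Desired Access: Generic Write"
"10:01:02.090","explorer.exe","900","RegOpenKey","HKCU\\SOFTWARE\\Classes","SUCCESS","Desired Access: Read"
"""

# File names the write-up saw the sample touching.
WATCHED_FILES = {"browsers.txt", "mail.txt"}


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(event):
    """Return a tag for an event worth a second look, or None."""
    op, path, detail = event["Operation"], event["Path"], event.get("Detail", "")
    if op == "RegOpenKey" and path.upper().startswith("HKLM\\SOFTWARE\\"):
        # Write access to HKLM\Software is where a sample might register itself.
        if "Write" in detail or "Set Value" in detail:
            return "hklm-software-write"
        # Read access is the config lookup case; NAME NOT FOUND is still telling.
        return "hklm-software-read"
    if op == "CreateFile" and path.rsplit("\\", 1)[-1].lower() in WATCHED_FILES:
        return "staging-file"
    return None


def triage(text, process_name):
    """Return (tag, path, result) for flagged events of one process."""
    findings = []
    for ev in parse_procmon_csv(text):
        if ev["Process Name"].lower() != process_name.lower():
            continue  # ignore noise from other processes
        tag = classify(ev)
        if tag:
            findings.append((tag, ev["Path"], ev["Result"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV, "sample.exe"):
        print(finding)
```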
Searching through Process Hacker for strings is also beneficial. An example is looking for a command and control server, which, as the name implies, sends commands to compromised systems.
Cracking in dnSpy
This is static analysis. The tools I am used to are WinDbg and IDA, so this will be new for me.
To begin an analysis, it's useful as always to start at the entry point, which in this case is GonnyCam.Main.
Looking at the libraries, it's interesting that only one library is obfuscated.
From the Main function, it appears this malware has multiple options for the attacker to pick from. Going through all of these is a good idea.
An initial guess from looking at this function is that this malware is a type of keylogger. We know it is sending keystrokes to the command and control server found previously.
A look at the if statement tells us that it is looking for the argument Keystrokes and, if present, a POST request is sent. From looking at the block I am only guessing that the POST request is sending keys to the command and control server.
Another interesting function enabled in this malware, found through the tutorial video, seems to be trying to read emails.
A quick look at the function FaadS shows a reference to a private member R_List, which holds a function called ReadMail.
Two interesting lines pop up. The first was a mail.txt file, which I saw previously in ProcMon. The other was the obfuscated library seen previously in dnSpy.
When looking at this function, I see it decrypts the 2 files in Resources. The names of the files were RecoverBrowsers and RecoverMail. It appears these files are then executed.
Since the 2 files looked at previously were obfuscated, de4dot is a great tool to go to next.
The reason for using de4dot is to deobfuscate the files inspected before. For example, the function named Óµ was obfuscated; it is now named GClass0.
Now it's time to move towards running the program, with a breakpoint set at Mails.txt.
After running the program it becomes clear there is an executable stored in array2.
From this bin file I go to PEStudio to inspect the strings first.
Interestingly, this seems to come from a 3rd party.
From the Decrypt function we create another .bin file.
This is opened in PEStudio again and analyzed. NirSoft again shows up frequently.