Malware Journey Day 22–23

Nick Mckenney
4 min read · Dec 31, 2023


Today is static analysis only. I haven't done enough of this. Goodbye x64dbg!

hash: 6095f96dd5eca96a3fb9338eec4ab574921c0febb36f6a6db60aae1aeb9ffcab

PEStudio

I'm most interested in the function LDR, since it's the only function exported.

To run this DLL I will need to use rundll32.exe, though this is not needed currently.
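What PEStudio (and IDA's Exports view) is doing at this step is walking the PE export directory. The following is an added example, my own code and not the author's or the sample's: a pure-Python export-table walker (no `pefile` dependency) that follows MZ -> PE -> optional header -> export data directory and lists every named export with its ordinal and RVA, flagging forwarders. Because the real sample is not on the page, the script builds a constructed, minimal PE32 DLL in memory that exports a single function named `ldr`; the DLL name `sample.dll` and the fake code RVAs are assumptions used only to make the file self-contained. On a real file, call `parse_exports(open(path, "rb").read())`.

```python
import hashlib
import struct

# Offset of the data-directory array inside the optional header, by magic.
_DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}   # PE32, PE32+
IMAGE_FILE_DLL = 0x2000


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw file bytes (the kind of hash used to identify the sample)."""
    return hashlib.sha256(data).hexdigest()


def _rva_to_offset(rva: int, sections) -> int:
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\x00", offset)].decode("ascii", "replace")


def parse_exports(data: bytes) -> dict:
    """Walk MZ -> PE -> optional header -> export directory and list named exports."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in _DATA_DIR_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd = opt + _DATA_DIR_OFFSET[magic]
    num_dirs = struct.unpack_from("<I", data, dd - 4)[0]      # NumberOfRvaAndSizes
    sections = []
    sec_table = opt + opt_size
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "dll_name": None, "exports": []}
    if num_dirs == 0:
        return info
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)   # entry 0 = export table
    if exp_rva == 0:
        return info                                           # nothing exported
    exp = _rva_to_offset(exp_rva, sections)
    (_, _, _, _, name_rva, base, _nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, exp)
    info["dll_name"] = _cstring(data, _rva_to_offset(name_rva, sections))
    funcs = _rva_to_offset(funcs_rva, sections)
    names = _rva_to_offset(names_rva, sections)
    ords = _rva_to_offset(ords_rva, sections)
    for i in range(nnames):
        name_ptr = struct.unpack_from("<I", data, names + 4 * i)[0]
        name = _cstring(data, _rva_to_offset(name_ptr, sections))
        idx = struct.unpack_from("<H", data, ords + 2 * i)[0]   # index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", data, funcs + 4 * idx)[0]
        # An RVA that lands back inside the export directory is a forwarder string, not code.
        forwarder = None
        if exp_rva <= func_rva < exp_rva + exp_size:
            forwarder = _cstring(data, _rva_to_offset(func_rva, sections))
        info["exports"].append({"name": name, "ordinal": base + idx,
                                "rva": func_rva, "forwarder": forwarder})
    return info


def build_minimal_dll(export_names, dll_name="sample.dll") -> bytes:
    """Constructed stand-in for the real sample: a tiny PE32 DLL with one .rdata section
    holding an export directory. Function RVAs (0x2000+) are fake; only the headers matter."""
    sec_va, sec_raw = 0x1000, 0x200
    n = len(export_names)
    funcs_rel = 40                       # export directory header is 40 bytes
    names_rel = funcs_rel + 4 * n
    ords_rel = names_rel + 4 * n
    str_rel = ords_rel + 2 * n
    strings = bytearray(dll_name.encode() + b"\x00")
    name_rvas = []
    for nm in export_names:
        name_rvas.append(sec_va + str_rel + len(strings))
        strings += nm.encode() + b"\x00"
    sec = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_va + str_rel, 1, n, n,
                                sec_va + funcs_rel, sec_va + names_rel, sec_va + ords_rel))
    sec += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))
    sec += b"".join(struct.pack("<I", r) for r in name_rvas)
    sec += b"".join(struct.pack("<H", i) for i in range(n))
    sec += strings
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_va, len(sec))         # export data directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), sec_va, len(sec), sec_raw,
                          0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\x00\x00" + file_hdr + opt + sec_hdr
    image += b"\x00" * (sec_raw - len(image))
    return bytes(image + sec)


if __name__ == "__main__":
    sample = build_minimal_dll(["ldr"])
    print("sha256:", sha256_hex(sample))
    info = parse_exports(sample)
    print("dll:", info["is_dll"], "name:", info["dll_name"])
    for e in info["exports"]:
        print(f"  {e['name']} ordinal={e['ordinal']} rva={e['rva']:#x}")
```

Once the export name is known, the rundll32 invocation the post mentions is `rundll32.exe sample.dll,ldr`; rundll32 calls the export with the (hwnd, hinst, lpszCmdLine, nCmdShow) convention, which is worth remembering when reading the command-line handling later in the function.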

IDA:

It doesn't seem I have loaded any symbols. All sub…

When checking the exports I see ldr.

From my understanding, this ldr allows malware developers to inject a malicious DLL (DLL injection). I want to investigate this right after following a bit of the program's flow.

The first function I see in the flow is __security_cookie, which is protection against buffer overflows (SKIP).

Here's the first block of ldr:

APPDATA concerns me, since it could be where this DLL is going to load the malicious DLL from.

So far, nothing else interesting in the above screenshot.

I'm guessing the above could launch a process?

Two things from this screenshot:

signal: “handle an interrupt signal from the operating system”

Is this to replace the current process?

GetComputerNameW and GetUserNameW

What I've been seeing from other samples through Google is that once malware gets the name from the function, it goes on to read registry keys.

Reference -> Ragnar Locker ransomware: after GetComputerNameW, "Then the ransomware queries the registry to collect the machine GUID and Windows version."

NetWkstaGetInfo

0x64 -> 100

Returns information about the workstation environment.

In DNSpionage, another malware sample this function is used in, it is used mostly to avoid sandboxes.

The above tells me this DLL previously used NetApiBufferAllocate.

What I'm guessing is that this is used for C2 server communication.

In the below code I see lots of references to "KJKLO".

Also, the below has been quite recurring.

What I'm guessing is that this is some sort of dynamic memory allocation. What's odd, though, is that it seems to be checking for a condition which, if successful, leads to invalid_parameter_noinfo_noreturn.

The below screenshot caught my attention due to this loop of adding 4s to several registers. I'm really unsure what this is doing. There are also more sections of my above screenshot which still seem to have something to do with what was entered on the command line and part of an injection?

Time to go back and reanalyze one item that caught my attention.

This also has several calls to sub_586A20. Stepping into this, I clearly need to decompile it.

The below function takes 3 args.

Stepping into this function I see lots of structs I need to clear up.

Exiting this function and going back one, I see this:

This function is clearly doing something with this string. This would be param1 in FUN_00586a20. Since it is the 2nd param, I know it is being referenced by "this".

Below, I see another string of data being passed to FUN_00586a20.

So the current guess is that the item circled above in red is the data, while the yellow-highlighted item is the key to decrypt the data.
