Malware Journey Day 30

Nick Mckenney · 4 min read · Jan 7, 2024


Back to Malware Analysis

.NET Malware file

When first analysing it, I find the .rsrc section is pretty big.

My guess is that there is some type of shellcode in this section.

When throwing this into x32dbg, I find that it hits VirtualProtect right away. To me this won't be any use since it never all

Above is the sample I was referring to. When looking at the args of the address it was protecting, I see the size is far too small for any type of shellcode. Time to continue until I either see VirtualAlloc or another WINAPI function.

I next hit other entry points and hit this:

“Gdi32DllInitialize”

From my best guess, according to a quick Google search, it is for GUI. I guess this makes sense because my binary is based off .NET. Just a guess though.

Finally I hit my first VirtualAlloc function.

What caught me is the first param is NULL. A typical developer would want to set the address of VirtualAlloc for their shellcode.

When looking further into the args, it seems worthwhile to go through step by step since the size is large enough.

I dumped this value being moved to EAX.

I'm unsure if I'm just overanalyzing or if this is looking for debuggers. Though I'm kind of unsure, because I am in the function call VirtualAlloc, which doesn't break on debuggers, I think…

Unfortunately, after stepping through, there was nothing interesting.

The next VirtualAlloc is interesting, since the address it is allocating at was the return from the previous NtAllocateVirtualMemory.

This repeats a lot, though nothing is useful. I do also hit my first IsDebuggerPresent. Then this repeated a lot.

Hitting CreateProcessInternalW allows me to set a breakpoint at NtResumeThread. From my previous debugging session, if this is hit, a second process will need to be attached for further debugging. I will also set a bp at WriteProcessMemory, since this injects shellcode into the process created by CreateProcess. Overall, what CreateProcessInternalW does is allow malware developers to import shellcode. Hence why I set a bp at WriteProcessMemory.

Appears to be another process to attach to.

It's expected to hit wow64.dll, though I remember this is nothing to worry about. All it does is allow 32-bit programs to run on x64 processors.

I think, after dumping the 2nd process into the dump, I have the executable.

Above I see the MZ header, the PE header, the DOS string, and several section headers.

But…

This is just a DLL. Following it in the memory map gets me this.

It appears that, after continuing on the 2nd attachment, I hit an exception.

My first attached process has now crashed, unfortunately, so I am only using the 2nd attached process. Really, what I am looking for is

Since this is where shellcode will begin.

It appears this is writing to itself, due to the FFFFFFFFF. I do want to dump the address.

Dumping this DWORD leads to nothing. Again, I am dumping the 3rd arg, which is lpBuffer.
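The steps above are done by eye in x32dbg: reading the stdcall arguments off the stack at the VirtualAlloc and WriteProcessMemory breakpoints (NULL first argument, size "large enough"), treating an hProcess of -1 as "writing to itself", and walking the dumped buffer for the MZ header, PE header, DOS string and section headers to tell a DLL from an EXE. The Python below does the same checks on constructed input. It is an added example, not code from the original post or its sample: the stack snapshots, the memory map and the PE image are built inline, the 0x1000-byte "large enough" threshold is my assumption, and the 0xFFFFFFFF pseudo-handle is standard Windows behaviour (GetCurrentProcess returns (HANDLE)-1).

```python
"""Reads stdcall arguments from a 32-bit stack snapshot and checks whether the
buffer handed to WriteProcessMemory is a PE image. Added example; every byte
below is constructed, none of it comes from the sample in the post."""
import struct

# x86 stdcall at the API's first instruction: [esp] = return address, then one
# DWORD per argument in declaration order.
PROTOTYPES = {
    "VirtualAlloc": ["lpAddress", "dwSize", "flAllocationType", "flProtect"],
    "WriteProcessMemory": ["hProcess", "lpBaseAddress", "lpBuffer", "nSize", "lpNumberOfBytesWritten"],
}
MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE = 0x1000, 0x2000, 0x40
IMAGE_FILE_DLL = 0x2000       # COFF Characteristics bit: the image is a DLL
CURRENT_PROCESS = 0xFFFFFFFF  # (HANDLE)-1, the GetCurrentProcess() pseudo-handle
PAYLOAD_MIN_SIZE = 0x1000     # assumed threshold for "large enough to hold a payload"


def decode_stdcall_args(api, stack):
    """Map the DWORDs on the stack to the API's parameter names."""
    names = PROTOTYPES[api]
    if len(stack) < 4 * (len(names) + 1):
        raise ValueError("stack snapshot too short for %s" % api)
    values = struct.unpack_from("<%dI" % (len(names) + 1), stack)
    return dict(zip(["return_address"] + names, values))


def virtualalloc_notes(args):
    """By-eye heuristic from the post: NULL lpAddress, a sizeable request and
    RWX protection together look like shellcode staging."""
    notes = []
    if args["lpAddress"] == 0:
        notes.append("lpAddress is NULL (OS chooses the address)")
    if args["dwSize"] >= PAYLOAD_MIN_SIZE:
        notes.append("dwSize 0x%X is large enough for a payload" % args["dwSize"])
    if args["flProtect"] == PAGE_EXECUTE_READWRITE:
        notes.append("flProtect is PAGE_EXECUTE_READWRITE")
    return notes


def inspect_pe(buf):
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers; None if not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, 12 bytes we skip, SizeOfOptionalHeader, Characteristics
    nsections, opt_size, chars = struct.unpack_from("<2xH12xHH", buf, e_lfanew + 4)
    sections = []
    for i in range(nsections):
        off = e_lfanew + 24 + opt_size + 40 * i
        if off + 40 > len(buf):
            break  # the dump ends before the section table does
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", buf, off + 8)
        sections.append((name, vaddr, vsize, rawsize))
    return {"is_dll": bool(chars & IMAGE_FILE_DLL),
            "dos_string": b"This program cannot be run in DOS mode" in buf[:e_lfanew],
            "sections": sections}


def read_memory(memory, address, size):
    # memory is a constructed {base: bytes} map standing in for the debuggee.
    for base, data in memory.items():
        if base <= address < base + len(data):
            return data[address - base:address - base + size]
    return b""


def analyze_writeprocessmemory(stack, memory):
    """Decode the call, flag a self-write (hProcess == -1), inspect lpBuffer (the 3rd arg)."""
    args = decode_stdcall_args("WriteProcessMemory", stack)
    args["writes_to_self"] = args["hProcess"] == CURRENT_PROCESS
    return args, inspect_pe(read_memory(memory, args["lpBuffer"], args["nSize"]))


def build_stack(api, values, return_address=0x00401234):
    """Constructed stack snapshot as seen at the API's first instruction."""
    return struct.pack("<%dI" % (len(values) + 1), return_address, *values)


def build_sample_image(is_dll):
    """Constructed minimal PE: DOS header + stub string, PE signature, COFF header
    with an empty optional header, and .text/.rsrc section headers."""
    dos = bytearray(0x80)
    dos[:2], stub = b"MZ", b"This program cannot be run in DOS mode.\r\n$"
    dos[0x40:0x40 + len(stub)] = stub
    struct.pack_into("<I", dos, 0x3C, 0x80)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    image = bytes(dos) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, chars)
    for name, vaddr, size in ((b".text", 0x1000, 0x200), (b".rsrc", 0x2000, 0x4000)):
        image += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, vaddr, size, 0x400, 0, 0, 0, 0, 0x60000020)
    return image


if __name__ == "__main__":
    va_stack = build_stack("VirtualAlloc", [0, 0x6000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE])
    print("VirtualAlloc:", virtualalloc_notes(decode_stdcall_args("VirtualAlloc", va_stack)))
    image = build_sample_image(is_dll=True)
    wpm_stack = build_stack("WriteProcessMemory", [CURRENT_PROCESS, 0x00400000, 0x00A00000, len(image), 0])
    print("WriteProcessMemory:", analyze_writeprocessmemory(wpm_stack, {0x00A00000: image}))
```

The section walk stops as soon as the table runs past the end of the buffer, which is the usual failure mode when a dump is taken before the whole image has been written: a dump that starts with MZ but has no section headers yet is not evidence that the payload is not a PE, only that the write is not finished.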

I continued through WriteProcessMemory hoping to find a PE header. Unfortunately not.

Running into CreateProcessInternalW again, I see 2 args in the stack. To me this could be installing a script to communicate with a remote server. Since I have all networking turned off, there isn't much point to loading up Wireshark.

Other breakpoints I tried were:

What I was looking for in LoadLibraryA is what functions were being used. Nothing really interesting.

I was seeing a lot of CryptEncrypt and CryptDecrypt, though looking into this wasn't much.
