Malware Journey Day 33
Switching back to malware analysis currently. Time to unpack a file in dnSpy.
I chose dnSpy since the payload I am unpacking is a .NET binary.
Since this is the entry point, it is a good place to start.
From the Main function I jump into AboutBox1.
Looks like nabexx is just XX.
Time to look at what monoFlat_b is.
To me, it looks like it leads into AppDomain.CurrentDomain.Load ….
When following it, I see this:
So this tells me what it is encrypting, which is the shellcode. This is in the .rsrc section header. This is encrypted with AES. So I'm curious as to when this function gets hit. Time to set some breakpoints.
Interestingly enough, I see the double "X".
As predicted, I continue and hit the function below.
Time to jump to monoFlatxB().
It is my guess from here that it is passing XX to this function.
It appears I was wrong.
After re-stepping through it, I see that I missed crucial breakpoints. This makes sense now, though I am still unsure what this array of bytes does.
Continuing on, I see it is trying to find the language of the host. I'm guessing??
When continuing further, I had to skip a lot more information-gathering functions.
I did find the below interesting:
I'm guessing the data is already encrypted, but we also have the key to decrypt it.
Also over here, I see this is pretty much looping until true.
From my previous understanding, nabexx[0] should just be X.
It looks like from the above I finally get true when name and FullName are X. This is due to nabexx being statically set to XX. When finishing the above function, I get the below.
I see an MZ header here. Since this is a .NET binary, it's probably loading
When continuing on, I see I eventually hit the function below.
Seems to be a pattern with X. Anyways, what's being passed into X is actually XX.
When stepping further, I see the function X has the two values seen before.
When looking further, I can tell from the image below that xAZADF will possibly launch a process.
The function leads me to this, which should bring me to a new DLL.
This looks interesting after stepping into invoke.
So far it seems best to follow this invoke, since the rest of the functions I need after stepping into the previous function are mostly security checks.
Anyways
It appears I'm passing all null to this function.
Funny enough, I would've thought this would be a dead end. Though stepping into this function leads me to find it was expecting a null.
Since the screenshot below currently has no arguments, nothing will happen. I want to eventually execute the part highlighted in red.
When stepping into the call highlighted in red,
I look into the args and see another MZ header.
When dumping it and placing it in pestudio, I see this:
I was kind of expecting the signature to be .NET.
Well, looking into strings makes it pretty obvious what I'm seeing:
Remcos.
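The two moments above where an MZ header shows up in a dumped argument, and the pestudio check that was expected to say .NET, can be scripted rather than eyeballed. The following is an added example and not the author's code or anything taken from the sample: using only the Python standard library it carves every valid PE header out of a dumped byte blob (an "MZ" whose e_lfanew really points at "PE\0\0") and reports whether each one carries a CLR runtime header (data directory 14), which is what marks a .NET assembly as opposed to a native PE. The blob it runs on is constructed inline from header-only PE images and is not the Remcos payload or the loader.

```python
"""Carve embedded PE images out of a dumped byte blob and check whether each
one is a .NET assembly (non-empty CLR runtime header directory).

Added example; standard library only. All sample data is constructed here for
illustration and is not the payload or loader discussed in the post.
"""
import struct
from typing import Dict, List, Optional

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot for the CLR header


def pe_header_offset(data: bytes, base: int = 0) -> Optional[int]:
    """Return the offset of 'PE\\0\\0' if data[base:] starts with a real MZ header."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if pe + 4 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def carve_pe_offsets(blob: bytes) -> List[int]:
    """Offsets of every 'MZ' in blob whose e_lfanew points at a PE signature.

    A bare 'MZ' with no valid PE signature behind it (e.g. a string) is skipped."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pe_header_offset(blob, pos) is not None:
            found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def is_dotnet_pe(data: bytes, base: int = 0) -> bool:
    """True if the PE at data[base:] has a non-empty CLR runtime header entry."""
    pe = pe_header_offset(data, base)
    if pe is None:
        return False
    size_opt = struct.unpack_from("<H", data, pe + 4 + 16)[0]  # COFF.SizeOfOptionalHeader
    opt = pe + 24                                              # start of optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dir_start = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dir_start = opt + 108, opt + 112
    else:
        return False
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    entry = dir_start + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_opt:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image (no sections) so the checks above can be exercised."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_len = 240 if pe32plus else 224                 # standard sizes with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_len, 0x2002)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    dir_start = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dir_start - 4, 16)     # NumberOfRvaAndSizes
    if dotnet:                                         # hypothetical CLR header RVA/size
        struct.pack_into("<II", opt, dir_start + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def demo() -> Dict[int, bool]:
    """Constructed blob: a decoy 'MZ', a native PE32 image, junk, then a .NET PE32+ image."""
    native = build_minimal_pe(dotnet=False)
    managed = build_minimal_pe(dotnet=True, pe32plus=True)
    blob = b"\x00" * 7 + b"MZ" + b"\x00" * 3 + native + b"junk" + managed
    return {off: is_dotnet_pe(blob, off) for off in carve_pe_offsets(blob)}


if __name__ == "__main__":
    for off, managed in demo().items():
        print(f"PE at offset {off}: {'.NET assembly' if managed else 'native PE'}")
```

On a real dump, read the file with `open(path, "rb").read()` and feed it to `carve_pe_offsets` and `is_dotnet_pe`; a header-only check like this is deliberately lenient about the rest of the image, so it says whether the loader is about to hand a managed or a native PE to the next stage, not whether the image is well-formed.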