Friday, 8 February 2019

Pandabanker: from the obfuscated JS to the unpacked PE file

Hi Everybody,

today I was looking at the amazing Yomi sandbox and a sample caught my attention:
https://yomi.yoroi.company/report/5c5008255bd174287f15cea3/5c500979c32b700be2d9b30e/overview

Unfortunately, Yomi does not provide a sample download function, but because this sample was a script file, the JS code is printed in the static analysis page. 💔

Obfuscated JS.... challenge accepted! :)
First of all, a "beautify" pass is appreciated to get more readable code:
This is a pretty easy script, so I prefer a very practical solution: using a web browser's console :)
Starting from the lgGke:


Before playing again with the browser's console, since (I know it's a bad idea, but in this case) I wasn't working on a VM, I disarmed the script by setting sP7yr = "";



and... "beautified" it looks great :)



In a few steps the script, with a GET request, downloads the "connection.jpg" image (which is not a jpg but a PE file), renames it to what it really is (exe) in the %TEMP% directory and executes it. Very easy.
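As an added illustration (not the author's script and not the original dropper), a small Python check a defender can run on a fetched "image" such as connection.jpg, or later on a dumped memory region, to tell whether the bytes are really a PE: it walks the MZ header, e_lfanew and the PE signature and reads the COFF fields. The sample bytes below are constructed for the demo, not taken from the real file.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"


def classify_download(data: bytes) -> dict:
    """Report what the bytes actually are, regardless of the claimed .jpg name."""
    result = {
        "claimed_jpeg": data.startswith(JPEG_MAGIC),
        "is_pe": False,
        "machine": None,
        "sections": None,
    }
    # DOS header: "MZ" magic, e_lfanew (offset of the PE header) at 0x3C
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be in range
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result.update(is_pe=True, machine=hex(machine), sections=nsections)
    return result


def disguised_pe(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the content is a PE file."""
    info = classify_download(data)
    return filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif")) and info["is_pe"]


def build_fake_pe() -> bytes:
    # Constructed minimal PE header (hypothetical sample, not connection.jpg):
    # 0x40-byte DOS header pointing at a PE signature followed by a COFF header.
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=0x14C (i386), NumberOfSections=3, remaining COFF fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    print(classify_download(build_fake_pe()))
    print(disguised_pe("connection.jpg", build_fake_pe()))
```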

"Unfortunately" the server is unreachable and I wasn't able to download the exe, so I looked for the (probably) same exe by searching the server URL on VirusTotal and Hybrid Analysis and picking the most recent matching sample.

https://www.hybrid-analysis.com/sample/3cde95dc3ac1b900ce67cb0cf9be308c0587bfd75faf47ba77bd37b8e91b1d50?environmentId=100

The downloaded malware looks like a BEAUTIFUL custom-packed PE. And for some reason IDA fails the autoanalysis. 👀
Interesting!! :)


To avoid the issue I opened the PE again with IDA's Autoanalysis feature disabled, converted the entry point to data with the "D" key, and ran the reanalyze feature. 😀

Not good, but far better than before; the first impression was clear: it's a packed PE with beautiful garbage obfuscated code. Love it! :D
The start function does nothing except slowly calling the 0040B82D address after some timer work :)
Following the code you can see the "obfuscated" strings come out, plus other useful stuff for a quick unpack.
Using x32dbg and a couple of breakpoints on VirtualProtect and VirtualAlloc,
after a few seconds of runtime (because of the timers) and a couple of runs:
Something interesting comes out :)
Dump the memory section at 005B0000 (in my case) and the malware comes out. No rebase needed either 😄

I had only a few minutes today and no time to look into it, but there are some interesting calls to a CryptoEncrypt API :)

The unpacked file is here, labeled as Panda, Pandabanker, so... a Zeus variant:
https://www.hybrid-analysis.com/sample/75db065b70c6bce9117e46a6201d870e580d07b7c3ee6d2ddab34df0b5dff51f/5c5da8427ca3e13f02257306

Cheers,
RE Solver


