Friday, 8 February 2019

Pandabanker: from the obfuscated JS to the unpacked PE file

Hi Everybody,

today I was looking at the amazing Yomi sandbox and a sample caught my attention:

Unfortunately, Yomi does not provide a sample download function, but since this sample was a script file, the JS code is printed on the static analysis page. 💔

Obfuscated JS.... challenge accepted! :)
First of all, a "beautify" pass is appreciated to get more readable code:
This is a pretty easy script, so I prefer a very practical solution: using a web browser :)
Starting from the lgGke:

Before playing again with the browser's console, since I wasn't working on a VM (I know it's a bad idea, but in this case), I disarmed the script by setting sP7yr = "";

and...."beautified" it looks great :)

In a few steps the script, with a GET request, downloads the "connection.jpg" image (which is not a JPEG but a PE file), renames it as it should be (exe) in the %TEMP% directory and executes it. Very easy.

"Unfortunately" the server is unreachable and I wasn't able to download the exe, so I found the (probably) same exe by searching the server URL on VirusTotal and Hybrid Analysis for the most recent sample.

The downloaded malware looks like a BEAUTIFUL custom-packed PE. And for some reason IDA fails the auto-analysis. 👀
 Interesting!! :)

To avoid the issue I opened the PE again with IDA's auto-analysis feature disabled, converted the entry point to data with the "D" key, and ran the reanalyze feature. 😀

Not good, but far better than before; the first impression was clear: it's a packed PE with beautiful garbage obfuscated code. Love it! :D
The start function does nothing except slowly calling the 0040B82D address after some timer work :)
Following the code you can see the "obfuscated" strings come out, plus other useful stuff to perform a quick unpack.
By using x32dbg and a couple of BPs on VirtualProtect and VirtualAlloc,
after a few seconds of runtime (because of the timers) and a couple of runs,
something interesting comes out :)
Dump the memory section at 005B0000 (in my case) and the malware comes out. No need for a rebase either 😄
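As an added example (not the post's own code), a small Python check that covers two of the steps above: flagging a download whose name claims an image but whose bytes carry a PE header, and reading ImageBase out of a dumped region to tell whether a rebase is needed. The header offsets are the standard PE32/PE32+ layout; the sample blob is constructed here, not the real connection.jpg.

```python
import struct

def build_fake_pe32(image_base: int = 0x00400000) -> bytes:
    """Constructed minimal PE32 header (not a real sample): DOS header with
    e_lfanew=0x40, PE signature, COFF header, first 32 bytes of optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, image_base)
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + coff + opt

FAKE_JPG = build_fake_pe32()   # what a "connection.jpg" really was: a PE, not a JPEG

def pe_headers(blob: bytes):
    """Scan a dumped region for embedded PE headers; return [(offset, image_base)]."""
    found = []
    pos = blob.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and pe + 56 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                magic = struct.unpack_from("<H", blob, pe + 24)[0]   # optional header starts at +24
                if magic == 0x10B:    # PE32: ImageBase is a DWORD at optional header +28
                    found.append((pos, struct.unpack_from("<I", blob, pe + 24 + 28)[0]))
                elif magic == 0x20B:  # PE32+: ImageBase is a QWORD at optional header +24
                    found.append((pos, struct.unpack_from("<Q", blob, pe + 24 + 24)[0]))
        pos = blob.find(b"MZ", pos + 1)
    return found

def classify_download(filename: str, data: bytes) -> str:
    """Flag a download whose extension says image but whose bytes are a PE."""
    is_pe = data[:2] == b"MZ" and bool(pe_headers(data[:0x1000]))
    claims_image = filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))
    if is_pe and claims_image:
        return "pe-masquerading-as-image"
    return "pe" if is_pe else "other"

def needs_rebase(dump_address: int, image_base: int) -> bool:
    """A dumped image only needs relocation fix-ups if it was not at its ImageBase."""
    return dump_address != image_base

if __name__ == "__main__":
    print(classify_download("connection.jpg", FAKE_JPG))
    for off, base in pe_headers(FAKE_JPG):
        print(f"PE at +{off:#x}, ImageBase {base:#010x}, rebase needed: {needs_rebase(0x005B0000, base)}")
```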

I had only a few minutes today and no time to look into it, but there are some interesting calls to the CryptEncrypt API :)

The unpacked file is here, labeled as Panda / Pandabanker, so....a Zeus variant:

RE Solver
