Nowadays, from WhatsApp to malware, hiding code in images is very trendy. 😂
https://www.hybrid-analysis.com/sample/f2eb9c854497a9befe9da6592fd405a97b0745a250bd0858a1ab89ebbe37b6b2?environmentId=120
AV Detection: 31%
That was intriguing, so I decided to take a look at it:
The resource is a bmp image and it hides a dll named "stub.dll". The malware uses a "Reflective DLL Injection" technique, implementing exactly Nick Landers' github project "sRDI - Shellcode Reflective DLL Injection" https://github.com/monoxgas/sRDI/
"hitlerdidnothingwrong" (If you say so....) is the "decryption key" of the first bitmap resource (which is actually just a xor obfuscation!).
Once the dll is loaded, the "Stub.dll"'s main function is called:
Once again, a second resource is deobfuscated.
This new dll is then converted to shellcode, which makes debugging trivial.
Before it is manipulated into shellcode, the easiest thing to do was to intercept the deobfuscated resource and analyze the x86 DLL with IDA Pro or x32dbg.
A quick static analysis shows that another PE is embedded in the dll at offset 0x2618.
Well, once brutally cut out, the data contained in the dll turned out to be a valid PE😀
https://www.hybrid-analysis.com/sample/f39cf1b0817e4d7227fe30b11dccb0b7c0a91f3d1d6086d9bc307a6ad23a3fe6/5c62e6697ca3e112067b5ecb
AV Detection: 84%
No more doubts.😉
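As an added example (not the blog's own code and not the malware's), here is a small Python triage helper that does the two steps described above: strip the repeating-key XOR from a resource, then carve any embedded PE out of the result by walking its section table, so the "brutal cut" ends exactly where the file does. The key, the junk prefix and the minimal PE are constructed for the demo, not taken from the sample.

```python
import struct

def xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo repeating-key XOR obfuscation (the kind of 'decryption' described above)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def find_embedded_pes(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            sig = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def pe_file_size(data: bytes, base: int) -> int:
    """On-disk size of the PE at `base`: furthest raw end of any section,
    falling back to SizeOfHeaders for a headers-only image."""
    coff = base + struct.unpack_from("<I", data, base + 0x3C)[0] + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    end = struct.unpack_from("<I", data, coff + 20 + 60)[0]  # SizeOfHeaders
    sect = coff + 20 + opt_size
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def carve_pes(blob: bytes, key: bytes) -> list:
    """XOR-decode a resource, then return (offset, bytes) for each embedded PE."""
    plain = xor_decode(blob, key)
    return [(off, plain[off:off + pe_file_size(plain, off)]) for off in find_embedded_pes(plain)]

def build_sample_pe(payload: bytes = b"A" * 16) -> bytes:
    """Constructed minimal PE32 (not the sample's): DOS header, PE sig, one section."""
    e_lfanew, opt_size, hdr_size = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    opt[0:2] = b"\x0b\x01"                      # PE32 magic
    struct.pack_into("<I", opt, 60, hdr_size)    # SizeOfHeaders
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), hdr_size) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(hdr_size, b"\0") + payload

if __name__ == "__main__":
    sample = xor_decode(b"JUNK" * 10 + build_sample_pe(), b"k3y")  # constructed resource
    print([(off, len(pe)) for off, pe in carve_pes(sample, b"k3y")])
```

On a real dump you would feed the raw resource bytes and the recovered key to carve_pes and write each returned buffer to disk for IDA or a sandbox.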
Cheers,
RE Solver