Tuesday, 12 February 2019

When malware hides code in images and uses an open source project to run itself

Hello Everybody,


Nowadays, from WhatsApp to malware, hiding code in images is very trendy. 😂



Something similar happened to me today with this sample:
https://www.hybrid-analysis.com/sample/f2eb9c854497a9befe9da6592fd405a97b0745a250bd0858a1ab89ebbe37b6b2?environmentId=120

AV Detection: 31%
That was intriguing, so I decided to take a look at it:



The resource is a BMP image that hides a DLL named "stub.dll". The malware uses the "Reflective DLL Injection" technique, implementing exactly Nick Landers's GitHub project "sRDI - Shellcode Reflective DLL Injection": https://github.com/monoxgas/sRDI/

"hitlerdidnothingwrong" (if you say so....) is the "decryption key" for the first bitmap resource (which is actually just a XOR obfuscation!).
Once the DLL is loaded, the main function of "stub.dll" is called:


Once again, a second resource is deobfuscated.
This new DLL is then converted to shellcode, which makes debugging less straightforward.
Rather than chasing the shellcode, the easiest thing to do was to intercept the deobfuscated resource before it is converted and analyze the x86 DLL with IDA Pro or x32dbg.

A quick static analysis shows that another PE is embedded in the DLL at offset 0x2618.



Well, once brutally carved out, the data embedded in the DLL turned out to be a valid PE 😀
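The two manual steps above (undoing the XOR "encryption" of the bitmap resource, then cutting the embedded PE out of the decoded DLL) are easy to script. The following is an added example, not code from the original post or from the sRDI project: it recovers a repeating XOR key from the DOS-stub text that every linker-built DLL carries, decodes the resource, then finds and carves any PE embedded inside it by parsing the section table for its true size. All input is constructed in memory; the key `xor-demo-key1`, the offsets and the payloads are assumptions for the demo, not values from the real sample.

```python
"""Added example (not the post's or sRDI's code): XOR-key recovery for a
PE hidden in a resource, plus carving of a PE embedded inside that PE.
Everything below runs on constructed data; key/offsets are demo assumptions."""
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
DOS_STUB_OFF = 0x4E   # where MSVC-style linkers place that string


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pe_extent(data: bytes, off: int):
    """Size of the PE image starting at data[off], or None if the headers do
    not parse.  Size = furthest raw end of any section, i.e. exactly the
    number of bytes to carve out of a container."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    pe = struct.unpack_from("<I", data, off + 0x3C)[0]            # e_lfanew
    if off + pe + 24 > len(data) or data[off + pe:off + pe + 4] != b"PE\0\0":
        return None
    nsect, opt_size = struct.unpack_from("<H12xH", data, off + pe + 6)
    sect = pe + 24 + opt_size                                      # section table
    end = sect + 40 * nsect
    if off + end > len(data):
        return None
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end if off + end <= len(data) else None                 # truncated: reject


def recover_xor_key(cipher: bytes, max_key_len: int = 64):
    """Known-plaintext attack: under the DOS-stub text each ciphertext byte
    leaks one key byte.  Accept the shortest key length whose recovered key
    turns the blob into a PE that parses."""
    if len(cipher) < DOS_STUB_OFF + len(DOS_STUB_TEXT):
        return None
    for klen in range(1, min(max_key_len, len(DOS_STUB_TEXT)) + 1):
        key = bytearray(klen)
        for i, p in enumerate(DOS_STUB_TEXT):
            pos = DOS_STUB_OFF + i
            key[pos % klen] = cipher[pos] ^ p
        if pe_extent(xor_repeating(cipher, bytes(key)), 0) is not None:
            return bytes(key)
    return None


def find_embedded_pes(data: bytes, start: int = 1):
    """(offset, size) of every well-formed PE inside data; offset 0, the
    container itself, is skipped by default."""
    found, off = [], data.find(b"MZ", start)
    while off != -1:
        size = pe_extent(data, off)
        if size:
            found.append((off, size))
        off = data.find(b"MZ", off + 1)
    return found


def carve_pe(data: bytes, off: int):
    """The exact bytes of the PE at data[off], or None if it does not parse."""
    size = pe_extent(data, off)
    return data[off:off + size] if size else None


def build_fake_pe(payload: bytes) -> bytes:
    """Minimal single-section PE32 for the demo (constructed, not a real binary)."""
    hdr = bytearray(0x80)                       # DOS header + stub, e_lfanew = 0x80
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[DOS_STUB_OFF:DOS_STUB_OFF + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    opt = bytes([0x0B, 0x01]) + bytes(222)      # PE32 magic, rest zeroed
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    raw_ptr = 0x200
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(hdr + coff + opt + sect)
    image += bytes(raw_ptr - len(image))        # pad headers up to the section data
    image += payload
    return bytes(image)


def demo():
    """Replays the post's steps on constructed data: XOR'd resource -> DLL -> inner PE."""
    inner = build_fake_pe(b"INNER-PAYLOAD" * 4)                      # stands in for the PE found inside the DLL
    outer = build_fake_pe(b"\xCC" * 0x60 + inner + b"\xCC" * 0x20)   # stands in for stub.dll
    key = b"xor-demo-key1"                                           # ASSUMED demo key, not the sample's
    resource = xor_repeating(outer, key)                             # what the .bmp resource would hold
    found_key = recover_xor_key(resource)
    decoded = xor_repeating(resource, found_key)
    off, _size = find_embedded_pes(decoded)[0]
    return found_key, off, carve_pe(decoded, off) == inner


if __name__ == "__main__":
    print(demo())   # (b'xor-demo-key1', 608, True)
```

On a real sample you would feed `recover_xor_key` the raw bytes of the bitmap resource (dumped with any resource editor) and then run `find_embedded_pes` on the decoded DLL; the carve size comes from the section table rather than from guessing where the inner file ends, which is what "brutally cutting" gets wrong when the container has trailing data. The known-plaintext trick only works when the hidden file keeps a standard DOS stub; a DLL with a stripped stub needs a different crib (for example the `PE\0\0` signature and zeroed header fields).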


https://www.hybrid-analysis.com/sample/f39cf1b0817e4d7227fe30b11dccb0b7c0a91f3d1d6086d9bc307a6ad23a3fe6/5c62e6697ca3e112067b5ecb

AV Detection: 84%

No more doubts. 😉
Cheers,
RE Solver



