Tuesday, 12 February 2019

When malware hides code in images and uses an open-source project to run itself

Nowadays, from WhatsApp to malware, hiding code in images is very trendy. 😂

Something similar happened to me today with this sample:

AV Detection: 31%
That was intriguing, so I decided to take a look at it:

The resource is a BMP image that hides a DLL named "stub.dll". The malware uses a "Reflective DLL Injection" technique, implementing exactly Nick Landers's GitHub project "sRDI - Shellcode Reflective DLL Injection".

"hitlerdidnothingwrong" (If you say so....) is the "decryption key" of the first bitmap resource (which actually is just an XOR obfuscation!).
Once the DLL is loaded, the main function of "Stub.dll" is called:

Once again, a second resource is deobfuscated.
This new DLL is then converted to shellcode, which affects how easily it can be debugged.
Before it is manipulated into shellcode, the easiest thing to do was to intercept the deobfuscated resource and analyze the x86 DLL with IDA Pro or x32dbg.

A quick static analysis shows that another PE is contained in the DLL at offset 0x2618.

Well, once brutally carved out, the data contained in the DLL turned out to be a valid PE 😀

AV Detection: 84%

No more doubts. 😉
RE Solver

