MD5 hash: DC4200AC514006F084EAD7F83B84C928
Virus Total Link: https://www.virustotal.com/gui/file/a850de0705c0f6095910aa1d5ed0e73a49581aa7427fcfaf2ff5144e93b047c1/community
Intro:
Hi all! Today, I will be analyzing a .NET malware sample. To analyze this sample we can use dnSpy, a .NET debugger and assembly editor. We will try to determine the malware's capabilities and any additional information we can glean from it, such as IOCs and dropped files.
You can find it here: https://github.com/dnSpy/dnSpy, or install FLARE VM (https://github.com/mandiant/flare-vm) in your local virtual machine.
Analysis Pt 1:
First, let's do some basic dynamic analysis on the malware by running it. We can monitor its execution with tools such as ProcMon and Process Hacker.
In ProcMon, filter on the malware's process name to monitor what it does when executed. Make sure you are not connected to the internet when running the malware.
Some interesting findings:
1. It doesn't seem to create any new processes when observed in Process Hacker.
2. It tries to open and query registry keys such as: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, HKCU\Software\Google\Google Desktop\Mailboxes, HKCU\Software\Microsoft\Office\Outlook\OMI, HKCU\Software\DownloadManager\Passwords, to name a few. We can hence infer that the malware may look for passwords and other credentials stored on the system by multiple applications and browsers such as Chrome, Paltalk, MSN Messenger, Yahoo, Mozilla Thunderbird and others.
3. It tries to load and query multiple DLLs such as kernel32.dll, advapi32.dll (registry access), wininet.dll (HTTP functionality) and more.
4. It may store collected passwords and other credentials in two files created in C:\ProgramData, named 'Browsers.txt' and 'Mails.txt'.
Analysis Pt 2:
Let's analyze further, statically, with dnSpy!
When analyzing the entry point of the malware, 'GonnyCam.main', we first see that it starts multiple threads such as GetCurrentWindow, RecordKeys, Screen Logging and Password Recovery, to name a few. This suggests the malware may also have keylogger functionality.
The malware uses multiple libraries, such as:
Dynamic, Encryption, FileZilla, GetActiveWindow, GonnyCam, IMVU, InternetDownloadManager,
JDownloader, KeyHook (keylogging functions), Paltalk, RecoverBrowsers, RecoverMail, Send (sends logs to the C2), Óµ (this library is used for decrypting strings/text)
Analyzing the 'GetCurrentWindow' and 'RecordKeys' functions, we can see the malware retrieves the window title, machine time and the keystrokes typed, and logs them.
'SendLog' compares strings against field names such as link, logtype, windowtitle, keystrokestyped, application, host, username, password and clipboard, and uploads the contents to a web file on a possible C2 server. The malware doesn't call anything related to screenshots; it only compares a notification value against false, so my guess is that this feature was disabled for this sample because the author ran out of time.
We can see in the RecordKeys function figure that it sends the logs to 'GonnyCam.P_Link'.
P_Link is the C2 server address the attacker uses to send and receive data, as seen in the picture below:
The malware searches for and collects passwords from the following browsers, mail clients and other software.
If it is a mail client, it collects the email address, password, server and application name and writes them to C:\ProgramData\mails.txt. Browsers are handled similarly: collected browser data and credentials are written to C:\ProgramData\browsers.txt, as seen in our basic dynamic analysis.
In the Encryption library, we can see the malware likely uses symmetric AES encryption, since it uses a key and an IV to create a decryptor for some data. AES is the standardized form of the Rijndael cipher.
There are two dropped resources that we can find in the malware. If we set some breakpoints and keep stepping over, we find that our first MZ executable is stored in Array 2 at [0x00018400].
1. Óµ.ØØØØ(executablePath, cmd, Encryption.RSMDecrypt(ƈƖƻƨÔ, bytes), false); RecoverMail Line 65
2. Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(ƄƏƵÉ, new byte[8], 1); RSMDecrypt Line 5
We can see this by selecting Show Memory Window on array02 (which will display 'MZ' and 'This program cannot be run in DOS mode', a common pattern for identifying EXE/DLL files) and saving it as a .bin file via Save Selection. This is our first dropped executable.
We can set another breakpoint, continue stepping over, and run:
string text = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData) + "\\Mails.txt"; RecoverMail Line 53
Step over and keep running, and we find another MZ executable in Array 2 at [0x00055000]. Repeat the process and save it as another .bin file.
The first executable is used to steal/recover email passwords from the system. If we analyze it in IDA or PEStudio we can see strings that indicate what it collects.
The second executable is used to steal credentials, data and passwords from web browsers.
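The MZ-carving step above, as an added Python example that is not from the original post: it scans a dumped byte array for 'MZ' headers, validates the PE signature and uses the section table to compute how many bytes to save, so you don't have to guess where the selection ends in the memory window. The blob, the minimal PE images and the stray 'MZ' in it are all constructed here for the demo and are not taken from the malware.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"  # the string the post spots in the memory window

def pe_length(buf, off):
    """Size of the PE image starting at buf[off], or None if the headers there are not a sane PE."""
    try:
        if buf[off:off + 2] != b"MZ":
            return None
        e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)   # offset of the PE signature
        pe = off + e_lfanew
        if buf[pe:pe + 4] != b"PE\0\0":
            return None
        num_sections, = struct.unpack_from("<H", buf, pe + 6)
        opt_size, = struct.unpack_from("<H", buf, pe + 20)      # SizeOfOptionalHeader
        sec_table = pe + 24 + opt_size
        end = sec_table + num_sections * 40                      # at least the headers
        for i in range(num_sections):                            # 40-byte section headers
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sec_table + i * 40 + 16)
            end = max(end, off + raw_ptr + raw_size)             # SizeOfRawData, PointerToRawData
        return end - off
    except struct.error:                                         # ran off the end of the buffer
        return None

def carve_pe(buf):
    """Return [(offset, image_bytes)] for every embedded PE image found in buf."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        n = pe_length(buf, pos)
        if n and DOS_STUB in buf[pos:pos + 0x100]:               # require the DOS stub string too
            found.append((pos, buf[pos:pos + n]))
            pos = buf.find(b"MZ", pos + n)                       # skip past the whole image
        else:
            pos = buf.find(b"MZ", pos + 1)                       # false positive, keep scanning
    return found

def build_fake_pe(payload):
    """Constructed, non-runnable PE image for the demo: DOS header + stub, COFF header, one section at 0x200."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + DOS_STUB).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), 0x200)
    return (dos + coff + sec.ljust(40, b"\0")).ljust(0x200, b"\0") + payload

if __name__ == "__main__":
    # Constructed stand-in for the dumped array: junk, a PE, a stray "MZ", a second PE.
    blob = b"junk\0" * 7 + build_fake_pe(b"A" * 16) + b"\0MZ\0" + build_fake_pe(b"B" * 32)
    for off, image in carve_pe(blob):
        print(f"PE at 0x{off:08X}, {len(image)} bytes")           # each image can be written out as a .bin
        with open(f"dropped_{off:08X}.bin", "wb") as f:
            f.write(image)
```

For a real dump, read the saved array bytes into `blob` instead of the constructed one; an image whose section table points past the end of the dump will be cut short, so compare the carved size against what the memory window shows.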
Conclusion:
This .NET malware sample acts as a keylogger and tries to steal/recover passwords from multiple email clients, browsers and other software on an infected system. Thanks for reading!
IOCs extracted (MD5):
1. DC4200AC514006F084EAD7F83B84C928
2. 05468F42AEA663F756E4CDDC42491913
3. DC4CA15BD566DEF0259EDF6D0F692EB0
Capabilities: Keylogging, password stealing for emails and browsers
Encryption: AES
C2: http://ziraat-helpdesk.com/components/com_content/limpopapa/