Analyzing a .Net Sample: ziraat_limpi.exe

Intro:

Hi all! Today, I will be analyzing a .NET malware sample. To analyze this sample we can use dnSpy, a .NET debugger and assembly editor. We will be trying to find the capabilities of the malware and any additional information we can glean from it, such as IOCs and dropped files.

You can find it here: https://github.com/dnSpy/dnSpy, or install FLARE VM (https://github.com/mandiant/flare-vm) on your local virtual machine.

Analysis Pt 1:

First, let's do some basic dynamic analysis of the malware by running it. We can monitor its execution with tools such as ProcMon and Process Hacker.

In ProcMon, filter on the process name of the malware to monitor what it does when executed. Make sure you are not connected to the internet when running the malware.

Filter the malware in ProcMon

Some interesting findings:

Querying Chrome and Opera User Data and saving it to Browsers.txt example
Newly Created Files when the malware is run

Analysis Pt 2:

Let's try to analyze further, statically, via dnSpy!

When analyzing the entry point of the malware, 'GonnyCam.main', we can first see that the malware starts multiple threads such as GetCurrentWindow, RecordKeys, Screen Logging and Password Recovery, to name a few. This suggests the malware also has keylogger functionality.

Threads Being created when malware is run

The malware uses multiple libraries, such as:

Analyzing the 'GetCurrentWindow' and 'RecordKeys' functions, we can see the malware tries to get the window title, machine time and keystrokes typed, and logs them.

Record Keys function

'SendLog' compares strings against values such as link, logtype, windowtitle, keystrokestyped, application, host, username, password and clipboard, and uploads the contents to a web file on a possible C2 server. The malware also doesn't call anything related to screenshots; it only compares a notification flag if false, so my guess is that this feature is disabled in this sample due to lack of time in creating it.

Snippet of SendLog Function

We can see in the Record Keys function figure that it tries to send the logs to 'GonnyCam.P_Link'.

P_Link turns out to be the C2 server the attacker uses to send and receive data, as seen in the picture below:

C2 Server/Domain

The malware collects and searches for passwords for the following browsers, mail clients and other software.

Malware collects and searches for passwords for following software and browsers

If it's a mail client, it will get the email address, password, server and application and write them to C:\ProgramData\mails.txt. The behaviour is similar for browsers: collected browser data and credentials are written to C:\ProgramData\browsers.txt, as seen in our basic dynamic analysis.

In the Encryption library, we can see the malware uses some form of symmetric AES encryption, since a Key and an IV are used to create a decryptor for some data. AES is also known as Rijndael.

Snippet of Encryption Function

There are two dropped resources that we can find in the malware. If we set some breakpoints and keep stepping over, we find that the first MZ executable is stored in Array 2 with the value [0x00018400].

We can see this by selecting Show Memory Window on array02 (which will display 'MZ' and 'This program cannot be run in DOS mode', a common pattern for identifying EXE/DLL files) and saving it as a .bin file via Save Selection. This is our first dropped executable.

Go to Array02 → Show Memory Window → Save selection

We can set another breakpoint, continue to step over, and run:

Step over and keep running, and we find another MZ executable in Array 2 with the value [0x00055000]. Repeat and save it as another .bin file.
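Once a memory window has been saved as a .bin, it helps to confirm that an 'MZ' hit is really a complete PE image rather than a stray two-byte match in array data. The scanner below is my own added example (not code from the post or from the sample): it follows e_lfanew to the PE signature, sizes the image from its section table, and carves each validated image out of the blob. The sample blob and the build_minimal_pe fixture are constructed here purely so it runs offline.

```python
import struct

def _pe_size_at(blob: bytes, off: int) -> int:
    """Validate a candidate MZ header at `off` and return the on-disk image size, or 0."""
    if off + 0x40 > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return 0
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sect = pe + 24 + opt_size                  # section table follows the optional header
    end = sect + num_sections * 40             # image at least covers its headers
    if end > len(blob):
        return 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect + i * 40 + 16)
        end = max(end, off + raw_ptr + raw_size)
    return end - off if end <= len(blob) else 0  # truncated images are not carved

def find_pe_images(blob: bytes) -> list:
    """Return (offset, size) for every validated PE image embedded in blob."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        size = _pe_size_at(blob, pos)
        if size:
            found.append((pos, size))
        pos = blob.find(b"MZ", pos + (size or 1))
    return found

def carve_pe_images(blob: bytes) -> list:
    """Return the raw bytes of each embedded image; the caller writes them to .bin files."""
    return [blob[off:off + size] for off, size in find_pe_images(blob)]

def build_minimal_pe(section_data: bytes) -> bytes:
    """Constructed test fixture: a minimal one-section PE layout (headers only, not runnable)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, no optional header
    data_off = 0x40 + len(coff) + 40            # section data follows the 40-byte section header
    section = b".text\0\0\0" + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), data_off) + bytes(16)
    return bytes(dos) + coff + section + section_data

# Constructed sample blob: two images, a decoy "MZ" between them, and junk either side.
SAMPLE_BLOB = b"junk " + build_minimal_pe(b"A" * 16) + bytes(7) + b"MZ broken" + build_minimal_pe(b"B" * 32) + b"tail"

if __name__ == "__main__":
    for i, (off, size) in enumerate(find_pe_images(SAMPLE_BLOB)):
        print(f"image {i}: offset 0x{off:x}, size {size} bytes")
```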

The first executable is used to steal/recover email passwords from a system. If we analyze it in IDA or PEStudio we can see strings that indicate what it collects.

Snippet of strings in First Executable in IDA

The second executable is used to steal credentials, data and passwords from web browsers.

Snippet of strings in Second Executable in PESTUDIO

Conclusion:

This .NET malware sample acts as a keylogger and tries to steal/recover passwords from multiple email clients, browsers and other software on an infected system. Thanks for reading!

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.