Analyzing a .Net Sample: ziraat_limpi.exe

Intro:

Hi all! Today, I will be analyzing a .NET malware sample. To analyze this sample we will use dnSpy, a .NET debugger and assembly editor. We will be trying to find the capabilities of the malware and any additional information we can glean from it, such as IOCs and dropped files.

You can find it here: https://github.com/dnSpy/dnSpy, or install FLARE VM (https://github.com/mandiant/flare-vm) in your local virtual machine.

Analysis Pt 1:

First, let's do some basic dynamic analysis by running the malware. We can monitor its execution with tools such as ProcMon and Process Hacker.

In ProcMon, filter on the process name of the malware to monitor what it does when it is executed. Make sure the machine is not connected to the internet when running the malware.

Some interesting findings:

Analysis Pt 2:

Let's try to analyze further, statically, via dnSpy!

When analyzing the entry point of the malware, 'GonnyCam.main', we can first see that the malware starts multiple threads, such as GetCurrentWindow, RecordKeys, Screen Logging and Password Recovery, to name a few. This suggests that the malware may also have keylogger functionality.

The malware contains multiple libraries being used such as:

Analyzing the 'GetCurrentWindow' and 'RecordKeys' functions, we can see the malware tries to get the window title, the machine time and the keystrokes typed, and logs them.

'SendLog' seems to compare strings to text such as link, logtype, windowtitle, keystrokestyped, application, host, username, password and clipboard, and uploads the contents to a web file, possibly a C2 server. The malware also doesn't call anything related to screenshots but only compares a notification if false, so my guess is that it is disabled in this malware due to lack of time creating it.

We can see in the RecordKeys function figure that it tries to send the logs to 'GonnyCam.P_Link'.

We can find P_Link to be a C2 server that the attacker uses to send and receive data, as seen in the picture below:

The malware collects and searches for passwords for the following browsers, mail clients and software.

If it's a mail client, it will get the email, password, server and application and write them to C:\ProgramData\mails.txt. It is similar for browsers: the collected browser data and credentials are written to C:\ProgramData\browsers.txt, as seen in our basic dynamic analysis.

In the Encryption library, we can see the malware may use some form of symmetric AES encryption, since a Key and an IV are used to create a decryptor for some data. AES is also known as Rijndael.

There are two dropped resources that we can find in the malware. If we set some breakpoints and keep stepping over, we can find that our first MZ executable is stored in Array 2 with the value [0x00018400].

We can see this by selecting Show Memory Window on array02 (which displays 'MZ' and 'This program cannot be run in DOS mode', a common pattern for discovering EXE/DLL files) and saving it as a .bin file via Save Selection. This is our first dropped executable.

We can set another breakpoint and continue to step over and run:

Step over and keep running, and we can find another MZ executable in Array 2 with the value [0x00055000]. Repeat and save it as another .bin file.
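As an added example (not code from the original post), the carving step above can be scripted: the function below scans a dumped byte array for 'MZ' hits, validates the e_lfanew pointer, the 'PE\0\0' signature and the section table so that decoy 'MZ' strings are skipped, and returns each embedded executable with its offset and size. The input buffer and the one-section PE shell are constructed for the demo; the sample's real arrays are not reproduced here.

```python
import struct

def _parse_pe(buf: bytes, base: int):
    """Validate an 'MZ' hit at buf[base] and return (offset, size, bytes) or None."""
    if base + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    nt = base + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or nt + 24 > len(buf):
        return None                      # junk 'MZ' (e.g. inside a string)
    if buf[nt:nt + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", buf, nt + 6)[0]
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]
    sec_table = nt + 24 + opt_size       # first IMAGE_SECTION_HEADER
    end = sec_table + num_sections * 40
    for i in range(num_sections):
        hdr = sec_table + i * 40
        if hdr + 40 > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
        end = max(end, base + raw_ptr + raw_size)   # file size = last section end
    return None if end > len(buf) else (base, end - base, buf[base:end])

def carve_pe_files(buf: bytes) -> list:
    """Find every embedded PE in buf, skipping 'MZ' hits that are not real headers."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        pe = _parse_pe(buf, pos)
        if pe:
            hits.append(pe)
        pos = buf.find(b"MZ", pos + (pe[1] if pe else 1))
    return hits

def build_fake_pe(payload: bytes) -> bytes:
    """Constructed one-section PE32 shell used only as demo input (not malware)."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
           + b"This program cannot be run in DOS mode.\r\n$").ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40      # data right after section table
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + sec + payload

# Constructed stand-in for a dumped array: junk with a decoy 'MZ', then two embedded PEs.
JUNK = b"\0" * 16 + b"MZ-not-a-header-" + b"\x11" * 100
BLOB = JUNK + build_fake_pe(b"FIRST PAYLOAD") + b"\xcc" * 64 + build_fake_pe(b"SECOND PAYLOAD!!")
```

Writing each returned byte string to its own .bin file is the scripted equivalent of dnSpy's Save Selection, and the offset tells you where in the array the executable started.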

The first executable is used to steal/recover email passwords from a system. If we analyze it in IDA or PEStudio, we can see some strings that reveal what it collects.

The second executable is used to steal credentials, data and passwords from web browsers.

Conclusion:

This .NET malware sample acts as a keylogger and tries to steal/recover passwords from multiple email clients, browsers and other software on the system it infects. Thanks for reading!

Ben Lee

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.