Malware Analysis: Jonap

MD5 hash: E7832020692E8914F53804FE1A0569DC
Virus Total Link: https://www.virustotal.com/gui/file/dc030c478d783044dfbf68de54ca6f36e154f60f65dc92f2c6d724078402e738/detection

Intro:

Analysis:

The function we are analysing, shown above, first retrieves the Windows directory and the system directory. It then calls a sprintf-style formatting function with the format string %s\\%s to build a full path.

The format string %s\\%s replaces the first %s with the second argument and the second %s with the third argument, and writes the result into the buffer passed as the first argument. Here that produces a path of the form <directory>\<file name>, which is how the malware builds the paths of the DLLs it looks for in the system directory.

We can see that the malware searches for scardprv.dll, wcssvc.dll and mssscardprv.ax. It opens the Service Control Manager and, if the corresponding services are not found, drops its payloads from its own resources and creates new services to execute them and maintain persistence.

We can also see the malware querying the status of those services, below.

Analysing further, we can see that the malware takes the resource with ID 101 and creates scardprv.dll in the System32 directory, opening it with write access. If the file already exists it is deleted first; the contents of the resource are then written into the newly created file.

The malware does the same with resource 104, writing it out as wcssvc.dll.

The malware then creates a malicious service that is hosted by svchost.exe, so the dropped DLL runs inside a legitimate-looking svchost.exe process.

For svchost.exe to load the DLL, the malware has to register it as the service's ServiceDll (the value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters). It does this for both scardprv and wcssvc.
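As an added hunting example (this is not code from the original post or from the sample), the following PowerShell enumerates every service hosted by svchost.exe, reads its ServiceDll value, reports the service status, and hashes the DLL on disk against the two MD5 IOCs listed in the conclusion of this post. The IOC table and the flagging rules are assumptions for triage; the registry layout is the standard one used by svchost-hosted services.

```powershell
# Added hunting example: find svchost.exe-hosted services and check their
# ServiceDll against the scardprv.dll / wcssvc.dll IOCs from this post.
# The IOC table and the flagging rules are assumptions for triage.

function Find-SvchostServiceDll {
    param(
        # MD5 IOCs from the post: resource 101 -> scardprv.dll, resource 104 -> wcssvc.dll
        [hashtable]$Iocs = @{
            'scardprv.dll' = 'fd59af723b7a4044ab41f1b2a33350d6'
            'wcssvc.dll'   = '9a981085a87647b5e99517506ea83a9b'
        }
    )

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $key   = Join-Path $base $svc.PSChildName
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # Only services whose ImagePath runs under svchost.exe use a ServiceDll
        if (-not $props.ImagePath -or $props.ImagePath -notmatch 'svchost\.exe') { continue }

        # svchost.exe loads the DLL named in <service>\Parameters\ServiceDll
        $dll = (Get-ItemProperty -Path (Join-Path $key 'Parameters') -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
        $name    = [IO.Path]::GetFileName($dllPath).ToLowerInvariant()
        $status  = (Get-Service -Name $svc.PSChildName -ErrorAction SilentlyContinue).Status

        $result = [PSCustomObject]@{
            Service    = $svc.PSChildName
            Status     = $status
            ServiceDll = $dllPath
            Exists     = Test-Path -LiteralPath $dllPath
            MD5        = $null
            Signature  = $null
            IocName    = $Iocs.ContainsKey($name)   # file name matches a known dropped DLL
            IocHash    = $false                     # MD5 matches a known dropped resource
        }

        if ($result.Exists) {
            $result.MD5       = (Get-FileHash -LiteralPath $dllPath -Algorithm MD5).Hash.ToLowerInvariant()
            $result.Signature = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            $result.IocHash   = $result.IocName -and ($Iocs[$name] -eq $result.MD5)
        }

        # Report IOC matches by name or hash, plus any ServiceDll that is missing
        # from disk or does not carry a valid signature
        if ($result.IocName -or $result.IocHash -or $result.Signature -ne 'Valid') {
            $result
        }
    }
}

Find-SvchostServiceDll | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. A ServiceDll whose name or hash matches the IOCs, that lives outside System32, or that is missing from disk deserves a closer look. Treat the Signature column as a hint rather than a verdict: many legitimate Microsoft DLLs are catalog-signed, and on older systems Get-AuthenticodeSignature can report those as NotSigned.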

Conclusion:

Using Resource Hacker, we can extract the two files dropped by the malware, scardprv.dll and wcssvc.dll, from its resources. We can get their MD5 hashes with PEStudio and check whether they are known to be malicious on VirusTotal. We can also see they are PE executable files: they start with the MZ magic and contain the string 'This program cannot be run in DOS mode.'

MD5 hashes for the two resources extracted from the malware (101 is written out as scardprv.dll, 104 as wcssvc.dll):
101: fd59af723b7a4044ab41f1b2a33350d6
104: 9a981085a87647b5e99517506ea83a9b

I focus on Malware, RE, DFIR. This blog is used to improve my understanding of these concepts and show my progress.