Kazy Malware Analysis
In this article I will summarize an attack scenario and I will focus on the malware part used to compromise the victim’s machine.
In this attack scenario, the victim visited a malicious website that requires running a java applet. The applet is malicious; it will download an executable and then will execute it on the system. The executable is a .Net executable that acts as a launcher/loader to an embedded executable.
- File size: 241 KB
- MD5 : b1b7854b73f06e7a18093e221373b8ba
- Type: Win32 EXE
- Publisher: Igor Pavlov
- File Version: 9.20
- VirusTotal Detection Ratio: 35 / 46
To analyze this malware I used Reflector decompiler to convert the .Net assembly; Microsoft Intermediate language (MSIL) into C# code; and used it as a plug-in for Visual Studio 2010 in order to debug the .Net code.
This malware is highly obfuscated to hinder understanding the code after decompilation. The malware is multithread and each thread is responsible for a certain feature in the malware for example there is a thread responsible copying the malware into USB thumb drives attached to the system.
.NET Original Malware
The malware will load a resource embedded within itself into memory. The loaded resource is a DLL; also .Net. As shown in figure (1). The malware will call a function called Load from cd16d48d9739242e0c6315b0fb2fb86b3 class. As you can see the malware used obfuscator to make the analysis harder which made the name of the classes and variables very long and also embeds branches that will not be executed to make code reviewing harder.
The malware will use AppDomain.Load(Byte) .net function to load it as a DLL in the context of the running malware. The malware calls into the newly loaded module through calling InvokeMember function which will call a certain function inside the module and I will refer to it as “MainThread”.
The main thread is responsible for initializing the other threads, create a copy of itself in the ApplicationData directory in the system and will create a registry key that will ensure it will start after rebooting the system.
The main Thread calls a function called A!A.A.AddToStartup(string RegistryKey, string RegistryName, string TempFileName, string TempFileContent, string Extension).
This function as implied from its name will create a registry key named “Upadate” in this path of the registry “HKCU\ Software\Microsoft\Windows\CurrentVersion\Run” to initialize the malware after rebooting the system using Win32.RegistryKey.SetValue function.
But before the call to AddToStartup ,The function will call string.Concate function to generate a path, The first string is the absolute path of ApplicationData, the second string is the word “\Adobe”, and the third string is a randomly generated number between(9,999) and the final string “.exe” and then the malware will call System.IO.File.Copy to copy the malware to the newly generated path and set its attributes to be hidden.
The malware then starts to create the other threads; it starts with instantiating a Thread object, then calling Thread.start function.
I will discuss now the function of each thread created by the main thread.
First the Loader Thread, This thread is responsible for injecting a malicious code (another malware) and run it on the victim’s machine. It first reads the original malware as string, and then it will decode certain part of it and then decrypt it the resulting data is a hidden malware. I uploaded the resulting malware to VirusTotal and some of the AVs identified the resulting malware as “Andromeda” Backdoor. I analyzed this peace of malware and I could give some information about it in another article.
The Loader thread will read the malware file as a string using System.IO.File.ReadAllText (string malwarePath) .Then a call to split string is made using a specific delimiter, the ascii representation of the delimiter is “VfBOBnPkjMHYKOnOZT”. The output of the split was 14 elements array. One of these elements will be used as key in the decryption process of another element in the same array. It turns out that this is another malware that will be injected in another running process.
I will present you with the most important elements. The second element was the key used in the decryption process and here is the ascii representation of it “ksGhCgFWiXUOgdzjuBwIZavw”, The 6th element “Process” string which is the name of the process that malware will launch in suspended state and then inject the malicious code into it. 13th element is the content of the malware in the encrypted form. Figure (2) shows the malware in hex editor to highlight the delimiter.
Then the program will then decode the 13th element of the array using Base64 function and then it will decrypt it with the second element in the array “ksGhCgFWiXUOgdzjuBwIZavw” using a function called PolyDecrypt. As shown in figure (3).
The result of PolyDecrypt function is a byte  which is actually the backdoor payload that this malware is trying to execute on the victim’s machine. The malware will call a function called inject (byte  PolyDecryptOutput, string virusName).
The malware is using a systematic technique used by malware authors. It is called process replacement, first it starts a process in suspended state; in our case it will start a copy of vbc.exe which is the visual basic compiler which is part of the .Net framework; and then using UnMapViewOfSection to remove any data in the original process starting from the image base and then using VirtualAllocEx and WriteProcessMemory it writes its code instead and finally use SetThread Context to ResumeThread to continue the execution in the malware code written. So the backdoor is now executed on the system.
The second thread is the Block thread which is simply used to check if the malware is executing in a certain sandbox environment or not. It first gets all running processes in the system using Process.GetProcesses function and then compares the name of the processes to “sandboxierpcss”. And if found it will exit.
The Third thread is USB thread which is used to copy the malware into all attached USB drives in the system.
The thread will call System.IO.Directory.GetLogicalDrives() to get all currently available disk drives and will create a path of “Drive:\rundll32.exe” to copy the malware with this name into the drive and then will create another file “autorun.ini” and using FilePut function to write “[autorun]rnshellexecute=rundll32.exe” so when any user connects its usb flash into his computer the malware will automatically execute and infect his system as well. It worth mentioning that both files are created and then using SetFileAttribute function to make the files hidden.
The final thread is the Persistence thread which is used to ensure that there is a registry key in the RUN to make sure that the malware will start after each reboot. The malware checks first, if the registry key already exists or not by calling A!A.A.CheckKey() function to check if the key is already existing and if not it will call the early mentioned function A!A.A.AddToStartup in the main thread to add a registry key in the “HKCU\ Software\Microsoft\Windows\CurrentVersion\Run”.