Interesting .NET malware disassembly
Quote from struppigel (post 896906):

Ah, I see why you are confused about the .NET file. It has a card playing game as a disguise.

There is one thing that I learned will save you a lot of work in malware analysis. Before you open any file in a debugger or decompiler, check the strings with Sysinternals strings.exe. If you find interesting ones, check the area around those strings in a hex editor. If the file is not too big, use the hex editor to scroll through the whole file at least once and skim interesting areas.

In this case, one string should immediately stand out:

[Attachment 244825: lifeonquotes.png]

You can already see that this is a .NET resource, because you can see the header of it right before the string starts. Now scroll down and you see that the string changes slightly:

[Attachment 244824: lifeonquotes2.png]

This is very indicative of data being XOR'ed using the key "Quotes_on_Life". The parts of the data that are zero bytes show the key, and this probably contains lots of zero bytes.

Now if you open up dnSpy, you can check the resources. Here is another thing you might want to remember, so you can recognize it if you see it:

[Attachment 244826: resource.png]

This is the typical look of an image that's actually code or encrypted data. It's anything but an image, and very typical for malware. This one is called cnJCh, and right below is a resource called SAS, which is the big Quotes_on_Life string.

Now you just need to find the location where these resources are obtained and what is done to them. .NET uses resource managers. Look for the resource manager for WinFormsFirstOne.Properties.Resources.resources. Right-click on the get method --> analyse. You will arrive at more getters that retrieve SAS and cnJCh from the resources and return back the string or the bitmap. Again right-click analyse on the get method for SAS, check what is calling the getter, and you arrive here:

[Attachment 244827: code.png]

Now you will realize that my assumption of using XOR is wrong. In this case it's a base64 string, where all 'A's have been replaced by "Quotes_on_Life". You can use notepad++ to decode this. ;)

What also might have caught your eye in a strings listing is the reversed "Invoke" and the "GetMethod" string you see in the code. It's very indicative of a packed .NET that executes the payload dynamically and doesn't want those method names to appear in the .NET symbol table. So the second way you could have found this location is searching for those strings.

This is actually an excellent example for a video tutorial. With your permission I would like to use this sample for it. Not sure when I have the time, but I will make note of it.
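The triage steps in the post (a strings pass looking for the reversed "Invoke" and "GetMethod", the "zero bytes reveal the XOR key" heuristic, and the eventual decoding of the SAS resource by putting the 'A's back and base64-decoding) can be scripted. The following Python is an added example written for this page, not code from struppigel or from the sample; the payload it works on is a constructed stand-in (a minimal MZ/PE header, the two hint strings and a run of zero bytes) rather than anything extracted from the real file, and the function names are my own.

```python
"""Scripted versions of the triage steps described in the post.

Everything below is an added example; the "payload" is constructed, not the
sample's real resource.  The substitution token "Quotes_on_Life" and the
strings "ekovnI" / "GetMethod" are the ones the post mentions.
"""
import base64
import re
import struct
from collections import Counter

TOKEN = "Quotes_on_Life"          # string substituted for every 'A' in the SAS resource
HINTS = ("ekovnI", "GetMethod")   # "Invoke" reversed, and GetMethod: dynamic invocation hints


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """ASCII and UTF-16LE printable runs, roughly what strings.exe lists."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [r.decode("utf-16-le") for r in wide_runs]


def dynamic_invoke_hints(data: bytes) -> list:
    """Strings worth a closer look because they contain one of the HINTS."""
    return [s for s in extract_strings(data) if any(h in s for h in HINTS)]


def guess_repeating_xor_key(data: bytes, key_len: int) -> bytes:
    """The heuristic from the post: where the plaintext was zero, the ciphertext
    byte equals the key byte, so the most common byte in each key column is the key."""
    key = bytearray()
    for i in range(key_len):
        key.append(Counter(data[i::key_len]).most_common(1)[0][0])
    return bytes(key)


def restore_base64(obfuscated: str, token: str = TOKEN) -> str:
    """Undo the 'A' -> token substitution.  '_' is not a base64 character, so the
    token cannot occur in genuine base64 text and the reversal is unambiguous."""
    return obfuscated.replace(token, "A")


def decode_substituted_base64(obfuscated: str, token: str = TOKEN) -> bytes:
    """Restore the 'A's, drop any line wrapping, fix padding and decode strictly."""
    restored = re.sub(r"\s+", "", restore_base64(obfuscated, token))
    restored += "=" * (-len(restored) % 4)
    return base64.b64decode(restored, validate=True)


def looks_like_pe(data: bytes) -> bool:
    """Quick check that decoded bytes are a PE image (MZ header, e_lfanew -> 'PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# --- constructed test data (hypothetical stand-in for the decoded payload) ---
def build_sample_payload() -> bytes:
    header = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
    body = b"ekovnI\x00GetMethod\x00" + bytes(200)   # hint strings plus a zero run
    return header + body


def obfuscate_like_sample(payload: bytes, token: str = TOKEN) -> str:
    """Produce a resource string shaped like SAS: base64 with every 'A' replaced."""
    return base64.b64encode(payload).decode("ascii").replace("A", token)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    payload = build_sample_payload()
    resource = obfuscate_like_sample(payload)
    print("hint strings:", dynamic_invoke_hints(payload))
    print("XOR-key guess on XOR'ed copy:", guess_repeating_xor_key(xor_with_key(payload, TOKEN.encode()), len(TOKEN)))
    decoded = decode_substituted_base64(resource)
    print("decoded is PE:", looks_like_pe(decoded), "round-trips:", decoded == payload)
```

The XOR key guess works on the constructed data for the reason the post gives: zero plaintext bytes leak the key byte-for-byte, so the most common byte per key position is the key. On the real sample that assumption turned out to be wrong, which is why the script also does the base64 restoration; running both on the SAS resource is cheaper than guessing in advance which one applies.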