Malware Analysis IRC BackDoor Static Analysis

LabZero

Thread author
File Name: PIC05042502016-JPG.com

MD5: 6b5f23f5c4a62a039132e694e8bc4f1b
SHA1: 06e80ab43e18dbf564144440251fd6b85fde72c5
SHA256: 558f1ad6c022b31d2217ad730c57b5364c671788c8975ba1684880936da9437d

The malware is a .NET file, the linker version is 8.0; the file has 3 sections: .text, .rsrc, .reloc.

0.png


1.png


With a disassembler inspection you can see the malware uses the NOP operation, which is an assembly instruction; it gives the pipeline execution unit some slack for N clock cycles, depending on the processor used, and, as its name says, it does nothing.
In this case it seems the malware uses NOP to perform buffer overflow attacks when the attackers don't have perfect control of the exploitation, and probably this also prevents the malfunction of the malicious code.
There are also XOR, INC and PUSH operations, and it is clear that the malware performs byte-level mathematical functions and operates on byte buffers.

2.png


A really interesting point of this analysis is the strings of the malware, because they show it detects whether it was launched in a sandboxed environment; for this purpose it uses a function called isSandBoxie. In addition, it also tries to detect WireShark in the same way with a function "isWireShark", probably because this code tries to connect to an IRC server.

3.png


The malware is packed; with an analysis of the malicious code using .NET Reflector 9.0 you can see that the malware is obfuscated and that the functions "isSandBoxie" and "isWireShark" are probably referenced from the click event of the button1 variable, but unfortunately, studying the code, we can't establish where those functions are used.

5.png


6.png


9.png


Imports (mscoree.dll):

4.png


Finally, the resources are also encrypted.

7.png
 

LabZero

Thread author
What class of malware is this? Or what class does it fall under?
Thanks, that was very informative.
According to the Malwr report it's a botnet backdoor, and my analysis confirms this with caution because the code is packed.
It would be interesting to analyze it dynamically; it contains functions to detect Sandboxie and Wireshark to avoid traffic inspection by a malware analyzer.
 
