Trojan MSIL/Injector - static
<blockquote data-quote="LabZero" data-source="post: 529973"><p><em><strong>MD5:</strong></em> 08aebd590a43b2906ba678860c2b7f4c</p>
<p><em><strong>SHA1:</strong></em> 16e216d541165313bd2ddf5e77a2079bd94588e3</p>
<p><em><strong>SHA256:</strong></em> e9ca3f54aa5ccc3d97503435da2cc5dfb26f4c68623c3970a20fa9e86cd8d4f1</p>
<p>First I used PEiD to identify the malware; it is a .NET file, and the linker version is 8.0.</p>
<p>[ATTACH=full]110826[/ATTACH]</p>
<p>File sections:</p>
<p>[ATTACH=full]110827[/ATTACH]</p>
<p>The entropy clearly indicates a packed file, as you can see in the screenshot below, which also shows that the fast check gives "packed".</p>
<p>[ATTACH=full]110828[/ATTACH]</p>
<p>With PEiD you can see the strings inside the portable executable; this screenshot shows the strings that I flagged as malicious, in particular "kernel32.dll": in fact, in one of the functions of the code there is a DLL import of this .dll file.</p>
<p>This is suspicious because with the use of kernel32.dll there could be a low-level and deep infection of the OS.</p>
<p>Another suspicious string that I found during the analysis was "Marshal", which was also present in the code, used by some functions. Marshaling is the act of taking data from the environment you are in and exporting it to another environment.
In the context of .NET, marshaling refers to moving data outside of the app-domain you are in, somewhere else.</p>
<p>There are also strings in the malware that refer to byte operations, such as "WriteByte" and "ReadByte"; these operations can be intrusive and dangerous, especially because this PE works at a low level (because of the kernel import).</p>
<p>[ATTACH=full]110829[/ATTACH]</p>
<p>The malware uses mscoree.dll, and in addition there are some clearly encrypted/obfuscated strings, as you can see in this screenshot:</p>
<p>[ATTACH=full]110830[/ATTACH]</p>
<p>Below are the PE details:</p>
<p>[ATTACH=full]110831[/ATTACH]</p>
<p>...but the most interesting part of this analysis is this:</p>
<p>[ATTACH=full]110833[/ATTACH]</p>
<p>The malware uses this function, whose name is obfuscated, to marshal bytes read from another function; this operation is done in a loop, which means that the malware operates on all the bytes obtained from the function called before the loop.</p>
<p>A repeated line of code in the source is "object.Equals(null,null);". This command verifies the equality of two objects, but in this case the objects passed as parameters are null.</p>
<p>Marshal is also used in a function, which is called in the line of code below.</p>
<p>[ATTACH=full]110835[/ATTACH]</p>
<p>In this screenshot you can see the [DllImport] of kernel32.dll.</p>
<p>A variable called VirtualProtect is also initialized, which is static and external, and it is also used in another function; note that it returns an output of type uint (unsigned integer).</p>
<p>[ATTACH=full]110838[/ATTACH]</p>
<p>Below is the usage of the variable called "VirtualProtect".</p>
<p>[ATTACH=full]110842[/ATTACH]</p>
<p>Look especially at the return and at the VirtualProtect output; so
the output of VirtualProtect is returned by this function.</p>
<p>Below is another function that again uses the Marshal feature, in particular the function "AllocHGlobal", which takes as a parameter the length of an attribute variable.</p>
<p>[ATTACH=full]110843[/ATTACH]</p>
<p>The malware also initializes some byte arrays; this is one of them:</p>
<p>[ATTACH=full]110844[/ATTACH]</p>
<p>The other arrays contain lots of elements (bytes), used for byte write/read operations.</p>
<p>Malware references:</p>
<p>[ATTACH=full]110845[/ATTACH]</p></blockquote>
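A static triage pass over the same signals the post walks through (entropy check, string extraction, and the kernel32.dll / VirtualProtect / Marshal / AllocHGlobal names), as an added example that is not LabZero's code or tooling. The 7.0 bits-per-byte threshold, the 4096-byte block size, the `review` heuristic and the constructed sample bytes are assumptions of this example.

```python
import hashlib
import math
import re
from collections import Counter

# Names the post calls out; treating them as a combined signal is this example's heuristic.
INDICATORS = ("kernel32.dll", "mscoree.dll", "VirtualProtect", "AllocHGlobal",
              "Marshal", "WriteByte", "ReadByte")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_strings(data: bytes, min_len: int = 5) -> set:
    """ASCII runs (metadata and import names) plus UTF-16LE runs (.NET string literals)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return {s.decode("ascii") for s in narrow} | {s.decode("utf-16le") for s in wide}

def triage(data: bytes, block: int = 4096, threshold: float = 7.0) -> dict:
    """Report high-entropy blocks and which indicator names occur in the file."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    packed = [i for i, c in enumerate(chunks)
              if len(c) == block and shannon_entropy(c) >= threshold]
    strings = extract_strings(data)
    hits = {ind for ind in INDICATORS if any(ind in s for s in strings)}
    # Heuristic (assumption): a managed binary that imports VirtualProtect from
    # kernel32.dll and also touches unmanaged memory deserves a decompiler review.
    native_memory = ({"kernel32.dll", "VirtualProtect"} <= hits
                     and bool(hits & {"AllocHGlobal", "Marshal"}))
    return {"packed_blocks": packed, "hits": hits,
            "review": bool(packed) and native_memory}

def build_constructed_sample() -> bytes:
    """Constructed stand-in, not the sample from the post: name table, then noise."""
    names = b"\x00".join(s.encode() for s in (
        "kernel32.dll", "mscoree.dll", "VirtualProtect", "AllocHGlobal", "Marshal"))
    literal = "WriteByte".encode("utf-16le")
    header = (b"MZ" + b"\x00" * 62 + names + b"\x00\x00" + literal).ljust(4096, b"\x00")
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return header + noise  # block 0: sparse header, block 1: high-entropy data

if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

A `review` result of `True` only prioritises the file for decompilation; the names alone also occur in legitimate interop code.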