Malware Analysis Trojan.Win32.Generic.pak!cobra - Malware Reverse

[JM Safe]

Hi all,

today I made a simple malware reverse analysis of this sample of Trojan.

Sample type: Trojan.Win32.Generic.pak!cobra

MD5: 50567a1ed4779ffc2596c341fe38fd4e

SHA1: 4292df38e122dd6beb02230210575e80a6ed71ed

SHA256: 0cd8d196f66e2bec6636976fbceae5298cc2acf8e7c8c700f717034eadb854f2

Library used by the sample:

mscoree.dll:

0x402000 _CorExeMain

While reversing the malware I found these strings particuarly interesting, because some of them are obfuscated:

IconData
height
Vnao^T
0/U'KE
$sIb+
?!RIGM
*++su]G
glll,:
={vA]]]a~~
,XPRUU
mhh83m
t:FGGC
|eFaaaB
ow644t
UPP #Q
@tvZEEENd
=?Tiohh(
$.Hkhh8
|r+`!^
]w]iaaa
{lauuu
<yrNUU
iZIIINIII
vk%%%nPKF
w+,,ty
a52iH\l, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADw

One interesting thing is that this application, that appereantly would change the icon of .exe files, it runs malicious code to infect the machine only by using a library, but most of the code is "[DebuggerHidden]" (see for example the fourth screenshot); and this is an important thing to remember.
The sample must be run under Win32.

These are the screenshots of my malware reverse analysis (The most important source code).

File Sections:

Name -  Virtual address - Virtual size - Raw size - Entropy - MD5
.text  8192 1247300 1247744 6.16 c301800889b42018ac6305f6232a23f4
.sdata  1261568 142 512 2.06 bcfb9ab6f13950c8e0cdcdc18ceac0cd
.rsrc  1269760 172944 173056 1.98 3a06f005d96dbf93b7645294976a1ee0
.reloc  1449984 12 512 0.10 3271c072aa0b1850cfc845bef54e4a26

For this malware analysis I used a Windows 7 VM inside VirtualBox (latest version).

This is the VirusTotal Report:

Spoiler: VirusTotal

Antivirus scan for 0cd8d196f66e2bec6636976fbceae5298cc2acf8e7c8c700f717034eadb854f2 at 2016-07-14 12:42:56 UTC - VirusTotal

Detection Ratio: 4/53

Software used: ILSpy

Thank you all for reading

 

[frogboy]

A very nice analyse my friend thanks for this. One day i hope to understand all this.

 

[JM Safe]

A very nice analyse my friend thanks for this. One day i hope to understand all this.

Thanks for your words!

 

[DardiM]

Thanks for this very detailed malware reverse analysis

 

[Der.Reisende]

A very nice analyse my friend thanks for this. One day i hope to understand all this.

+1
However, good job @JM Security, thank you for sharing Very interesting

 

[LabZero]

Thanks for the analysis!
I use also RDG Packer Detector to detect any packer but, if you open the code with IlSpy and it shows no errors, then probably the code is just obfuscated.