
Malicious Zip

Purpose: analyzing the malware's behaviour

The suspicious rar contains 3 files: 2 are clean and 1, (file).lnk, is malicious (deduced after the investigation). Let's start the investigation. (58ec917b5d2e14846f5a7948b7d9cd19)

img_1

Upon clicking (file).lnk, code from this URL (hXXp://av.msdefender.xyz/f) is executed.
From the code below we can see a file is fetched from the URL, saved to "C:\Users\public\a.exe" and then executed.

img_2

Taking the sha256 sum and putting it in VirusTotal, no result is found.

img_3

Putting it in pestudio gives some info: first of all it's a 32-bit .NET binary (yahoo, I
can read code rather than assembly, it's just faster :) ) and the timestamp is a no-no,
compiled in the future, wow, time travel is at work here XD

img_4

Running floss on it, a certificate pops up immediately: some sort of encrypted communication is in place.

img_5

Let's dig deeper. Opening it in dnSpy, the C2 server string "news.services-ms.info" and "cmd.exe" are stored in base64 (just my habit of going for base64 first).

img_6

img_7

Two variables are defined: 1 integer and one char array (spoiler alert: it's the certificate).

img_8

To start the process, variables are set up; from the look of it cmd.exe is being spawned, with no visible cmd.exe window. Program.CmdOutputDataHandler will be discussed further down, and then the program sleeps for 5000 seconds.

img_9

Creating a string variable, then resolving the domain name and putting the result into a variable. Creating an encrypted connection to the given IP (46.30.188.175) and port (54289), using the certificate which was provided in the char array.

img_10

After the connection is established, sleep for 1000 seconds.

img_11

Create a string variable that stores the received message.

img_12

If the received string is "exit", it kills itself.

img_13

If the received string is "–SUICIDE", it changes the int "num" from zero to 100 and then terminates. (I am really confused why two things are made to do one job.)

img_14

If the string is "ACKNOWLEDGMENT" then the reverse shell is given to the author. The procedure is pretty simple: stdin, stdout and stderr of the "cmd.exe" process are buffered and then passed to the C2 server in encrypted form.

img_15

Not going over the exception cases; it's logging errors (but not sending them to the
C2 server, which is odd).
CmdOutputDataHandler, as the name suggests, takes the cmd.exe output and
writes it to a network stream.

img_16

Network connections to the above IP and port, as found during the investigation.

img_17

IOC:

09cc7d0af801e5a3bebaa46a5b61bcc4eb133e2fe5159c65d47073c6a8163d80
ee2c4814e7f65fcf4c3f1f81bba41098d759def9073c88cc6d9927cfc312903e

This post is licensed under CC BY 4.0 by the author.