Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse engineering .NET malware.
The write-up outlines the importance of sandbox analysis in preparing for reverse engineering by highlighting what to expect and focus on, given that malware creators use various tactics to confuse analysts.
It also mentions that the walkthrough will cover modifying malware to simplify analysis.
The initial understanding gained from sandbox analysis allows analysts to prioritize areas for investigation during the deconstruction phase. This is particularly useful as malware often employs obfuscation techniques to impede analysis.
The preparation for reverse engineering Snake Keylogger, a.NET infostealer with anti-analysis techniques, where the author plans to use static and dynamic analysis with decompilers and debuggers in an isolated environment built with VirtualBox, Windows 11, Flare-VM, dnSpy, and.NET Reactor Slayer.
To ensure safety, the network adapters will be disabled, and resource sharing between the guest and host machine will be minimized.
Stages of the Malware Analysis:
The analysis identified “pago 4094.exe” as a .NET keylogger disguised as an airplane simulator. Static analysis revealed suspicious decryption code in the InitializeComponent function, and disabling the code confirmed its role in malicious activity.
Dynamic analysis showed the code fetching data from a resource named “Grab” and decrypting it, which contained a valid DOS header, DOS stub, and PE header, indicating it was a new executable payload.
The payload, loaded as an in-memory assembly using Assembly.Load, was identified as “Aads.dll” and determined to be stage 2 of the malware.
The analyst at ANY.RUN investigated “Aads.dll,” a.NET assembly DLL, using static and dynamic analysis, where static analysis in dnSpy revealed sorting/searching functions but no malicious code.
Dynamic analysis with breakpoints showed “Aads.dll” using image data from resource “ivmsL” containing a potentially steganographic image.
The image data was processed through sorting algorithms and examined in memory, revealing a DOS header (“MZ”) and PE header, indicating a packed executable, while the extracted executable, named “Tyrone.dll,” was identified as stage 3 of the malware.
“Tyrone.dll” was found as a.NET DLL with VB.NET code that had been hidden by.NET Reactor. Static analysis of the deobfuscated code showed functions related to a “pandemic simulation” that were deemed unnecessary, but the presence of GetObject() suggested a next step.
Dynamic analysis confirmed this suspicion by setting breakpoints and examining memory, while retrieved data from resource “wHzyWQnRZ” was identified as a new executable containing a DOS header, DOS stub, and PE header – stage 4 of the malware.
Analysts investigated “lfwhUWZlmFnGhDYPudAJ.exe,” a.NET assembly flagged as a keylogger, where the file had obfuscated code with non-descriptive names and after identifying it as a VB.NET compiled PE32 executable, they detonated it in a sandbox environment, confirming its keylogging functionality.
At last, the deobfuscation with renaming functions (e.g., “lena_”) improved code readability for further analysis.
The malware configuration, encrypted with a hardcoded key, reveals SMTP information for exfiltration and the code steals login data from browsers (Chrome, Edge, etc.) and applications (Discord) by accessing their SQLite databases or LevelDB files.
It exfiltrates data via FTP, SMTP, or Telegram, as the analyzed sample uses SMTP with hardcoded credentials and sends data as an email attachment.
It describes modifying the Snake Keylogger malware for easier analysis by disabling internet connection checking, self-deletion, and self-movement functionalities.
A Python script has been written to encrypt SMTP credentials with a key derived from an MD5 hash and store them in the malware configuration to bypass email encryption.
The malware was customized by changing the icon and adding functionalities to change the wallpaper and save stolen credentials to text files on the desktop. The effectiveness of the modifications was verified by running the modded malware in a sandbox environment.
The solution offers a threat intelligence (TI) feed and a lookup portal, providing access to a constantly updated database of malware information that leverages data from over 1.5 million investigations by community and in-house analysts, allowing you to
It offers threat intelligence in two formats:
TI Lookup examines a massive database of Indicators of Compromise (IOCs) and related events across numerous parameters. Wildcards allow wide or particular searches, and results, including linked research sessions, are supplied in seconds.
SIEM systems can use TI Feeds’ continuous threat data in STIX format and every two hours, IOCs and event details are added for threat analysis.
ANY.RUN is a cloud-based malware lab that does most of the work for security teams. 400,000 professionals use ANY.RUN platform every day to look into events and speed up threat research on Linux and Windows cloud VMs.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
Best DNS Management Tools play a crucial role in efficiently managing domain names and their…
Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…
Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…
SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…
In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…
The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…