Hidden .NET Resources “Are Your Tools Finding Them”?

This file was found via Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a

This sample appears to be a test piece of ransomware written in .NET with 2 binary resources that do not show up in normal tools. No obfuscation was used to “hide” the resources. I was able to build my own test program that behaves the same way.

So really, they are not necessarily hidden; it’s just that some tools don’t see them.

I have run across this problem before, but I don’t see it very often when viewing decompiled .NET files.

If we look at the resources in a few different tools, we don’t see this data.

Let’s start with PEStudio. I had reported this problem a couple of times and have gotten no response about it.

Here we see PEStudio next to ILSpy:

[Image: ResourcesNotShown]

It can be found here https://www.winitor.com/binaries.html

Next we have MITEC EXE Explorer:

[Image: ExeExplorer]

It can be found here http://www.mitec.cz/exe.html

Finally we have Resource Hacker:

[Image: ResourceHacker]

It can be found here: http://www.angusj.com/resourcehacker/ (I assume this is the same one everyone else uses.)

The only explanations I can think of are that they are not enumerating every type of resource, or that the data is not being seen because it has no file extension associated with it.

So let’s save the resource data to a file. We end up with a file called “gray.resources”.

Opening it up in a hex editor, we see this:

[Image: ResFile]

This would not be easy to extract without more information, so after some trial and error I wrote a tool to extract the binary data to .bin files.

[Image: enumResc]

This simple tool enumerates all of the resources, lists the names and types, then extracts just the data of type “Byte[]” to the folder, using the resource name with a .bin extension.

As you can see, this one only had 2 items. I have not tested it yet on other files.
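As an added example (not the author’s enumerator, nor code from any of the tools above), here is a small Python parser for the .resources container that was saved as gray.resources. It walks the RuntimeResourceSet v2 layout (magic 0xBEEFCACE, header, PAD alignment, name hashes and positions, name section, data section), lists every resource name with its type, and returns the raw bytes of the Byte[] entries, which is what ended up in the .bin files above. The input it parses is constructed by build_resources (name hashes are zeroed, since the parser walks the name section sequentially and never uses them) rather than taken from the sample.

```python
import struct
from io import BytesIO
MAGIC, TYPE_STRING, TYPE_BYTEARRAY = 0xBEEFCACE, 1, 32  # ResourceManager.MagicNumber; ResourceTypeCode.String/.ByteArray

def _read7(f):                 # BinaryReader.Read7BitEncodedInt
    n = shift = 0
    while True:
        b = f.read(1)[0]
        n, shift = n | (b & 0x7F) << shift, shift + 7
        if not b & 0x80:
            return n
def _i32(f): return struct.unpack("<i", f.read(4))[0]
def _read_bstr(f, enc="utf-8"): return f.read(_read7(f)).decode(enc)  # ReadString: 7-bit byte length, then bytes
def _bstr(s, enc="utf-8"):     # BinaryWriter.Write(string) for strings under 128 bytes (one-byte length prefix)
    b = s.encode(enc)
    assert len(b) < 128
    return bytes([len(b)]) + b

def build_resources(entries):  # constructed sample writer: {name: bytes | str} -> RuntimeResourceSet v2 file bytes
    names, data, positions = b"", b"", []
    for name, value in entries.items():
        positions.append(len(names))
        names += _bstr(name, "utf-16-le") + struct.pack("<i", len(data))   # name section: name + data offset
        data += (bytes([TYPE_BYTEARRAY]) + struct.pack("<i", len(value)) + value if isinstance(value, bytes)
                 else bytes([TYPE_STRING]) + _bstr(value))                # data section: type code + payload
    hdr = _bstr("System.Resources.ResourceReader, mscorlib") + _bstr("System.Resources.RuntimeResourceSet")
    out = struct.pack("<Iii", MAGIC, 1, len(hdr)) + hdr + struct.pack("<iii", 2, len(entries), 0)
    out += b"PADPADPA"[:(8 - len(out) % 8) % 8]                            # hash table is 8-byte aligned
    out += struct.pack("<%di" % (2 * len(entries)), *([0] * len(entries) + positions))  # hashes (zeroed), positions
    return out + struct.pack("<i", len(out) + 4 + len(names)) + names + data  # data section offset, names, data

def parse_resources(blob):     # returns [(name, type, value)]: bytes for Byte[], str for String, else None
    f = BytesIO(blob)
    magic, _hver, hdr_len = struct.unpack("<Iii", f.read(12))
    if magic != MAGIC: raise ValueError("not a .resources file")
    f.seek(hdr_len, 1)                                   # skip reader / resource-set type names
    _ver, count, ntypes = struct.unpack("<iii", f.read(12))   # v2 layout assumed
    user_types = [_read_bstr(f) for _ in range(ntypes)]  # assembly-qualified names of user-defined types
    f.seek((8 - f.tell() % 8) % 8 + 8 * count, 1)        # skip PAD bytes, name hashes and name positions
    data_start, items = _i32(f), []
    entries = [(_read_bstr(f, "utf-16-le"), _i32(f)) for _ in range(count)]  # name section: name, data offset
    for name, off in entries:
        f.seek(data_start + off)
        code = _read7(f)                                 # 7-bit encoded ResourceTypeCode, then the payload
        if code == TYPE_BYTEARRAY: tname, value = "Byte[]", f.read(_i32(f))
        elif code == TYPE_STRING: tname, value = "String", _read_bstr(f)
        else: tname, value = (user_types[code - 64] if code >= 64 else "TypeCode %d" % code), None
        items.append((name, tname, value))
    return items
```

Writing each Byte[] value to `name + ".bin"` reproduces what the enumerator did; the `MZ` check on the decrypted output comes later in the post.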

Let’s take a look at the first one:

[Image: ghf]

And the second:

[Image: ghf-2]

These look to be encrypted or encoded, so let’s go back to ILSpy and see how.

[Image: IlSpy-1]

The highlighted area is where it tells us what to do with the extracted resources.

At the top we see the key used for decryption, and test4 at the bottom is AES in CBC mode.
It also has a hard-coded salt value.

Since I didn’t have a tool for this type yet, I just borrowed the code from them, and after fixing 1 bug that may have been introduced in the decompilation, I got it working.

[Image: AES-1]

Notice anything in the output? 0x4D5A (MZ)

So we now have an extracted and decrypted binary.

Here is the second one:

[Image: AES-2]

They just used the same AES function to hide the registry “Run Path”.

What we end up with is the program that does the actual “bad stuff”, including encrypting various files using a folder and file extension list.

[Image: cryptor-b]

As of last night that Bitcoin value did not exist.

Towards the bottom we have a “random” password generator. The problem is that, as far as I have found so far, it does not appear to save the password anywhere for use in decryption later.

[Image: PasswordGen]

They are also nice enough to delete the shadow copies.

[Image: Program]

I also looked up the GUID, and you can find it used in several places.

I have no idea whether this thing will even run and do what the code suggests it will do.

The point of this whole post was not to show the malware, but to highlight the problem of mainstream tools not being able to find or show these types of resources.

There could be more than meets the eye that is not being shown, as there was here.

That is it for this one. Go check your tools.


About pcsxcetrasupport3

My part-time business; I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to understand the systems’ problems, in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware, Programming, security.

One Response to Hidden .NET Resources “Are Your Tools Finding Them”?

  1. mike miksch says:

    You are trying to read .NET resources with tools that are meant to inspect PE resources. Those are two different things 😉
