This file was found through Twitter https://twitter.com/0x7fff9/status/936301229612961792 and https://beta.virusbay.io/sample/browse/106366f1fe0f39232bc86be49ecbad4a
This sample appears to be a test piece of ransomware written in .NET with 2 binary resources that do not show up in normal tools. No obfuscation was used to “hide” the resources. I was able to build my own test program that behaves the same way.
So really, they are not necessarily hidden; it’s just that some tools don’t see them.
I have run across this problem before but don’t see it very often when viewing decompiled .NET files.
If we look at the resources in a few different tools, we don’t see this data.
Let’s start with PEStudio. I have reported this problem a couple of times and have gotten no response about it.
Here we see PEStudio next to ILSpy.
It can be found here: https://www.winitor.com/binaries.html
Next we have MiTeC EXE Explorer.
It can be found here: http://www.mitec.cz/exe.html
Finally we have Resource Hacker.
It can be found here: http://www.angusj.com/resourcehacker/ (I assume this is the same one everyone else uses.)
The only thing I can think of is that they are not enumerating every type of resource, or that the data is not being seen because it has no file extension associated with it.
So let’s save the resource data to a file. We end up with a file called “gray.resources”.
Opening it up in a hex editor, we see this.
This would not be easy to extract without more information, so after some trial and error I got a tool to extract the binary data to .bin files.
This simple tool enumerates all of the resources, lists the names and types, and then extracts just the data of “Type Byte” (the byte[] entries) to the folder, using the resource name and a .bin extension.
As you can see, this one only had 2 items. I have not tested it yet on other files.
Let’s take a look at the first one.
And the second.
These look to be encrypted/encoded, so let’s go back to ILSpy and see how.
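The enumeration the tool above performs, as an added example that is not the author's program: a Python parser for the `.resources` container (the layout `System.Resources.ResourceReader` reads, which is why the entries never appear as Win32 resource types), returning every byte[] entry by name. The small writer at the bottom, the reader and resource-set type names it emits, and the sample entries named `stub`, `runpath` and `label` are all constructed here so the parser can be run offline; nothing in them comes from the sample.

```python
# Added example (not the author's tool): walk a .NET ".resources" blob and pull out every
# byte[] entry. Layout follows the public System.Resources.ResourceReader/ResourceWriter format.
import struct
from io import BytesIO

MAGIC = 0xBEEFCACE          # ResourceManager.MagicNumber
TYPECODE_STRING = 0x01      # ResourceTypeCode.String: 7-bit length + UTF-8 bytes
TYPECODE_BYTEARRAY = 0x20   # ResourceTypeCode.ByteArray: int32 length + raw bytes

def _read_7bit(f):
    """BinaryReader.Read7BitEncodedInt: little-endian base-128 varint."""
    result = shift = 0
    while True:
        b = f.read(1)[0]
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result
        shift += 7

def _read_prefixed(f):
    """A 7-bit-length-prefixed byte string, as BinaryWriter.Write(string) emits."""
    return f.read(_read_7bit(f))

def parse_resources(blob):
    """Return [(name, type_code, payload)] for every entry: bytes for byte[], str for string,
    None for any other type code."""
    f = BytesIO(blob)
    magic, header_version, header_size = struct.unpack('<III', f.read(12))
    if magic != MAGIC:
        raise ValueError('not a .resources blob (bad magic)')
    if header_version > 1:
        f.seek(header_size, 1)            # unknown header version: skip it, as the reader does
    else:
        _read_prefixed(f)                 # reader type name
        _read_prefixed(f)                 # resource set type name
    version, count, num_types = struct.unpack('<iii', f.read(12))
    if version != 2:
        raise ValueError('only RuntimeResourceReader version 2 is handled')
    for _ in range(num_types):            # user type names; primitives use type codes instead
        _read_prefixed(f)
    if f.tell() & 7:
        f.seek(8 - (f.tell() & 7), 1)     # "PAD" bytes up to an 8-byte boundary
    f.seek(4 * count, 1)                  # name hashes: only needed for lookup, not enumeration
    name_positions = struct.unpack('<%di' % count, f.read(4 * count))
    data_section = struct.unpack('<i', f.read(4))[0]   # absolute offset of the data section
    name_section = f.tell()
    entries = []
    for pos in name_positions:
        f.seek(name_section + pos)
        name = _read_prefixed(f).decode('utf-16-le')   # names are stored as UTF-16
        data_offset = struct.unpack('<i', f.read(4))[0]
        f.seek(data_section + data_offset)
        type_code = _read_7bit(f)
        if type_code == TYPECODE_BYTEARRAY:
            payload = f.read(struct.unpack('<i', f.read(4))[0])
        elif type_code == TYPECODE_STRING:
            payload = _read_prefixed(f).decode('utf-8')
        else:
            payload = None
        entries.append((name, type_code, payload))
    return entries

def byte_array_entries(blob):
    """The 'save every Type Byte entry as <name>.bin' step, as a dict instead of files."""
    return {name: payload for name, code, payload in parse_resources(blob)
            if code == TYPECODE_BYTEARRAY}

# ---- constructed sample: a writer mirroring ResourceWriter, so the parser can run offline ----
def _write_7bit(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def _name_hash(name):
    """FastResourceComparer.HashFunction (a djb2 variant); ResourceWriter sorts entries by it."""
    h = 5381
    for ch in name:
        h = (((h << 5) + h) ^ ord(ch)) & 0xFFFFFFFF
    return h

def build_resources(entries):
    """Serialize (name, bytes-or-str) pairs into the same layout parse_resources reads."""
    names, data, hashes, positions = bytearray(), bytearray(), [], []
    signed = lambda h: struct.unpack('<i', struct.pack('<I', h))[0]   # .NET sorts on int32 hashes
    for name, value in sorted(entries, key=lambda e: signed(_name_hash(e[0]))):
        hashes.append(_name_hash(name))
        positions.append(len(names))
        encoded = name.encode('utf-16-le')
        names += _write_7bit(len(encoded)) + encoded + struct.pack('<i', len(data))
        if isinstance(value, bytes):
            data += _write_7bit(TYPECODE_BYTEARRAY) + struct.pack('<i', len(value)) + value
        else:
            text = value.encode('utf-8')
            data += _write_7bit(TYPECODE_STRING) + _write_7bit(len(text)) + text
    header = b''.join(_write_7bit(len(s)) + s for s in
                      (b'System.Resources.ResourceReader, mscorlib', b'System.Resources.RuntimeResourceSet'))
    out = bytearray(struct.pack('<III', MAGIC, 1, len(header)) + header)
    out += struct.pack('<iii', 2, len(entries), 0)      # version 2, entry count, no user types
    if len(out) & 7:
        out += (b'PAD' * 3)[:8 - (len(out) & 7)]
    for h in hashes:
        out += struct.pack('<I', h)
    for p in positions:
        out += struct.pack('<i', p)
    out += struct.pack('<i', len(out) + 4 + len(names))  # data section follows this int and the names
    out += names + data
    return bytes(out)

# Constructed sample: two opaque byte[] blobs (stand-ins for the two entries in the post) and a string.
SAMPLE = build_resources([('stub', bytes(range(256))), ('runpath', b'\xde\xad\xbe\xef' * 8),
                          ('label', 'x' * 200)])

if __name__ == '__main__':
    for name, code, payload in parse_resources(SAMPLE):
        print(name, hex(code), len(payload) if payload is not None else '-')
```

Pointing `byte_array_entries` at a saved `gray.resources` (`open(path, 'rb').read()`) lists exactly the entries the three tools above miss; anything with a type code outside `0x01`/`0x20` is reported with a `None` payload rather than guessed at.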
The highlighted area is where it tells us what to do with the extracted resources.
At the top we see the key used for decryption, and test4 at the bottom is AES in CBC mode.
It also has a hard-coded salt value.
Since I didn’t have a tool for this type yet, I just borrowed the code from them, and after fixing one bug that may have been introduced in the decompilation I got it working.
Notice anything in the output? 0x4D5A (MZ).
So we now have an extracted and decrypted binary.
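The unwrapping step described above, as an added example in Python rather than the borrowed decompiled code, followed by the 0x4D5A (MZ) check on the result. It assumes the usual .NET pairing of `Rfc2898DeriveBytes(password, salt)` with `Aes` in CBC mode and PKCS7 padding; the post confirms the key, the salt and CBC mode but not how key and salt are combined, so that derivation is an assumption. The `PASSWORD` and `SALT` values and the fake PE header are constructed placeholders, not the sample's, and the `cryptography` package is required.

```python
# Added example (not code from the sample or the post): the AES-CBC unwrapping re-implemented in
# Python, plus the "0x4D5A (MZ)" check on the output.
# Assumption: Rfc2898DeriveBytes(password, salt) -> key/IV feeding Aes CBC with PKCS7 padding,
# which the post does not state. Requires the `cryptography` package.
import hashlib
import struct
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed placeholders: the sample's real hard-coded key string and salt are not reproduced.
PASSWORD = 'placeholder-key-string'
SALT = b'placeholder-salt'

def derive_key_iv(password, salt, iterations=1000):
    """Rfc2898DeriveBytes defaults: PBKDF2-HMAC-SHA1, 1000 rounds, password encoded as UTF-8.
    GetBytes(32) followed by GetBytes(16) equals one 48-byte output split in two."""
    stream = hashlib.pbkdf2_hmac('sha1', password.encode('utf-8'), salt, iterations, 48)
    return stream[:32], stream[32:]

def aes_cbc_decrypt(ciphertext, password=PASSWORD, salt=SALT):
    """AES-256-CBC with PKCS7 padding, the defaults of System.Security.Cryptography.Aes."""
    key, iv = derive_key_iv(password, salt)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()

def aes_cbc_encrypt(plaintext, password=PASSWORD, salt=SALT):
    """Inverse of the above; only here to construct a wrapped blob for an offline run."""
    key, iv = derive_key_iv(password, salt)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()

def looks_like_pe(data):
    """The 'MZ' check from the post, extended to require e_lfanew to point at a 'PE\\0\\0'
    signature, so a stray 0x4D5A at offset 0 is not mistaken for an executable."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'

def build_fake_pe():
    """Constructed stand-in for the extracted binary: a 64-byte DOS header whose e_lfanew
    points at a PE signature followed by zeros. It is not an executable."""
    dos = bytearray(b'MZ' + b'\x00' * 62)
    struct.pack_into('<I', dos, 0x3C, 0x40)
    return bytes(dos) + b'PE\x00\x00' + b'\x00' * 20

def unwrap_and_check(blob):
    """Decrypt one extracted .bin and report whether an executable fell out."""
    plain = aes_cbc_decrypt(blob)
    return plain, looks_like_pe(plain)

if __name__ == '__main__':
    wrapped = aes_cbc_encrypt(build_fake_pe())          # stands in for one of the .bin files
    plain, is_pe = unwrap_and_check(wrapped)
    print(plain[:2], 'PE header found' if is_pe else 'not a PE')
```

With the real key string and salt in place of the placeholders, `unwrap_and_check(open('name.bin', 'rb').read())` is the whole pipeline; a wrong guess at the derivation shows up as a padding error rather than as garbage that happens to start with MZ.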
Here is the second one.
They just used the AES function to hide the registry “Run” path.
What we end up with is the program that does the actual “bad stuff”, including encrypting various files using a folder/file-extension list.
As of last night that Bitcoin value did not exist.
Towards the bottom we have a “random” password generator. The problem is that it does not appear to save it anywhere for use in decryption later, at least not that I have found so far.
They are also nice enough to delete the shadow copies.
I also looked up the GUID, and you can find it used in several places.
I have no idea if this thing will even run and do what the code suggests it will do.
The point of this whole post was not to show the malware, but to highlight the problem of mainstream tools not being able to find or show these types of resources.
There could be more than meets the eye that is not being shown, as was the case here.
That is it for this one. Go check your tools.