Chasing malware down the rabbit hole to see where it goes.

Let's start this journey with the blog post by Pondurance titled “777 RANSOMWARE COMBINES WITH TRICKBOT”, located here.

There is not a whole lot there, but it describes two layers of shellcode and some indicators; the first is the URL “hxxps://fearlesslyhuman[.]org”.

This URL seemed familiar, but when I looked it up I had difficulty finding much information on it. The first search led me to Hybrid Analysis, where we find it calling out to a /boot URL.

HA-1

It is also only labeled as “no specific threat”.

If we scroll down we see there is a PowerShell script, but it is split between two areas of the strings section and no download is available for it. So let’s just extract it from the strings section.

HA-3

Here is the extracted script. If we look closely, it is base64-encoded, GZipped data.

Let's extract that and see what we have.

HA-4

As with the original blog post that started this run, we have base64-encoded data that is also XOR’d with decimal 35.

You could probably build a CyberChef recipe to do all of the steps I’m going to do with my tools.

Base64 decode to bytes –> XOR each byte with decimal 35 to get the clean shellcode.

HA-5

One thing my tool does not extract is the latter part of the URL, highlighted by the red box. It can also be seen in the hex editor.

HA-6

Let’s also take a look at which APIs are found in this shellcode.

HA-7

So the full URL this is calling out to is fearlesslyhuman[.]org/FSkX.
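To make the two decoding layers above concrete, here is an added Python example (my own, not the author's tool or CyberChef) that unwraps base64+gzip, then base64+XOR 35, and runs a strings pass over the result. The sample it decodes is constructed in the script itself: a fake blob that only mimics the real shellcode's shape (starts with 0xFC, host and path stored as separate NUL-terminated strings), and the `FromBase64String('...')` pattern used to locate the inner payload is an assumption, since the page does not reproduce the script text. It also shows why a strings tool with the usual minimum length of 6 reports the host but drops the short “/FSkX” path fragment.

```python
import base64
import gzip
import re
from typing import List, Tuple

# Decimal 35 (0x23) is the single-byte XOR key named in the post.
XOR_KEY = 35


def decode_outer_layer(b64_gzip: str) -> str:
    """Layer 1: base64 -> gzip -> the inner PowerShell text."""
    return gzip.decompress(base64.b64decode(b64_gzip)).decode("utf-8", errors="replace")


def decode_inner_layer(b64_xored: str, key: int = XOR_KEY) -> bytes:
    """Layer 2: base64 -> XOR every byte with the key -> raw shellcode bytes."""
    return bytes(b ^ key for b in base64.b64decode(b64_xored))


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs, like a strings tool. The default minimum length
    is what hides the short '/FSkX' path fragment discussed in the post."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def looks_like_shellcode(blob: bytes) -> bool:
    """Cheap sanity check: the blobs in the post begin with 0xFC."""
    return blob[:1] == b"\xfc"


# Assumed pattern for where the inner script keeps its payload; the real
# script text is not reproduced on the page.
_B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def analyze_sample(outer_b64: str) -> Tuple[bytes, List[str]]:
    """Run both layers and return (shellcode, strings found in it)."""
    inner_script = decode_outer_layer(outer_b64)
    match = _B64_ARG.search(inner_script)
    if match is None:
        raise ValueError("no FromBase64String('...') payload in inner script")
    shellcode = decode_inner_layer(match.group(1))
    return shellcode, extract_strings(shellcode)


def build_constructed_sample() -> str:
    """Constructed stand-in for the strings-section script: a fake shellcode
    blob (not the real one) wrapped in the same two encoding layers."""
    fake_shellcode = (
        b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2"   # typical stager prologue bytes
        + bytes(range(0x80, 0xA0))                        # non-printable filler
        + b"fearlesslyhuman.org\x00"                      # host from the post, NUL-terminated
        + b"/FSkX\x00"                                    # path fragment stored separately
    )
    inner_b64 = base64.b64encode(bytes(b ^ XOR_KEY for b in fake_shellcode)).decode()
    inner_script = (
        "$b = [Convert]::FromBase64String('%s');"
        "for ($i = 0; $i -lt $b.Length; $i++) { $b[$i] = $b[$i] -bxor 35 }" % inner_b64
    )
    return base64.b64encode(gzip.compress(inner_script.encode())).decode()


if __name__ == "__main__":
    sc, found = analyze_sample(build_constructed_sample())
    print("starts with FC:", looks_like_shellcode(sc))
    print("strings (min 6):", found)
    print("strings (min 4):", extract_strings(sc, 4))
```

Running it prints the host at the default minimum length and only shows the “/FSkX” fragment when the minimum is lowered to 4, which is the same gap the red box in the screenshot points at; when the host and path are reported separately, join them yourself before recording the IoC.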

Unfortunately this does not contain the next level of download. The hunt continues.

Our next stop is urlscan.io (here) to see what it can tell us.

URLScan-1

We see 8 hits, and as of 10 days ago it appears to be down. It also appears to be the same IP in the ones that connected.

Here on VirusTotal it gives us a little more information, but not a lot.

VT-1

Searching on https://app.any.run for our URL we see several hits.

AnyRun-1

If we go through this list we are not finding anything special. Thanks to @James_inthe_box for locating a sample for me that is different from what we see in this list. Sample here.

I’m not sure why it is not showing up in this list.

AnyRun-2

Looking at the traffic we can see there is more going on here than in the other sample in the list.

Let's download the PowerShell script and extract the shellcode from it.

AnyRun-3

As we can see here, this script is the same as the last one we pulled apart, so let's extract the shellcode and see what it tells us.

AnyRun-4

Here we see it is using a “/HLnZ” path instead. Where have we seen that?

AnyRun-5

As we can see, here it is tagged as binary, so let's download that and see what we have.

AnyRun-6

And the hash information from Any.Run:

Hashes
MD5     7E8AF84B1CB9E43F1A66D385A63C9EAB
SHA1     C7651DD95BA7D82D1B8593E5EB5F0454AFF8373A
SHA256     17CB1CCC53B52E0EE31514673F4962E673280E505324739873542D541200120C
SSDEEP     6144:5RAY+7omj6nn5QEj+8vnLDckHWgvgV8Cm:92oo6n5va8PMS9C8Cm

Here we find it on VirusTotal by the hash, with no detections.

Let's look at this binary data in a hex editor.

AnyRun-7

As we can see here, it starts with an “FC”, which is what shellcode normally starts with.

Let's drop this into CyberChef and see what it tells us.

CCError

That is not good; it throws an error. Let's just try the first part of it then.

CC-2

Well that worked but still does not tell me much.

Next stop: fire up the VM and load this into SCDbg.

SCDBG-1

I’m a GUI person, so I used that instead of the command line.

SCDBG-2

As in the blog post referenced at the beginning, we can see many calls to API functions, and SCDbg also drops 2 files for us.

SCDBG-3

SCDBG-4

We can see this is a decoded PE file from the shellcode, but it appears parts of the PE header got stomped after it was loaded into memory.

SCDBG-5 

This version that was dropped still has the “MZ” in it.

SCDBG-6

Let's remove the decoding shellcode from the start, and then we have a decoded version of the binary.

Note: this is designed to be loaded and run from the original PowerShell shellcode.
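The “remove the decoding shellcode from the start” step can be done with a hex editor as the post describes, or scripted. The added Python example below is mine, not the author's tool or SCDbg output; it finds a DOS header by checking that `e_lfanew` really points at a `PE\0\0` signature (plain “MZ” matches are common false positives in code), carves from there, and flags the other case seen in the first dropped file, where the signature is present but the header in front of it was stomped. The memory dump it works on is constructed inside the script (a fake stub followed by a minimal PE skeleton), and `STUB_LEN` is a made-up size, not the real sample's.

```python
import struct
from typing import List, Optional

PE_SIG = b"PE\0\0"


def find_pe_offsets(blob: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew field points at a valid PE signature.
    Validating e_lfanew filters out the stray 'MZ' pairs that occur in code."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[nt:nt + 4] == PE_SIG:
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_pe(blob: bytes) -> Optional[bytes]:
    """Drop everything before the first valid DOS header (the decoder stub)."""
    offsets = find_pe_offsets(blob)
    return blob[offsets[0]:] if offsets else None


def header_stomped(blob: bytes) -> bool:
    """True when a PE signature is present but no intact DOS header leads to it,
    which is what the first SCDbg dump looked like."""
    return PE_SIG in blob and not find_pe_offsets(blob)


STUB_LEN = 0x30  # constructed decoder-stub size, not taken from the sample


def build_constructed_dump() -> bytes:
    """Constructed memory dump: a fake stub followed by a minimal PE skeleton."""
    stub = b"\xfc\xe8\x00\x00\x00\x00\x5b\x81\xc3" + b"\x90" * (STUB_LEN - 9)
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos_stub = b"\x00" * (e_lfanew - len(dos_header))
    # PE signature followed by a COFF file header for i386 with one section.
    nt_headers = PE_SIG + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return stub + dos_header + dos_stub + nt_headers + b"\x00" * 0x100


def build_stomped_dump() -> bytes:
    """Same dump with the first 0x40 bytes of the DOS header zeroed, mimicking
    a header that was overwritten after the image was loaded."""
    dump = bytearray(build_constructed_dump())
    dump[STUB_LEN:STUB_LEN + 0x40] = b"\x00" * 0x40
    return bytes(dump)


if __name__ == "__main__":
    dump = build_constructed_dump()
    print("PE found at:", [hex(o) for o in find_pe_offsets(dump)])
    print("first dump stomped:", header_stomped(build_stomped_dump()))
```

When `header_stomped` is true, the carved file is not going to load on its own; as the note above says, the real payload is meant to be mapped by the PowerShell shellcode, so for the stomped copy you still need the second dropped file, which keeps its “MZ”.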

Looking at this shellcode and the resulting executable got me wondering how it gets decoded.

What can we use? Possibly a shellcode-to-exe utility, and then load and/or run it in IDA or in X86Dbg.

After chatting with @herrcore about loading shellcode so it can be viewed in a debugger, he pointed me to a tool called BlobRunner, here. There are prebuilt binaries and the source code so you can build it yourself.

There is also a video that goes with it here, but they are using IDA Pro (the hard way) to view the blob.

At first I had trouble figuring out how to use it, so I used a smaller sample file to get a feel for it.

The steps to run it:

Copy the BlobRunner binary and the shellcode into a folder on your VM.

Open a command prompt from that folder (so you don’t have to use full paths).

Pass the BlobRunner executable, a space, and the name of the shellcode file into cmd.

In this case it will be blobrunner.exe “HLnZ.bin” (I used double quotes in case a filename has a space).

After entering the command and hitting enter we see this.

BR-1

Next we open X86Dbg and attach to the blobrunner process.

BR-2

Next we go back to the command window and look for the Entry value (or you can do this first).

br-3-b

Then back to X86Dbg and open the Memory Map section and look for that address.

BR-4

I double clicked on that address and went to the place in the CPU tab where it is.

BR-7

Here we are at the beginning of the shellcode. Set a breakpoint here, then go back to the cmd window and hit a key to start it running again.

Next hit run in the debugger and it will break at that breakpoint. You can then start stepping through from there to see what it is doing.

Note: if you hit run in the debugger without setting the breakpoint first, it will get away from you. (I’ve done it.)

Going through this there are a couple of jumps to set things up. Notice the second “Call” at “B”.

Now look what happens as we step thru and make some jumps.

BR-5

BR-6

Notice that the assembly changed after making the jumps, and the really odd part is that if you scroll back up it returns to normal, the same as what CyberChef shows.

BR-8

If we set a breakpoint at the pop ebp (0x33) and run to there (after the loop is complete), it will self-decode. You can then select and copy all of the bytes here into a hex editor and clean out the beginning shellcode, or you can use the “follow in memory map” option and dump it to a file from there.

BR-8A

That is how to do it that way.

But I’m still curious how the decoding algorithm works.

I then stepped through it enough times that I was sure I had down what it does.

Tool-1 

It is a little slow because it is dealing with a lot of data and also formatting the input string/hex from a text box. Large amounts of data in a text box are always slower than importing the data straight from a file and working with it that way.

And finally, here is how this works.

HowToDecode

That 34200 is a counter that gets reduced by 4 every round.

I am assuming that it is also a length value.

And one final thing. Does it run in Any.Run, here?

ExtracyedBinAnyrun

Nope.

That is it for this one. I hope you learned as much as I did.

Links

Anyrun Links:
Link to Good run
Link to Extracted File

BlobRunner:
Link to Download
Link to Video

Hybrid Analysis:
Link to Report

UrlScan.IO:
Link to the report for URL

Virus Total:
Link to Data on Url
Link to shellcode

About pcsxcetrasupport3

My part-time business; I mainly do system building and system repair. Over the last several years I have been building system utilities in VBScript, HTA applications and VB.Net to be able to better find the information I need to understand system problems, in order to get the systems repaired and back to my customers quicker.
This entry was posted in Malware, PowerShell, security.
