[Mal Series #21] BazarLoader
Here is the BazarLoader DLL sample, extracted from an MFC parent file.
The BazarLoader DLL is heavily obfuscated (it looks like an LLVM-based obfuscator), and the deobfuscation routines have been deliberately complicated to make analysis 'harder'.
Take ZwRaiseHardError as an example: you can see that those additional mathematical operations are actually meaningless 🤔
hash = hash & (hash ^ 0xff000000)
The API hash calculation algorithm has also been made needlessly complicated 🤔
and there are many more like it 😐
To make life easier, I have provided an IDA script that decrypts the Windows API function names 😃 and the C2 IPs -> here.
Decrypted Windows API function text -> here
An interesting way of forcing itself to self-spawn
ZwRaiseHardError of the newly created process (created in suspended mode, 0x4) ->
WriteProcessMemory -> and replace its first 3 bytes with
After that, the parent process quits and the child process continues on another branch, since it now satisfies the
hash == 0xc3c033 condition.
Checking for the presence of antivirus products
Dr_Web -> HKCU\SOFTWARE\Dr_WEB
Avast -> aswhook.dll / HKCU\SOFTWARE\AVAST Software
Sleep period (the number is random each time)
Decrypt C2 IP
After decryption, it sends the victim's information via HttpSendRequest to one of the C2 IPs and receives the reply from that C2. If the current one fails, it loops on to the next one.
Decrypt bazar domain
After decryption, it tries to connect to the bazar domains and receive something from them.
Decrypted function found:
So far I have only analysed up to the C2 connection; I didn't spend much time looking at what happens next (e.g. after a successful C2 connection).
Date: <dayname>, dd mm yyyy hh:mm:ss <zone>
Cookie: <random>=<base64 of the BCrypt-signed SHA384 hash of the Date string (<dayname>, dd mm yyyy hh:mm:ss <zone>)>
Flow of how that data is generated:
RSA3 key blob decryption routine
BCryptGetProperty (KeyLength ObjectLength HashDigestLength)
BCryptFinishHash -> Get SHA384 Hash Blob
BCryptSignHash -> Get the signed blob, to be base64-encoded later
CryptBinaryToStringA -> encode the signed blob as base64
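The key blob in the flow above is a CNG BCRYPT_RSAKEY_BLOB (the "RSA3" magic marks a full private key). As an added analyst-side helper, not code from the original post or from the sample, the parser below pulls the key fields out of such a blob and checks the RSA relations, so a decrypted blob can be trusted before it is used to verify captured beacon cookies; the toy key bytes in SAMPLE_BLOB are constructed and have no relation to the sample's real key.

```python
import struct
from math import gcd
# BCRYPT_RSAKEY_BLOB: magic + five little-endian ULONGs, then big-endian key
# material (per the CNG docs). "RSA1"/"RSA2"/"RSA3" = public/private/full-private.
MAGICS = {b"RSA1": "public", b"RSA2": "private", b"RSA3": "fullprivate"}
HEADER = struct.Struct("<4s5I")  # Magic, BitLength, cbPublicExp, cbModulus, cbPrime1, cbPrime2

def blob_layout(kind, cb_exp, cb_mod, cb_p1, cb_p2):
    # Field order and byte lengths that follow the header for each key type.
    fields = [("e", cb_exp), ("n", cb_mod)]
    if kind != "public":
        fields += [("p", cb_p1), ("q", cb_p2)]
    if kind == "fullprivate":
        fields += [("dp", cb_p1), ("dq", cb_p2), ("qinv", cb_p1), ("d", cb_mod)]
    return fields

def parse_bcrypt_rsa_blob(blob: bytes) -> dict:
    """Parse a BCRYPT_RSAKEY_BLOB into ints; raises ValueError if malformed."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than BCRYPT_RSAKEY_BLOB header")
    magic, bits, cb_exp, cb_mod, cb_p1, cb_p2 = HEADER.unpack_from(blob)
    if magic not in MAGICS:
        raise ValueError(f"unknown magic {magic!r}")
    kind = MAGICS[magic]
    # sig_len: a BCryptSignHash output with this key is cbModulus bytes before base64.
    key, off = {"type": kind, "bits": bits, "sig_len": cb_mod}, HEADER.size
    for name, size in blob_layout(kind, cb_exp, cb_mod, cb_p1, cb_p2):
        if off + size > len(blob):
            raise ValueError(f"blob truncated inside field {name}")
        key[name] = int.from_bytes(blob[off:off + size], "big")
        off += size
    return key

def key_is_consistent(key: dict) -> bool:
    """Check the RSA relations so a decrypted blob is trusted before use."""
    if key["type"] == "public":
        return key["n"] > 0 and key["e"] > 1
    p, q, e = key["p"], key["q"], key["e"]
    if p * q != key["n"]:
        return False
    if key["type"] == "private":
        return True
    d, lam = key["d"], (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (e * d % lam == 1 and key["dp"] == d % (p - 1)
            and key["dq"] == d % (q - 1) and key["qinv"] * q % p == 1)

# Constructed toy RSA3 blob (p=61, q=53, e=17, d=2753), not the sample's key:
# header (12 bits, cbExp=1, cbMod=2, cbP1=1, cbP2=1) then e, n, p, q, dp, dq, qinv, d.
SAMPLE_BLOB = b"RSA3" + struct.pack("<5I", 12, 1, 2, 1, 1) + bytes.fromhex("110ca13d353531260ac1")
```

Feed the blob recovered from the sample's decryption routine to parse_bcrypt_rsa_blob; the returned sig_len is also the decoded length a genuine Cookie payload must have, which makes a cheap first triage check on captured traffic.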