The malicious sample in this story is a TeamViewer installer with embedded JavaScript and VBS. The sample uses multiple stagers to unpack its real payload. Let's begin the analysis!
Infection activity in brief
Drop and execute a .vbs and a .js file -> PowerShell (the 1st stager) connects to a Pastebin site that hosts the 2nd payload (a dotnet file) -> the 2nd payload creates a process that executes the 3rd payload -> the 3rd payload creates a process (notepad.exe), injects the miner's code into it and executes it.
1st stager — PowerShell
2nd stager — dotnet exe
3rd stager — C++ Windows exe
Below are the commands that trigger the malicious activities:
C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\dllm.vbs
— downloads the 1st PowerShell stager
C:\Windows\System32\WScript.exe C:\Users\Slayer\AppData\Local\Temp\setup.js
— creates a scheduled task to keep it persistent
C:\Users\Slayer\AppData\Local\Temp\setup.exe
— runs the original installer
Execute command
It uses PowerShell as the 1st stager to download the 2nd stager.
2nd payload stager
file_2020-03-02_074138.jpg — PowerShell code with another .exe file embedded in it. Convert these bytes in a hex editor and you will get the 3rd payload.
Extract payload from dotnet file
These are the bytes of the 3rd payload; as you can see, the payload is printed as decimals. Let's convert the first few decimals to hex and see what we get. After the conversion, the "MZ" magic header is found. This indicates that the dotnet file executes another PE file that needs to be investigated further. Another stager again 😑. Before that, we need to extract the payload from it. In this case, open the file in a hex editor and search for the same MZ magic header bytes in the hex dump. Then crop out 1565696 bytes starting from the M and insert them into a new file. Save it afterwards. ✌3rd stager Obtained ✌
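The decimal-to-hex conversion and the MZ carving described above, written out as a Python script. This is an added example, not the author's tooling: it parses a decompiler-style decimal listing, checks that each "MZ" candidate's e_lfanew really reaches a "PE\0\0" signature (a bare "MZ" occurs by chance in arbitrary data), and carves the image out. The embedded image and the listing are constructed inline and are far smaller than the sample's 1565696-byte payload; all function names are mine.

```python
import re
import struct

DOS_HEADER_SIZE = 0x40          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at offset 0x3C


def build_constructed_listing() -> str:
    """Build a stand-in for the decimal byte-array listing a .NET decompiler shows.

    The embedded image is constructed for this example (a DOS header whose e_lfanew
    points at a "PE\\0\\0" signature, followed by filler), preceded by four junk bytes
    so the "MZ" header is not at offset 0. These are not the bytes of the real sample.
    """
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)             # PE signature right after the DOS header
    pe_image = bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\x00" * 250  # Machine = i386, then filler
    blob = b"\x00\x11\x22\x33" + pe_image + b"\xff" * 8             # junk before, trailing bytes after
    return "new byte[%d] { %s }" % (len(blob), ", ".join(str(b) for b in blob))


def decimals_to_bytes(listing: str) -> bytes:
    """Turn a decimal byte-array listing back into raw bytes.

    If the listing still carries its declaration ("new byte[332] { 77, 90, ... }"),
    only the numbers inside the braces are used, so the array length is not taken
    for a byte value. A number outside 0..255 means this is not a byte array.
    """
    if "{" in listing and "}" in listing:
        listing = listing[listing.index("{") + 1:listing.rindex("}")]
    values = [int(v) for v in re.findall(r"\d+", listing)]
    for v in values:
        if not 0 <= v <= 255:
            raise ValueError("value %d is not a byte; not a byte-array listing" % v)
    return bytes(values)


def find_pe_headers(blob: bytes) -> list:
    """Offsets of every "MZ" whose e_lfanew really points at a "PE\\0\\0" signature."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_SIZE <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if blob[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve(blob: bytes, offset: int, length: int = None) -> bytes:
    """Cut `length` bytes starting at the MZ header (to the end of the blob if no length is given)."""
    end = len(blob) if length is None else offset + length
    if offset < 0 or end > len(blob):
        raise ValueError("requested range runs past the end of the data")
    return blob[offset:end]


if __name__ == "__main__":
    blob = decimals_to_bytes(build_constructed_listing())
    for off in find_pe_headers(blob):
        print("PE header at offset 0x%x" % off)
        # the real sample needed 1565696 bytes; the constructed image is 320 bytes long
        payload = carve(blob, off, 320)
        with open("carved_stage3.bin", "wb") as fh:
            fh.write(payload)
```

Run it as a script and it writes the carved image to carved_stage3.bin; for the real sample, feed the decompiler's listing to decimals_to_bytes and pass 1565696 as the carve length.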
Next, it’s time for debugging!!!
Debugging
Get Machine GUID
Get the Machine GUID via the registry key SOFTWARE\MICROSOFT\CRYPTOGRAPHY and use it as the username
Windows APIs involved:
NtOpenKey
ZwQueryValueKey
ZwClose
Create Config File
It creates a config file by appending multiple parameters in JSON format and then encodes it with base64.
Windows APIs involved:
ZwCreateFile
ZwWriteFile
ZwClose
Evasive Technique
Get the current process list -> loop through the processes -> look for taskmgr.exe -> if found, the process sleeps; if not, it creates the process notepad.exe
Create a new process (and inject the payload into it)
After it passes the evasive check, a new process is spawned in a suspended state. What does the -c mean? 🤔
Looks like there is a trampoline that inserts the payload into notepad.exe and executes it. Carve out the payload from memory and fix the PE header for further analysis.
Below are the parameters of the miner extracted from notepad.exe:
Based on the parameters, the miner is believed to be XMRig (an open-source miner), and usage of the -c parameter was found!
IOC lists
Dropped Files
From the Installer
%TEMP%\setup.exe (the real setup)
%TEMP%\dllm.vbs
%TEMP%\setup.js
From last payload
cfg
cfgi
<First 10 char of Mutex>_3.0.0
Create Scheduled Task (Persistence Technique)
C:\Windows\System32\schtasks.exe /create /sc minute /mo 30 /tn anydesk /tr "C:\Users\Slayer\AppData\Local\Temp\setup.js
Create startup item in registry (Persistence Technique)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-Item -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Value C:\Users\Slayer\AppData\Local\Temp\dllm.vbs
Mutex
083626eddd15ac3f8a72
URL
185[.]81[.]157[.]188:8080
pool[.]minexmr[.]com:4444 (from nicehash pool)
http://www[.]4up4[.]com/uploads/reemfa/file_2020-03-02_074138.jpg
Pastebin site with config settings
https://pastbin[.]com/raw/Yv5TP6HF
Pastebin site with 2nd payload
https://pastbin[.]com/raw/gC5dfjh9
Config file used by the notepad.exe
XMR wallet address
434PuVPN5tQ6xQA7pdB7NsNTJHWvUD5tL7rmsX7uzJgNdCAx7wo4yESiy51aqCcr13ZoYb3TFq3zw11BFQJiF1tnHibZ6EA
SHA256
95fee5658b71f8d1a5304dd07d5a036ddc69bd06a19834f4a6c04918a939dd5d
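Turning the dropped-file locations, the scheduled-task and Run-key commands, and the notepad.exe -c observation above into detection rules, as an added Python example that is not part of the original write-up. The process-creation records are constructed (the third stager's file name is a placeholder, since the write-up does not name it), and the record format, rule names and function names are my own.

```python
import re

# Constructed process-creation records (not real telemetry), one per entry as
# "parent_image|image|command_line". The first four mirror the commands, paths and
# the notepad.exe "-c" observation from the write-up; the rest are benign noise.
CONSTRUCTED_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\WScript.exe|"
    "C:\\Windows\\System32\\WScript.exe C:\\Users\\Slayer\\AppData\\Local\\Temp\\dllm.vbs",
    "WScript.exe|C:\\Windows\\System32\\schtasks.exe|"
    "C:\\Windows\\System32\\schtasks.exe /create /sc minute /mo 30 /tn anydesk "
    "/tr \"C:\\Users\\Slayer\\AppData\\Local\\Temp\\setup.js\"",
    "WScript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe Set-Item -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "-Value C:\\Users\\Slayer\\AppData\\Local\\Temp\\dllm.vbs",
    "stage3_placeholder.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe -c cfg",   # parent name is a placeholder
    "explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\Slayer\\Documents\\notes.txt",
    "cmd.exe|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /query /tn Backup",
    "explorer.exe|C:\\Windows\\System32\\WScript.exe|WScript.exe C:\\Scripts\\logon.vbs",
]

# A script file under the user's %TEMP% directory, as in the dropped-file list.
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s\"]+\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
REG_WRITE = re.compile(r"\b(?:Set-Item|Set-ItemProperty|New-ItemProperty)\b", re.I)
DASH_C = re.compile(r"(?:^|\s)-c(?:\s|$)")         # XMRig reads its config via -c


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, predicate over a parsed event)
RULES = [
    ("script host running a script from %TEMP%",
     lambda ev: _basename(ev["image"]) in ("wscript.exe", "cscript.exe")
     and TEMP_SCRIPT.search(ev["cmd"]) is not None),
    ("scheduled task pointing at a script in %TEMP%",
     lambda ev: _basename(ev["image"]) == "schtasks.exe"
     and "/create" in ev["cmd"].lower() and TEMP_SCRIPT.search(ev["cmd"]) is not None),
    ("Run key written from PowerShell",
     lambda ev: _basename(ev["image"]) == "powershell.exe"
     and RUN_KEY.search(ev["cmd"]) is not None and REG_WRITE.search(ev["cmd"]) is not None),
    ("notepad.exe started with an XMRig-style -c switch",
     lambda ev: _basename(ev["image"]) == "notepad.exe" and DASH_C.search(ev["cmd"]) is not None),
]


def parse_event(line: str) -> dict:
    """Split one "parent|image|command_line" record; the command line may itself contain '|'."""
    parent, image, cmd = line.split("|", 2)
    return {"parent": parent, "image": image, "cmd": cmd}


def scan(lines) -> list:
    """Return one hit per (event, matching rule), in input order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, match in RULES:
            if match(ev):
                hits.append({"rule": name, "parent": ev["parent"], "image": ev["image"], "cmd": ev["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_EVENTS):
        print("%-50s %s -> %s" % (hit["rule"], hit["parent"], hit["cmd"]))
```

The four rules fire on the four records that mirror the write-up and stay quiet on the benign notepad.exe, schtasks /query and non-%TEMP% WScript lines; the notepad.exe rule is deliberately narrow (an argument switch notepad never takes) so it can be tightened further with parent-process context where that is available.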