Stay updated with the latest cybersecurity news.

Multistage malware breakdown – Part 2

By Reason Cybersecurity

on Sun May 17 2020

In the last part, we started analyzing an HTA file, which revealed a Powershell script that downloads another executable file called “Com100Chats.exe ”. In Part Two, we will analyze it to see what it does.

Analyzing the “Com100Chats.exe”: After fetching the file, the first thing I wanted to validate was the file type, so I used the good old PEiD tool to see exactly what it was:

It turns out it’s a .NET file, which means that we can actually view the code as a readable format, so we can open the file with a .NET disassembler and go to the entry point:

Here we can see an old-fashioned technique that is still used today., We can also see that the malware is trying to fetch some information from a resource section called “WindowsFormsApp1881.data”. More than that, we can see a byte array that is going to be generated and some keys inside “MuKıta.Bamsı”. Going to the resource that is about to get decrypted will be a waste of time; we will have to run this byte array and set a breakpoint in the disassembler so we can extract the decrypted byte code:

As we can see from above, we put a breakpoint in the line that is responsible for the decryption. We can see the first 2 bytes, which are unknown as file headers. We will understand once we  see the real MZ header, that we decrypted it successfully:

After running the function, we get the 0x5A,0x4A, which means that this bytecode is ready to run since it’s the MZ header. We must now extract it as a bytecode so we can continue the analysis.

Analyzing the extracted bytecode

Here we take the extracted bytecode and test it with PEiD again to see what the file type is:

Since we see it’s a .NET, we can continue with a disassembler and view the code. When viewing the code entry point, it is easy to see again how the malware is using the resource section in order to hide things:

Going again to the resource section to look at the “String1” resource, we can see that script:

As we can see this is VBScript, which contains a Powershell execution inside of it. From the code above, we can easily understand that the “String1” resource will be written to the “Com100Chats.vbs” file. The next step is to find out what is behind the encoding so we will decode the base64, which gives us some null bytes:

Here we are removing all of those null bytes so we can extract some information:

What we are seeing here is just a Powershell WebClient function that uses a download string in order to pull a file called “ads.jpg”. In the next part, we will examine the “ads.jpg” in order to find out what it does so stay tuned until next time.