Hello and welcome to Malware Analysis for Hedgehogs. I'm finally back from vacation, and the MalwareHunterTeam has pointed me to an interesting sample that I think is worth making a video about. Although it's another .NET unpacking tutorial, there are some new techniques involved which I haven't shown in my other videos yet. All right, let's take a look at this sample first. There's a debug path in this sample, and it's indeed a .NET file, as you can see here. The debug path is interesting because Visual Studio puts this path there by default, so if the developer doesn't change it, it will expose, for instance, the username that was used on the development computer, and also the name of the project. In this case it's a standard name, "Windows application" plus a number: that's what Visual Studio creates when you click the "new project" button, so this is the fourth standard project that this developer made. To me it's an indication that the project wasn't very important to the developer, because otherwise they would have given it a proper name. All right, checking the strings will also show the path again, and there's this arm.exe, which I think is worth looking at later, and lots and lots of base64 strings. Now, I assume that PE Studio has an upper limit for the size of strings, because that's actually just one string, as you will see later. OK, let's check the code in a decompiler, and here it is.
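As an added example (my code, not from the video or from the sample it analyzes), here is a small Python triage script that does what the string view only hints at: it pulls long base64 runs out of a file, decodes them, and flags the ones that decode to an MZ header, so "lots of base64 strings" that are really one embedded executable show up as a single finding. The sample input is constructed inline so it runs offline; `min_len` and the function names are my own choices.

```python
"""
Base64 triage: find long base64 runs in a binary, decode them and flag
the ones that start with an MZ header. Added example, not the video's code.
"""
import base64
import binascii
import re


def find_base64_runs(data: bytes, min_len: int = 64):
    """Return (offset, raw_run) pairs for base64-looking runs of at least min_len chars.

    The minimum length keeps short false positives (plain words, GUID pieces) out.
    """
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    return [(m.start(), m.group(0)) for m in pattern.finditer(data)]


def decode_run(run: bytes):
    """Decode one run, tolerating stripped padding. Returns None if it is not valid base64."""
    padded = run + b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(data: bytes, min_len: int = 64):
    """Decode every long base64 run and report which ones look like PE images."""
    findings = []
    for offset, run in find_base64_runs(data, min_len):
        decoded = decode_run(run)
        if decoded is None:
            continue
        findings.append({
            "offset": offset,
            "encoded_len": len(run),
            "decoded_len": len(decoded),
            "is_pe": decoded[:2] == b"MZ",
        })
    return findings


def carve_pe_blobs(data: bytes, min_len: int = 64):
    """Return the decoded bytes of every run that decodes to an MZ header."""
    blobs = []
    for _, run in find_base64_runs(data, min_len):
        decoded = decode_run(run)
        if decoded is not None and decoded[:2] == b"MZ":
            blobs.append(decoded)
    return blobs


# Constructed sample input: a fake dropper body with a small MZ blob embedded
# as one long base64 string, plus a short base64-looking word and a path.
FAKE_PE = b"MZ" + b"\x90" * 120 + b"PE\x00\x00" + bytes(range(64))
SAMPLE = (b"\x00\x01junk\x00Form1\x00" + b"HelloWorld" + b"\x00"
          + base64.b64encode(FAKE_PE) + b"\x00C:\\Users\\dev\\arm.exe\x00")


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    for i, blob in enumerate(carve_pe_blobs(SAMPLE)):
        with open("carved_%d.bin" % i, "wb") as fh:
            fh.write(blob)
```

Run it against a real file by replacing `SAMPLE` with the file's bytes; each carved blob is written out so it can be inspected in a PE viewer the way the decoded resource is in the video.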
Now, obviously I clicked on Main first, because that's where code execution starts, but as soon as you see a set of My.Computer, My.Project, My.Settings and so on, you may want to check Form1 first. This is a forms application, which means a lot of the code that's here has been generated by Visual Studio, and that's nothing you're interested in, so you look at the form first; that's the user code, the code of the developer. Oh, there's a lot of junk right there, so the more interesting methods to look at are the Form_Load and InitializeComponent methods. I will still scroll a bit through; you see there's nothing interesting here, and here's the Form_Load, and that's interesting code. There is our arm.exe; it's a file in the temp directory, and what's written to it is a base64 string. So there we have the base64 string; now we just need to find the string so we can decode it ourselves. In this case that's the easiest way. Of course you can also execute the file and then get the arm.exe; then you also have the dropped file. Obviously it's a dropper: it writes it to disk, so it's a dropper. What did I want to do? I wanted to check the resources; these buttons are too many. All right, there, here's a text file, one resource, and now we can save this with the save button here, and here we have it. Open it with Notepad, and then you might want to remove the header of the resource (we don't need it anymore), just decode the base64 string, save it to a file, and then you might want to recheck what you got. OK, again a .NET file, nice, and it has the internal name and original file name server.exe. That's a huge sign to me that this is a remote access trojan, because they call the part that's on the victim's computer the server, and the client is the part that's on the attacker's computer. All right, it uses Reflection and LoadModule, so it seems it's loading something dynamically, and we need to check that. At this point you can see that this is obfuscated by Confuser. Confuser is one of the more difficult obfuscators, but we will be able to tackle that nevertheless. Here you can see the LoadModule call, which is interesting for us, and also an Invoke, but at this point you should be able to dump this array here, and that's what we want to do: it gets something from the resources, reads it into this array, and then loads it here. Here's the array. The best way to get this is using dnSpy, and we will just do that. You need to take the right version for debugging: if it's a 64-bit application you need dnSpy.exe, otherwise you need dnSpy-x86.exe. Run it as administrator, and we open up the debugging. There it is. Now you might ask why I do not deobfuscate the Confuser protection right here. It's not necessary; the important parts are readable right here, so that's what I will do. OK, I clicked on here; that was the interesting part. We want to dump this array, so I will set a breakpoint here and press Continue, and there we have our array. Let's see what's in there. Yeah, nothing useful yet. We will step once, and then, yes, here it's been decoded, or decrypted, or whatever; I guess this function is decrypting the array, and there's the MZ, so we probably have an executable, or at least part of an executable. Take a look in the memory window; now you can right-click and say "Save Selection", save it to the desktop, and that's our first dump. OK, now we need to check this. Here it is, OK, the first dump. Now that's interesting right here: that's a .NET module, and it's interesting insofar as, if you want to debug this dump, you need to make it runnable first. A .NET module is not runnable on its own; the smallest runnable thing in .NET is the assembly, and the assembly has a manifest that is necessary to make it run. The .NET module does not have this manifest; it's only meant to be used in the context of an assembly. But dnSpy is able to create an assembly
out of the .NET module. So in case you want to use debugging to unpack this, open up dnSpy; that's the new thing we learn right here. We open the dump; where is it? There. Now you can also see it's named "netmodule", and you can right-click on it and say "Convert to Assembly". Do that, then say "Save All", and I would save it as something like "modified"; that's the modified dump. All right. If you do not do that, well, let me just open up Process Explorer to check. OK, that's the unmodified file, and this shouldn't work: "not a valid Win32 application". I will show you the reason soon. I think the same should happen here: this one still should not run, and I'm just verifying this by looking at Process Explorer, and again it does not run, although we made an assembly out of it. So what's the problem? Now you need to open this with CFF Explorer; that's also a viewer for PE-related metadata, but you can also edit the metadata, and there's one thing here that's wrong: this flag says the file is a DLL. Just uncheck this; it's not a DLL, you want an executable and not a dynamic link library. The other thing is, if it's a forms application like our first file, you might want to change this to "Windows graphical user interface" instead, but we don't need that here. Yes, save the changes. And now we need to be a bit careful: it's now able to run and infect our machine. All right, let's take a look at it again with dnSpy. Now in this case, yeah, that was the old file, but it doesn't matter. You can already see, if you click on the entry point, that this is really a mess; you don't want to analyze this code. Well, if there's no possibility to deobfuscate it, that's when you can use this to make it runnable, run it, and then use MegaDumper to dump what's inside.
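Here is an added Python example (mine, not the video's and not dnSpy's or CFF Explorer's code) that covers the two header checks from this part of the walkthrough: telling whether a dumped blob is a .NET image (a non-empty CLR runtime header, data directory 14) and the CFF Explorer edit that makes the dump loadable as an executable, clearing the DLL flag in the COFF characteristics and optionally setting the subsystem to GUI. It builds a constructed PE32 header shaped like a dumped netmodule so it runs offline; it does not add the assembly manifest that dnSpy's "Convert to Assembly" supplies, that step is still dnSpy's.

```python
"""
Inspect and patch PE header fields relevant to running a dumped .NET module.
Added example; offsets follow the PE/COFF specification, not any tool's code.
"""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC = 0x10B
CLR_DIRECTORY_INDEX = 14


def _offsets(data):
    """Locate the COFF header and optional header; raise if this is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4          # 20-byte COFF file header
    opt = coff + 20              # optional header (PE32 or PE32+)
    magic = struct.unpack_from("<H", data, opt)[0]
    return coff, opt, magic


def pe_header_info(data: bytes) -> dict:
    """Report DLL flag, subsystem and whether a CLR (.NET) header is present."""
    coff, opt, magic = _offsets(data)
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directory table starts at 96 (PE32) or 112 (PE32+); the count sits
    # just before it. Each entry is RVA (4 bytes) + Size (4 bytes).
    if magic == PE32_MAGIC:
        ndirs_off, dir_base = opt + 92, opt + 96
    else:
        ndirs_off, dir_base = opt + 108, opt + 112
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > CLR_DIRECTORY_INDEX:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dir_base + CLR_DIRECTORY_INDEX * 8)
    return {
        "characteristics": characteristics,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": subsystem,
        "has_clr_header": clr_rva != 0 and clr_size != 0,
    }


def make_executable(data: bytes, subsystem: int = None) -> bytes:
    """Return a copy with the DLL flag cleared (and EXECUTABLE_IMAGE set).

    If subsystem is given (e.g. IMAGE_SUBSYSTEM_WINDOWS_GUI for a forms app),
    the optional header's Subsystem field is rewritten too; otherwise it is kept.
    """
    out = bytearray(data)
    coff, opt, _ = _offsets(out)
    flags = struct.unpack_from("<H", out, coff + 18)[0]
    flags = (flags & ~IMAGE_FILE_DLL) | IMAGE_FILE_EXECUTABLE_IMAGE
    struct.pack_into("<H", out, coff + 18, flags & 0xFFFF)
    if subsystem is not None:
        struct.pack_into("<H", out, opt + 68, subsystem)
    return bytes(out)


def build_sample_netmodule() -> bytes:
    """Constructed sample: a bare PE32 header shaped like a dumped .NET module
    (DLL flag set, console subsystem, CLR directory populated). Not a real file."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)                                        # PE32 size with 16 dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_netmodule()
    print("before:", pe_header_info(sample))
    print("after: ", pe_header_info(make_executable(sample, IMAGE_SUBSYSTEM_WINDOWS_GUI)))
```

On a real dump you would read the file into `data`, call `pe_header_info` to confirm the CLR header is there (the "again a .NET file" check), and write `make_executable(data)` to a new file in the analysis VM; the constructed header here only exercises the parsing and patching logic.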
But in this case it's not necessary; we can deobfuscate it with NoFuser. It doesn't work every time, so you always have to keep in mind several ways of achieving what you want to achieve, and in this case I think it's quite good to check this. Then I will just rename it to "cleaned dump". Yes, please change it. Oh, we have it all here, and we will open the cleaned dump, the deobfuscated one, and that looks much better already. Now if you analyze the code, you can see that this is opening a zip file, an archive, and this archive is loaded into memory, so we want what's inside this archive. Let's check the method that's using it; I think it's this one. So it's doing some stuff here. OK, this method gets the archive from the resource stream, so again it's in the resources, and that's where you will find the archive. You can just save it from here; there's no need to debug this code. Now just extract this. OK, that's not important here (you can check it nevertheless, but for now it's not important), but this one is: it's again called server.exe. I would say it's "dump 2". All right, take a look at it: the entry point is, yeah, Main, interesting, and now it has some ugly method names, so that's really not so nice. If you don't want to hurt your eyes with ugly method names, use de4dot. de4dot has a list of several obfuscators it can deobfuscate successfully, but even if it doesn't know the obfuscator, it will at least rename the method names, so just try it if it looks ugly. Here's our clean dump, and now we may analyze this instead. OK, yeah, that's better. Wow, and we are at the end; that's the actual malware. I just clicked, you know, I got into the method that was called from Main, and I usually then click on the class to see the other methods in that class, mostly to get an overview. Here we have what's usually the most interesting part if you have a remote access trojan: the configuration, because there you can see where it's connecting to, which port, and so on, and also where it saves copies of the executable, into which locations. Here's a version number; that's the version number of njRAT, and njRAT is our malware. If you upload this to VirusTotal, you will probably get the malware name Bladabindi; that's the name for njRAT. It's bad practice to use the name that the author intended it to have, so they named it Bladabindi, and other files that copied source code from njRAT might also be detected as Bladabindi, because detection might be based on that piece of source that they have copied. So nowadays Bladabindi is basically a detection name for lots of remote access tools. Again, you might now want to check the source to see what it can do. There's some keyboard logging right here; you see the GetKeyboardState and so on, and "kl" probably also stands for keyboard logging; that's how it indicates certain keys in the log file, and here are the keys. So yeah, that's quite interesting; I will leave it to you to analyze this and unpack it yourself. Many thanks to the MalwareHunterTeam, because they explained to me how to tackle this with the .NET module, basically how to make the .NET module executable. I learned something new today and I love to share this with you, so thanks, MalwareHunterTeam. If you learned something here, I will link MalwareHunterTeam's Twitter profile in the description below. Thanks for watching, see you next time.