Welcome to another analysis for hedgehogs. Let's check this Gozi/Ursnif sample today that I tweeted about a few days ago. It's pretty interesting from a static analysis perspective: how to unpack everything and find out the infection chain. That's the tweet, and here we have our Gozi sample. What you mostly need for this is Notepad++, so let's check it in Notepad++. If you don't have a JS extension you may want to set the language to JavaScript (it's JScript actually), and if you see just one line, turn on word wrap. Let's see if I find it here. You might only see this, so turn that on, and you get this, and then you realize there's a very big string in there, and at some point, more at the end, there is a second string; it's kind of different here. The first one is all lowercase letters and this one is all hex. So let's see, and here we have, let's say, the main part of that. Previously these strings are just stored into variables, and this is now the actual code that does something, and I recommend putting that into a beautifier like this one. Let's put it to an empty state here. In this you copy and paste that; do not copy and paste the big strings before that. The reason is that this will probably not work; when I tried the website it didn't work anymore, it's just too big. But the part that does something with those strings you can copy here, and it will automatically create a beautified version of it, so just copy and paste that and then it's a little bit better readable. We have seen there are two different strings that are that big, right? So let's just check the names first, because we need to know that that's one, right?
So find it here; it's here. That is the first embedded string. Replace all, so now we know what this does, and we can immediately see there is something going on with the registry: they are using HKCU\Software and then something else that is, as it seems, the username of that system. So we have here a registry key, let's name it registryKey, where something is done. Replace that one, and that contains at this point the username. Also, that is the embedded string, replace all. Now we know, okay, it seems like this is reading the embedded string, taking a substring of that, and then puts it in here; that is the actual registry data that's put into the registry value. So that's the read data, this part is the registry key with the username, and this part is the registry value, the name that contains this data. So what is that name? This is just a counter; it's a counter and it's incremented by one, so we will name it counter. And we can see that this embedded string is kind of spliced up into substrings of 4000 bytes, and then it's put into HKCU\Software\username\counter. So we will expect to see that the malware hides in the registry this way. And down below it's doing something else: it is now adding another string to the username one, so we have username and then "1" appended, and then it does the same with the second embedded string, which is this one. Okay, so we keep that in mind, note that down: two encoded strings saved in the registry in that area, here and here. And here is, that's PowerShell, right? The PowerShell binary or path. And they now execute PowerShell with this base64-encoded script, so that's the next thing we want to look at. Now Notepad++ can just decode base64; you may have to install a plugin, I'm not sure. So now that's a different encoding; we can just remove the zero bytes using a regular expression, \0, replace all.
It looks better, but we still need to kind of beautify that. I searched for a beautifier for that, but it was too complicated, so I actually just did it manually. First of all, let's set the correct language, it's PowerShell, and then I manually beautified it a bit: we can replace most of those characters with a newline; the only one where it doesn't make that much sense is the loop in here. And the next thing is we can add a newline to that, okay, and then, yeah, I do some indentation. So we should immediately recognize that again this accesses the registry value that we have, the registry key that we've seen before, and that's again HKCU\Software plus username, which is taken from the environment variables, and then it appends "1". So in this case this deals with the appended "1"; that's the second embedded string, so keep that in mind. And where is this used? Actually it does some conversion from string to byte, which matches what we've seen; this one kind of looks like a hex string. So let's just copy and paste that part. Now if you try to do the conversion from hex to ASCII, it would tell you the format is not conformed, so we need to do something else before that works. And we see that here a replacement is done: these characters are in the string, you can see that here, probably to defeat some automated decoding systems, and it replaces them with the content of KO. So what's the content of KO? You might think, oh, that looks complicated, it's doing some math stuff with square roots, but actually it's quite easy if you realize that you can ignore this part here. It's a loop that will only break if this condition is true, so as soon as it leaves the loop, KO equals 1000. So we know it has to be 1000; no matter what's happening here, at some point it has to be 1000. And it seems that, yeah, this does the conversion and then loads this as an assembly, so we would expect a .NET assembly if we decode this
file. Now let's do the replacement here: find that and replace it with 1000, and now we try the conversion again, Plugins, Converter, Hex to ASCII, and that works. So we just save that as dump1, but it's the second embedded file, so let's say second, and not as a text file, just some file, right? And let's close that. Here's our dump; we can now open it in dnSpy because, you know, we expected to see a .NET executable, so let's try, and here it is. It's a DLL, so we need to know what's called. Now this is a small DLL, so there's not much to look for, but oftentimes you would have to check what's actually called, and here it calls mode setup. So mode setup, that's our entry point to this, and what does it do? It again reads the Software and then username key we are already very familiar with, reads that, does some replacements here, and then it also sets persistence in RunOnce by putting this PowerShell script into the RunOnce key. So this is the persistence mechanism right here. What does it do? So it seems this reads the first embedded file from the registry, loads it here, loads it and invokes the method diagnostics time on that, and then it puts this PowerShell script into the autorun RunOnce. So that's how we get to the second file. Now this second string here, a second, it's actually the first; this is quite big, and because it's so big we may not be able to do all of that in Notepad++. I tried replacing this in Notepad++ and it just couldn't handle it, it ran out of memory. So we will just save this as a text file and use Python. Okay, that's the embedded first string; we can save it as a text file. So let's do some Python magic right here. We just open a command window and open up Python, and now we have to read the file embedded_first, and the content is f.readlines()[0], because it's just the first line of all that. And now we can verify that we got the right content by
showing the first hundred characters. What we want to do now is do the replacements like this: let's replace the uppercase, replace with lowercase, replace. So paste that in; it's not right, let's try again. Now that should do it, and that looks about right, and we can now convert that to a byte array, because we do not want the hex string, we want to write the bytes to a file eventually. So this would look like that, and let's just save it. But obviously we should save the whole file. Now it's having trouble; it says there's a non-hexadecimal number at some position. I'm not sure if we missed something; there's a newline in that. How did that happen? Okay, yeah, that's interesting. So let's just remove the newline, I don't think that has any meaning, and now we can do that again, save that as a byte array; now it works. And we open a file for writing, that's dump3 too, I'm not sure. We write this as a binary file, so write the byte array, close it. So let's check on it. Now that's the content that was written to the registry and loaded by this. So we can see that this is also a .NET DLL, because it's using .NET-specific ways to run it dynamically. If you put that in here we immediately see lots of detections on it. Okay, let's just open it in dnSpy; there it is, that's another DLL, and we see the entry point of that is diagnostics time, right? So let's open that up. And again, there's a view... if dnSpy at this point has some troubles loading or something, use the newest version; older versions did not cut the strings, so they also had troubles with very big strings and memory, so ran out of memory. Yeah, you can see that. Let's check the whole thing. So again we have to decode this, and what we can see here is it does again this replacement of the hash characters with num2. What is num2? That's the same trick we have seen before: it's doing some math stuff, but this loop can only break if this condition is not true, so once num2 is 1000 it will
break out of the loop. So that means it's the very same thing we did before; we just need to get this string out of the binary. That's actually not that difficult: we have these internal strings, and we know that's one very big string, right? So just do something like a thousand characters as a threshold for the file, and it was dump3, I guess. Does it work? Yes, great, and we put that to a file; this will be dump4, right? What does it do to that file? We see it calls this diagnostics PE something-something method on it, and this is a process injection, well, RunPE, into this legitimate executable for Windows. So it's a Windows executable, and then it calls WriteProcessMemory. If you see these, GetThreadContext, ReadProcessMemory, WriteProcessMemory and then ResumeThread, you should immediately know, okay, that's process injection right here. So check out the process injection graphic that I made, so you can recognize these very quickly. Yeah, so same here: we dump that, and again we have to replace this with 1000, and this time we may convert this to ASCII. It says again hex format is not conformed; in this case I think it's just one zero too much. Still... again, yeah, replace the whitespace: choose regular expression, \s, replace all, and again try that. Maybe that was... yeah, now it works. Okay, so it was the whitespace it had trouble with. We just save it and we have another file; let's put that in PEStudio. It takes a lot to load. That's the actual payload that's injected, and if you also put that into Intezer and into VirusTotal you will see that this has some detections, actually just one I think, for Kronos bot, and Intezer, which is a good site to find out the malware family, also finds Kronos genes in it; most of them seem to be from Kronos. So that's our payload right here, and there's not much to see; the file is packed, so that is still not the end of it, but I think it's enough for this session today.
Now one of the most interesting parts of this Gozi sample is the quite complex infection chain. It's fileless malware, so it is able to hide the payload entirely in the registry, and once the infection has happened there is no file on disk anymore necessary for the malware to load. Yeah, let's also run the malware and check out how it looks in the registry. Maybe I would just do it right here; it's quite interesting to watch what happens. So just open Process Explorer, yes, and Process Monitor, yes. I recommend for the filter to add process names that contain "script" and "powershell.exe", so let's do that and watch what happens here. Now we run it; we see the process was created for the JScript, and yeah, here it's creating our registry values, which contain the loader DLL as well as the payload that's loaded by that assembly. So if you now check the registry, check it here: jump to, yeah, jump to opens up the registry editor in the right location, and here you see the encoded payload in it, that's the payload, and in the one with the "1" is the encoded DLL that does the injection. Okay, now one last thing I want to add: the infection of this sample is not complete, it has a bug, or let's say this is actually not Gozi as it appears in the wild, because after my tweet I was contacted by a security researcher who said he created this as a standalone version of Gozi, so it can infect the system independently from any availability of the internet. If I pointed you to an actual wild sample of Gozi, it wouldn't work anymore very soon. Yeah, and that's already it for today, so thanks for watching and see you next time.
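The decoding done by hand above (reassembling the counter-named chunks under HKCU\Software\username, putting the constant 1000 back where the dropper substituted the hash character, stripping the stray newline and whitespace that broke the hex conversion, and checking that the result is a PE) as an added Python example that is not from the video, the sample, or any tool the video uses. It reads a `.reg` export of the chunk key, which an analyst can produce from the registry editor's jump-to location shown in the video. The key name, value data, 8-character chunk size and the `#` marker are constructed for the example; the real sample used 4000-character chunks and whatever character its PowerShell replaced with KO / num2.

```python
"""Added example (not from the video): rebuild and decode a payload that a
JScript dropper stored as numbered REG_SZ chunks in the registry."""
import re
from pathlib import Path

# Constructed sample .reg export of the chunk key. Subkey name, chunk size
# (8 chars instead of the sample's 4000) and data are made up for the
# example; values are deliberately listed out of counter order, and one
# chunk carries a stray space like the one that tripped up hex decoding.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\analyst]
"2"="00000fff"
"0"="4d5a9000"
"3"="f00 00"
"1"="#0000040"
'''

# Assumed marker character the dropper substituted for the substring "1000"
# (the value the obfuscated PowerShell loop settles on for KO / num2).
MARKER = "#"
MARKER_VALUE = "1000"

# One exported REG_SZ value per line: "name"="data"
VALUE_LINE = re.compile(r'^"(\d+)"="(.*)"$')


def reassemble_chunks(reg_text: str) -> str:
    """Concatenate the numbered chunks in counter order.

    Sorting numerically matters: a lexical sort would put "10" before "2"
    and silently corrupt the payload. A gap in the counter means the export
    is incomplete, so refuse rather than return a truncated blob.
    """
    chunks = {}
    for line in reg_text.splitlines():
        match = VALUE_LINE.match(line.strip())
        if match:
            chunks[int(match.group(1))] = match.group(2)
    if chunks and sorted(chunks) != list(range(len(chunks))):
        raise ValueError(f"chunk counter has gaps: {sorted(chunks)}")
    return "".join(chunks[i] for i in sorted(chunks))


def deobfuscate_hex(blob: str) -> bytes:
    """Strip whitespace, undo the marker substitution, then hex-decode."""
    cleaned = re.sub(r"\s+", "", blob).replace(MARKER, MARKER_VALUE)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError("not a clean hex string after replacement")
    return bytes.fromhex(cleaned)


def extract_payload(reg_text: str) -> bytes:
    """Full pipeline: chunks -> hex string -> bytes, verified to be a PE."""
    data = deobfuscate_hex(reassemble_chunks(reg_text))
    if not data.startswith(b"MZ"):
        raise ValueError("decoded blob lacks an MZ header; wrong key or marker?")
    return data


if __name__ == "__main__":
    payload = extract_payload(SAMPLE_REG_EXPORT)
    out = Path("dump_from_registry.bin")
    out.write_bytes(payload)
    print(f"wrote {len(payload)} bytes to {out}, header {payload[:2]!r}")
```

A real `.reg` export is UTF-16 with a BOM, so read it with `open(path, encoding="utf-16")` before handing the text to `extract_payload`; the dropper's second string (the "1"-suffixed key holding the injector DLL) is decoded the same way from its own export.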