CyaX DotNet Packer Analysis

 

AgentTesla (Packed) : 2ec6a2667d685b821c35b26f5558ad4b
SoftwareUpdates2 Loader DLL : a6f6ac4c5f44b258918f4a777b8708cb
CyaX-Sharp Packer : 6c9ce8c3df51483f1323cc8a35a2e94e
CyaX Injector DLL : 32979cd95ba4b39ba1083f2f198455b9
AgentTesla : d35e8d3d72e277e03baac3c606092d53

 

The CyaX-Sharp .Net packer has been around since last year. What is different from other packers is that it has a variety of features, such as anti-VM, anti-sandbox, and disabling Windows Defender, as well as obfuscated appearance to prevent anti-virus diagnosis.

 

1.AgentTesla (Packed)

This sample is packed by a packer containing a PE encoded as follows: For reference, the CyaX-Sharp packer is also a packer, so this malware is packed twice.

1

Among the resources, “SU2” is the SoftwareUpdates2 Loader DLL, which is encoded, and the “ث0ڤئ3ۆگڵە4گ71ڵژگگ32پ3وئثگ78گ83پ0ە1ێثئڵڕڤ4پوۆ4357547وەە43ڵژ35ۆپڵچ3408ڕوڕ6ڵێێ2پپڕ1ثپڤێ41وپ6ڵ022ژگ3ڤ4وپئ61ڤڤث5ث” is the encoded CyaX-Sharp Packer.

This packer first decodes the encoded Loader DLL and then invokes it.

2

 

2. SoftwareUpdates2 Loader DLL

The function of the Loader DLL is simply to decode the CyaX-Sharp Packer from the original PE’s resources and invoke it.

3

 

3. CyaX-Sharp Packer

The CyaX-Sharp packer is not obfuscated, so you can easily grasp the structure. All of the features mentioned earlier are here. For reference, various functions can be activated and deactivated depending on the setting.

4

The settings are stored as follows. You can see that the encoded PE is encoded in the resource using a password in DotuPD.

5

 

3.1. AntiVirus Check

After sleep(), the function X.DetectGawadaka() is called. This function uses WMI to check the antivirus products “eset” and “nod”. The “displayName” is checked by querying “SELECT * FROM AntivirusProduct” for the WMI Namespace “root\SecurityCenter2”.

6

 

3.2. Windows Defender Disable

Next is the WinDefender.Disable() function, which disables Windows Defender. This function modifies the following registry keys:

“SOFTWARE\\Microsoft\\Windows Defender\\Features”, “TamperProtection”, “0”
“SOFTWARE\\Policies\\Microsoft\\Windows Defender”, “DisableAntiSpyware”, “1”
“SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection”, “DisableBehaviorMonitoring”, “1”
“SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection”, “DisableOnAccessProtection”, “1”
“SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection”, “DisableScanOnRealtimeEnable”, “1”

7

The WinDefender.CheckDefender() function gives the argument “Get-MpPreference -verbose” and runs PowerShell to check the Windows Defender’s configuration. According to this result, additional deactivation is performed by executing PowerShell with the following factors.

“Set-MpPreference -DisableRealtimeMonitoring $true”
“Set-MpPreference -DisableBehaviorMonitoring $true
“Set-MpPreference -DisableBlockAtFirstSeen $true”
“Set-MpPreference -DisableIOAVProtection $true”
“Set-MpPreference -DisablePrivacyMode $true”
“Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true”
“Set-MpPreference -DisableArchiveScanning $true”
“Set-MpPreference -DisableIntrusionPreventionSystem $true”
“Set-MpPreference -DisableScriptScanning $true”
“Set-MpPreference -SubmitSamplesConsent 2”
“Set-MpPreference -MAPSReporting 0”
“Set-MpPreference -HighThreatDefaultAction 6 -Force”
“Set-MpPreference -ModerateThreatDefaultAction 6”
“Set-MpPreference -LowThreatDefaultAction 6”
“Set-MpPreference -SevereThreatDefaultAction 6”

8

 

3.3. Anti VM

There are various VM inspection functions in Antis.AntiVM() function.

3.3.1. Checking Registry

“HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0”, “Identifier” -> “VBOX”
“HARDWARE\\Description\\System”, “SystemBiosVersion” -> “VBOX”
“HARDWARE\\Description\\System”, “VideoBiosVersion” -> “VIRTUALBOX”
“SOFTWARE\\Oracle\\VirtualBox Guest Additions”, “” -> “noValueButYesKey”
“HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0”, “Identifier” -> “VMWARE”
“SOFTWARE\\VMware, Inc.\\VMware Tools”, “” -> “noValueButYesKey”
“HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0”, “Identifier” -> “VMWARE”
“HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0”, “Identifier” -> “VMWARE”
“SYSTEM\\ControlSet001\\Services\\Disk\\Enum”, “0” -> “vmware”.ToUpper
“SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000”, “DriverDesc” -> “VMWARE”
“SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings”, “Device Description” -> “VMWARE”
“SOFTWARE\\VMware, Inc.\\VMware Tools”, “InstallPath” -> “C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\”
“HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0”, “Identifier” -> “QEMU”
“HARDWARE\\Description\\System”, “SystemBiosVersion” -> “QEMU”

9

3.3.2. WINE

The CyaX-Sharp packer checks the success of GetProcAddress() call of the wine_get_unix_file_name () function in kernel32.dll to check it’s in WINE emulator.

3.3.3. WMI Query

It checks “Description” of Video Controler by querying “SELECT * FROM Win32_VideoController” for the WMI Namespace “\\\\.\\ROOT\\cimv2”. The target string is as follows.

“S3 Trio32/64”
“VirtualBox Graphics Adapter”
“VMware SVGA II”
“VMWARE”
“”

 

3.4. Anti Sandbox

3.4.1. Checking Loaded Module

It checks if the DLL “SbieDll.dll” is loaded by using the GetModuleHandle() API function. This is to check the Sandboxie sandbox.

3.4.2. Checking User Name

If the user name is as follows, the current environment is recognized as a sandbox.

USER
SANDBOX
VIRUS
MALWARE
SCHMIDTI
CURRENTUSER

3.4.3. Checking Path

It checks whether the path of the current executable file contains the following.

\\VIRUS
SANDBOX
SAMPLE
C:\\file.exe

3.4.4. Checking Window

It checks the window “Afx:400000:0” using the FindWindow() API. This is to check the “Winjail Sandbox”.

10

 

3.5. Downloader

Depending on the configuration, it can act as a downloader.

1112

 

3.6. Persistence Mechanism

If flag is setted, it copies current file to the “\AppData\Roaming” path and disable permissions such as write and delete.

1314

After that, it registers itself with task scheduler using XML file existing in resource.

15

 

3.7. Reflection

CyaX-Sharp Packer can use Reflection or Injection to execute actual malware. This malware uses the Injection method, but you can simply execute the x.reflection() function by modifying the flag value.

X.PayLoad is the result of password-decoding the resource “DotuPD”. It is also the actual AgentTesla malware. This function simply performs the reflection using Load() and Invoke().

16

 

3.8. Injection

Finally, the injection routine.

17

Inside the X.GetInjectionPath() function, you can specify the normal process to inject depending on the setting. There are three injection target processes: “MSBuild.exe”, “vbc.exe”, and “RegSvcs.exe”.

18

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s