Multistage malware breakdown – Part 3

The Ads.jpg analysis

So after extracting the information from the VBScript, we saw a download string function that tried to extract a file called “ads.jpg”.

Browsing to the URL: http://lordbabayev[.]xyz/temur/ads[.]jpg, we get this:

What we see here is a bytecode array of a payload. In this type of situation, all we need to do is to make it an executable so we can analyze it. I copied all the bytecode array to a new file and will have to use Python in order to make it a binary file.

First, we will have to open the file with Python in read mode:

Next, we need to split the elements inside:

After we did the split for the elements, we had to convert it from strings to integers. We can use a quick ‘for’ loop to achieve this:

Now, all we have to do is  convert this array to a byte array and  write a new binary file that we can analyze:

After creating the file “ByteCodePayload.bin”, we will have to find what type of file it is so the CFFExplorer tool can help us with it:

Here again, we can see the usage of .Net, which means that we can view the source code with a disassembler.

By opening the “ByteCodePayload.bin” and going to the entry point, we can see a function called “Run”. This function probably holds more informative code that could help us analyze the purpose of this malware.

Inside of the “Run” function, the first function I saw was a function called “TcpReceive”. This function uses a config file that holds information about a host and port address, which could be our C&C.

Once we open the config file to view it’s content, it’s easy to see that we have all the information we need to tag this malware:

We can see a DNS address, port and mutex. This information is great for us to create Yara rules in order to detect malware.

Hope you found this report interesting and informative, until next time;)