Jai Minton

Jai Minton

Information and Cyber Security Professional. All thoughts and opinions expressed here are my own, and may not be representative of my employer, or any other entity unless I am specifically quoting someone. Content is licensed under the Creative Commons Attribution 4.0 International License.

Xworm Loader - Malware Analysis Lab

18 minute read

Technical Analysis of an Xworm Loader

Overview (AI generated from video):

Summary

Reverse engineering of an XWorm loader that uses steganography. It explores a scriptโ€™s behavior, differences, decoding, and the malwareโ€™s download and execution process.

Timestamps

0:05 ๐Ÿ” The script is a Visual Basic malware uploaded to Virus Total and slowly getting AV signatures.
1:12 ๐Ÿ“ The script masquerades as the legitimate winrm VBS script, with minimal differences.
2:35 ๐Ÿ”„ The script contains encoded characters that are converted to ASCII characters.
4:18 ๐Ÿ’ป The malware is a downloader and launcher of malicious code, using the lenara string to send a get request.
7:40 ๐Ÿ“ฅ The malware fetches an image file that contains steganography, hiding additional data.
9:52 ๐Ÿ”’ The steganography data is base64 encoded and decrypted to reveal a PE file.
11:23 ๐Ÿ•ต๏ธ The PE file injects code into a legitimate regasm.exe process, likely connecting to a C2 server.

Key Insights

๐Ÿ•ต๏ธ The malware uses steganography to hide data in an image file, making it harder to detect.
๐Ÿ”„ The script disguises itself as a legitimate script to avoid suspicion.
๐Ÿ“ฅ The malware employs a downloader and launcher technique to fetch and execute malicious code.
๐Ÿ’ป The malware uses encoded characters and functions to obfuscate its purpose and behavior.
๐Ÿ”’ The decrypted data reveals a PE file that injects code into a legitimate process for persistence.
๐Ÿ“ The scriptโ€™s behavior and differences help in understanding its purpose and potential impact.
๐Ÿ•ต๏ธ Analyzing the malwareโ€™s behavior and connections provides insights into its capabilities and potential threat level.

Transcript (AI generated from video):

00:00:00	this Visual Basic script was uploaded to virus total just a couple of days ago and since then it's begun to slowly get AV signatures and vendors have begun detecting on it at the moment it's still quite low it's only sitting at about 11 out of 60 vendors but that doesn't mean to say all of these vendors are not going to detect this malware now the reason is because this is got behavior that a lot of these vendors are going to detect on that being said this has gone to a lot of lengths to try to remain
00:00:29	undetected on points and try to remain hidden but let's dive into it a bit further and see what we can unravel so first off if I open this up with notepad++ you'll notice that it is masquerading as the winrm VBS script now this is a legitimate script that's present on Windows let's see if we can Spot the Difference though I'm just going to quickly skim through and you tell me if you notice the difference is there a difference let's take a bit more of a Peak at this first off what I want to do is I want to find
00:01:04	the legitimate winrm script so if I type winrm at the search bar I'm going to get the winrm CMD executable under this I will find the legitimate winrm VBS script so let's open this up in notepad++ now that I've got both side by side there's very minimal differences that you can spot with the naked eye now there's a few different tools that we can use to diff these two files such as the diff tool in this case I'm going to use the compare plugin for notepad++ so if I compare these two files even though
00:01:38	the encodings slightly different what I'm going to see is the differences between the two and besides some of these msxml version 3 and version 6 differences you'll notice that there's not a lot on the right hand side we have the comparisons and that seems to be different here with the difference only being the encoding used for the apost down here there seems to be some version six being changed here once again the same type of stuff and then down the bottom there is actually this W script shell getting environment strings so
00:02:12	system 32 and csw 64 which is a bit interesting however the key thing that we actually want is right at the top here in this second section you'll notice that there's all of these characters and random strings that don't make sense and that's because all of these numbers are actually going to be converted so what that means is if we look a bit closer right down the bottom here there is this Melo Melo however you pronounce it there is this method or this function what you do is you pass a value to it and then from
00:02:50	that what that actually equates to is the Char value of that asy character what it's doing is converting to asy characters despite this what what we actually want is this lenara string down here cuz it seems like a method escuro is going to be used to essentially send a get request to whatever is created by these variables and then execute that with this execute Global command here and then it's going to quit W script cuz it's launched its next process and that's it that's all this is used for so
00:03:22	this is a downloader and a launcher of particular malicious code the easiest way for me to actually get this information is to run the malware now I don't want to run the malware and have it communicate back and invoke something in memory I just want to know what it's getting so what I can actually do is see where it's going to be fetching this from and it's going to be fetching this from this El hanura string so what I can do is change this and do a wscript docho for this L hanara now we've effectively Ned the noww so it's
00:04:01	not going to go off get that and then invoke it cuz it's not going to be able to but it will go off and it will print back to me what it is formulating so now if I go ahead and run this malware you'll notice that I get this Windows script host and it's got this particular URL where it's F fetching that next stage from now the problem is during analysis this had already been taken down however there is actually some analysis that's been done on the virus total side of things that help helps us find out what was contained here based
00:04:33	on what it's going to execute so if we look at the behavior of this on virus total we can actually see the process tree of essentially what happens after it goes out and it creates that process and executes it there is this particular script that's going to be run now I want to take this script and do some analysis on it so let's just inspect this element here and what I'm going to do is I'm just going to band out this to make sure that I have the entirety of the script and I'm just going to copy what's
00:05:07	contained within here and I'm going to throw that into cyers shf so now we have kind of the next stage of what's going to be invoked but this still doesn't help us we have to do some analysis on it so let's use Rex and let's get B 64 because that's what we're looking at here is a base 64 encoded string and we can tell that from this from base 64 function now what I'm going to do is I'm just going to take the alphabet mentioned here and I'm going to make that into the Rex then I'm going to say I want anything that's maybe 30 and
00:05:38	wider that matches this these kind of characters because that's going to extract the base 64 string now in this case I'm going to disable this and just make sure that it matches and it does and so I'm going to go list matches now if I do this and I go from base 64 it still doesn't make a lot of sense it looks wrong and that's because it is we actually have to step back a step we can go back to highlight matches and look at what else it's doing so it's then going to replace all of the DG tray entries
00:06:11	with the letter A so that's easy enough let's take this and we'll just recreate that operation so we are going to take this we going to find anything that has that and we're going to replace it with the letter A now we're going to do the list matches again and then we're going to do from base 64 now you'll actually begin to notice besides the null byes in there which we can get rid of let's get rid of these bites we're just going to use remove null bites now we can actually see that next stage and this is
00:06:39	exactly as if we had have just looked on virus total what the next stage of the malware is going to be executing now this is where things get a little bit more interesting so you'll notice that this actually goes out and fetches an image file or is it a image file it's pretending to be an image file and it actually is so if you run a scan on this you will come back with this beautiful image the author here is a fan of Death Note and probably the letter L the character L that's the Alias of the detective who is an antagonist and is
00:07:14	trying to have his real identity hidden throughout the series I guess this person trying to remain undetected maybe a little bit of a subtle hint with that picture but what we actually have is steganography so we can actually look at what else is going on in this Powershell script to see what's happening here so there is that image but at the end of the image there seems to be this B 64 star and B 64 end delimiters that's a little bit interesting if we look at the response so this is the raw heximal
00:07:46	value of that PNG file we can actually run a search for B 64 and right down the bottom there is this b64 start so this looks like a large string so I'm just going to take this b64 for string we are going to clear this and this will make the next stage of what we're analyzing now I'm going to make sure that I have the whole string I don't think I did NOP I did not definitely did not so let's try to grab everything and this looks more likely to be everything yep so we got Bas 64n there which is a good sign that we've
00:08:18	got everything between the two delimiters so let's go ahead and remove this and now let's change this you'll notice from base 64 if we use that operation using the standard encoding scheme or alphabet I should say this will actually make a PE file so you will notice the MZ header and it has been detected as a portable executable file now we do need to understand a little bit more of what's going on once it gets that base 64 encoded string it's going to decompress that reflectively load those bytes so the PE file and it's
00:08:54	going to be getting a particular type now from that type it's going to be getting getting a particular method called VI VII and then invoking that so there's a good chance that this is going to be a net binary and it's going to be invoking that particular method it's also going to be passing it some parameters so in this particular case it looks like it is a reversed string here so maybe this is meant to be https and then this URL let's see whether that comes up anywhere and let's take this portable executable and do a
00:09:28	bit more analysis it so I've gone ahead and got the next stage downloaded from cyberchef and named it malware dobin now I do have PE Studio open so I'm just going to drag and drop this in there to get a bit of an idea at a glance and you'll see that it did have the name system. management. automation. dll under the debug string there is this Crypts and tools which is a bit interesting as well as the me mention of system. management. automation here as well kind of funny that they have the debugs string still left in their
00:10:00	project and it does look like this is created with net and while PE studio is coming up with more information about what this binary is we are going to just try and open it up in DN spy so we've got uh DN spy open and I'm just going to drag this in and you'll see that it looks to be added under the system. management. Automation and so if we expand this out this might actually be a legitimate dll that has had data appended to it so system management. automation maybe it's copied some particular information from other
00:10:35	binaries we don't really know but if we look at it it seems like some of this is just going to be benign code so once again trying to remain hidden but there is this project to Auto MAAC that looks to be what we had referenced in the Powershell script that was occurring so let's just go back and double check what we saw so after it gets the type project that. v. home it's going to get the method V VA we've got this we've got home and if we decompile that it's going to be getting the method Dov here so
00:11:08	this is actually what we've got it looks like it's going to be specifying a particular executable name that's been passed to this method exe and maybe this is being injected into maybe this is where the code is being injected into cuz if we look we can see stuff like read process memory ZW unmap view of section virtual alloc X and WR process memory which is all likely indications that code is going to be injected into this particular process taking a look in what we had here it does look like it's
00:11:40	going to be past the name regasm.exe so it's likely going to inject into a legitimate version of regasm.exe and if we go up we can actually see that there is a process created for regasm.exe now reg ASM is the legitimate binary used for register in assemblies on Windows or the with a Net Framework and so what this means is that there should always be passed an assembly in the command line but in this case there is nothing passed to it in the command line so once again something a bit interesting so
00:12:16	this is going to go through and those bytes are going to be written into this process memory particularly it seems that the bites that are going to be used are based on what's passed from this URL so we can actually see it here where it does the string reverse so that gives them the URL and then it is downloading that string and it seems that based on what it downloads is coming back into a charte array that's then going to be put into the process memory of regasm.exe so we could actually find out what this is
00:12:48	so I've once again scanned that particular URL and what we actually have is a another b64 encoded string this looks like it has been reversed as well so what we're going to do is we are just going to paste this in we are going to reverse this using cyberchef and then we're going to once again do from Bas 64 now this looks like another PE file so let's download this and see what we've got so using detected easy we can see that this is a net binary as well also 32bit so let's throw this in and see
00:13:21	what we have so this has now got this name marks R W1 w990 and if we expand we can actually see my and stub there's not really a lot of obfuscation here in fact there's probably none so if we take a look at what's in here there are specific configuration details there seems to be this main method there is the settings for this malware so it does look like you've got host Port key SPL USB number and install directory and these are coming from these particular b64 encoded strings that seems to have a key value
00:13:57	here so we could actually probably go ahead and cryp these strings as well and see where they wind up being and so if I go back to the main method of this malware it does look like it's going to be performing a sleep function first for the thread and then after that it looks like it's performing some sort of decryption on the configuration details outlined within the settings class so these strings seem to be B 64 encoded and after that have some sort of encryption going on so that they're not there sitting in plain text there also
00:14:31	seems to be this mutex which is likely going to be used to ensure that multiple instances of this aren't run on a system if we dive deeper it it actually does look like this is used in the decryption function as well so the decryption function itself seems to be getting the rigin Dale managed class of net and this is an older more redundant class that's being used here and it's Computing an md5 hash now that md5 hash in itself is then being used as the key so it's being copied to this array twice so it's the
00:15:04	md5 sum twice that's then being used on as a decryptor in the following functions and it's using a mode of ECB for the encryption but this isn't really standard AES encryption that's going on here because AES encryption nowadays is going to be using padding and it's going to be deriving Keys as opposed to just getting the md5 hash of a static string so using tools like cyberchef we may actually experience some issues trying to create a recipe that's going to decrypt these configuration details so
00:15:38	what I've done is I've just opened it up in DN spy the 64-bit because this is a 64-bit executable now and I'm just going to run the program except I'm going to create break points so that I can skip over a lot of the stuff that I don't need I know that this is going to I'm in at the main method so what I'm going to do is I'm going to create a break point before it hits this this sleeping method and then I'm going to step over and begin to uncover these configuration details so if I just run the malware
00:16:07	straight away it breaks as soon as we run it I'm going to hit continue and now we hit that break point there sorry I'm going to set the next statement as the first settings unveiling first decryption of the settings host configuration details and now I'm going to hit step over and we can begin to see that it uncovers so we do have this marks rw1 new 99. ddns so this is using some sort of Dynamic DNS service in order to resolve a particular IP address which is going to be the C2 in this particular case now we can step over
00:16:44	looks to be on 990 step over the key it's using is 1 2 3 4 5 6 7 8 9 and that's going to be used probably in the command and control traffic and we step over so it does look like there is this name xorm mm so this is a bit interesting maybe we've got uh more of an idea that this malware that is being deployed is xorm we step over that the install directory name is going to be usb. exe all interesting things we can actually step over that and now we can see it's going to start resolve the environment varibles so it's going to be
00:17:22	creating the malware and setting up likely persistence within this app data roaming directory and it does look like this is going to be using the startup folder directory based on this string here and specifying a link file so the link file is going to be the persistence in this case that it allows to run it boot so this does look like it is more than likely the xorm that is being deployed by the end of this connecting back to that command and control infrastructure and if we look at some of these other classes I think that we will
00:17:54	uncover that yes this is and so a quick look into the client socket class also gives us information about when it makes that initial connection back to the C2 server if we scroll down there is this runtime object that is specified the the value that is being retrieved of xorm version 3.1 so now we have really good confidence that this is xorm that is being deployed at the end of that malicious script so that's it that's all I wanted to show you I wanted to show you the script I wanted to show you how
00:18:28	we could compare difference how we were able to go about understanding what steganography is involved and how that's being loaded into the reg ASM process at the end of the day so the red JSM process will be injected with xorm here let me know your thoughts feelings comments anything else in the comment section below and I will see you next [Music] time

You may also enjoy