Dark Tortilla Crypter - Malware Analysis Lab

Technical Analysis of Dark Tortilla

Overview (AI generated from video):

Summary

The video script discusses the analysis of a malware file named "pdf.exe" obtained from Malware Bazaar. The script outlines the steps taken to analyze the file and uncover its malicious activities.

Timestamps

0:22 🕑 The file "pdf.exe" obtained from Malware Bazaar is analyzed.
1:35 🕑 The file is opened in dnSpy for further examination.
3:02 🕑 Breakpoints are set to identify when the file is loaded into memory.
5:12 🕑 The file is found to be using reflection, indicating possible injection techniques.
7:18 🕑 The file's resource "fotpalm" is identified as the second stage.
9:45 🕑 The file is observed to perform anti-VM checks.
12:56 🕑 The file attempts to establish persistence by modifying startup registry keys.

Key Insights

💡 The file exhibits characteristics of a multi-stage malware that uses reflection and injection techniques for malicious activities.
💡 The resource "fotpalm" serves as the second stage of the malware, but its contents are obfuscated.
💡 Anti-VM checks are performed to detect virtual machine environments and evade analysis.
💡 The malware attempts to establish persistence by modifying startup registry keys, ensuring it runs at boot.
💡 The analysis uncovers a potential connection to the Dark Tortilla crypter, as reported by Secureworks.
💡 The malware is identified as Agent Tesla, a remote access Trojan and information stealer.
💡 The script highlights the importance of thorough analysis and understanding of malware behavior to detect and mitigate potential threats.
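
The persistence behaviour summarised above (a ping-based delay before the copy into SysWOW64, then a startup Run key pointing at the copied pdf.exe) is what a defender would want to pick out of endpoint telemetry. The Python below is an added example, not code from the video or from the Secureworks report: it runs three simple heuristics over constructed, Sysmon-style process-creation and registry-set events. The `Event` fields, the regular expressions and every sample value are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Startup Run/RunOnce keys, HKCU or HKLM (the persistence location the analysis points at).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# "ping <host> -n <N>" used purely as a sleep; the count is captured for the finding text.
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*?-n\s+(\d+)", re.I)
# A chained copy/move/start after the ping, i.e. the delayed copy-and-run pattern.
CHAIN_RE = re.compile(r"(?:&&|&|\|\|)\s*(?:\S*\\)?(?:copy|move|xcopy|start)\b", re.I)
# File names whose stem is a document/image type but whose extension is executable (pdf.exe).
DOC_LOOKALIKE_RE = re.compile(
    r"(?:^|[\\/.])(?:pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(?:exe|scr|com)\b", re.I)
# A Temp directory anywhere in the autorun target path.
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)
# First executable path inside a registry value such as "C:\...\x.exe" /flag.
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|scr|com))"?', re.I)


@dataclass
class Event:
    """Assumed minimal shape of a process-creation or registry-set event."""
    kind: str                 # "process" or "registry"
    command_line: str = ""    # process events only
    target_object: str = ""   # registry events only: the key/value path
    details: str = ""         # registry events only: the value data


def autorun_target(details: str) -> str:
    """Pull the executable path out of a Run-key value's data ("" if none)."""
    m = EXE_PATH_RE.search(details)
    return m.group(1) if m else ""


def assess(ev: Event) -> list[str]:
    """Return the reasons an event resembles the observed persistence chain (empty if none)."""
    reasons: list[str] = []
    if ev.kind == "process":
        cl = ev.command_line
        m = PING_DELAY_RE.search(cl)
        # Only a ping followed by a chained copy/start counts; a plain ping is just a ping.
        if m and CHAIN_RE.search(cl[m.end():]):
            reasons.append(f"ping used as a {m.group(1)}s delay before copy/start")
        if DOC_LOOKALIKE_RE.search(cl):
            reasons.append("document-looking executable name in command line")
    elif ev.kind == "registry" and RUN_KEY_RE.search(ev.target_object):
        target = autorun_target(ev.details)
        if DOC_LOOKALIKE_RE.search(target):
            reasons.append(f"Run key points at document-looking executable {target}")
        if TEMP_DIR_RE.search(target):
            reasons.append(f"Run key points into a Temp directory: {target}")
    return reasons


def triage(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every event that raised at least one reason."""
    out = []
    for i, ev in enumerate(events):
        reasons = assess(ev)
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample telemetry mirroring what the video describes; not real log data.
SAMPLE_EVENTS = [
    Event("process", command_line=r'cmd.exe /c ping 127.0.0.1 -n 42 > nul && '
                                  r'copy "C:\Users\lab\Desktop\pdf.exe" "C:\Windows\SysWOW64\pdf.exe" && '
                                  r'start "" "C:\Windows\SysWOW64\pdf.exe"'),
    Event("registry", target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\pdf",
          details=r'"C:\Windows\SysWOW64\pdf.exe"'),
    # Benign: OneDrive legitimately autoruns from AppData, so AppData alone is not flagged.
    Event("registry", target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          details=r'"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # Benign: a ping with no chained command.
    Event("process", command_line="ping -n 1 8.8.8.8"),
    Event("registry", target_object=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r'"C:\Users\lab\AppData\Local\Temp\updater.exe"'),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Run as-is it reports events 0, 1 and 4; the OneDrive entry and the bare ping stay quiet, which is the point of requiring the chained copy/start and of not treating AppData on its own as suspicious.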

Transcript (AI generated from video):

00:00:00	I got this file from Malware Bazaar and it's got the name pdf.exe, and it's far from a PDF. It has an icon that makes it look like it is a Skype installer, but it's also far from a Skype installer. So from Malware Bazaar this has been tagged up as Dark Tortilla, and I'm not 100% sure on what that is, but let's see if we can get to the bottom of what this is, because if we look at it on something like VirusTotal a lot of other signatures come up, such as Agent Tesla and just kind of generic malicious, and I
00:00:30	really want to get a better idea of what this malware is doing. So the good thing is it is created in .NET, so I've opened it up in dnSpy here. Now it's got the assembly description of Skype Setup as well as Skype Technologies SA, but once again this assembly trademark of a gibberish string probably helps us highlight that, hey, this ain't right. The other thing is that this uses reflection, which gives us a pretty good idea that this is going to be performing some sort of injection, likely reflectively loading into its own
00:00:59	process. So let's take a look at this. The first thing I want to do is go to the entry point, because this is an executable and this is what's going to be running when the program starts. You see that this actually has a resource that it is likely pulling called fotpalm, and if I go up and I look in the resources section there is this fotpalm here. Now usually I would dump this and this would be the second stage, however you might actually notice that something happens with the byte array that it gets here, and if we look into
00:01:32	that further it looks like there are these XOR operations using a particular key as well as these modulus operations, so by dumping it we're not going to have anything that's legible. So what I actually want to do is create breakpoints, but rather than hardcoding the breakpoint I want to show you something kind of cool: dnSpy has this method of doing module breakpoints, and so what we could actually do is break whenever something is trying to be loaded into memory, and that's going to stop at the perfect moment to actually
00:02:03	pick up on what's happening here. So let's go ahead and start the process. There are these toggles here on load, in memory and dynamic, and there's these filters of what modules we're breaking on as well as what process it's going to be tied to. I'm going to tie it to the pdf.exe process that we have here, and this toggle box with a full colour means that it could be true or false, this means false and this means true. The main thing is that we want it sure either yes or no to it being loaded, but
00:02:33	we definitely want it to be when it is being run from memory. So let's start this process off. Immediately going to break on the create process, so now that that's broken let's continue and just see where we break, and you can see that we broke at runtime assembly load image, and so we have this byte array here now as well under the raw assembly, and you might actually notice that this is going to be the MZ header. So if we go ahead and save this, we could actually name this stage two, and now we open this up
00:03:03	in HxD, you will see that this has a valid PE file header and it is a valid DLL. So we could actually open this up, but because this is going to be using classes within that and methods within that, I'm going to just continue on and see what it's doing so that I can actually ensure that it runs properly. So let's step into this. We can see that it is being loaded, let's step into that. Now I want to do a combination of: I want to step into it, but because it's going to be getting all these types and taking a
00:03:34	bit of time, I actually just want to step out, and now I can repeat that process of step in. So now we're doing get methods and step out, so now we're up to here. If I step in now we're hitting the first or default, and we can step out of that, so we're up to here, and the thing that we want to get to is invoke. So let's step in and now we have invoke, and we can actually see what's going to be running in this DLL, because otherwise we're going to know what method is going to be running, but we can see that this
00:04:03	is Method zero that's sitting within the class pre start one. So let's actually just go into this one now, because this is going to break us into our new DLL. So let's collapse this, collapse some of these, and step into it as well. Yep, so we have to go through this, so I'll step over, step over, step over until we get to where it actually performs the invoking, which is this unsafe invoke internal, and you'll notice that at that point I've gone too far. Now it's killed itself, and that's because this actually has some anti-VM checks in
00:04:40	it as well. So let's run again and repeat the process. So I'm going to run, I'm going to hit continue, we've got this, sure, step into it, step into it, step in, step out, step in, step out, step in, step out, step in, we're up to this invoke. So we could actually step into this, step out of this, and it's going to be running. I'm going to break it, cause we've gone too far otherwise, but we know that we are in the next part of the code. So let's step over, step over, step over, actually let's step out of this, let's step out of this, pause, let's
00:05:27	step out of this, and now we're in this get field prop and we're back into kind of the own methods here. We want to get out of this and we want to get to this return aore 0, and you can see once we break into this area we have now broken into this new DLL, and the DLL is called internal start profile, and it's got this module name of a random string, and you might actually notice that there's this 198 protector V4, so this has likely been obfuscated with something. That being said, there are a lot of interesting
00:05:59	class names here, so path install, startup method, persist, decrypt it, etc., and there is this anti VMS. So really I want to make sure that I can get past these anti-VM checks, because this is likely going to be one of the first things that happen. So what I'm going to do is I'm going to look at this anti-VM and I'm going to analyze it and I'm going to see what it's used by, and it's used in this Max Prime array length. So it looks like this is the actual check that takes place, so I'm going to add a breakpoint
00:06:28	here. Now I'm going to continue running it and see if we hit that breakpoint, and we do, we've just hit that breakpoint. So let's step into this and we can see that now it's running all these anti-VM checks. Now the fact of the matter is that all of this is part of an anti-VM check, and then we get to this fake method. Now we're probably going to fail at this anti-VM check, that's fine, because all of this is literally just, we can go in and look, and the key component is that if it fails any of these particular checks it's likely
00:07:00	going to exit, so the process is just going to terminate here, and we can see that in this Environment.Exit. So let's get past all of this. We've got our pointer here, let's actually just change what's going to run next. So I'm just going to right click here and make it set next statement. We've just completely jumped over those methods that we don't need, so let's go ahead and step into this one now and we can continue with our analysis. So I'm going to step over a few of these, looks
00:07:29	like we've got installation path, and actually if we zoom out a bit here we can kind of see that this is just building parts of the program, building strings that are used in it or configuration, and so I want to skip over pretty much all of this as well. This looks like it's flags on whether it's going to do something or not, so displaying a fake message seems to be one of the flags that can be added, but we do have these static fields and this is where all the configuration details are being stored. So if we expand out
00:08:01	this we can see yes it performed an anti-VM check, yes it did anti-sandboxy, yes it's got an assembly associated with it but this is null at the moment, so this might be interesting to see what this turns into, because that might be injected into another process down the line. But if we go down, these all seem like they're going to be filled. There is the installation file name of pdf.exe and there is this installation registry path as well that seems to be the startup Run key that's going to ensure
00:08:33	that this runs at boot. So I probably want to come down to around here and add a breakpoint, and around here and add a breakpoint. Let's continue, and we've managed to hit this one, so that's nice. So I might just step into this. This looks like it's probably to do with getting the information to do with installing at startup, so we can see it getting all those kind of configuration details as well. So let's step over some of these and we should start to see some of this populate. So hidden startup is false, you can see startup folder is
00:09:07	false, and now we've got past that and we're moving into this next method of melt get currency symbol, and so this looks like it's to do with a temporary folder as well, so maybe this is planting itself at a temporary folder, but let's go into it and see what we can find. It is getting temporary path, let's jump out of that, and that looks like it's actually being assigned to a value in the static fields here, and so what's interesting is you can actually see both of these. So now there's temp folder, that's our AppData Local Temp directory,
00:09:40	but there's also this mention of it going to be installed at SysWOW64, so now we already know where this is likely going to be planted for persistence. So let's keep going and see what we can find. So now we're in past, we're going to do that F11, Shift+F11 trick: Shift+F11 to step out, F11 to step in. So we're on pass, we're on 2 in 32, these are just basic so nothing of interest, and now we've got through all of that function there, and that is quite literally just determining if flag is on or off or not, and now it uses that in the next lot of
00:10:20	checks, and so that was obviously false, because if it was true we would have been in that next lot of function there. So we're going to jump in and look at this is member of, and there is a chance that we could step over it, but I don't want us to find that this is actually performing some sort of function that then causes it to kick off without us stopping it, although that might actually be in this get instantiation method based on the name, and it looks like it probably is. So I might just go ahead and take the risk
00:10:52	here. You've got to risk it to get the biscuit, my brother, and hopefully I'm going to hit break. Okay, so had a wait function in there, so it's trying to pause before it continues. So we can actually continue from here with F11, Shift+F11, we just need, I don't know what the actual timeout is. Okay, we managed to get past it relatively quickly so it's not too bad. So we're going to step out, and then we've got some more stuff being decompiled, and so we get past that, that's the wait method, stepping out of the wait method
00:11:27	and now we're at this get instantiation method. Okay, we're making progress, so let's step into this one, and it looks like this has configuration for if it's currently installed or not, and it's checking if it's not equal to zero. So this actually might be some sort of check to see, the malware might actually function in a way that if you run it, it will never do what it's supposed to do, it will only establish persistence, and then if you are running it from the persistence then it'll do what it's supposed to do,
00:12:00	which is a little bit smart and a little bit interesting. So let's see what we've got here. So we've got truncate PA build prop, so I'm just still doing, I've stepped out, and that's it, that's it, it's stopped running there. Let's actually look at our running tasks just to see if anything funny is happening at the moment, and you can see there is, there's this ping process where it's waiting 42 seconds, and that seems to be tied to this as well, where it seems to be copying to the SysWOW64 directory and then
00:12:34	running it. So I'm going to kill this process tree before it can do that, and we're going to take a look just to see if it did actually copy to the SysWOW64 directory. So we're looking for a pdf.exe and it doesn't look like it has. It looks like we actually stopped that before it actually did it, by killing that ping process. So by killing that tree, the ping process and everything that it was going to follow, we actually stopped it before it was able to set up persistence. But we actually want this to have persistence
00:13:07	set up, because it seems to be doing something different depending on if it's running from SysWOW64 or not. So what I'm going to do is I'm going to follow the same process, except we are going to copy it over. Let's go into our desktop, let's find the payload pdf.exe, and we're just going to put this in the right directory, and now we're going to open this up in dnSpy. So I'm just going to go View and I'm going to collapse all the tree nodes, we are going to, here we are, close old in-memory modules, and now what
00:13:43	I'm going to do is even close off that one and we are going to start from here. Round two, fight! Debug the program, we're going to break on create process just so that we can see if we got these module breakpoints, and we do, that's still there, beautiful. None of the other breakpoints actually remain, so we're going to have to add them in again. So let's go again, create process, hit continue, all right we're here, we're going to step in, we're going to add, we're going to step in, yep this one, we're stepping into, yep step into, step out, step into,
00:14:29	step out, step into, step out, step into, and now we've got this where it's invoking it. So we step into this one, we add the breakpoint here, we continue, we hit that breakpoint, now we step into, and now we have this breakpoint where we are returning that object, but that's fine because we shouldn't even need to get to that if we just have this get hit. So we hit that, F11, get targets, at least desktop, cool, now we're actually getting somewhere. We are inside of the invoke and now we're getting somewhere,
00:15:12	this is all just stuff being loaded, and so this is ideally getting close to where I wanted to be but not where I actually want to be. So step out, so this is, we can actually kind of get to the next part of where we want to go. So I'm just going to zoom out here, this is all to do with form thing created, let's continue, step out, step out, step out, step out of that as well, and here we are. Now we've actually broken into where we needed to be, that took a little bit. Ideally what I want to do is, remember all of this is just building
00:15:54	configuration details for the malware, so I want to find where the, so we go down, we get through, we run invalid path chars, we go down, we run through all of this, and it was under lunar moth length, I want to go into that, and there was get field props, Max Prime array length, believe it was Max Prime array length, we run through all this stuff, yada yada yada, seems to be injection, persistence, configuration details, and then we have the anti VMS check here. So this is where I want to add the breakpoint, continue, all right, beauty, we're in,
00:16:35	let's step into it, let's bypass all these checks, we set this as the next statement, ah let's go, step into this, we're going to create a breakpoint on the currency signal again, currency symbol I should say. Okay, now we've got this, seems to actually be new stuff that's occurring that we didn't have before. So we do have this load by occurring and this unsafe invoke internal. I will look at the processes that are running, and rather than use this I wonder if I can go Process Explorer, I got this, yep, so this is a bit
00:17:17	nicer. So now we should actually have our PDF process here, and we do, so that's good. So we're looking at reflection occurring, we have the name of some bytes that are being loaded. Okay, so here now we've got this running out of SysWOW64, but there is now this raw assembly that's being mentioned and it is quite long, although I don't know what these bytes are that's mentioned here, so there is a chance that maybe this is shellcode. So let's actually call this stage 3.dll, and we're going to go back to
00:18:00	where we are storing this stuff and let's take a look at it in, let's go Detect It Easy. Okay, it's .NET again, so that's interesting. Let's collapse this, collapse this, collapse this, and see if it was anything different. It's a different size, and it is, we now see this other module name that is complete gibberish. There's this my class, seems to be some decompiling issues, so that's a bit interesting, cause this looks like it's going to be injected, and maybe there is more injection occurring from it. Interesting, let's continue with our analysis and see
00:18:44	what it unravels, cause we do have this binary here now. So I'm just going to remove it for the time being and we'll continue so that we get the in-memory stuff. So we're going to do F11, F11, F11, and now we've hit this install method again, so we can now see the same name that we saw before. So that's going to be loaded into memory, this is the manifest module being mentioned there. We do still have the breakpoints, so if it hits memory we should know about it and have a break on that. I am still stepping over at the
00:19:20	moment though, cause I don't want to miss, that being said, if this is injecting into memory, which it does look like it's going to be, we should see this happen. So let me just look at the modules. We probably actually won't see it happen because it's already occurred here, it's already in memory here, so we're going to just have to continue going and see where we land. I will mention you can see the in-memory, dynamic and optimized tabs here, so this has got yes for in-memory as we would expect to see, and
00:19:55	if we wanted to just dump it we could dump it, but we've already got it. So gets the relevant fields, cool, then we have the unsafe invoke, now we have it getting the types, waiting, I'm just waiting for you to show where we land. So I am going to add a breakpoint there and we're going to do step over instead, know it's a bit risky at this stage but we can hopefully see time helpers. So this actually has the name here, so we're looking good, looking good, it's getting the methods, got the unsafe invoke stuff
00:20:33	happening, cause the one thing I want to do is know what is going to run once this is invoked in memory, and at the moment I'm not 100% sure on that. I know that it will be this module but I don't know what in this module. So let's step over, now we're here, follow this through, play the game, Shift+F11, F11, Shift+F11, F11, Shift+F11, so now we can see this instance being mentioned, type member name object. So we might actually have, ah, so it does look like it's this YF and then it goes into this I, so the I is where it's going
00:21:15	to be starting here. This is a bit interesting, seems like a button text has got C, maybe that's going to build out into C Windows. Just going to look at my running processes, see if anything unusual has started, doesn't look like it at this stage. I might actually run Rock watch just to see new starting processes, that's benign, let's continue. Okay, now we're into a different part of this, so the interesting thing here now is that we get this text where it is building the string invoke member, which is very
00:21:52	interesting. So if we can look at where that text is used, and it does look like it's going to be used down here, ideally we should be able to add a breakpoint here, and if all is well it's just going to skip over all the junk and actually give us what we need to know. We just still, okay, so now we've actually got the load image like we had originally, and we have a raw assembly which has the 4D 5A. So let's save this and check to see if this is the same as what we saved before for stage 3.dll. I'm just going to name it stage
00:22:30	four, it might actually be stage three still. This is only 2 kilobytes, it is also .NET, so this is actually another lot of assembly which has been wrapped and is being dynamically loaded. So this goes down the rabbit hole, although there doesn't seem to be much here. I'm going to close this one off, remove it, and see what happens. So looks like it's actually storing it, I mean that's interesting, if this is a static field, it is, all this is being stored as static field. Is anything suspicious started up? No, all pretty much me. Right,
00:23:09	I'm going to step out of this. This is now interesting because it is having an entry point of kernel32's VirtualProtect, so this actually might be more along the lines of performing injection, and I'm kind of looking through this and it would not surprise me if that's what this stuff is doing, it's injecting into a process. There's quite a lot of this from handle, I wonder if we can put a breakpoint on some of this, like return new thread, that seems like a perfect point, and invoke again seems like a
00:23:41	perfect point, but ideally we'll see this hit memory. This is returning if a debugger is attached, so a debugger is attached here, which means this might actually kill itself, this might be an anti-debugger check. So I'm going to see if I can find out where that occurs. There are memory streams being mentioned here as well, so very likely that something is being loaded into memory. All right, there's a lot of this stuff, we just want to know what's going on, so let's see where this is being used. So I do want to add a breakpoint there and
00:24:17	then maybe if we get to it we can step over it. All right, we've got invoke again, what are we invoking, combination of two objects, okay, we'll hit F11. This is getting the method info, now does this mean we just had something else hit memory? Don't recall putting a breakpoint here, it doesn't look like we did, so it looks like this might actually be when this ZM properly hits memory now, which is that fourth stage, and this actually has a compiler timestamp which is a bit interesting, it's back in 2022. Bit more activity
00:24:54	now, but this is likely all me. Wonder if I can, well I can't just clear, can I clear all, yeah, all right, cool, let's continue. These are my checks if a debugger's attached, I really hope this doesn't kill it here, there's every chance that it will, but I haven't seen any kind of, just keep seemingly cycling through checks if the debugger is logging and then throws a sleeping thread back on, checking if the debugger is attached. It was at this moment that he knew he'd messed up, and it's killed itself, it's just killed itself there. Actually, it
00:25:46	looks like it's injected into installutil.exe. Righto, let's dump this process. Well, I am pumped up, so I do have this tool called pd64 which is a process dump, and so I'm actually going to run pd64.exe, I'm going to run it on the PID 644, and there we go, we got pretty much the full dump of everything associated with this, DLLs loaded, everything. Now we're not going to need 99% of this, and now we can kill it. I'm going to kill it because we don't want it to be running. We're going to go back to here and we're
00:26:29	going to throw this as the stage four, going to paste all these in. Now we're not going to need pretty much any of these DLLs. There are hidden modules, so possibly hold on to those, but all these normal ones I'm going to delete, and it's really this and this that I'm interested in, cause this looks like an executable, the others look like a DLL. One of these is hiding some code, and this one's quite large, this one kind of is as well. Some of these hidden modules could be nothing, but then again there could be more, so
00:27:10	let's go and take a look at Detect It Easy, and this is actually .NET, so once again .NET, even this is .NET, so this is going to be a bit interesting. What I'm going to do is remove all these assemblies and just throw all of these in here and see what we get. We can see InstallUtil, yep, okay cool, looks like this is kind of the metadata associated with the legitimate InstallUtil. This is a bit different though, so this looks like it's going to be our next stage here, so that's this one, this is the larger of the others, so all these may be not so
00:27:49	interesting, but what is definitely interesting is that next stage that we found. So here we go, let's jump into the next one. Here we begin to see something that looks like it is command and control related, because we are talking about TLS protocols being defined, so network traffic. We have something that says enable keylogger, so fantastic, we seem to have gotten something malicious now. Hi, it's John here from the future. For those getting déjà vu, you're not mistaken, the reason why you're getting déjà vu is what we just uncovered
00:28:29	was Agent Tesla, and the code looks identical to something that we looked at previously. Let me just show you that clip just so that you can put your mind at ease. To the entry point, because this is a PE file, and it looks like it does have stuff to do with network communication due to the TLS information being defined here. Let's go back anyway, so we've got application run, but we do have these other particular classes, so this one is defined here, this method is run here, and it looks like there's a
00:28:58	lot more methods that are being executed in this particular function. So there is this screen logger, that's aventures to me. So even though this is deploying likely a RAT and information stealer into memory, whether that's Agent Tesla, what we unraveled was actually Dark Tortilla, which I found a really good report by Secureworks, and a lot of the stuff that we saw when we were going through the analysis then aligned perfectly to what was reported by Secureworks. So I will link that in the description, and that's what I wanted to
00:29:33	show you, was unraveling this. What is Dark Tortilla? Let me just double check this: unraveling this complex and highly configurable .NET-based crypter. So that's all, let me know your thoughts, feelings, comments, anything else below, and I'll catch you next time.