Pocket Change

Malware Analysis: Zero2Automated Custom Sample PART 2


Second Stage Analysis

This is the continuation of the first part; here we analyze the second and third stages of the custom malware sample.

image

Jumping straight into the first function:

  • The malware retrieves the executable’s own filename and calculates its CRC32 hash.
  • It then checks whether this hash matches a hardcoded value, effectively validating the file name hasn’t changed.
image
  • sub_401dc0: A CRC32 calculator function using the standard polynomial 0xEDB88320.
image
  • sub_401dc0 is also used to obfuscate API names.
image
00413c44  char const (* data_413c44)[0xd] = data_413c1c {"kernel32.dll"}

Taking a deeper dive into the function, we see it:

  • Loading a DLL by index
  • Walking its export table
  • Hashing each export name using CRC32
  • Comparing it to a target hash
  • Returning the address of the matching API

We can use the HashDB plugin from OALabs, implemented for Binary Ninja by Cindy Xiao, to resolve the hashed API names.

image

Example of resolved API addresses after deobfuscation.

image

We can see an obfuscated string, which we can easily decrypt using CyberChef: the routine rotates each byte left by 4 bits and XORs the result with 0xC5.

image

The decrypted string is a URL, likely pointing to the payload.

image

The URL hosts an image file, which contains embedded payload data.

image

This function:

  • Allocates memory.

  • Downloads the image from the URL.

  • Returns a pointer to the data buffer.

image
  • We can see another obfuscated string, which decodes to svchost.exe.
  • The process is created in a suspended state using the CREATE_SUSPENDED flag.
image

This function downloads and writes the payload to disk.

image

Getting the temp directory and creating a directory named cruloader inside it.

  • Opens a file inside the temp directory
  • Writes the downloaded payload to this file.
  • Closes the file handle.
image

Continuing the analysis of the function, it decrypts a byte sequence that yields the string ruloader, then searches for that string in the downloaded image.

image

Using HxD confirms that ruloader exists in the image; it marks the start of the embedded payload.

image

The data after the marker is XOR’ed with 0x61.

image

The result is a valid PE file; this will be the third-stage executable.

image
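To reproduce the two decoding steps above outside CyberChef, here is an added Python helper (not code from the original post or from the Zero2Automated material) that decodes a ROL4 + XOR 0xC5 string and carves the stage-3 PE that follows the ruloader marker. The sample inputs are constructed, and the PE check only validates the MZ and PE signatures.

```python
XOR_KEY_STRING = 0xC5   # key used by the stage-2 string obfuscation
XOR_KEY_PAYLOAD = 0x61  # key applied to the data after the marker
MARKER = b"ruloader"    # marks the start of the embedded payload


def rol4(b: int) -> int:
    # Rotate an 8-bit value left by 4 bits (i.e. swap the nibbles).
    return ((b << 4) | (b >> 4)) & 0xFF


def decode_string(blob: bytes) -> str:
    # Stage-2 string scheme: ROL 4 each byte, then XOR with 0xC5.
    return bytes(rol4(b) ^ XOR_KEY_STRING for b in blob).decode("ascii")


def is_pe(data: bytes) -> bool:
    # Cheap sanity check: MZ stub plus e_lfanew pointing at 'PE\0\0'.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_payload(image: bytes):
    # Carve the stage-3 PE: everything after the marker, XOR 0x61.
    idx = image.find(MARKER)
    if idx < 0:
        return None
    carved = bytes(b ^ XOR_KEY_PAYLOAD for b in image[idx + len(MARKER):])
    return carved if is_pe(carved) else None


def build_sample_image() -> bytes:
    # Constructed test input (not the real sample): a PNG-like prefix,
    # the marker, then a minimal MZ/PE header XORed with 0x61.
    pe = bytearray(0x44)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
    pe[0x40:0x44] = b"PE\x00\x00"
    encrypted = bytes(b ^ XOR_KEY_PAYLOAD for b in pe)
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + MARKER + encrypted


# Constructed ciphertext of "svchost.exe" under the ROL4 + XOR 0xC5 scheme.
ENC_SVCHOST = bytes.fromhex("6b3b6adaaa6b1bbe0adb0a")

if __name__ == "__main__":
    print(decode_string(ENC_SVCHOST))
    payload = extract_payload(build_sample_image())
    print("stage 3 PE carved:", payload is not None)
```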

Following the flow after extracting the executable from the image, it decrypts an obfuscated string, which is C:\Windows\System32\svchost.exe, and creates that process in a suspended state.

image

This function performs process hollowing by injecting the payload into the suspended svchost.exe process. It:

  1. Allocates memory in the target using VirtualAllocEx.
  2. Writes the new PE image via WriteProcessMemory.
  3. Sets the entry point with SetThreadContext.
  4. Starts execution by calling ResumeThread.

Result: The process appears legitimate but runs malicious code.

Third Stage

image

Let's analyze the third stage; its entropy is extremely low.

image

The executable is just a message box reading "Uh Oh, Hacked!!".

image

This wraps up the analysis of the Zero2Automated custom sample, revealing its multi-stage design, obfuscation, and final execution via process hollowing.