# Reversing Csharp And DotNET Framework

## Sample Details

***

Sample Name - Malware.cryptlib64.dll\
Malware Type - C2 Dropper

## Analysis

***

Running floss on the sample shows some interesting strings-

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2Ft2VdBZRc4GsBpX10du2i%2Fimage.png?alt=media&#x26;token=6b1b39fa-4e41-46f2-b0eb-95b7a85f2021" alt=""><figcaption></figcaption></figure>

`mscorlib` is the core class library of the .NET Framework and is referenced by every C# assembly. So this is a C# binary that runs on the .NET framework.

### Note-

C# is part of the .NET framework. C# binaries do not interact with the OS directly but with the .NET framework, and they are executed by the CLR (Common Language Runtime).\
After C# is compiled, it is converted to IL (Intermediate Language), which the CLR then runs.

Turn on INetSim on REMnux and open the sample in dnSpy on FLARE VM.

In dnSpy we get-

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2FCtQXcqqCJMKJNKG5Eu5N%2Fimage.png?alt=media&#x26;token=dca1c4e2-1db9-4641-a06a-65bfa765beed" alt=""><figcaption></figcaption></figure>

The DLL has two classes - `Cryptor` and `Program`.

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2F9LwOoHhD5jbKGk6HAX46%2Fimage.png?alt=media&#x26;token=b19e8ff9-119e-4446-9842-6151017f6d45" alt=""><figcaption></figcaption></figure>

`Cryptor`-

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2FpVqLINZKhm4riwzvD2Jk%2Fimage.png?alt=media&#x26;token=83d68803-bd02-43e0-a588-56016c013991" alt=""><figcaption></figcaption></figure>

`Program`-

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2FtKF8UDbg7Fy9vHR4rsF4%2Fimage.png?alt=media&#x26;token=86f02ef4-1d1d-4ad8-bcf0-670b384eb19e" alt=""><figcaption></figcaption></figure>

We see a base64 string in the `Program` class.

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2FdRQjpnUvW9VKvz8qeQhy%2Fimage.png?alt=media&#x26;token=672b2c70-6f4c-464b-ad74-35c522bf1d72" alt=""><figcaption></figcaption></figure>
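As an added triage example (not code from the original writeup), the following Python script automates two of the steps above on a constructed sample: it spots the .NET markers that floss surfaced and decodes the embedded base64 string to see whether it hides an MSBuild project or a VBScript. The marker list, the classification heuristics and the sample bytes are assumptions for illustration, not data taken from Malware.cryptlib64.dll.

```python
import base64
import binascii
import re

# Strings a floss/strings pass typically exposes in a .NET assembly
# (assumed list; mscorlib is the one seen in the sample above).
DOTNET_MARKERS = (b"mscorlib", b"_CorDllMain", b"_CorExeMain", b"#Strings", b"#Blob")

# Long runs of base64 alphabet: a payload rather than an ordinary token.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def dotnet_indicators(data: bytes) -> list[str]:
    """Return the .NET markers present in the raw file bytes."""
    return [m.decode() for m in DOTNET_MARKERS if m in data]


def classify_payload(blob: bytes) -> str:
    """Label a decoded payload by the dropper artefacts an analyst expects."""
    low = blob.lower()
    if b"<project" in low and b"msbuild" in low:
        return "msbuild-project"   # MSBuild project XML (the dropped .xml)
    if b"createobject(" in low or b"wscript." in low:
        return "vbscript"          # VBScript (the dropped .vbs)
    return "unknown"


def decode_base64_candidates(data: bytes) -> list[tuple[str, bytes]]:
    """Decode every long base64 run in the file and classify what it hides."""
    found = []
    for m in B64_RE.finditer(data):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:      # bad length/padding: not real base64
            continue
        found.append((classify_payload(blob), blob))
    return found


# Constructed stand-in for the DLL: a fake header, the class names, and a
# base64-encoded MSBuild project stub (not the real sample's content).
SAMPLE_PROJECT = (b'<Project ToolsVersion="4.0" '
                  b'xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
                  b'<Target Name="Run"/></Project>')
SAMPLE_FILE = (b"MZ\x90\x00" + b"\x00" * 8 + b"mscorlib\x00Cryptor\x00Program\x00"
               + base64.b64encode(SAMPLE_PROJECT) + b"\x00")

if __name__ == "__main__":
    print("dotnet markers:", dotnet_indicators(SAMPLE_FILE))
    for label, blob in decode_base64_candidates(SAMPLE_FILE):
        print(label, blob[:60])
```

On a real sample, replace `SAMPLE_FILE` with the bytes of the DLL read from disk; every decoded blob is then worth checking against the files the dropper writes.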

An XML file and a VBS file are also created.\
Now we run the DLL with rundll32, calling its main method - `embed`.

```powershell
rundll32.exe .\Malware.cryptlib64.dll,embed
```

After running it, we find the XML file -

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2F39KbzWG9ERHeQFaYmLKN%2Fimage.png?alt=media&#x26;token=71b1b958-4e20-454e-af19-576aae08bc32" alt=""><figcaption></figcaption></figure>

The DLL has also created a registry key pointing to the VBS file-

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2F5wQROkV3xEShTKX85Nxf%2Fimage.png?alt=media&#x26;token=7afc0415-26ca-4586-9a6b-a2d529023915" alt=""><figcaption></figcaption></figure>

The XML file is an MSBuild project that executes the malware. Running it-

<figure><img src="https://2429440930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fvmiq90eCUf7ZZMUGm7Qu%2Fuploads%2FvFmCt7w4LXAuUMmow1ai%2Fimage.png?alt=media&#x26;token=a76651eb-e738-467c-8f42-38d82be2451c" alt=""><figcaption></figcaption></figure>

It makes requests to `http://ocsp.digicert.com` (DigiCert's OCSP responder, contacted during certificate revocation checking) and to `srv.masterchiefsgruntemporium.local`.

## Conclusion

***

This is a C2 dropper for the Covenant C2 framework. When run, a Grunt from the C2 framework will deliver the malware to the system.
