Reversing C# and the .NET Framework
Sample name: Malware.cryptlib64.dll. Malware type: C2 dropper.
Running FLOSS on the sample shows some interesting strings, including mscorlib, the core library referenced by every C# binary. So this is a C# binary built on the .NET Framework.

C# binaries do not interact directly with the OS; they go through the .NET Framework. C# source is compiled to IL (Intermediate Language), and the IL is then executed by the CLR (Common Language Runtime).
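As an added example (not part of the original write-up): instead of relying on the mscorlib string alone, a triage script can read the PE optional header and check whether the CLR Runtime Header data directory is populated, which is what marks an image as a managed assembly the CLR will load. The stub PE builder below is constructed purely to exercise the check; it is not the sample.

```python
import struct

# Index of the CLR Runtime Header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) in the data directory.
COM_DESCRIPTOR_INDEX = 14


def clr_header(data: bytes):
    """Return (rva, size) of the CLR Runtime Header, or None if the image has no CLR header.

    A non-zero entry means the image is a managed (.NET) assembly executed by the CLR,
    which is a stronger signal than merely finding the string 'mscorlib'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                           # PE32
        num_rva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        num_rva_off, dir_off = opt + 108, opt + 112
    else:
        return None
    (num_rva,) = struct.unpack_from("<I", data, num_rva_off)
    if num_rva <= COM_DESCRIPTOR_INDEX:
        return None
    rva, size = struct.unpack_from("<II", data, dir_off + 8 * COM_DESCRIPTOR_INDEX)
    return (rva, size) if size else None


def is_dotnet_assembly(data: bytes) -> bool:
    return clr_header(data) is not None


def make_stub_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Build a constructed, minimal PE header (not a real sample) to test the check."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0, 0)
    dir_off = 112 if pe32plus else 96
    opt = bytearray(dir_off + 8 * 16)            # 16 data directory entries
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dir_off - 4, 16)  # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, dir_off + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run it against a real file with is_dotnet_assembly(open(path, "rb").read()); a managed DLL such as the sample analysed here returns True.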
Start INetSim on REMnux and open the sample in dnSpy on FLARE VM.
In dnSpy we see that the DLL has two classes, Cryptor and Program. The Program function contains a base64 string.
An XML file and a VBS file are also created.
Now we run the DLL with rundll32, calling its main method, embed.
After running, we find the XML file:
The DLL has also created a registry key pointing to the VBS file:
The XML file is an MSBuild project that executes the malware. Running it:
It makes requests to http://ocsp.digicert.com and srv.masterchiefsgruntemporium.local.
This is a C2 dropper for the Covenant C2 framework. When run, a Grunt (the Covenant implant) from the C2 framework will deliver the malware to the system.