Reversing Csharp And DotNET Framework

Sample Details

Sample Name: Malware.cryptlib64.dll
Malware Type: C2 Dropper

Analysis

Running FLOSS on the sample shows some interesting strings:

mscorlib is the core library of the .NET framework, so this is a C# (.NET) binary rather than native code.

Note:

C# is part of the .NET framework. C# binaries do not interact directly with the OS but with the .NET framework: they are executed by the CLR (Common Language Runtime). When C# is compiled, it is converted to IL (Intermediate Language), which the CLR then runs.
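A quick structural check for the "is this .NET?" question, as an added example that is not part of the original notes: instead of relying on the mscorlib string alone, parse the PE headers and look at data directory 14 (the CLR runtime header), which is only populated in managed assemblies. The header-only PE built by build_fake_pe is a constructed test input, not the sample from these notes; the RVA/size values in it are placeholders.

```python
import struct

# Minimal PE parsing to decide whether a sample is a managed (.NET) assembly.
# Checks the CLR runtime header (data directory 14,
# IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) rather than the "mscorlib" string alone.

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
CLR_DIRECTORY_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def has_clr_header(data: bytes) -> bool:
    """True if the PE's optional header has a non-empty CLR runtime directory."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return False
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_rva_off, dir_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dir_off = opt + 108, opt + 112
    else:
        return False
    entry = dir_off + 8 * CLR_DIRECTORY_INDEX
    if len(data) < entry + 8:
        return False
    num_rva = struct.unpack_from("<I", data, num_rva_off)[0]
    if num_rva <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def classify(data: bytes) -> dict:
    """Combine the structural check with the string heuristic from the notes."""
    return {
        "clr_header": has_clr_header(data),
        "mentions_mscorlib": b"mscorlib" in data,
    }


def build_fake_pe(with_clr: bool, pe32plus: bool = True) -> bytes:
    """Constructed test input: a header-only PE, not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    opt_size = (112 if pe32plus else 96) + 8 * 16    # fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # NumberOfRvaAndSizes
    if with_clr:
        # Any non-zero RVA/size marks the file as managed; these values are placeholders.
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 8 * CLR_DIRECTORY_INDEX,
                         0x2008, 0x48)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sample = open(path, "rb").read() if path else build_fake_pe(with_clr=True)
    print(classify(sample))
```

Run it with a file path to classify a real sample; with no argument it classifies the constructed header. A hit on both checks is the normal case for a C# DLL like this one; a CLR header with no mscorlib string is worth a second look (packed or obfuscated assemblies), and the reverse usually just means a native binary that happens to embed the name.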

Start INetSim on REMnux and open the sample in dnSpy on FLARE VM.

In dnSpy we see:

The DLL has two classes: Cryptor and Program.

Cryptor:

Program:

We see a base64 string in the Program class.

An XML file and a VBS file are also being created. Now we run the DLL with rundll32, calling the DLL's entry method, embed:

	 rundll32.exe .\Malware.cryptlib64.dll,embed

After running it, we find the XML file:

The DLL has also created a registry key pointing to the VBS file:

The XML file uses MSBuild to execute the malware. Running it:

It makes requests to http://ocsp.digicert.com and srv.masterchiefsgruntemporium.local.
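Two triage helpers for the artifacts described above (the MSBuild XML and the registry key pointing at the VBS file), added here as example code that is not part of the original notes. The notes do not show the contents of the dropped XML, so SAMPLE_PROJECT is a constructed MSBuild project in the documented inline-task shape with a harmless placeholder string where a payload would sit; SAMPLE_RUN_VALUES is likewise constructed, and on a real host the dict would be filled from the autorun keys (e.g. via winreg). The first helper flags UsingTask elements whose TaskFactory compiles inline code and decodes long base64 runs inside the embedded source; the second flags autorun values that launch script hosts or MSBuild.

```python
import base64
import re
import xml.etree.ElementTree as ET

# MSBuild task factories that compile source embedded in the project file.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}
# Long base64-looking runs only; short runs would mostly be identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Command-line fragments that mean an autorun value hands off to a script host.
SCRIPT_HOST_HINTS = ("wscript", "cscript", ".vbs", "mshta", "msbuild")

# Constructed sample: the shape of an MSBuild inline task with a placeholder
# string instead of a payload. Not the XML from the analysed sample.
PAYLOAD_MARKER = b"constructed placeholder stage marker (not a real payload)"
SAMPLE_PROJECT = r"""<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run">
    <ExampleTask />
  </Target>
  <UsingTask TaskName="ExampleTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        public class ExampleTask : Microsoft.Build.Utilities.Task {
            public override bool Execute() {
                string blob = "__B64__";
                return true;
            }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
""".replace("__B64__", base64.b64encode(PAYLOAD_MARKER).decode())

# Constructed autorun values (name -> command line); paths are made up.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"wscript.exe C:\Users\analyst\AppData\Roaming\updater.vbs",
}


def _local(tag: str) -> str:
    """Strip the XML namespace so MSBuild elements can be matched by name."""
    return tag.rsplit("}", 1)[-1]


def analyze_msbuild_project(xml_text: str) -> dict:
    """Report inline-code tasks and any base64 blobs decodable from their source."""
    root = ET.fromstring(xml_text)
    findings = {"inline_tasks": [], "decoded_strings": []}
    for elem in root.iter():
        if _local(elem.tag) != "UsingTask":
            continue
        factory = elem.get("TaskFactory", "")
        if factory not in INLINE_TASK_FACTORIES:
            continue
        for code in (c for c in elem.iter() if _local(c.tag) == "Code"):
            src = code.text or ""
            findings["inline_tasks"].append({
                "task": elem.get("TaskName"),
                "factory": factory,
                "language": code.get("Language", ""),
                "code_chars": len(src),
            })
            for blob in B64_RE.findall(src):
                try:
                    findings["decoded_strings"].append(
                        base64.b64decode(blob, validate=True))
                except ValueError:        # not valid base64 after all
                    continue
    return findings


def suspicious_run_values(values: dict) -> list:
    """Names of autorun values whose command references a script host or MSBuild."""
    return [name for name, cmd in values.items()
            if any(hint in cmd.lower() for hint in SCRIPT_HOST_HINTS)]


if __name__ == "__main__":
    print(analyze_msbuild_project(SAMPLE_PROJECT))
    print(suspicious_run_values(SAMPLE_RUN_VALUES))
```

For a real project file, pass the file contents to analyze_msbuild_project and inspect the decoded strings before trusting them: the base64 regex is deliberately loose, so long identifiers or hashes in legitimate build scripts can also match, which is why invalid decodes are dropped rather than reported.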

Conclusion

This is a C2 dropper from the Covenant C2 framework. When run, a Grunt (Covenant's implant) from the C2 framework delivers the malware to the system.
