Simple analysis of a .NET sample

1. Sample profile

1.1  Sample information

Virus name: 1d494e530060d1b4d320cfe58eedca4f732cf8f3

MD5: 8F47BB964E517429B9C50989B2D59005

SHA1: 1D494E530060D1B4D320CFE58EEDCA4F732CF8F3

CRC32: 9BD6E1BF

1.2  Test environment and tools

1.2.1 Test environment

Windows 7 32-bit operating system

1.2.2 Test tools

Packer detection tools: PEiD, ExeinfoPE

Monitoring tools: Huorong Sword, PCHunter

Debugging tool: dnSpy

1.3 Basic analysis

1.3.1 Packer check

Checking the sample with PEiD shows that it is a C# program, as seen in Figure 1-1.

Figure 1-1 Packer check of the sample

 

1.3.2 Encryption algorithm

After unpacking the malicious program manually, the PEiD plug-in was used to look for encryption algorithms in it; none were detected.

Figure 1-3 Encryption algorithm scan

1.3.3 Cloud sandbox analysis

The sample was uploaded to the ThreatBook (Weibu) cloud sandbox, which reported the following behaviors.

Figure 1-4 Cloud sandbox analysis

2. Specific behavior analysis

2.1 Main behavior

Load the sample into Huorong Sword and filter on behavior monitoring. The virus drops a PE file, launches it, and injects into a process.

Figure 2-1 File dropped by the virus

Filtering on execution monitoring shows the malicious program loading several modules.

Figure 2-2 Execution monitoring

Filtering on file monitoring:

Figure 2-3 File monitoring

Filtering on network monitoring:

Figure 2-4 Network monitoring

Finally, a registry comparison tool is used to diff the registry before and after running the malicious program: a value is set under the key Software\Microsoft\Windows NT\CurrentVersion\Windows.

3. Malicious code analysis

3.1 Main program analysis

Start by analyzing the main program.

Loading the virus into dnSpy shows a large number of garbled identifiers, which suggests the code is obfuscated.

Figure 3-1 Obfuscated code

Because the identifiers are garbled, the code is obfuscated; de4dot is used to remove the obfuscation.

Figure 3-2 Deobfuscated code

After deobfuscation the code is clear and easy to read; locate the main function.

Figure 3-2 Main function

Figure 3-3 Checking whether the file exists

First, the program checks whether C:\Users\VicZ\scvhosts.exe exists.

 

Figure 3-4 Copy files

If it does not exist, copy the current file to C:\\Users\\VicZ\\scvhosts.exe and start it to end the current process.

 

Figure 3-5 Setting to hide

If it exists, set the file attribute of C:\\Users\\VicZ\\scvhosts.exe to hidden

 

Figure 3-6 Open the registry

 

Figure 3-7 Set key value

Open the registry Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows to set the key value

 

Figure 3-8 The first address of the buffer

 

Figure 3-9 Splicing command

Splicing command.

 

Figure 3-10 Remote thread injection

The remote thread injects C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\csc.exe, connects to the network, and sends data packets.

The function ends.

 

4. Manual removal

1. Delete the file C:\Users\VicZ\scvhosts.exe

2. Delete the registry value that was created
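A defender-side triage and clean-up script for the indicators found in sections 2 and 3, added here as an example and not part of the original article. It assumes the dropper may also write scvhosts.exe to the current user's profile root and that the registry value's data references the dropped file; the analysis does not name the hive, so both HKCU and HKLM are checked.

```powershell
# Added example, not part of the original article: triage for the indicators
# described in sections 2 and 3. Report-only unless -Remove is given.
param([switch]$Remove)

# Path named in the analysis, plus the current user's profile root
# (assumption: the dropper writes to the running user's profile).
$candidates = @('C:\Users\VicZ\scvhosts.exe',
                (Join-Path $env:USERPROFILE 'scvhosts.exe')) | Select-Object -Unique
$knownSha1 = '1D494E530060D1B4D320CFE58EEDCA4F732CF8F3'   # SHA1 from section 1.1

# Key from the registry diff; the hive is not stated, so check both.
$regKeys = @('HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
             'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows')
$findings = @()

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item   = Get-Item -LiteralPath $path -Force              # -Force sees hidden files
    $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
    $hash   = if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
                  (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash } else { 'n/a' }
    $findings += "File: $path hidden=$hidden sha1Match=$($hash -eq $knownSha1)"
    if ($Remove) { Remove-Item -LiteralPath $path -Force }    # -Force also removes hidden files
}

foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }              # provider metadata, not data
        # Assumption: the persistence value's data references the dropped file.
        if ("$($prop.Value)" -match 'scvhosts\.exe') {
            $findings += "Registry: $key\$($prop.Name) = $($prop.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# csc.exe is a compiler; an established TCP connection from it matches the
# injection described in 3.1. Get-NetTCPConnection needs Windows 8 or later.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    foreach ($p in Get-Process -Name csc -ErrorAction SilentlyContinue) {
        $conns = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue
        if ($conns) { $findings += "csc.exe PID $($p.Id): $(@($conns).Count) established connection(s)" }
    }
}

if ($findings) { $findings } else { 'No indicators found.' }
```

Run it as the affected user (and once elevated to cover HKLM); without -Remove it only reports, so the output can be compared with the Huorong Sword findings before anything is deleted.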


Origin blog.csdn.net/weixin_44001905/article/details/103151138