
Tryhackme [Day 9] Malware analysis She sells C# shells by the C2shore

Sudarshan Patel
8 min read · Dec 10, 2023


Hello, fellow participants! I trust you’re all having a splendid day. Today marks the ninth day of the thrilling Advent of Cyber 2023 on TryHackMe. I want to extend my heartfelt gratitude to the entire TryHackMe team for orchestrating this enlightening event. Their unwavering commitment to disseminating knowledge globally is truly praiseworthy.

I appreciate the invaluable insights shared throughout this journey, and I want to express my thanks not only to the dedicated team at TryHackMe but also to each of you who takes the time to peruse my humble contribution in this write-up. May the spirit of this advent season continue to ignite our collective pursuit of knowledge and exploration.

Forensic McBlue and team uncover a deleted malware allowing Tracy McGreedy to control elves remotely. They prioritize safe malware analysis, delve into .NET binaries, and use dnSpy for decompilation. A strategic methodology guides their examination of the C2’s back-end infrastructure. Each step reveals the malware’s functionality and potential vulnerabilities. Armed with a deep understanding, they prepare to dismantle the malicious setup, countering the threat. The clock ticks down as they gear up for justice, aiming to safeguard the elf community from remote manipulation.

Learning Objectives

In this task, we will focus on the following vital learnings to assist Forensic McBlue in analysing the retrieved malware sample:

The foundations of analysing malware samples safely
The fundamentals of .NET binaries
The dnSpy tool for decompiling malware samples written in .NET
Building an essential methodology for analysing malware source code

Malware Handling 101

Imagine you have a suspicious computer program, like a virus, that you want to understand without risking harm to your own computer. Handling such programs can be dangerous because they’re designed to cause problems.

So, experts use something called a “sandbox.” It’s like a make-believe computer where they can safely test the suspicious program. This way, they can see what the program does without any real danger.

Here’s what a sandbox usually includes:

  1. Network controls: Think of it like a fence around the sandbox. It keeps the suspicious program from connecting to the internet or spreading to other parts of the computer system.
  2. Virtualization: This is like a magic trick. The suspicious program runs in a special, isolated environment within the computer. It’s not on the real computer; it’s like a computer inside a computer. This makes it easy to start fresh or get rid of everything after testing.
  3. Monitoring and logging: The sandbox keeps a detailed record of everything the suspicious program tries to do. It’s like taking notes on its every move — what it tries to change, what it tries to connect to on the internet, and more. These notes help experts understand how the suspicious program works.

So, in simple terms, a sandbox is a safe and controlled space where experts can play with potentially harmful programs to learn about them without causing any harm to their real computers.

Introduction to .NET Compiled Binaries:

.NET binaries are compiled files containing code written in languages compatible with the .NET framework, such as C#, VB.NET, F#, or managed C++. These binaries are executable files (with the .exe extension) or dynamic link libraries (DLLs with the .dll extension). They can also be assemblies that contain multiple types and resources.

Compared to other programming languages like C or C++, languages that use .NET, such as C#, don’t directly translate the code into machine code after compilation. Instead, they use an intermediate language (IL), like a pseudocode, and translate it into native machine code during runtime via a Common Language Runtime (CLR) environment.

This may be a bit overwhelming. In simple terms, it’s only possible to analyse a C or C++ compiled binary by reading its assembly instructions (low-level). Meanwhile, a C# binary can be decompiled and its source code retrieved since the intermediate language contains metadata that can be reconverted to its source code form.

C2 Primer

According to Forensic McBlue, the retrieved malware sample is presumed to be related to the organisation’s remote mind control (over C2) incident. So, to build the right mindset in solving this case, let’s look at the run-through below about malware with C2 capabilities.

C2, or command and control, refers to a centralised system or infrastructure that malicious actors use to remotely manage and control compromised devices or systems. It serves as a channel through which attackers issue commands to compromised entities, enabling them to carry out various activities, such as data theft, surveillance, or further malware propagation.

Seeing C2 traffic means that malware has already been executed inside the victim machine, as detailed in the diagram above. In terms of cyber kill chain stages, the attacker has successfully crafted and delivered the malware to the target and potentially moves laterally inside the network to achieve its objectives.

To expound further, malware with C2 capabilities typically exhibits the following behaviours:

HTTP requests: C2 servers often communicate with compromised assets using HTTP(s) requests. These requests can be used to send commands or receive data.

Command execution: This behaviour is the most common, allowing attackers to execute OS commands inside the machine.

Sleep or delay: To evade detection and maintain stealth, threat actors typically instruct the running malware to enter a sleep or delay for a specific period. During this time, the malware won’t do anything; it will only connect back to the C2 server once the timer completes.

Decompiling Malware Samples With dnSpy

Now that we’ve tackled the theoretical concepts to build our technical skills, let’s start playing with fire (malware)!

Since we already assume that the malware sample is written in C#, we will use dnSpy to decompile the binary and review its source code.

dnSpy is an open-source .NET assembly (C#) debugger and editor. It is typically used for reverse engineering .NET applications and analysing their code and is primarily designed for examining and modifying .NET assemblies in a user-friendly, interactive way. It’s also capable of modifying the retrieved source code (editing), setting breakpoints, or running through the code one step at a time (debugging).

To proceed, let’s go to the virtual machine and start the dnSpy tool by double-clicking the shortcut on the desktop.

Once the tool is open, we will load the malware sample by navigating to File > Open located on the upper-left side of the application.

Once the malware sample is loaded, you’ll have a view like the image below. The next step is to click the Main string, which will take you to the entry point of the application.

Let’s get started with the task:

Accessing the Machine:

  1. Start the Machine.
  2. Click the Split view.

Question 1:

What HTTP User-Agent was used by the malware for its connection requests to the C2 server?

Answer:

To determine the HTTP method being used, you can examine the PostIt function. Follow these steps to navigate to the relevant code using dnSpy:

  1. Open dnSpy.
  2. Go to File -> Open.
  3. Navigate to the desktop.
  4. Click on “All Files” at the bottom to display all file types.
  5. Select the file named “juicyTomatoydefang.”
  6. Click and expand the folders “juicytomatoy” and “JuicyTomaToy.exe” to locate and inspect the program.

Within the code, locate the PostIt function and check for the HTTP method used, which should be a POST request.

Question 2:

What is the HTTP method used to submit the command execution output?

Answer: POST

This answer follows directly from the previous one: the PostIt function shows the method used.

Question 3:

What key is used by the malware to encrypt or decrypt the C2 data?

Answer: youcanthackthissupersecurec2keys

To get the answer to this question, we just have to look into the encryption function. The answer is highlighted in the screenshot below.

Question 4:

What is the first HTTP URL used by the malware?

Answer: http://mcgreedysecretc2.thm/reg

To get the answer to this question, we have to revisit the main function. The answer is highlighted in the screenshot below.

Question 5:

How many seconds is the hardcoded value used by the sleep function?

Answer: 15

Within the Main function, there is a variable ‘count’ initialised to 15000. By programming convention, time values are commonly expressed in milliseconds, so the sleep time here is 15000 milliseconds, which is 15 seconds. The answer is highlighted in the screenshot above.

Question 6:

What is the C2 command the attacker uses to execute commands via cmd.exe?

Answer: shell

Here, looking at the Main function, if the received command is “shell”, that block runs and launches “cmd.exe”. So the answer to this question is simple. You can also see this in the screenshot below.

Question 7:

What is the domain used by the malware to download another binary?

Answer: stash.mcgreedy.thm

In the Main function, it is evident that the program attempts to connect to an additional domain for the purpose of downloading the malware. The screenshot below reveals the presence of another questionable domain.
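The C2 behaviours from the primer (HTTP beaconing, a fixed sleep) and the indicators recovered in the answers above can be turned into detection logic. This is an added example, not code from the write-up or from TryHackMe: it runs over constructed proxy-log lines, matches the two domains found in the binary, and flags any client whose requests to a host recur at the 15-second sleep interval (only /reg is from the sample; every other path and all log lines are made up).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Indicators from the dnSpy analysis above; /reg is the sample's first URL,
# every other path and all log lines below are constructed for this example.
C2_DOMAINS = {"mcgreedysecretc2.thm", "stash.mcgreedy.thm"}
BEACON_SECONDS = 15  # the hardcoded 15000 ms sleep found in Main

PROXY_LOG = """\
2023-12-10T10:00:00 10.10.5.7 GET http://mcgreedysecretc2.thm/reg
2023-12-10T10:00:15 10.10.5.7 POST http://mcgreedysecretc2.thm/beacon
2023-12-10T10:00:30 10.10.5.7 POST http://mcgreedysecretc2.thm/beacon
2023-12-10T10:00:45 10.10.5.7 POST http://mcgreedysecretc2.thm/beacon
2023-12-10T10:00:46 10.10.5.7 GET http://stash.mcgreedy.thm/payload
2023-12-10T10:00:03 10.10.5.9 GET http://intranet.example/home
2023-12-10T10:02:13 10.10.5.9 POST http://intranet.example/login
"""

def parse_log(text):
    # One event per well-formed "time client method url" line; others skipped.
    events = []
    for line in text.splitlines():
        m = re.match(r"^(\S+) (\S+) (GET|POST) (\S+)$", line.strip())
        if m:
            ts, client, method, url = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "client": client,
                           "method": method, "host": urlsplit(url).hostname,
                           "url": url})
    return events

def ioc_hits(events):
    # Direct match on the two domains pulled out of the decompiled binary.
    return [(e["client"], e["method"], e["url"])
            for e in events if e["host"] in C2_DOMAINS]

def find_beacons(events, period=BEACON_SECONDS, tol=2, min_hits=2):
    # Flag (client, host) pairs whose request gaps keep matching the sleep value.
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["host"])].append(e["time"])
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()  # proxy logs are not always written in time order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tol)
        if regular >= min_hits:
            flagged[pair] = regular
    return flagged
```

The interval check is the more durable of the two signals: a rebuilt sample can change its domain, but the timer baked into Main still shows up as evenly spaced requests.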

Thank you for reading!

Happy Hacking!

Author: Sudarshan Patel
