Target: X-X.BonusBinaries\Malware.unknown.exe.malz
This sample exfiltrates cosmo.jpeg from the user's desktop via DNS requests and then exits. No files are written/modified, no commands are run, and no forms of persistence seem to be in place.
- MD5: 812A7C7EB9D7A4332B9E166AA09284D7
- SHA1: EC0D565AFE635C2C7863B2A05DF8A49C58B703A3
- SHA256: 81A10784AE60A58A969E858C9C4A2AE0D4EBE46E9BD6776992461C062F70099D
- Size: ~124 KB
- Flagged by 3/69 vendors on VirusTotal
- 32-bit executable
λ floss -n 8 Malware.unknown.exe > floss.txt
This is very likely a Nim binary:
λ grep -i 'nim' floss.txt | head
fatal.nim
fatal.nim
parseutils.nim
strutils.nim
streams.nim
setPositionImpl
getPositionImpl
oserr.nim
<SNIP>
File path Desktop\cosmo.jpeg is hardcoded into the binary:
λ grep -i \\ floss.txt
@Desktop\cosmo.jpeg
Some DLL files appear as strings in the binary:
λ grep -i '\.dll' floss.txt
@Can't load inet_ntop proc from Ws2_32.dll
@Ws2_32.dll
@Ws2_32.dll
@Bcrypt.dll
@Bcrypt.dll
KERNEL32.dll
msvcrt.dll
USER32.dll
What looks like three obfuscated domains:
λ grep -i 'l.o.c.a.l' floss.txt
@hwtwtwpw:w/w/whwewyw.wywowuwuwpw.wlwowcwawlw
@axuxtxhx.xnxsx.xlxoxcxaxlx
@.BcBoBsBmBoBsBfBuBrBbBoBoBtBsBeBmBpBoBrBiBuBmB.BlBoBcBaBlB
The three strings turn into:
http://hey.youup.localauth.ns.local.cosmosfurootsemporium.local
When run, the sample looks up hey.youup.local:
If no response is received for hey.youup.local, the program quits:
If hey.youup.local is up, the program continues running and repeatedly sends GET requests to http://hey.youup.local:
This continue until hey.youup.local "goes down", at which point there is a DNS lookup request to auth.ns.local and then DNS exfiltration begins using .cosmosfurootsemporium.local:
Note: To recreate:
- Modify FlareVM's hosts file to point
hey.youup.localto localhost - Run inetsim on REMnux
- Start a Python http.server on FlareVM to receive the first HTTP request and then close it to initiate DNS exfiltration
It appears that the DNS requests are exfiltrating Desktop\cosmo.jpeg:
Once it finishes exfiltrating Desktop\cosmo.jpeg, the sample exits:
If Desktop\cosmo.jpeg does not exist, the sample exits:
The program appears to be obfuscated, making use of a very large number of functions making it very hard and tiring to trace:
Since we already know what this binary does, I won't bother getting into advanced dynamic analysis, especially given the obfuscation in place.
The following YARA rule may be used to detect the sample on a computer:
rule DNS_Exfil_Cosmo_JPEG {
meta:
last_updated = "2023-03-05"
author = "William Moody"
description = "Detects (X-X.BonusBinaries) Malware.unknown.exe"
strings:
$cosmoPath = "Desktop\\cosmo.jpeg" ascii
$nim = "nim"
$PE_magic_byte = "MZ"
$d1 = "hwtwtwpw:w/w/whwewyw.wywowuwuwpw.wlwowcwawlw" ascii
$d2 = "axuxtxhx.xnxsx.xlxoxcxaxlx" ascii
$d3 = ".BcBoBsBmBoBsBfBuBrBbBoBoBtBsBeBmBpBoBrBiBuBmB.BlBoBcBaBlB" ascii
condition:
($PE_magic_byte and $nim)
and $cosmoPath
and ($d1 and $d2 and $d3)
}Example output:
λ yara64 rule.yara -r C:\ -w -p 32
DNS_Exfil_Cosmo_JPEG C:\\Users\flarevm\Desktop\Malware.unknown.exe