Z2A Custom Sample Part 2
Introduction
Here we come to the next part of my write-up for Z2A custom sample.
Analysis stage 2
A quick triage summary showed that stage 2 of this sample didn’t seem to be packed, so I decided to start analyzing it statically. The main function is at 0x401ea0.
First, it tries to get the name of the current module and checks something with it in the function sub_401660.
Diving into this function, I saw a repeated constant. Searching for that constant revealed that it is using CRC32 hashing, so I renamed this function to CRC32.
Returning to the main function, I decided to use the HashDB plugin from OALabs to look up the hash, and surprisingly, it resolved to svchost.exe.
The program checks if the name of the current module is svchost.exe. If it is, it jumps to its main_routine. If not, it creates a new svchost process, writes over the process memory, and then continues to call main_routine.
I decided to focus on the main_routine function. It first resolves some APIs from wininet.dll, then decrypts a URL and calls sub_routine.
The URL contains another URL, which leads to an image of the Z2A logo. I decided to download it and continue analyzing the sub_routine function.
Inside the sub_routine function, it creates a new cruloader directory inside the temp directory and stores the image as output.jpg.
Then, it searches for the string redaolurc inside the image, which is the reverse of the string cruloader.
Afterward, the content following the redaolurc string is XORed with 0x61. Then, a svchost process is created in a suspended state, which is a signal for process hollowing injection.
Jump to stage 3
Let’s dump stage 3 from the image and analyze it.
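To carve stage 3 out of output.jpg the way the write-up describes (locate the reversed marker redaolurc, XOR everything after it with 0x61), here is a small extractor. It is an added example, not the author's script or part of the sample; the embedded carrier bytes are a constructed stand-in for the real image, so the decoded stub is only a few bytes long.

```python
# Added example (not the author's code): carve the stage-3 payload from the
# carrier image. Marker and XOR key are the ones named in the write-up.
import sys
from pathlib import Path

MARKER = b"redaolurc"   # "cruloader" reversed, as found in the image
XOR_KEY = 0x61          # single-byte XOR key applied after the marker


def extract_stage3(image: bytes) -> bytes:
    """Return the decoded bytes that follow the marker; raise if it is absent."""
    idx = image.find(MARKER)
    if idx == -1:
        raise ValueError("marker not found: not a cruloader carrier image")
    encoded = image[idx + len(MARKER):]
    return bytes(b ^ XOR_KEY for b in encoded)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check for the dump: a decoded PE starts with the 'MZ' DOS header."""
    return blob[:2] == b"MZ"


# Constructed sample image: a JPEG-looking prefix, the marker, then an
# XOR-encoded stub whose plaintext starts with "MZ". A real output.jpg would
# carry the whole stage-3 executable here instead.
_FAKE_STAGE3 = b"MZ\x90\x00" + b"stage3-stub"
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 16          # JPEG SOI/APP0 bytes plus padding
    + MARKER
    + bytes(b ^ XOR_KEY for b in _FAKE_STAGE3)  # same XOR the loader undoes
)


if __name__ == "__main__":
    # Usage: python extract_stage3.py [path/to/output.jpg]; defaults to the sample.
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_IMAGE
    payload = extract_stage3(image)
    print(f"decoded {len(payload)} bytes, PE header present: {looks_like_pe(payload)}")
    Path("stage3.bin").write_bytes(payload)   # dump for static analysis in IDA/Ghidra
```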
Well, stage 3 is just about opening a message box. Looks like we’ve finished analyzing this sample.
Conclusion
It was a really fun and interesting challenge. However, it was quite easy since the author kept using the process hollowing technique for the injection part. I really expected to see other techniques to sharpen my analysis skills. Still, I learned a lot of things from it!