Hello, recently CrunchyRoll was attacked with a DNS Hijack and a malware was delivered. The malware does some strange stuff that I can’t comprehend but here are just my notes from the little effort that I put into it.

Sample SHA1: 7F0C19EEC1913F193B236C59742E469E16CE4DE2

Opening the file up in IDA and traversing to WinMain, we see this:

The file performs startup persistence, and then allocate some memory, copy the shellcode there, and then execute it.

Opening the file up in OllyDbg, we break after the VirtualAlloc call and step into the shellcode (which is rather small).

First, it obtained EIP using the common call-pop method. Strangely however, unlike most malware, it doesn’t have a function that does something like this:

pop eax

push eax

ret

but rater chose to do it via a jump and a call back to pop eax. I suppose this might also be a form of a

Next, it jumps into a bruteforce loop.

After it is complete, EBX’s value is 0xB2FB9B40, which is then flipped with a bswap instruction. We finally reach the self decryptor, having obtained our key:

After that it is a bunch of weird stuff happens that I didn’t really look at but anyways, if you want to continue reverse engineering now you have a little more information I guess.

It seems like the malware receives a shellcode from the CnC and then performs a jmp to it, nothing more.

Regarding reddit, people tends to become stupid and post false information (hurr durr russian ip hurr durr ransomware), please disregard them, thanks. No, it was not hosted in Russia, the CnC is @ an OVH server in France. (145.239.41 dot 131).

Oh and here’s the dumped shellcode for your viewing pleasure.

ciao

https://bartblaze.blogspot.com/2017/11/crunchyroll-hack-delivers-malware.html

bartblaze wrote another nice article regarding this malware, you might want to look into it.