4 minutes read

SHA-256: 963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c

You can download the malware sample from malware-traffic-analysis.net

Stage 1

The main function is full of junk instructions, the most interesting function inside the main is decode_n_call function near the end:

Inside the decode_n_call function, it allocated memory, decodes a data from 0x0433220 address and jumps to it via call instruction:

It allocates two memory blocks, each 0x3000 length, with PAGE_EXECUTE_READWRITE permission:

After that, it writes some decoded data inside the first allocated memory:

Also, there is another loop which decodes/decrypts once again the written data in the memory:

Seems like it’s PE file, but still encoded, not valid yet.

Function 0x30A70 gets two arguments, the encoded/encrypted data and the second allocated memory, the function returns a decoded/decrypted PE file via the second argument:

It removes the main executable from the memory and copies recently decoded/decrypted code:

Section maps:

Inside 0x30730 (offset 0x730 ) function it build IAT for the new PE file:

After that, it jumps to the entry point of the new PE file:

Instead of continuing analysis, it’s much easier to dump the new PE and analyze it separately.

Stage 2

The second PE is full of junk instructions, too. The interesting part starts at 0x0401EED location.

Inside the sub_403B10 function, it tries to delete Settings , Microsoft\\Enc , AMMYY , Foundation and Foundation1 directories, also following files: wmihost.exe , settings3.bin , wmites.exe , wsus from different directories:

It uses sub_404450 to get a function addresses based on some kind of hash, which is passed via the second argument:

The 0x403DE0 function gets process name as the argument and terminates the corresponding process:

It executes following commands using ShellExecuteW function: cmd /C net.exe stop ammyy , cmd /C sc delete ammyy , cmd /C net.exe stop foundation and cmd /C sc delete foundation

These commands stop the malware if there is one.

It generates random name (via CoCreateGuid ) for a PE file, which it downloads from http://185.176.221.29/ban3.dat :

Inside downloadNextStage_bin function, it downloads a file from the URL and saves at above-mentionshed location:

It copies the new file to CSIDL_COMMON_APPDATA\Microsoft Help\\wsus.exe and deletes original one:

Inside sub_402960 function if the user is an admin , it executes above-mentioned commands once again, registers the downloaded PE file as a service called foundation and starts it:

In the end, it deletes the original, second stage PE file:

If the user is not an admin , it uses a COM object ( taskscd.dll ) to create and run the executable (via scheduled task ):

For the more detailed information look at sub_402360 function.

After that, same happens, it deletes the original, second stage PE file and exist via TerminateProcess call:

That’s all.

That was the brief overview of the AMMYY RAT Downloader .

Thank you for your time.

Discuss on Reddit

Twitter: @_qaz_qaz