Tuesday, January 23, 2018

Generic .Net Unpacking

Nowadays, malware written in C# or VB.NET (that is, for the Microsoft .NET Framework) has become more and more common. Ransomware, spyware and trojans are all available in .NET.

In contrast to C, C++ or even assembly, .NET is much easier and faster to develop in. Via Reflection, code can be loaded or called dynamically, which provides an interesting possibility for obfuscation.

Fire and Fury

While browsing some malware samples we recently came across an interesting one:

The first layer is a WinRAR self-extracting archive:

The SFX archive extracts two files, a PE file written in C# and a PDF file. Both are launched:

The PDF is indeed the e-book version of the recently released book "Fire and Fury" by Michael Wolff, which details the behavior of U.S. President Donald Trump during the presidential campaign. The SFX file uses the PDF to conceal its main payload.

Since version 19 (July 2017) Joe Sandbox features automated decompilation of .NET samples. Therefore we can directly inspect the C# source code of fero.exe. Very interesting here is the Form_Load function:

The function decrypts a resource, then loads it, and finally calls its entry point. Wouldn't it be nice to get the decompiled code of the decrypted resource? Enter Generic .NET Unpacking.

Generic .Net Unpacking

Joe Sandbox Ultimate includes a generic PE unpacking engine for any PE file loaded into memory during analysis. Unpacked PE files can be directly downloaded from the analysis results webpage under the secondary analysis results:

With Joe Sandbox v21, those unpacked PE files are also automatically decompiled, resulting in generic .NET Unpacking and decompilation. Cool, isn't it?
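The general idea of locating PE files in a memory buffer and telling .NET assemblies from native images, as an added example that is not Joe Sandbox's engine or code from this post: it scans for PE headers and checks the CLR runtime header data directory, which only managed images populate. All function names and the sample buffer are constructed for illustration.

```python
import struct

CLR_DIR = 14  # data directory index of the CLR runtime header (.NET only)

def parse_pe_at(buf, off):
    """Return a dict describing the PE header at `off`, or None if not a PE."""
    if off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    # Require room for signature, COFF header and the largest directory offset.
    if e_lfanew < 0x40 or pe + 136 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    opt = pe + 24  # optional header follows 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    dirs = opt + (96 if magic == 0x10B else 112)  # start of data directories
    (count,) = struct.unpack_from("<I", buf, dirs - 4)  # NumberOfRvaAndSizes
    entry, is_dotnet = dirs + 8 * CLR_DIR, False
    if count > CLR_DIR and entry + 8 <= len(buf):
        rva, size = struct.unpack_from("<II", buf, entry)
        is_dotnet = rva != 0 and size != 0
    return {"offset": off, "is_dotnet": is_dotnet}

def carve_pe_headers(buf):
    """Find every embedded PE header in a buffer; stray 'MZ' bytes are rejected."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        hit = parse_pe_at(buf, pos)
        if hit:
            hits.append(hit)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def build_sample_pe(dotnet):
    """Constructed PE32 headers only (no sections, not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, 0x2008, 72)  # CLR header RVA, size
    return dos + b"PE\0\0" + coff + bytes(opt)

def sample_dump():
    """Constructed 'memory dump': padding, a native PE, a stray MZ, a .NET PE."""
    return (b"\x90" * 100 + build_sample_pe(False)
            + b"junkMZjunk" + b"\0" * 64 + build_sample_pe(True))
```

Calling `carve_pe_headers(sample_dump())` reports two headers and marks only the second as .NET; on a real dump, the offsets flagged as .NET are the candidates to extract and hand to a decompiler.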

Let us have a look at the code of the decrypted and decompiled resource:


Command Handler

Capture Screenshot

Key Logger

Thanks to generic .NET unpacking, we can find all the payload functions, including screenshot capture, information gathering, keylogging, download and execute, USB infection, etc.

Of course, Joe Sandbox is able to automatically detect such code:

Final Words

Thanks to Joe Sandbox Ultimate's generic unpacking engine, analysts get access to any dynamically loaded PE files. With the help of the Joe Sandbox .NET Decompiler, those PE files are automatically converted to source code.

Source code enables the fastest and most accurate analysis of malware.

Interested in trying out Joe Sandbox Ultimate? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!

Full Joe Sandbox Analysis Report.