# Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic] **[tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html](https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html)** Today I just want to share some interesting obfuscation and anti memory forensic techniques I've learned from Netwalker Ransomware that makes its code more time consuming and hard to analyze. This also include the first part which is a obfuscated powershell that will serve as the loader of the malware. ## Stage 1: Obfuscated Powershell: This netwalker ransomware variant start with 3 stages as follows: 1st Layer : base 64 encoded powershell 2nd Layer: (after decoding the base64) is an encrypted array of bytes using xor command with decryption key of 0xc4, that will be run in scriptblock command. 3rd Layer : (after the decrypted 2nd layer) is a 2 sets of hex bytes array which is the x86 and 64 version of Netwalker binary files that will be injected in a process by a C# code that will be loaded and compile using powershell. ----- figure 1: the 3 layered powershell script ----- figure 2: the C# loader written in powershell using Add-Type ## Stage 2: No MZ Header Binaries as far as we saw in the last stage of the powershell, it will inject the ransomware (x86 or x64 binaries) to the explorer.exe process. The interesting part is after I decode those hex byte array, I notice that there are no MZ header to the binary file that are one technique to evade memory forensic tools or some quick check for injected executable to a process. ----- figure 3: NO MZ Header Files ## Stage 3: Obfuscated API Call Using Structure This Netwalker Ransomware has no import table. It will dynamically harvest its needed API using some hashing algorithm search to all export table of all needed DLL modules to executes its malicious code then save it to a structure object. Below is the screenshot how the raw Hexray view of the import harvesting before and after resolving the API hash and the structure Array using Idapython. ----- figure 4: API harvesting Function ----- The Hashing Algorithm is really looks complicated base on its graph but actually it is just a loop of xor and rotate bit operation with specific keys. figure 5: Hashing algorithm But the Obfuscation does not ends here. As we remember that it place the resolved API address into a structure object. Then this structure was initialized to a another variable by a function then do the access the member of the structure out of that which make the analysis more confusing. ----- figure 6: Declare multiple Structure as a obfuscation Thanks for IDA Python for helping me in creating a structure out of harvested API it needs to make the static analysis more easily. ----- figure 7: Add Structure ### Lesson Learn: I learned that the there are so many way to obfuscate code from analysis and even the data structure can be used to make the analysis little bit confusing during analysis like what I experience. :) ----- ### IOC: [https://app.any.run/tasks/6bb00be0-cd0a-4d9a-a1ea-72cd275ded0e/](https://app.any.run/tasks/6bb00be0-cd0a-4d9a-a1ea-72cd275ded0e/) **Powershell:** filename: powershell.ps1 md5: 5bec43ea21e95a68abafa8c7f99d1e6c sha1: 22df933f2b33f3f4ffee22b51b4f8fa0268bb327 sha256: b7c7fa9b74aacf331871a9e5438678bce46002618fa106429225161d94e22e44 **x64 Netwalker Ransomware:** filename: x64.bin md5: bc96c744bd66ddfaa79d467b757b8628 sha1: a379f9e04708d773a2dec897166780b026f4c4ea sha256: 2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d **x86 Netwalker Ransomware:** filename: x86_raw.bin md5: de61b852cadac6afe307652b187ca5df sha1: fa02c1d394bc150d8a62d3f991d0fdc042ee9724 sha256: e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d -----