1/9 Vishal Thakur July 13, 2021 Malware Analysis: New Trojan Double Dropper engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb Vishal Thakur Follow Apr 16, 2018 · 5 min read In this article, we will analyze a new trojan dropper — so new it has yet to be named. It is a newly observed VBS malware that uses multiple layers of code obfuscation and very well- structured code to drop and execute two embedded RATs. For now, I’m calling it “Schneiken:” https://github.com/vithakur/schneiken There are three main layers of encoding. All encoding is in Base64. This particular malware works by dropping two RATs on the disk. The first one is Dunihi RAT and the second one is Ratty JRAT. Some malware only using half the code of this malware, have also been discovered in the wild. Here’s an example, wrongly being detected as Valyria by some AVs (1213003eb7cb1e26a97dc310f47892fc). This malware is only dropping the Dunihi RAT, not the Ratty JRAT. Let’s begin analyzing this malware by looking at the flow of the campaign. Campaign Flow: Phish > HREF > PDF > HREF > ZIP > VBS > Dunihi + JRAT > C2 Code Structure: Stage1 > stage2 Stage2 > vCNkCxcKEd.vbs > Dunihi RAT AND Stage3 Stage3 > Ratty (JRAT) + Watcher.vbs + Master.vbs “\RATTY.jar” — JRAT https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb https://malienist.medium.com/?source=post_page-----5ed0a943adb-------------------------------- https://malienist.medium.com/?source=post_page-----5ed0a943adb-------------------------------- https://medium.com/m/signin?actionUrl=https%3A%2F%2Fmedium.com%2F_%2Fsubscribe%2Fuser%2Fbacf5a190f41&operation=register&redirect=https%3A%2F%2Fengineering.salesforce.com%2Fmalware-analysis-new-trojan-double-dropper-5ed0a943adb&user=Vishal+Thakur&userId=bacf5a190f41&source=post_page-bacf5a190f41----5ed0a943adb---------------------follow_byline----------- https://github.com/vithakur/schneiken 2/9 “\rXvOlRHjpw.vbs” — Watcher “\UhVHQvjFGb.vbs” — Master Analysis Let’s take a look at the execution, step by step. Stage 1 At this stage, the code structure is quite simple. All of the stage 2 code is base64 encoded and simple replace statement fixes minor obfuscations that are there in the code to add another layer of obfuscation to the already encoded code. Take a look at the “zzzzzzzzzz” function. It uses the ADODB stream object to process the string as binary data. This means that the decoded code can be executed after it has been successfully decoded. Let’s take a look at this code block and layout the purpose of important lines: 3/9 This function is then called on by the Private Function “decode64”, which in turn uses the Microsoft XMLDOM object to further process the data. The last item to be called id the Private Sub, where all the decoding takes place. As we can see in the block below, the encoded data streches into almost a thousand lines. Now let’s take a look at the flow of the code in this stage: 4/9 And finally, let’s take a look at the encoded string itself: Once decoded, the malware moves into the next stage. Stage 2 5/9 In this stage, two important things take place. First, a new file is created. This file, as we can see in the code block below, is named “vCNkCxcKEd.vbs”. This file will decode into the watcher code that makes sure that the code is running at all times. The second thing that happens at this stage is the creation of stage 3 code: The first part of stage 2 execution should give us another VBS script by the name of vCNkCxcKEd.VBS. This script, on execution, should give us the decoded, ready-to-go version of the Dunihi RAT. 6/9 This what the Dunihi RAT should look like after the encoded string shown above in stage 2 is decoded: Stage 3 This is the final stage of the main malware execution. This stage will get us all the files that are needed for the successful execution of the malware. Stage 3 results in creation of three files: 7/9 “\RATTY.jar” — “\rXvOlRHjpw.vbs” — “\UhVHQvjFGb.vbs” — The first file to be executed is the Watcher. Watcher then runs the other two: Watcher makes sure the RAT and the master file are running. If they are not found to be running, it executes them. Let’s have a look at the code block: 8/9 The master makes sure the watcher is running. If it is not running, it executes it. It also adds the required entries to the registry At this point in the execution flow, all the files have been successfully deployed and executed. The RAT will now establish connection back to the C2 and start executing the commands it has been programmed to run. Conclusion 9/9 This malware is new at the time of this writing. The infection vector is phishing emails but it comes fully packed and loaded to drop a complete JRAT on the victim’s computer and have it up and running within seconds of execution. At this time the embedded RATs are Ratty JRAT and Dunihi RAT, but for the purpose of this post, we will not be analyzing those. I will include the details at the end of the post though. All the de-obfuscated and decoded files can be found at one of my git repos: https://github.com/vithakur/schneiken. Schneiken Dropper: FileName: TT COPY.vbs MD5: 47f21544a7479cae3e20488731ba6aa6 JRAT: FileName: RATTY.jar MD5: 9b93c76d2dacf7adaacfc1e99dae8089 https://github.com/vithakur/schneiken