# A Brief Overview of the AMMYY RAT Downloader **[secrary.com/ReversingMalware/AMMY_RAT_Downloader/](https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/)** [cd ../reverse_engineering_malware 4 minutes read](https://secrary.com/ReversingMalware) [SHA-256: 963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c](https://www.virustotal.com/#/file/963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c/detection) [You can download the malware sample from malware-traffic-analysis.net](https://malware-traffic-analysis.net/2018/05/25/index.html) ## Stage 1 The main function is full of junk instructions, the most interesting function inside the `main is` ``` decode_n_call function near the end: ``` ----- Inside the `decode_n_call function, it allocated memory, decodes a data from` `0x0433220` address and jumps to it via `call instruction:` ----- ----- It allocates two memory blocks, each `0x3000 length, with` `PAGE_EXECUTE_READWRITE` permission: After that, it writes some decoded data inside the first allocated memory: ----- Also, there is another loop which decodes/decrypts once again the written data in the memory: ----- Seems like it’s `PE file, but still encoded, not valid yet.` Function `0x30A70 gets two arguments, the encoded/encrypted data and the second` allocated memory, the function returns a decoded/decrypted `PE file via the second` argument: ----- It removes the `main executable from the memory and copies recently decoded/decrypted` code: ----- Section maps: ----- Inside `0x30730 (offset` `0x730 ) function it build IAT for the new` `PE file:` ----- After that, it jumps to the entry point of the new `PE file:` ----- Instead of continuing analysis, it s much easier to dump the new `PE and analyze it` separately. ## Stage 2 The second `PE is full of junk instructions, too. The interesting part starts at` `0x0401EED` location. Inside the `sub_403B10 function, it tries to delete` `Settings,` `Microsoft\\Enc,` `AMMYY,` ``` Foundation and Foundation1 directories, also following files: wmihost.exe, settings3.bin, wmites.exe, wsus from different directories: ``` ----- It uses `sub_404450 to get a function addresses based on some kind of hash, which is` passed via the second argument: The `0x403DE0 function gets process name as the argument and terminates the` corresponding process: ----- It executes following commands using `ShellExecuteW function:` `cmd /C net.exe stop` ``` ammyy, cmd /C sc delete ammyy, cmd /C net.exe stop foundation and cmd /C sc delete foundation ``` ----- These commands stop the malware if there is one. It generates random name (via `CoCreateGuid ) for a` `PE file, which it downloads from` ----- Inside `downloadNextStage_bin function, it downloads a file from the URL and saves at` above-mentionshed location: It copies the new file to `CSIDL_COMMON_APPDATA\Microsoft Help\\wsus.exe and deletes` original one: ----- Inside `sub_402960 function if the user is an` `admin, it executes above-mentioned` commands once again, registers the downloaded `PE file as a service called` `foundation` and starts it: ----- In the end, it deletes the original, second stage `PE file:` ----- If the user is not an `admin, it uses a COM object ( taskscd.dll ) to create and run the` executable (via `scheduled task ):` ----- For the more detailed information look at `sub_402360 function.` After that, same happens, it deletes the original, second stage `PE file and exist via` ``` TerminateProcess call: ``` That’s all. That was the brief overview of the `AMMYY RAT Downloader .` Thank you for your time. ----- Discuss on [Reddit](https://www.reddit.com/r/ReverseEngineering/comments/8ryy2u/a_brief_overview_of_the_ammyy_rat_downloader/) Twitter: [@_qaz_qaz](https://twitter.com/_qaz_qaz) -----