A Brief Overview of the AMMYY RAT Downloader
https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/

SHA-256: 963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c
VirusTotal: https://www.virustotal.com/#/file/963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c/detection

You can download the malware sample from malware-traffic-analysis.net: https://malware-traffic-analysis.net/2018/05/25/index.html

Stage 1

The main function is full of junk instructions; the most interesting function inside main is the decode_n_call function near the end.

Inside decode_n_call, it allocates memory, decodes data from address 0x0433220 into it and jumps to it via a call instruction. The decompiler screenshot is dominated by junk variables and junk arithmetic; with those omitted, the recoverable core of decode_n_call reads roughly as follows:

```c
alloc_mem = VirtualAlloc(0, 0xD20u, flAllocationType, 0x40u);   // 0x40 == PAGE_EXECUTE_READWRITE
alloc_mem_code = alloc_mem;
for ( index_code = 0; index_code < 0x348; ++index_code )       // 0x348 dwords == 0xD20 bytes
{
  c_word = *&dword_433220[4 * index_code];                       // next dword of the blob at 0x433220
  c_word = 0x7558 ^ __ROL4__(c_word - index_code, 5);
  *(alloc_mem + index_code) = c_word;
}
kernel32_handle = GetModuleHandleA("kernel32");
alloc_mem_code(&kernel32_handle);                               // transfers control to the decoded code
```

It allocates two memory blocks, each 0x3000 bytes long, with PAGE_EXECUTE_READWRITE permission. After that, it writes some decoded data into the first allocated block. There is also another loop which decodes/decrypts the written data in memory once again. The result looks like a PE file, but it is still encoded and not valid yet. Function 0x30A70 takes two arguments, the encoded/encrypted data and the second allocated block, and returns a decoded/decrypted PE file via the second argument.

It removes the main executable from memory and copies the newly decoded/decrypted code in its place, mapping the sections of the new PE. Inside the 0x30730 function (offset 0x730) it builds the IAT for the new PE file. After that, it jumps to the entry point of the new PE file.

Instead of continuing the analysis at this point, it is much easier to dump the new PE and analyze it separately.

Stage 2

The second PE is full of junk instructions, too. The interesting part starts at location 0x0401EED. Inside the sub_403B10 function, it tries to delete the Settings, Microsoft\\Enc, AMMYY, Foundation and Foundation1 directories, and also the following files from different directories: wmihost.exe, settings3.bin, wmites.exe and wsus.

It uses sub_404450 to resolve function addresses based on some kind of hash, which is passed via the second argument. The 0x403DE0 function takes a process name as its argument and terminates the corresponding process.

It executes the following commands using the ShellExecuteW function: cmd /C net.exe stop ammyy, cmd /C sc delete ammyy, cmd /C net.exe stop foundation and cmd /C sc delete foundation. These commands stop and remove a previously installed copy of the malware, if there is one.

It generates a random name (via CoCreateGuid) for a PE file, which it downloads from http://185.176.221.29/ban3.dat. Inside the downloadNextStage_bin function, it downloads the file from that URL and saves it under the above-mentioned name. It then copies the new file to CSIDL_COMMON_APPDATA\Microsoft Help\\wsus.exe and deletes the original one.

Inside the sub_402960 function, if the user is an admin, it executes the above-mentioned commands once again, registers the downloaded PE file as a service called foundation and starts it. In the end, it deletes the original second-stage PE file.

If the user is not an admin, it uses a COM object (taskschd.dll) to create and run the executable via a scheduled task. For more detailed information look at the sub_402360 function. After that, the same happens: it deletes the original second-stage PE file and exits via a TerminateProcess call.

That's all. That was the brief overview of the AMMYY RAT Downloader. Thank you for your time.

Discuss on Reddit: https://www.reddit.com/r/ReverseEngineering/comments/8ryy2u/a_brief_overview_of_the_ammyy_rat_downloader/
Twitter: @_qaz_qaz (https://twitter.com/_qaz_qaz)
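As an added example that is not part of the original post, here is a Python re-implementation of the stage-1 decode loop from decode_n_call, so the blob at dword_433220 can be decoded from a memory dump outside the debugger. The constants (XOR with 0x7558, rotate left by 5, 0x348 dwords) are read from the decompiler screenshot and are assumptions to verify against the sample; the encode_* helpers and the sample bytes are constructed only for the test.

```python
# Added example (not code from the original post): re-implementation of the
# stage-1 decode loop recovered from the decompiler screenshot, so the blob at
# dword_433220 can be decoded from a dumped sample offline. The constants
# (XOR 0x7558, rotate left by 5, 0x348 dwords) are read from the screenshot and
# are assumptions to be re-checked against the sample.
import struct

MASK32 = 0xFFFFFFFF
KEY = 0x7558          # XOR constant in "0x7558 ^ __ROL4__(c_word - index_code, 5)"
ROT = 5               # rotate amount of __ROL4__
BLOB_DWORDS = 0x348   # loop bound: 0x348 dwords == 0xD20 bytes, the VirtualAlloc size

def rol32(v, n):
    """32-bit rotate left (Hex-Rays __ROL4__)."""
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32

def ror32(v, n):
    """32-bit rotate right, the inverse of rol32."""
    n %= 32
    return ((v >> n) | (v << (32 - n))) & MASK32

def decode_dwords(words):
    """Apply the loop body per dword: out = KEY ^ ROL32(c_word - index, ROT)."""
    return [KEY ^ rol32((c - i) & MASK32, ROT) for i, c in enumerate(words)]

def encode_dwords(words):
    """Inverse transform; only used here to build a constructed test blob."""
    return [(ror32(p ^ KEY, ROT) + i) & MASK32 for i, p in enumerate(words)]

def decode_blob(blob: bytes) -> bytes:
    """Decode raw little-endian bytes dumped from 0x433220 (0xD20 bytes in the sample)."""
    if len(blob) % 4:
        raise ValueError("blob length must be a multiple of 4")
    n = len(blob) // 4
    words = struct.unpack("<%dI" % n, blob)
    return struct.pack("<%dI" % n, *decode_dwords(words))

def encode_blob(plain: bytes) -> bytes:
    """Build an encoded blob from plaintext bytes (constructed test data only)."""
    n = len(plain) // 4
    return struct.pack("<%dI" % n, *encode_dwords(struct.unpack("<%dI" % n, plain)))

if __name__ == "__main__":
    # Constructed sample: fake decoded code bytes, padded to a dword boundary.
    sample = b"\x55\x8b\xec\x83" + bytes(range(28))
    assert decode_blob(encode_blob(sample)) == sample
    print(decode_blob(encode_blob(sample)).hex())
```

Dump 0xD20 bytes from 0x433220 and pass them to decode_blob to obtain the code that alloc_mem_code jumps into.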