Quick reverse engineering session analyzing Varenyky malware, a spambot that was targeting users in France back in May of 2019. A dynamic execution of this sample is available at Any.Run. In addition, there is great research on it by ESET's WeLiveSecurity.

Analysis

The sample of Varenyky analyzed in this post is packed with UPX, the Ultimate Packer for eXecutables. Fortunately for us, because of its wide usage, UPX-packed samples can be easily unpacked using the upx tool on Linux.

$ md5sum varenyky_packed 
a6dcf8deeb35f9fb2a81d62a31b1f045  varenyky_packed
$ upx -d varenyky_packed 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
  12404224 <-   3186176   25.69%    win32/pe     varenyky_packed

Unpacked 1 file.

$ md5sum varenyky_packed 
d7a5da1a8a8f57fa49c01f3edd344794  varenyky_packed
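The unpacking step above relies on recognizing UPX in the first place. As an added example (not code from the original post), here is a small Python triage helper that walks the PE section table and flags the UPX0/UPX1 section names that stock UPX leaves behind, and hashes the file so the packed and unpacked MD5s can be recorded as in the IOC list. The PE image it inspects is constructed inline and is not a real executable; it only carries the headers the walk needs.

```python
import hashlib
import struct

IMAGE_SECTION_HEADER_SIZE = 40  # Name[8] + 32 bytes of fields


def build_sample_pe(section_names):
    """Constructed minimal PE32 image (DOS header, PE signature, COFF header,
    optional header, section headers). Enough for the section-table walk below."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_header_size = 0xE0  # size of a PE32 optional header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                              0, 0, 0, opt_header_size, 0x102)
    opt_header = struct.pack("<H", 0x10B) + b"\x00" * (opt_header_size - 2)
    sections = b""
    for name in section_names:
        raw_name = name.encode("ascii")[:8].ljust(8, b"\x00")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (all zero for this stub)
        sections += raw_name + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return dos_header + b"PE\x00\x00" + file_header + opt_header + sections


def section_names(pe_bytes):
    """Return the section names of a PE file by walking its section table."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    table = coff + 20 + opt_size  # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        offset = table + i * IMAGE_SECTION_HEADER_SIZE
        raw_name = pe_bytes[offset:offset + 8]
        names.append(raw_name.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(pe_bytes):
    """Stock UPX names its sections UPX0, UPX1 (and keeps .rsrc)."""
    return any(name.upper().startswith("UPX") for name in section_names(pe_bytes))


def md5_hex(data):
    """MD5 of a byte string, for recording packed/unpacked hashes as IOCs."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    packed_like = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    plain_like = build_sample_pe([".text", ".data", ".rsrc"])
    print(section_names(packed_like), looks_upx_packed(packed_like), md5_hex(packed_like))
    print(section_names(plain_like), looks_upx_packed(plain_like))
```

The section-name check is a quick first pass, not proof: a packer built from modified UPX sources can rename its sections, so a sample with ordinary section names that still shows a tiny import table and high-entropy data deserves the same attention.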

Now we're ready to reverse engineer this sample. First things first, let's find our way into the main function of this malware.

Entrypoint Function Listing

This function, entry, just prepares the command line arguments and calls main, which in the decompiled code is called FUN_004011f0. You can easily rename it using the L key and then typing any name you want.

Entrypoint Decompiled

Now we can move on into the main function. Just from the starting point, we can see some interesting function calls.

Main Decompiled

The first thing that gets executed is a call to GetKeyboardLayout, which saves the current keyboard layout in a variable. Later, an if statement checks that variable, and if it is not equal to the char \t or to 0x19, execution stops with a message box.

MessageBox Notice

As the ASCII code for \t is 0x09, we can look at the documentation of GetKeyboardLayout and see that these two values are the language identifiers for English and Russian. Summing up, if the keyboard layout is Russian or English, the malware exits with a message box.
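To make the check concrete, here is an added Python model of it (not code from the original post or the sample). An HKL packs a device handle in the high word and a LANGID in the low word; the primary language lives in the low 10 bits of the LANGID, where English is 0x09 and Russian is 0x19. The `sample_would_exit` function assumes, as the decompiled comparison against a char suggests, that the sample only looks at the low byte of the value; `primary_lang_id` shows the documented way to extract the same information, so the two can be compared on constructed HKL values.

```python
# Primary language identifiers from the Windows LANGID documentation.
LANG_ENGLISH = 0x09
LANG_RUSSIAN = 0x19

# Constructed HKL values of the form (LANGID << 16) | LANGID, as returned for
# the default input locale of a given language.
SAMPLE_HKLS = {
    "en-US": 0x04090409,
    "en-GB": 0x08090809,
    "ru-RU": 0x04190419,
    "fr-FR": 0x040C040C,
    "de-DE": 0x04070407,
}


def primary_lang_id(hkl):
    """Documented decoding: low word is the LANGID, bits 0-9 the primary language."""
    langid = hkl & 0xFFFF
    return langid & 0x3FF


def sample_would_exit(hkl):
    """Model of the sample's check (assumption: it compares only the low byte,
    which is why 0x09 shows up as the char '\\t' in the decompiler)."""
    return (hkl & 0xFF) in (LANG_ENGLISH, LANG_RUSSIAN)


def classify_layouts(hkls):
    """Map each layout name to whether the sample would refuse to run on it."""
    return {name: sample_would_exit(hkl) for name, hkl in hkls.items()}


if __name__ == "__main__":
    for name, hkl in SAMPLE_HKLS.items():
        print(f"{name}: primary lang 0x{primary_lang_id(hkl):02x}, "
              f"sample exits: {sample_would_exit(hkl)}")
```

For the locales listed, the low-byte shortcut and the documented decoding agree, which is why a French victim (0x0C) passes the gate while English and Russian machines get the message box; an analyst who wants the sample to run in a sandbox therefore needs a non-English, non-Russian input locale, or a patched comparison.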

Moving on, after passing that condition, let's analyze the code further. The first thing after the check is a call to FUN_00402230.

System Info Function

Here we can see that the function does basic enumeration, querying the MachineGuid and ProcessorNameString registry entries, and the username and computer name of the machine. After that, the data is encoded with a custom algorithm and saved. We can also notice that the check at the beginning of the function tests whether that data was already saved or is still null; in the first case, the enumeration is not performed again.

Encoded System Info

Looking at the final code block, we can see another call to an unknown function, FUN_00402932. Looking at it suggests that this function tries to detect whether it is running under a debugger.

Is Debugged

Knowing that, we can move out of that function and back into main.

File System Redirection

After saving the enumerated system information, the next step is to create a mutex and then disable file system redirection. This is done by first getting a handle to Kernel32.dll with GetModuleHandleA and resolving the address of Wow64DisableWow64FsRedirection with GetProcAddress. Lastly, that function is called.

Used Libraries

Moving on, the next interesting call is to the function FUN_00402170.

Create System Directory

Its purpose is just to check whether a path named after the encoded system information exists. If not, it creates a directory with that name.

The next step is to write all the libraries from memory to corresponding files in the newly created directory. The malware also copies itself to that directory. To save the files, a function called FUN_00402110 is used.

Save Data

Now we're at the end of the main function, with just a few things left to analyze.

End of main

In the function FUN_004021e0, we can see that the malware tries to add itself to the Run registry key.

Autorun

After all of this preparation, the malware creates a new process of itself, started from the newly created directory. The current process then exits, and in the new process all the steps described above are skipped.

To analyze what the malware does on the second run, we can take a look at the next functions called from main. First, we have a CreateThread call with the function FUN_004019e0 passed as the worker. Right at the top there is a C2 domain for this particular sample. Looking further into this function, we can quickly notice that it is responsible for sending out spam.

Spambot Function

Back in main, after the new thread is created, we have a call to the function FUN_00402470.

Run Tor

We already know that communication with the C2 server happens over the Tor network, but this function clearly shows how tor.exe is started before any commands are received or sent.

After that, we have a call to the function FUN_00401630.

C2 Communication Function

Once again, the malware starts enumerating the system, gathering information such as the computer name, system info, and the version of the operating system running on the infected machine, which will probably be sent to the C2.

C2 Communication Function 2

Moving on, we can once again see the C2 domain, this time with the exact path with which communication may have been established. After that, we can take a look at the function FUN_00401da0, which crafts an HTTP request.

C2 Communication

Next, we have an interesting call to the function FUN_00401000, which appears to react to different commands sent from the C2 server.

C2 Commands

Here we can see how the sample reacts to commands such as UPDATE or UNINSTALL. Another interesting function, executed at the end of this one, is called FUN_00402610.

Download File

Quickly analyzing it, we can suspect that the purpose of this function is to download something from the internet and, based on the extension, either .bat or .exe, run it using cmd.exe or CreateProcessA.

IOCs

C2:

jg4rli4xoagvvmw47fr2bnnfu7t2epj6owrgyoee7daoh4gxvbt3bhyd[.]onion

MD5:

packed: a6dcf8deeb35f9fb2a81d62a31b1f045
unpacked: d7a5da1a8a8f57fa49c01f3edd344794