Quick reverse engineering session analyzing Varenyky malware, a spambot that was targeting users in France back in May 2019. A dynamic execution of this malware is available at Any.Run. In addition, there is great research by WeLiveSecurity from ESET.
Interesting sample! It doesn't run with en-US locale but starts an activity with fr-FR on x64. Tries to connect to email services (25 port) and uses TOR to communicate with C2. What is it? — ANY.RUN (@anyrun_app) June 4, 2019
The sample of Varenyky analyzed in this post is packed with UPX (the Ultimate Packer for eXecutables). Fortunately for us, because of its wide usage, UPX-packed samples can be easily unpacked using the upx tool on Linux.
$ md5sum varenyky_packed
a6dcf8deeb35f9fb2a81d62a31b1f045  varenyky_packed
$ upx -d varenyky_packed
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
  12404224 <-   3186176   25.69%    win32/pe     varenyky_packed

Unpacked 1 file.
$ md5sum varenyky_packed
d7a5da1a8a8f57fa49c01f3edd344794  varenyky_packed
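Before reaching for upx -d it helps to confirm that a file is a stock UPX build at all. As an added example (not code from the original post), this minimal PE section-table parser looks for the UPX0/UPX1 section names that unmodified UPX leaves behind; the PE bytes it runs on are a constructed skeleton, not the Varenyky sample.

```python
# Added example: read the section names of a PE file and use them as a
# UPX packing hint. The stub images built at the bottom are constructed
# test input, not real malware.
import struct

def section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image given the raw file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PtrSymTab(4) NumSyms(4) SizeOfOptionalHeader(2) Chars(2)
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0 and UPX1. A renamed header defeats
    this, so treat a hit as a hint to try `upx -d`, not as proof."""
    names = section_names(data)
    return "UPX0" in names and "UPX1" in names

def build_stub(names: list[str]) -> bytes:
    """Constructed PE skeleton: DOS header with e_lfanew=64, PE signature,
    i386 COFF header with a zero-length optional header, and one empty
    40-byte section header per name."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections

PACKED_STUB = build_stub(["UPX0", "UPX1", ".rsrc"])      # constructed "packed" image
UNPACKED_STUB = build_stub([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_STUB), ("unpacked", UNPACKED_STUB)):
        print(label, section_names(img), "upx?", looks_upx_packed(img))
```

On a real file, pass `open(path, "rb").read()` to section_names; the md5sum check from the session above still confirms the unpack actually changed the file.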
Now we're ready to reverse engineer this sample. First things first, let's find our way into the main function of this malware. The entry function just prepares the command line arguments and calls main, which in the decompiled code is called FUN_004011f0. You can easily rename it using the L key and then typing anything you want.
Now we can move on into the main function. Right from the starting point, we can see some interesting function calls. The first thing that gets executed is a call to GetKeyboardLayout, which saves the current keyboard layout in a variable. Later, an if statement checks that variable, and if it's not equal to the char 0x19, execution stops with a message box. Together with the code 0x09, we can look at the documentation of GetKeyboardLayout and see that these values represent two languages, Russian and English. Summing up, if the keyboard layout is Russian or English, the malware will exit with a message box.
Moving on, after passing the condition, let's analyze the code further. The first thing after the check is a call to
Here we can see that the function does basic enumeration, querying the ProcessorNameString registry entry, the username and the computer name of the machine. After that, the data is encoded with a custom algorithm and saved. We can also notice that the check at the beginning of the function tests whether that data was already saved or is still null; in the first case, the enumeration is not performed again.
Looking at the final code block, we can see another call to an unknown function, FUN_00402932. Looking at it suggests that this function tries to detect whether it's running under a debugger.
Knowing that, we can move out of that function and back into the
After saving the enumerated system information, the next step is to create a mutex and, after that, disable file system redirection. It's done by first getting a handle using GetModuleHandleA and saving the function address using GetProcAddress. Lastly, this system call is executed.
Moving on, the next interesting call is to the function called
Its purpose is just to check whether a path named after the encoded system information exists. If not, it creates a directory with that name.
The next step is to write all the libraries from memory to corresponding files in the newly created directory. The malware also copies itself to that directory. To save the files, a function called FUN_00402110 is used.
Now we're at the end of the main function with just a few things left to analyze. In the function FUN_004021e0, we can see that the malware tries to add itself to
After all of this preparation, the malware creates a new process of itself, started from the newly created directory. Execution stops, and in the newly created process all the previously done steps are skipped.
To analyze what the malware does on the second run, we can take a look at the next functions called from main. First, we have a CreateThread system call with the function FUN_004019e0 passed as the worker. Right at the top there is a C2 domain for this particular sample. Looking further into this function, we can quickly notice that it's responsible for sending out spam.
Back in main, after the new thread is created, we have a call to
We already know that communication with the C2 server is made over the Tor network, but this function clearly shows how tor.exe is started before any commands are received or sent.
After that, we have a call to
Once again, the malware enumerates the system, gathering information such as the computer name, system info and the version of the operating system running on the infected machine, which will probably be sent to the C2.
Moving on, we can once again see a C2 domain, this time with the exact path over which communication may have been established. After that, we can take a look at the function FUN_00401da0, which crafts an
Next, we have an interesting call to the function FUN_00401000, which seems to react to the different commands sent from the C2 server. Here we can understand how the sample reacts to commands such as UNINSTALL. Another interesting function executed at the end of this one is called
Quickly analyzing it, we can suspect that the purpose of this function is to download something from the internet and, based on the extension, either run it as an .exe using
packed: a6dcf8deeb35f9fb2a81d62a31b1f045
unpacked: d7a5da1a8a8f57fa49c01f3edd344794