8 tweets, 6 min read
This is malware analysis 101 for most folks, but I thought I'd share a quick thread on easy .NET analysis using a recent wave of a malicious xlsx downloading PUBNUBRAT. cc @issuemakerslab @blackorbird and @navSi16 who all tweeted about this in Jan. #threathunting #dfir
88017e9f2c277fa05ee07ecc99a0a2dc (홍삼6품단가 .xlsx) is a doc that has multiple follow-on payloads including 05683b9a13910d768b7982d013c31cb9 (U3.conf)... see also 홀리데이 와이퍼(Operation Holiday Wiper)로 귀환한 로켓맨 APT 캠페인 (Rocket Man APT campaign returns as Operation Holiday Wiper) by @alac blog.alyac.co.kr/2089
05683b9a13910d768b7982d013c31cb9 (U3.conf) is a backdoor that uses the PubNub API (a legit service) for C2 (see @MITREattack's T1102). It's a .NET binary and without its config it doesn't do much in a sandbox. How do you detect network C2 over the PubNub API?
For a quick and easy example of what it does, we pull it up in a utility such as .NET Reflector, dnSpy or dotPeek and look at the decompiled main function.
We see that the Main does a lzip decompress of the resource 'app.' We manually extract the 'app' resource (2b12f34291ba5f4e9a0a9b6b533f8b59) and use something like lzip.exe to decompress it.
Finally, we arrive at the binary d16fb1be17f2e972f1104481e9cd1368 (application/x-dosexec) and we see that it has very clear overlaps with #PUBNUBRAT based on plaintext strings and "new" PUBNUBRAT PDB path F:\Project\Util_3\Ant\obj\Release\Utils_3.5.pdb <- good for #threathunting
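A scripted version of the unpack-and-pivot step above, added here as an example and not code from the thread or from the malware author: it parses an lzip member the way lzip.exe would (header, raw LZMA1 stream with lzip's fixed lc/lp/pb, CRC32 and size trailer), then runs the same two checks a triager does on the result, the MZ header and any embedded PDB path. The `lzip_compress` helper and `SAMPLE_PAYLOAD` exist only to construct an offline sample; the sample reuses the PDB path string quoted in the thread and is not a real binary.

```python
"""Parse and decompress an lzip member, then triage the output.

Added example; only the Python standard library is used. The lzip
container layout follows the published lzip format: magic "LZIP",
version byte, dictionary-size byte, raw LZMA1 stream, then a trailer of
CRC32 (4 bytes), uncompressed size (8) and member size (8), little endian.
"""
import lzma
import re
import struct
import zlib

LZIP_MAGIC = b"LZIP"
# lzip fixes the LZMA literal/position parameters; only the dictionary
# size varies from member to member.
LZMA_LC, LZMA_LP, LZMA_PB = 3, 0, 2


def decode_dict_size(b: int) -> int:
    """Decode the lzip dictionary-size byte: bits 0-4 hold log2 of the
    base size, bits 5-7 the number of 1/16 fractions subtracted from it."""
    base = 1 << (b & 0x1F)
    return base - (base // 16) * (b >> 5)


def lzip_decompress(member: bytes) -> bytes:
    """Decompress one lzip member and verify its trailer."""
    if member[:4] != LZIP_MAGIC:
        raise ValueError("not an lzip member (bad magic)")
    if member[4] != 1:
        raise ValueError(f"unsupported lzip version {member[4]}")
    dict_size = decode_dict_size(member[5])
    dec = lzma.LZMADecompressor(
        format=lzma.FORMAT_RAW,
        filters=[{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                  "lc": LZMA_LC, "lp": LZMA_LP, "pb": LZMA_PB}])
    data = dec.decompress(member[6:])
    if not dec.eof:
        raise ValueError("LZMA stream ended before its end-of-payload marker")
    trailer = dec.unused_data[:20]
    if len(trailer) != 20:
        raise ValueError("truncated lzip trailer")
    crc, size, member_size = struct.unpack("<IQQ", trailer)
    if crc != zlib.crc32(data) or size != len(data):
        raise ValueError("lzip trailer CRC/size mismatch")
    consumed = len(member) - len(dec.unused_data) + 20
    if member_size != consumed:
        raise ValueError("lzip member size mismatch")
    return data


def lzip_compress(data: bytes, dict_log2: int = 20) -> bytes:
    """Build a single lzip member (used here only to construct the sample)."""
    dict_size = 1 << dict_log2
    raw = lzma.compress(
        data, format=lzma.FORMAT_RAW,
        filters=[{"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
                  "lc": LZMA_LC, "lp": LZMA_LP, "pb": LZMA_PB}])
    trailer = struct.pack("<IQQ", zlib.crc32(data), len(data),
                          6 + len(raw) + 20)
    return LZIP_MAGIC + bytes([1, dict_log2]) + raw + trailer


# Printable-ASCII run ending in ".pdb": the quick string pivot from the thread.
PDB_RE = re.compile(rb"[\x20-\x7e]{4,}\.pdb")


def triage(blob: bytes) -> dict:
    """The first two things a triager checks on the unpacked payload."""
    return {
        "is_mz": blob[:2] == b"MZ",
        "pdb_paths": [m.decode("ascii") for m in PDB_RE.findall(blob)],
    }


# Constructed stand-in for the decompressed 'app' resource: an MZ stub plus
# the PDB path quoted in the thread. Not a real executable.
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x00" * 14
    + b"This program cannot be run in DOS mode.\x00" + b"\x00" * 8
    + b"F:\\Project\\Util_3\\Ant\\obj\\Release\\Utils_3.5.pdb\x00" + b"\x00" * 32
)


def demo() -> dict:
    """Round-trip the constructed sample and triage the result."""
    member = lzip_compress(SAMPLE_PAYLOAD)
    data = lzip_decompress(member)
    return triage(data)


if __name__ == "__main__":
    print(demo())
```

On a real sample, replace `SAMPLE_PAYLOAD` with the bytes of the extracted `app` resource and call `lzip_decompress` on them; the trailer checks catch a resource that was cut short or patched, and the `.pdb` regex gives the same pivot string the thread flags for hunting.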
It is an easy, albeit manual, pivot for people triaging malware and doing research and all quickly doable within @FireEye's own #FlareVM github.com/fireeye/flare-…. Hope that was instructive (or at least a good reminder) for life in .NET.