, 8 tweets, 4 min read Read on Twitter
Another quick .NET triage/analysis of a related #PUBNUBRAT dropper/launcher (?) 1d155032232cd40c1788271546af36ec (U4.conf). This one we start immediately with extracting the 'app' resource using dnSpy to get 5bbe762b83e051776f1b5ea30ffc0050 (application/x-lzip).
5bbe762b83e051776f1b5ea30ffc0050 decompressed to the goliath ~8MB ca19c3c3c2ef656b33d7173a49186f5a (application/x-dosexec) which is also a .NET binary. Back in dnSpy, which nearly chokes on the size, we finally get to a main decryption routine.
We could take the next steps of this in a million ways, but this is easy to do in @GCHQ's #CyberChef. First From Base64 & To Hex the Key and IV for the crypto routine and save these in hex.
Next, take the base64 blob designated for the byte array and throw that into #CyberChef with a From Base64 and then add an AES Decrypt with the appropriate Key and IV, making sure to select an Input of Raw like so: gchq.github.io/CyberChef/#rec…
Finally, we download the raw output binary and see the juicy deets of 2b43bda53abdc08ba091953824096125 (application/x-dosexec) U4.conf.decrypted.dat.
We immediately confirm it is indeed PUBNUBRAT and we see a 'new' PDB path of F:\Project\Util_4\Ant\obj\Release\Utils_4.5.pdb which aligns with our prev findings & historical dev paths. I bet we can use unique path strings and predictable folder naming to find more related malz...
It is a pain in the ass and abhorrently manual, but whew this is fun. For my historical rants on PDB path pivoting see also
Though they wont fully execute without its config info, I uploaded the initial and final binary payload of this PUBNUBRAT to @anyrun_app: app.any.run/tasks/ee00bb9b… and app.any.run/tasks/66c97a4f… if you want to play along and test them.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Steve
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!