Another quick .NET triage/analysis of a related #PUBNUBRAT dropper/launcher (?) 1d155032232cd40c1788271546af36ec (U4.conf). This one we start immediately with extracting the 'app' resource using dnSpy to get 5bbe762b83e051776f1b5ea30ffc0050 (application/x-lzip).

5bbe762b83e051776f1b5ea30ffc0050 decompressed to the goliath ~8MB ca19c3c3c2ef656b33d7173a49186f5a (application/x-dosexec) which is also a .NET binary. Back in dnSpy, which nearly chokes on the size, we finally get to a main decryption routine.

We could take the next steps of this in a million ways, but this is easy to do in @GCHQ's #CyberChef. First From Base64 & To Hex the Key and IV for the crypto routine and save these in hex.

Next, take the base64 blob designated for the byte array and throw that into #CyberChef with a From Base64 and then add an AES Decrypt with the appropriate Key and IV, making sure to select an Input of Raw like so: gchq.github.io/CyberChef/#rec…

Finally, we download the raw output binary and see the juicy deets of 2b43bda53abdc08ba091953824096125 (application/x-dosexec) U4.conf.decrypted.dat.

We immediately confirm it is indeed PUBNUBRAT and we see a 'new' PDB path of F:\Project\Util_4\Ant\obj\Release\Utils_4.5.pdb which aligns with our prev findings & historical dev paths. I bet we can use unique path strings and predictable folder naming to find more related malz...

It is a pain in the ass and abhorrently manual, but whew this is fun. For my historical rants on PDB path pivoting see also

https://twitter.com/stvemillertime/status/1059650974166515712

Though they wont fully execute without its config info, I uploaded the initial and final binary payload of this PUBNUBRAT to @anyrun_app: app.any.run/tasks/ee00bb9b… and app.any.run/tasks/66c97a4f… if you want to play along and test them.