cd ../../Reversing Malware

A Brief Overview of the AMMYY RAT Downloader

4 minutes read

SHA-256: 963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c

You can download the malware sample from malware-traffic-analysis.net

Stage 1

The main function is full of junk instructions, the most interesting function inside the main is decode_n_call function near the end:

1

Inside the decode_n_call function, it allocated memory, decodes a data from 0x0433220 address and jumps to it via call instruction:

2

3

It allocates two memory blocks, each 0x3000 length, with PAGE_EXECUTE_READWRITE permission:

4

After that, it writes some decoded data inside the first allocated memory:

5

Also, there is another loop which decodes/decrypts once again the written data in the memory:

6

Seems like it’s PE file, but still encoded, not valid yet.

Function 0x30A70 gets two arguments, the encoded/encrypted data and the second allocated memory, the function returns a decoded/decrypted PE file via the second argument:

7

It removes the main executable from the memory and copies recently decoded/decrypted code:

8

Section maps:

9

Inside 0x30730 (offset 0x730) function it build IAT for the new PE file:

10

After that, it jumps to the entry point of the new PE file:

11

Instead of continuing analysis, it’s much easier to dump the new PE and analyze it separately.

Stage 2

The second PE is full of junk instructions, too. The interesting part starts at 0x0401EED location.

12

Inside the sub_403B10 function, it tries to delete Settings, Microsoft\\Enc, AMMYY, Foundation and Foundation1 directories, also following files: wmihost.exe, settings3.bin, wmites.exe, wsus from different directories:

13

It uses sub_404450 to get a function addresses based on some kind of hash, which is passed via the second argument:

14

The 0x403DE0 function gets process name as the argument and terminates the corresponding process:

16

15

It executes following commands using ShellExecuteW function: cmd /C net.exe stop ammyy, cmd /C sc delete ammyy, cmd /C net.exe stop foundation and cmd /C sc delete foundation

17

These commands stop the malware if there is one.

It generates random name (via CoCreateGuid) for a PE file, which it downloads from http://185.176.221.29/ban3.dat:

18

Inside downloadNextStage_bin function, it downloads a file from the URL and saves at above-mentionshed location:

19

It copies the new file to CSIDL_COMMON_APPDATA\Microsoft Help\\wsus.exe and deletes original one:

20

Inside sub_402960 function if the user is an admin, it executes above-mentioned commands once again, registers the downloaded PE file as a service called foundation and starts it:

21

22

In the end, it deletes the original, second stage PE file:

23

If the user is not an admin, it uses a COM object (taskscd.dll) to create and run the executable (via scheduled task):

24

26

For the more detailed information look at sub_402360 function.

After that, same happens, it deletes the original, second stage PE file and exist via TerminateProcess call:

27

That’s all.

That was the brief overview of the AMMYY RAT Downloader.

Thank you for your time.

Discuss on Reddit

Twitter: @_qaz_qaz