cd ../../Reversing Malware

Trojan Enosch

3 minutes read

SHA256: e09bb7d13702e7afc9a8bd49b4fe997deb61e439cdf8a055ac1bfce50cbdb417

File type: Win32 EXE

Let’s open in ProtectionID:

1

We have malware written in C++ without obfuscation and protection, I get the sample from hybrid-analysis, also there is a good summery about the malware on Sophos webpage.

From imports, it seems like malware uses Windows crypto API:

2

Very interesting strings in the file:

3

Chilkat is a cross-language, cross-platform API providing 90+ classes for many Internet protocols, formats, and algorithms. Maybe malware uses this library to provide some high-level abstraction.

It’s possible Crypto API is used by Chilkat.

Based on SSMA there are two possible emails, maybe Chilkat is used to send emails.

4

Instead of running in our sandbox, let’s use hybrid-analysis report to guide us on the deeper analysis.

From the analysis, the malware uses Run key as persistence method and requests two domains: smtp.gmail.com and google.fr

I think to get an idea how to works the malware we even don’t need to run it (debug it), just open in IDA and disassemble it.

First, it checks Run key and sets it if there is no gtalkupdate:

5

6

7

…executes two threads with same StartAddress - sub_401710 and waits for them, that’s all:

8

Let’s see what’s inside sub_401710 function.

The malware loops until successful internet connection and gets a list of drives:

9

Snippet from WaitUntilConnection:

10

Connect to Google:

11

18_google

After this for each drive malware searches and sends .doc and docx to an attacker using mail, I renamed function accordingly:

12

If the entry is directory function is called recursively:

13

14

Check if file’s extension is .doc or docx :

15

….and send the file using mail, there are many unknown functions, maybe they are from third-party library Chilkat:

16

There are Yahoo mail and GetComputerNameA function, after running with fakenet it seems like Yahoo is recipient’s mail and result of GetComputerNameA is subject of mail:

17

19_mail

That’s all. I’m new to reversing malware and any kind of feedback will be helpful for me.

Twitter: @_qaz_qaz