Analysis of vzlom_vk (Failed)
Malware obtained from any.run. It’s an unknown executable which unpacks itself, fails to run
update.exe and prints out some russian.
|File Type||Portable Executable 32|
|File Info||Microsoft Visual C++ 8|
When run, it prints out the following text:
The system cannot find the file update.exe Вас приветствует программа взлома ВК аккаунтов! Благодарим за приобретение лицензии нашей программы! Вы уверенны, что хотите начать? (да/нет):
Using the trusty google translator, that turns into:
You are welcomed by the program for hacking VK accounts! Thank you for purchasing our software license! Are you sure you want to start? (yes / no):
This appears to be a tool for hacking VK accounts, which is “the largest social network in Russia and the CIS”. This is also a cracked version, seeing how I definitely don’t own a license.
When I enter
y, the following shows up:
Введите id жертвы:
Translated, that means:
Enter victim id:
So, here is a hacking tool for VK accounts and it asks for a victim ID, now who do I not like in Russia… I’ll just put 0.
Now it prints out
Next is a progress bar, which gets up to 25%, followed by a python error:
Traceback (most recent call last): File "vzlom_vk.py", line 21, in <module> FileNotFoundError: [WinError 2] The system cannot find the file specified 'update.exe'  Failed to execute script vzlom_vk
Later I’ll focuse on trying to extracting this python script.
Detect It Easy provides very useful information about how the executable is packed:
|Protector||ENIGMA(4.0 build 2020.5.17 10:10:13)[-]|
To dump this, I will quite simply run the malware and use Process Dump, pointing it to the process ID of the child of the malware.
Dumped executable initial analysis
Just from looking at strings, there are multiple things we can infer:
|Py_*||Python C api used|
|inflate 1.2.11 Copyright 1995-2017 Mark Adler||Zlib compression used|
|Fls*||Fiber Local Storage (FLS) used|
|Software\Borland\Delphi\RTL||Delphi (Locales) used|
|RIJNDAEL||AES encryption used|
|Yarrow has not been reseeded||Yarrow pseudorandom number generator used|
|EP_*||Engima Protector keys are validated|
|9iCCPPhotoshop ICC profile||Photoshop colour profiles are referenced|
|IEUser MSEDGEWIN10||Dumps are fingerprinted|
It’s very likely that most of these details are related to the ENIGMA packer.
Files dynamically written
The unpacked exe extracts resources into
C:\Users\IEUser\AppData\Local\Temp\_MEI5562, where there are: python extension modules, library dlls, locale files and tkinter. However, the script
vzlom_vk.py is missing.
Near the end of the procmon log, I find the following entry:
vzlom_vk.exe 994 CreateFile C:\Users\IEUser\AppData\Local\Temp\_MEI5562\vzlom_vk.py
However, this file is never written to, therefore this is not in fact the location of the python script, but rather the location the python process thinks its at because in reality the script was loaded in dynamically through the python C api.
Based off the python C api documentation, the following used methods are of interest for finding the code which is dynamically executed:
All of these imports are referenced at least once in the same function.
0x1032900: +------+ |Import| +-+--+-+ | | +------+ | | +-------+ | Fail <-+ +-+>Import| +------+ +--+--+-+ | | +------+ | | +------+ | Fail <-+ +->Import| +------+ +-+--+-+ | | +------+ | | +------+ | Fail <-+ +->Import| +------+ +-+--+-+ | | +------+ | | +------+ | Fail <-+ +->Import| +------+ +-+--+-+ | | +------+ | | +------+ | Fail <-+ +->Import| +------+ +-+--+-+ | | +------+ | | +-------+ | Fail <-+ +-+>Import| +------+ +--+--+-+ | | +------+ | | | Fail <-+ +->....... +------+
This function simply populates all of the python imports.
Here are the xrefs to
|w||get_python_imports+4DB||mov ds:PyEval_EvalCode, eax|
|o||.nicuew:013F3420||dd rva PyEval_EvalCode; Import Address Table|
Based off this, we can identify that
python_executor is responsible for python code calling at least partially.
I spotted the string
_MEIPASS2, which after some googling turns out is an environment variable for PyInstaller. Therefore, let’s see if this can be extracted using the PyInstaller Extractor
struct.error: unpack requires a buffer of 4 bytes
Always worthy a try to use pre-existing tools, even if they don’t often work out.
Let’s take a look again at the files which were dynamically written.
.pyd files are simply dlls.
strings to try to find where
__main__ could possibly be. Debugging didn’t reveal what the script actually is. Python dumpers don’t seem to exist.
Therefore, until I learn more about python reverse engineering through more reverse engineering, this project will be put on hold.