Analysis of vzlom_vk (Failed)

Malware sample obtained from any.run. It is an unknown executable that unpacks itself, fails to run update.exe and prints some Russian text.

Property    Value
MD5         18b065e37c55a00d7a023f5cef02bde4
SHA1        fb6e6596c617f932cd9c7740b29ed6f5dda8a88c
SHA256      bc4896abbf0726df8b9ef9134d584bbe1b649f59e453bbc327f8cd5b5b5a0651
File Type   Portable Executable 32
File Info   Microsoft Visual C++ 8

First run

When run, it prints out the following text:

The system cannot find the file update.exe
Вас приветствует программа взлома ВК аккаунтов!
Благодарим за приобретение лицензии нашей программы!
Вы уверенны, что хотите начать? (да/нет):

Using the trusty Google Translate, that turns into:

You are welcomed by the program for hacking VK accounts!
Thank you for purchasing our software license!
Are you sure you want to start? (yes / no):

This appears to be a tool for hacking VK accounts; VK is “the largest social network in Russia and the CIS”. It is also a cracked copy, seeing how I definitely don’t own a license.

When I enter y, the following shows up:

Введите id жертвы:

Translated, that means:

Enter victim id:

So here is a hacking tool for VK accounts, and it asks for a victim ID. Now, who do I not like in Russia… I’ll just put 0.

Now it prints out

Загрузка...

which means

Loading...

Next is a progress bar, which gets up to 25%, followed by a Python error:

Traceback (most recent call last):
  File "vzlom_vk.py", line 21, in <module>
FileNotFoundError: [WinError 2] The system cannot find the file specified 'update.exe'
[1548] Failed to execute script vzlom_vk

Later I’ll focus on trying to extract this Python script.

Unpacking

Detect It Easy provides very useful information about how the executable is packed:

Property    Value
Protector   ENIGMA(4.0 build 2020.5.17 10:10:13)[-]
Linker      Microsoft Linker(8.0*)[Console32,console]
Overlay     zlib archive(-)[-]

To dump the unpacked image, I simply run the malware and point Process Dump at the process ID of the child process it spawns.

Dumped executable initial analysis

Just from looking at strings, there are multiple things we can infer:

String                                          Inference
Py_*                                            Python C API used
inflate 1.2.11 Copyright 1995-2017 Mark Adler   zlib compression used
Fls*                                            Fiber Local Storage (FLS) used
Software\Borland\Delphi\RTL                     Delphi (locales) used
RIJNDAEL                                        AES encryption used
Yarrow has not been reseeded                    Yarrow pseudorandom number generator used
EP_*                                            Enigma Protector keys are validated
9iCCPPhotoshop ICC profile                      Photoshop colour profile (PNG iCCP chunk) referenced
IEUser MSEDGEWIN10                              Dump is stamped with the analysis VM’s user and host name

It’s very likely that most of these details are related to the ENIGMA packer.

Files dynamically written

The unpacked exe extracts resources into C:\Users\IEUser\AppData\Local\Temp\_MEI5562, where there are Python extension modules, library DLLs, locale files and tkinter. However, the script vzlom_vk.py is missing.

Near the end of the procmon log, I find the following entry:

vzlom_vk.exe 994 CreateFile C:\Users\IEUser\AppData\Local\Temp\_MEI5562\vzlom_vk.py

However, this file is never written to, so this is not where the Python script lives. It is where the Python runtime goes looking for it: the script was loaded through the Python C API as an already compiled code object whose co_filename is vzlom_vk.py, and when the traceback above was printed, Python’s linecache tried to open that name along sys.path (which in a frozen app includes the _MEI directory) to show the offending source line. That open fails, which is also why the traceback shows no source text for line 21.

Python extraction

Based on the Python C API documentation, a number of the imported functions are of interest for finding the code that is dynamically executed. All of these imports are referenced at least once in the same function.

0x1032900:

       +------+
       |Import|
       +-+--+-+
         |  |
+------+ |  | +-------+
| Fail <-+  +-+>Import|
+------+      +--+--+-+
                 |  |
        +------+ |  | +------+
        | Fail <-+  +->Import|
        +------+      +-+--+-+
                        |  |
               +------+ |  | +------+
               | Fail <-+  +->Import|
               +------+      +-+--+-+
                               |  |
                      +------+ |  | +------+
                      | Fail <-+  +->Import|
                      +------+      +-+--+-+
                                      |  |
                             +------+ |  | +------+
                             | Fail <-+  +->Import|
                             +------+      +-+--+-+
                                             |  |
                                    +------+ |  | +-------+
                                    | Fail <-+  +-+>Import|
                                    +------+      +--+--+-+
                                                     |  |
                                            +------+ |  |
                                            | Fail <-+  +->.......
                                            +------+

This function simply populates all of the python imports.

Here are the xrefs to PyEval_EvalCode:

Type  Address                  Text
r     python_executor+160      call ds:PyEval_EvalCode
w     get_python_imports+4DB   mov ds:PyEval_EvalCode, eax
o     .nicuew:013F3420         dd rva PyEval_EvalCode; Import Address Table

Based on this, python_executor is at least partly responsible for executing Python code: get_python_imports only stores the resolved address in the import table, while python_executor actually calls it.

PyInstaller

I spotted the string _MEIPASS2 which, after some googling, turns out to be an environment variable used by PyInstaller: the onefile bootloader sets it to the temporary extraction directory (here _MEI5562) before spawning the child process that runs the Python code. Therefore, let’s see if the script can be extracted using PyInstaller Extractor (pyinstxtractor):

struct.error: unpack requires a buffer of 4 bytes

Always worth a try to use pre-existing tools, even if they don’t often work out. An error of this shape is the extractor reading a 4-byte length field past the end of its input: it locates the archive by the cookie at the very end of the file and then follows offsets that are relative to the start of the embedded package, so anything that shifts or strips the overlay (a memory dump, a protector wrapping the original file) breaks it.
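
Both the vzlom_vk.py that never hits disk (see Files dynamically written) and the extractor failure above follow from how a PyInstaller onefile archive is laid out. The Python below is an added example for this write-up, not code from the original analysis, from PyInstaller or from pyinstxtractor: it constructs a one-entry CArchive in memory, parses the cookie and TOC the way the bootloader and the extractor do, runs the embedded code object straight from memory (the PyEval_EvalCode step seen in the xrefs), and turns a missing or misaligned cookie into a readable error instead of a bare struct.error. Format constants follow PyInstaller 3.x/4.x for Python 3; the script text, the name python36.dll and the version number 36 are made up for the demo.

```python
"""Minimal PyInstaller CArchive walker.  Added example for this write-up, not
code from the original analysis, from PyInstaller or from pyinstxtractor.
Layout follows the Python 3 era PyInstaller 3.x/4.x CArchive: an 88-byte cookie
at the very end points at a TOC whose offsets are relative to the start of the
embedded package.  The sample archive, its script, 'python36.dll' and the
version number 36 are constructed here for the demo."""
import marshal
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"        # cookie magic that extractors search for
COOKIE_FMT = "!8sIIii64s"                 # magic, package len, TOC offset, TOC len, py version, python dll
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88
ENTRY_FMT = "!iIIIBc"                     # entry len, data offset, compressed len, raw len, compressed?, type
ENTRY_HDR = struct.calcsize(ENTRY_FMT)    # 18, followed by the NUL-terminated, padded entry name

def build_archive(scripts, pyver=36):
    """Constructed sample: one type 's' entry per script, stored as a
    zlib-compressed marshalled code object, the way PyInstaller stores scripts."""
    data, toc = bytearray(), bytearray()
    for name, src in scripts.items():
        code = compile(src, name, "exec")        # co_filename is the bare script name
        raw = marshal.dumps(code)
        comp = zlib.compress(raw)
        name_b = name.encode() + b"\0"
        name_b += b"\0" * (-(ENTRY_HDR + len(name_b)) % 16)   # TOC entries are padded to 16 bytes
        toc += struct.pack(ENTRY_FMT, ENTRY_HDR + len(name_b), len(data),
                           len(comp), len(raw), 1, b"s") + name_b
        data += comp
    pkg_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(data), len(toc), pyver,
                         b"python36.dll".ljust(64, b"\0"))
    return bytes(data + toc + cookie)

def parse_archive(blob):
    """Find the cookie, check its offsets against the buffer, walk the TOC.
    Malformed input becomes a ValueError with a reason instead of the bare
    'struct.error: unpack requires a buffer of N bytes' that blind trust in the offsets gives."""
    pos = blob.rfind(MAGIC)
    if pos < 0:
        raise ValueError("no CArchive cookie: not PyInstaller, or the overlay is not in this buffer")
    if len(blob) - pos < COOKIE_LEN:
        raise ValueError("cookie is truncated")
    _, pkg_len, toc_off, toc_len, pyver, _ = struct.unpack(COOKIE_FMT, blob[pos:pos + COOKIE_LEN])
    pkg_start = pos + COOKIE_LEN - pkg_len   # package = [data][TOC][cookie]
    if pkg_start < 0 or pkg_start + toc_off + toc_len > len(blob):
        raise ValueError("cookie offsets fall outside the buffer: dump misaligned or truncated")
    entries, p, end = [], pkg_start + toc_off, pkg_start + toc_off + toc_len
    while p < end:
        if end - p < ENTRY_HDR:
            raise ValueError("TOC is truncated")
        elen, doff, clen, ulen, flag, typ = struct.unpack(ENTRY_FMT, blob[p:p + ENTRY_HDR])
        if elen < ENTRY_HDR or p + elen > end:
            raise ValueError("TOC entry length is corrupt")
        entries.append({
            "name": blob[p + ENTRY_HDR:p + elen].rstrip(b"\0").decode(),
            "type": typ.decode(),                # 's' script, 'z' PYZ, 'b' binary, 'm'/'M' module ...
            "offset": pkg_start + doff, "clen": clen, "ulen": ulen, "compressed": bool(flag),
        })
        p += elen
    return pyver, entries

def run_script(blob, entry, namespace):
    """What the bootloader does with a type 's' entry: inflate, unmarshal and
    evaluate the code object.  No .py is written; the traceback machinery only
    goes looking for co_filename afterwards if something raises."""
    data = blob[entry["offset"]:entry["offset"] + entry["clen"]]
    if entry["compressed"]:
        data = zlib.decompress(data)
    code = marshal.loads(data)
    exec(code, namespace)
    return code.co_filename

SAMPLE = build_archive({"vzlom_vk.py": "RESULT = 6 * 7\n"})   # constructed input

def demo():
    pyver, entries = parse_archive(SAMPLE)
    script = next(e for e in entries if e["type"] == "s")
    ns = {}
    return pyver, run_script(SAMPLE, script, ns), ns["RESULT"]

def diagnose(blob):
    """Return the parser's verdict on a buffer as a string."""
    try:
        parse_archive(blob)
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    print(demo())                                # (36, 'vzlom_vk.py', 42)
    print(diagnose(SAMPLE[:-COOKIE_LEN]))        # cookie stripped: nothing to anchor on
    print(diagnose(SAMPLE[16:]))                 # leading bytes lost: offsets misaligned
```

Run as a script it prints the parsed version, the co_filename and the script’s result, followed by the two failure verdicts. Against a real target, read the whole executable into blob; feeding it a process dump rather than the on-disk file is one way to land in the misaligned-offsets branch, which is the kind of mismatch behind the struct.error above.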

PyInstaller files

Let’s take a look again at the files which were dynamically written.

The .pyd files are simply DLLs that export a Python module initialisation function.

Failure

I ran strings to try to find where __main__ could possibly be. Debugging didn’t reveal what the script actually is. Python dumpers don’t seem to exist.

Therefore, until I learn more about Python reverse engineering through more reverse engineering, this project will be put on hold.