SHA-256 Hash
SHA-256: 963f1735e9ee06c66fdf3a831d7c262bc8bce0d7155e37f9a5aa2677e0a6090c
You can download the malware sample from malware-traffic-analysis.net.
Stage 1
The main function is filled with junk instructions, but the most interesting function within main is the decode_n_call function located near the end:
Inside the decode_n_call function, memory is allocated, data is decoded from the 0x0433220 address, and execution jumps to it via the call instruction:
It allocates two memory blocks of 0x3000 bytes each with PAGE_EXECUTE_READWRITE permission (a pair of RWX allocations followed by a call into one of them is itself a useful detection hook):
After that, some decoded data is written into the first allocated memory:
Additionally, there is another loop that decodes/decrypts the written data in memory:
The buffer already looks like a PE image (the header layout is recognisable), but it is still encoded and does not parse as a valid PE yet.
The function at 0x30A70 takes two arguments: the encoded/encrypted data and the second allocated memory. It returns a decoded/decrypted PE file via the second argument:
It then unmaps the original executable image and copies the freshly decoded PE in its place, so the process now carries the stage-2 code instead of the on-disk executable:
Section Maps
Inside the 0x30730 (offset 0x730) function, it resolves the imports of the new PE and fills its Import Address Table (IAT), the work the Windows loader would normally do for an image loaded from disk:
After that, it jumps to the entry point of the new PE file:
Rather than stepping through the rest of the loader, it is much easier to dump the decoded PE from memory (after the decode loop has finished and before the jump to its entry point) and analyze it separately.
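A memory dump taken at that point keeps the bytes at their RVAs while the section headers still hold the on-disk PointerToRawData/SizeOfRawData values, so IDA or pefile mis-read it. The script below is an added example (not code from the write-up or from the sample) of the usual "dump fix": it rewrites each section's raw pointer to its RVA and its raw size to the section-aligned virtual size. The input image is a constructed two-section PE32 standing in for the decoded stage-2 image, not the real binary.

```python
"""Rebuild a file-parseable PE from a section-aligned memory dump."""
import struct
from typing import List, Tuple


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def list_sections(pe: bytes) -> List[Tuple[str, int, int, int, int]]:
    """Return (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(num_sections):
        off = first + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append((name, va, vsize, raw_ptr, raw_size))
    return out


def rebuild_pe_from_memory(image: bytes) -> bytes:
    """Set every section's raw pointer to its RVA and its raw size to the
    section-aligned virtual size, capped at the end of the dump."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 24
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    sect_align = struct.unpack_from("<I", image, opt + 32)[0] or 0x1000
    buf = bytearray(image)
    for i, (_, va, vsize, _, _) in enumerate(list_sections(image)):
        off = opt + opt_size + i * 40
        raw_size = min(align_up(vsize, sect_align), len(buf) - va)
        # SizeOfRawData at +16, PointerToRawData at +20
        struct.pack_into("<II", buf, off + 16, raw_size, va)
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed stand-in for the decoded stage image (not the real sample):
    a PE32 laid out at SectionAlignment 0x1000 whose section headers still
    carry 0x200-aligned on-disk raw offsets, exactly as a memory dump would."""
    sect_align, file_align = 0x1000, 0x200
    sections = [  # (name, RVA, bytes placed at the RVA, stale on-disk raw pointer)
        (b".text", 0x1000, b"\x55\x8b\xec\xc3", 0x200),
        (b".data", 0x2000, b"stage2-config\0", 0x400),
    ]
    image = bytearray(0x3000)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)  # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    # FileHeader: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", image, opt + 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", image, opt + 28, 0x400000)  # ImageBase
    struct.pack_into("<II", image, opt + 32, sect_align, file_align)
    struct.pack_into("<II", image, opt + 56, len(image), 0x200)  # SizeOfImage, SizeOfHeaders
    first = opt + 0xE0
    for i, (name, rva, data, raw_ptr) in enumerate(sections):
        off = first + i * 40
        image[off:off + 8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", image, off + 8, len(data), rva, file_align, raw_ptr)
        image[rva:rva + len(data)] = data  # in memory the bytes live at the RVA
    return bytes(image)


if __name__ == "__main__":
    dump = build_sample_image()
    fixed = rebuild_pe_from_memory(dump)
    for name, va, vsize, raw_ptr, raw_size in list_sections(fixed):
        print(f"{name:8} RVA={va:#07x} VSize={vsize:#06x} Raw={raw_ptr:#07x}+{raw_size:#06x}")
```

Feed the bytes of the second allocation (dumped from the debugger) to rebuild_pe_from_memory and write the result to disk; the section map printed by list_sections should match what the loader function walks when it builds the IAT.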
Stage 2
The second PE is also filled with junk instructions. The interesting part starts at the 0x0401EED location:
Inside the sub_403B10 function, it attempts to delete the directories Settings, Microsoft\Enc, AMMYY, Foundation, and Foundation1, as well as the files wmihost.exe, settings3.bin, wmites.exe, and wsus, from several locations. These are artefacts of earlier installations, so this is cleanup before a fresh install:
It resolves API addresses through sub_404450, which takes a hash of the wanted function name as its second argument and returns the function's address. The names therefore never appear in the import table or as plain strings, which is what the hash is for:
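The standard way to label such call sites is to hash every export name of the likely DLLs with the sample's own routine and look the constants up in the resulting table. The script below is an added example, not code from the write-up or the sample: the hash routine used by sub_404450 is not identified above, so ROR-13 (a common shellcode choice) stands in as an assumption and should be replaced by the routine recovered from the binary, and the export list is a constructed set of names rather than the real export tables.

```python
"""Label hash-based API calls by hashing candidate export names."""
from typing import Dict, Iterable, Optional


def ror32(value: int, count: int) -> int:
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Illustrative ROR-13 accumulator (h = ror(h, 13) + byte over the ASCII
    name). Assumption: the sample's real routine must be read out of sub_404450."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


def build_hash_table(export_names: Iterable[str], hash_fn=ror13_hash) -> Dict[int, str]:
    """Precompute hash -> name for every candidate export. Two different names
    with the same hash would make a lookup ambiguous, so that case is rejected."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision {h:#010x}: {table[h]} / {name}")
        table[h] = name
    return table


def label_call_sites(call_hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each constant passed to the resolver to a name, or None if unknown."""
    return {h: table.get(h & 0xFFFFFFFF) for h in call_hashes}


# Constructed candidate list: exports plausible for the stage-2 behaviour
# (file/directory deletion, process termination, ShellExecuteW, service and
# COM calls). Real work takes the names from the export tables of the DLLs.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "DeleteFileW",
    "RemoveDirectoryW", "CreateToolhelp32Snapshot", "Process32FirstW",
    "Process32NextW", "OpenProcess", "TerminateProcess", "ShellExecuteW",
    "CoCreateGuid", "CoCreateInstance", "OpenSCManagerW", "CreateServiceW",
    "StartServiceW", "URLDownloadToFileW", "CopyFileW", "SHGetFolderPathW",
]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constants you would read from the second argument at each call to sub_404450.
    seen = [ror13_hash("ShellExecuteW"), ror13_hash("TerminateProcess"), 0xDEADBEEF]
    for h, name in label_call_sites(seen, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

In practice the table is built once per DLL set and applied with an IDA or Ghidra script that renames each call site after the resolved export; an unresolved constant usually means the DLL is not in the candidate list or the hash routine was transcribed wrongly.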
The 0x403DE0 function takes the process name as an argument and terminates the corresponding process:
It executes the following commands using the ShellExecuteW function:
cmd /C net.exe stop ammyy
cmd /C sc delete ammyy
cmd /C net.exe stop foundation
cmd /C sc delete foundation
These commands stop and remove any earlier installation of the malware that is registered as the ammyy or foundation service.
It generates a random file name (via CoCreateGuid) for the next-stage PE, which it downloads from http://185.176.221.29/ban3.dat:
Inside the downloadNextStage_bin function, it downloads a file from the URL and saves it at the previously mentioned location:
It copies the new file to CSIDL_COMMON_APPDATA\Microsoft Help\wsus.exe and deletes the original one:
Inside the sub_402960 function, if the user is an administrator, it executes the commands listed above again, registers the downloaded PE file as a service named foundation, and starts it:
In the end, it deletes the original second-stage PE file:
If the user is not an administrator, it falls back to the Task Scheduler COM interface (taskschd.dll) to create a scheduled task that runs the executable:
For more detailed information, refer to the sub_402360 function.
After that, the same cleanup follows: it deletes the original second-stage PE file and exits via a TerminateProcess call:
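The indicators collected above (the ammyy/foundation service names, the wsus.exe drop path under CSIDL_COMMON_APPDATA, the four cleanup commands and the ban3.dat URL) map cleanly onto service-installation, task-creation, process-creation and proxy events. The script below is an added example, not from the write-up, that runs that matching over constructed event records standing in for Windows System 7045, Security 4698, Sysmon event 1 and a proxy log; the records are made up for the example, not real telemetry.

```python
"""Flag the stage-2 cleanup, download and persistence artefacts in event data."""
import re
from typing import Dict, List, Tuple

SERVICE_NAMES = {"ammyy", "foundation"}
# CSIDL_COMMON_APPDATA resolves to C:\ProgramData on a default install.
DROP_PATH_RE = re.compile(r"\\microsoft help\\wsus\.exe\b", re.I)
CLEANUP_CMD_RE = re.compile(
    r"^cmd(\.exe)?\s+/c\s+(net(\.exe)?\s+stop|sc(\.exe)?\s+delete)\s+(ammyy|foundation)\s*$",
    re.I,
)
STAGE_URL = "http://185.176.221.29/ban3.dat"


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the list of indicator matches for one event (empty if benign)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "service_install":  # System 7045: service name + image path
        if event.get("service", "").lower() in SERVICE_NAMES:
            hits.append("service name used by stage 2 (" + event["service"] + ")")
        if DROP_PATH_RE.search(event.get("image", "")):
            hits.append("service image at the wsus.exe drop path")
    elif kind == "task_create":  # Security 4698: task action (non-admin branch)
        if DROP_PATH_RE.search(event.get("action", "")):
            hits.append("scheduled task runs the wsus.exe drop path")
    elif kind == "process_create":  # Sysmon 1: command line of the child
        if CLEANUP_CMD_RE.match(event.get("command", "").strip()):
            hits.append("stage-2 cleanup command (stop/delete ammyy or foundation)")
    elif kind == "http":  # proxy log: requested URL
        if event.get("url", "").lower() == STAGE_URL:
            hits.append("next-stage download (ban3.dat)")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and matches of every event that triggers at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := classify_event(e))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "command": "cmd /C net.exe stop ammyy"},
    {"type": "process_create", "command": "cmd /C sc delete foundation"},
    {"type": "http", "url": "http://185.176.221.29/ban3.dat"},
    {"type": "service_install", "service": "foundation",
     "image": r"C:\ProgramData\Microsoft Help\wsus.exe"},
    {"type": "task_create", "action": r"C:\ProgramData\Microsoft Help\wsus.exe"},
    {"type": "process_create", "command": "cmd /C net.exe stop spooler"},  # benign
    {"type": "service_install", "service": "wuauserv",
     "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # benign
]

if __name__ == "__main__":
    for index, matches in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["type"], "->", "; ".join(matches))
```

The service-name and drop-path checks are independent on purpose: a rebuilt sample may change the service name but keep the path, or the reverse, and either alone is worth an alert.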