Context of this Entry
The context originates from a MalwareHunterTeam tweet, which introduces an executable named GoogleDriverSetup.exe. It is compiled with Deno, a Rust-based JavaScript runtime. Let’s get started!
stage01: Evil Deno
It all starts with an executable of approximately 81.4 MB; it is a Deno-compiled executable:

The binary carries the JavaScript to run in its resources section. This technique is described in Evil Deno.

The JavaScript can be deobfuscated with deobfuscate.io. It simply contains a PowerShell command that fetches another PowerShell script from a remote URL and executes it dynamically:

stage02: set startup item
This script first declares some variables:
It then downloads script1.aspx from a URL, along with Python 3.13.7:
Finally, it sets up a system startup task that runs the script (script1.aspx) at startup using pythonw.exe.
stage03: python shellcode loader
script1.aspx base64-decodes and zlib-decompresses a blob, loads the resulting Python code object with marshal, and then passes it to exec():

Once we have the code object that gets loaded, we can prepend the 16-byte PYC header of Python 3.13 to turn it into a .pyc file, then decompile that file with Pylingual to obtain the Python code shown on the right:
As the name of the decompiled script, heap_alloc_shellcode_loader.py, suggests, it loads shellcode (a DLL file) into the current process with a simple CreateThread() call through the Python ctypes module.
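To recover the stage03 code object without running it, the following added Python script (my own example, not code from the post or from the sample) reverses the packing described above (base64, then zlib, then marshal), wraps the code object in the 16-byte pyc header used since Python 3.7 so a decompiler such as Pylingual can read it, and prints a static summary of the names and strings it references. The payload it processes is a harmless stub constructed here with the same packing; the real sample's bytes are not reproduced. It must run under the same interpreter version that produced the code object, since marshal does not cross versions, which is why the post pairs this step with a Python 3.13 header.

```python
"""Analyst-side counterpart of the script1.aspx loader: unpack, do not exec.

Added example, not code from the post or the sample.  The payload below is a
constructed stand-in; only the wire format (base64 -> zlib -> marshal -> exec)
follows the post.
"""
import base64
import dis
import importlib.util
import io
import marshal
import struct
import sys
import types
import zlib
from typing import Optional

PYC_MAGIC = importlib.util.MAGIC_NUMBER   # magic of the running interpreter
PYC_HEADER_LEN = 16                       # PEP 552 header: magic, flags, mtime, size


def extract_code_object(b64_blob: str) -> types.CodeType:
    """Undo the sample's packing and return the code object.  marshal.loads
    only rebuilds the object; nothing in it is executed."""
    raw = zlib.decompress(base64.b64decode(b64_blob))
    code = marshal.loads(raw)
    if not isinstance(code, types.CodeType):
        raise ValueError("payload did not marshal to a code object")
    return code


def build_pyc(code: types.CodeType) -> bytes:
    """Prepend the 16-byte pyc header: 4-byte magic, 4-byte flags (0 means
    timestamp-based), 4-byte mtime, 4-byte source size.  Decompilers key on
    the magic to pick the right bytecode version."""
    header = PYC_MAGIC + struct.pack("<III", 0, 0, 0)
    return header + marshal.dumps(code)


def parse_pyc(blob: bytes) -> types.CodeType:
    """Inverse of build_pyc: validate the magic and return the code object."""
    if blob[:4] != PYC_MAGIC:
        raise ValueError("pyc magic does not match this interpreter")
    return marshal.loads(blob[PYC_HEADER_LEN:])


def static_summary(code: types.CodeType) -> dict:
    """Static triage: every global/attribute name and string constant the code
    touches (walked into nested functions), plus a bytecode listing."""
    names, strings = set(), set()

    def walk(co: types.CodeType) -> None:
        names.update(co.co_names)
        for const in co.co_consts:
            if isinstance(const, str):
                strings.add(const)
            elif isinstance(const, types.CodeType):
                walk(const)

    walk(code)
    listing = io.StringIO()
    dis.dis(code, file=listing)   # dis recurses into nested code objects itself
    return {"names": sorted(names), "strings": sorted(strings),
            "disassembly": listing.getvalue()}


# Constructed stand-in for a decoded script1.aspx payload: a harmless stub with
# the same shape (imports ctypes, names CreateThread) so the triage output is
# meaningful.  Assumed content, not the sample's.
_STUB_SOURCE = '''
import ctypes
def load(buf):
    kernel32 = ctypes.windll.kernel32
    return kernel32.CreateThread
'''
SAMPLE_BLOB = base64.b64encode(zlib.compress(marshal.dumps(
    compile(_STUB_SOURCE, "heap_alloc_shellcode_loader.py", "exec")))).decode()


def triage(b64_blob: str, pyc_path: Optional[str] = None) -> dict:
    """Recover the code object, optionally write it out as .pyc for a
    decompiler, and return the static summary."""
    code = extract_code_object(b64_blob)
    if pyc_path:
        with open(pyc_path, "wb") as fh:
            fh.write(build_pyc(code))
    return static_summary(code)


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB, sys.argv[1] if len(sys.argv) > 1 else None)
    print("names:", report["names"])
    print("strings:", report["strings"])
    print(report["disassembly"])
```

Pass an output path as the first argument to get the .pyc for Pylingual; with no argument the script only prints the static summary, so a payload can be triaged without ever reaching exec().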
stage04: the DLL file
Similar samples were found based on the imphash c3d7ddc86c9402d44b3c8487b2ead7aa:
The main driver function is the same, and both use the same mutex string: Global\\OALvPABeVdMtx

sub_180009240() of this sample performs anti-hooking setup and checks, such as:
Setting ProcessInstrumentationCallback to NULL via an NtSetInformationProcess call, which can be used to bypass EDR hooks.
This is followed by code that resolves many APIs dynamically and checks whether it can read the syscall number of those exports from ntdll; this tells it whether any trampolines (hooks) are in place:

Before and after running sub_180009240():

If any anomaly is detected, it falls back to loading the module from disk:

The sample’s further logic is driven by calls through various vtable functions:
From here on it calls functions for system recon, C2 connection, download-and-execute, and so on.
It starts with some system recon, the results of which are eventually sent to the C2 server http[:]//185.193.125[.]160/d :

While debugging in my Windows 10 VM, stepping over the following IWbemLocator::ConnectServer call at offset 0x7AB5 never returned to the debugger, possibly because the VM’s COM server was not responding:

The other sample includes an additional unpacking routine as an anti-analysis measure before calling the vtable functions, but the purpose is the same for both samples:

Some detections suggest these are Cobalt Strike beacons:
- https://otx.alienvault.com/indicator/file/84f34f24a7f7852ac1c5e99ec3de6e215138d7b8a39514963dc6596945b105d8
- https://www.virustotal.com/gui/file/c5f717f2bb294ae97df415900c1c4e025b73fa6b709d4ed0395c3e157a3b2e0e/community
stage05: another python script
script2.aspx is on the left; the decoded and decompressed output is on the right:
This stage eventually attempts to use cmstp.exe (to gain elevated privileges) with a malicious INF file to execute arbitrary PowerShell code fetched from the remote source https[:]//pastebin[.]com/raw/TvvskyQL, then simulates a user pressing Enter (via ctypes and window messages) to silently approve prompts.
stage06: multi-user persistence
This script ensures persistence by creating a scheduled task for each user that executes script1.aspx on logon with additional settings, then starts the task immediately.
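As an added defender-side check (my own example, not from the post), the following Python script triages Task Scheduler XML definitions for the persistence pattern used in stage02 and stage06: a boot or logon task that launches pythonw.exe with a script that does not carry a Python extension (here script1.aspx). The two task definitions and the file paths inside them are constructed here as assumptions; the element names and namespace are the Task Scheduler schema’s own, and the same XML is what `schtasks /query /xml` or Export-ScheduledTask emit.

```python
"""Triage Task Scheduler definitions for the pythonw.exe + odd-script pattern.

Added example, not code from the post.  Task definitions live as XML files
under %SystemRoot%\\System32\\Tasks; the samples below are constructed and
their paths are assumptions.
"""
import shlex
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PYTHON_HOSTS = {"pythonw.exe", "python.exe"}
SCRIPT_EXTS = {".py", ".pyw", ".pyc"}
AUTO_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def triage_task_xml(xml_data: Union[str, bytes]) -> List[str]:
    """Return findings for one task definition.  An empty list means no action
    is hosted by a Python interpreter, so this pattern does not apply.  Pass
    bytes for real task files (UTF-16 with BOM) so expat detects the encoding."""
    root = ET.fromstring(xml_data)
    findings: List[str] = []
    triggers = root.find("t:Triggers", NS)
    kinds = {t.tag.split("}")[-1] for t in triggers} if triggers is not None else set()
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", "", NS).strip().strip('"')
        exe = PureWindowsPath(command).name.lower()
        if exe not in PYTHON_HOSTS:
            continue
        if exe == "pythonw.exe":
            findings.append("windowless Python host pythonw.exe")
        # Non-POSIX shlex keeps Windows paths intact and retains the quotes,
        # which are stripped per token afterwards.
        tokens = [tok.strip('"') for tok in
                  shlex.split(exec_node.findtext("t:Arguments", "", NS), posix=False)]
        odd = [tok for tok in tokens
               if PureWindowsPath(tok).suffix and
               PureWindowsPath(tok).suffix.lower() not in SCRIPT_EXTS]
        if odd:
            findings.append("script argument without a Python extension: " + ", ".join(odd))
        auto = sorted(kinds & AUTO_TRIGGERS)
        if auto:
            findings.append("auto-start trigger(s): " + ", ".join(auto))
        if root.findtext("t:Settings/t:Hidden", "", NS).strip().lower() == "true":
            findings.append("task is marked hidden")
        if root.findtext(".//t:Principal/t:RunLevel", "", NS).strip() == "HighestAvailable":
            findings.append("runs with highest available privileges")
    return findings


def is_suspicious(findings: List[str]) -> bool:
    """The discriminating signal is a Python host fed a non-Python script."""
    return any(f.startswith("script argument without") for f in findings)


def scan_tasks_dir(tasks_dir: str) -> Dict[str, List[str]]:
    """Walk a Tasks tree (e.g. C:\\Windows\\System32\\Tasks) and map each task
    file that yields findings to them; non-XML files are skipped."""
    report: Dict[str, List[str]] = {}
    for path in Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            findings = triage_task_xml(path.read_bytes())
        except ET.ParseError:
            continue
        if findings:
            report[str(path)] = findings
    return report


# Constructed task definitions (assumed paths, not the sample's).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Local\Programs\Python\Python313\pythonw.exe</Command>
    <Arguments>"C:\Users\victim\AppData\Local\Temp\script1.aspx"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\notepad.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        found = triage_task_xml(xml_text)
        print(label, "->", "SUSPICIOUS" if is_suspicious(found) else "ok", found)
```

Run `scan_tasks_dir(r"C:\Windows\System32\Tasks")` on a host (or on an exported copy of that tree) to list every task matching the pattern; a legitimate Python task that runs a .py file on logon still produces context findings but is not reported by is_suspicious(), so the extension check is what separates the two.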
IOC(s)
- source: https://x.com/malwrhunterteam/status/1964023478060716437
- GoogleDriverSetup.exe: 84f34f24a7f7852ac1c5e99ec3de6e215138d7b8a39514963dc6596945b105d8
  https://cutt[.]ly/drivefilestreamGoogleDriveexe → https://www.dropbox[.]com/scl/fi/fn1bowuqm3dmnr8boa295/GoogleDriverSetup.exe?rlkey=jm264ztoaocmtsufy3hepd49m&st=9z0aua3v&dl=1
- ololo.aspx: https[:]//ololo-dsj.pages[.]dev/ololo.aspx
- script1.aspx: https[:]//4243384121f3d8cfb9681a012552537f.pages[.]dev/script1.aspx
- Shellcode (DLL): 9231e77c960570548cd053d9a9eaaf62e50e7b21b36521d82b31a02d7f9f57cd, C2: http[:]//185.193.125[.]160/d
- similar sample: c5f717f2bb294ae97df415900c1c4e025b73fa6b709d4ed0395c3e157a3b2e0e, C2: https://swiftedgecloud[.]com/d
- similar sample:
  script2.aspx: https://42a25631.yr52byzdja.pages[.]dev/script2.aspx
  https://pastebin[.]com/raw/TvvskyQL
Further reading
- https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/
- https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
- checking the hooks: https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions
- https://www.outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
- Windows system call table: https://j00ru.vexillium.org/syscalls/nt/64/
- https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
- https://www.riskinsight-wavestone.com/en/2023/10/process-injection-using-ntsetinformationprocess/
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/