Tags: vb.net, exe, decompiling, malware

Received a possibly malicious .exe, can someone tell me what the attacker intended to do?


I'm not sure what this code does, but it is probably malicious. Please be careful and DO NOT attempt to compile it.

I received a .exe file that probably does something malicious, since it was named ".jpg.exe", it had a fake jpg icon, and it has some stealth options such as setting Opacity to 0, ShowInTaskbar to False, and many other settings.

I do know VB, but I'm not experienced enough to tell what it does. Can someone please tell me what this person intended to do to my computer with this program?

He had these declarations:

Imports System
Imports System.ComponentModel
Imports System.Drawing
Imports System.IO
Imports System.Reflection
Imports System.Security.Cryptography
Imports System.Windows.Forms

This function:

Public Shared Function Decrypt(ByVal input As Byte()) As Byte()
    ' Hard-coded passphrase and salt: anyone holding the binary can derive the same key.
    Dim bytes As New PasswordDeriveBytes("xdldfklgjdfklgjdfklgjdflgkdfj", New Byte() {&H26, &H16, 11, &H4E})
    Dim stream As New MemoryStream
    ' As decompiled, aes.KeySize and aes.BlockSize were read before aes was assigned
    ' (a NullReferenceException); the instance has to exist before the sizes are read.
    Dim aes As Aes = New AesManaged
    aes.Key = bytes.GetBytes(aes.KeySize \ 8)   ' 256-bit key by default
    aes.IV = bytes.GetBytes(aes.BlockSize \ 8)  ' 128-bit IV
    ' AES decrypts the input and the plaintext accumulates in the MemoryStream.
    Dim stream2 As New CryptoStream(stream, aes.CreateDecryptor, CryptoStreamMode.Write)
    stream2.Write(input, 0, input.Length)
    stream2.Close()
    Return stream.ToArray()
End Function

I'm assuming this function is meant to decrypt password hashes saved on my computer or something?

And this is the main function; it is very long, so I added it to a text file:

http://ninjastormns.my3gb.com/DecompiledVBCode.txt

I'm sorry for posting such an unusual question, but I need to know what this guy was after and this felt like the right place to ask. Thank you.

Please note that if this code turns out to be malicious as I'm suspecting, I'll remove it once the question is solved to avoid it being reused.


Solution

  • I did not spend much time on this, but the code as shown simply decrypts a large binary blob into an in-memory assembly, then runs it.

    Since the Decrypt routine itself looked harmless, I copied it into a new project, then ran:

    System.IO.File.WriteAllBytes("C:\quarantine\danger.out", Decrypt(New Byte() { &HBC, &H7B, 220, &H4F, &H60, &H56, &HCA, ... }))
    

    This wrote the decrypted bytes of the malicious assembly into a file at "C:\quarantine\danger.out". When I did this, my antivirus immediately quarantined the file and flagged it as "Backdoor.Ratenjay", which is listed as a backdoor trojan.

    Since I was feeling foolhardy adventurous, I restored the quarantined file and opened it with ILSpy. Among other things, it appears to:

    • add a firewall exception for itself using netsh
    • copy itself to the startup folder
    • log keystrokes
    • monitor the current foreground window
    • connect to a dynamic DNS subdomain to send/receive data
    • save downloaded data to the filesystem, then run the downloaded file

    The answer to your question would be that the attacker intended to open a backdoor on your computer in order to monitor your system, and to download and run arbitrary commands.
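The extraction step the answer describes (copy the Decrypt routine into a clean project, write the decrypted bytes to a quarantine folder, then inspect them with ILSpy) as a stand-alone VB.NET console program. This is an added example, not code from the question or the answer: it reads the encrypted blob from a file (assumed to have been dumped from the byte array in the decompiled Main), decrypts it with the same passphrase and salt, writes the result to an assumed quarantine path, and prints a SHA-256 plus a PE-header check so you can confirm you recovered an executable before opening it in a decompiler. It never calls Assembly.Load on the output; that is the dropper's job, not the analyst's. The file names, the module name and the helper names are assumptions.

```vbnet
' Added example: recover the embedded payload without executing it.
Imports System
Imports System.IO
Imports System.Security.Cryptography

Module PayloadExtractor

    ' Same passphrase and salt as the decompiled Decrypt routine.
    Private Const Passphrase As String = "xdldfklgjdfklgjdfklgjdflgkdfj"
    Private ReadOnly Salt As Byte() = New Byte() {&H26, &H16, 11, &H4E}

    ' Mirrors the dropper's Decrypt: PasswordDeriveBytes -> AES key/IV -> CBC decrypt.
    ' PasswordDeriveBytes must be the .NET class; its output beyond 20 bytes is not
    ' standard PBKDF1, so a PBKDF1 from another library would yield a different key.
    Public Function Decrypt(ByVal input As Byte()) As Byte()
        Dim kdf As New PasswordDeriveBytes(Passphrase, Salt)
        Using aes As New AesManaged()
            aes.Key = kdf.GetBytes(aes.KeySize \ 8)   ' 32 bytes
            aes.IV = kdf.GetBytes(aes.BlockSize \ 8)  ' 16 bytes
            Using plain As New MemoryStream()
                Using cs As New CryptoStream(plain, aes.CreateDecryptor(), CryptoStreamMode.Write)
                    cs.Write(input, 0, input.Length)
                End Using
                Return plain.ToArray()
            End Using
        End Using
    End Function

    ' Cheap sanity check before handing the file to ILSpy: an "MZ" DOS header and a
    ' "PE\0\0" signature at the offset stored at 0x3C.
    Public Function LooksLikePe(ByVal data As Byte()) As Boolean
        If data.Length < &H40 OrElse data(0) <> &H4D OrElse data(1) <> &H5A Then Return False
        Dim peOffset As Integer = BitConverter.ToInt32(data, &H3C)
        If peOffset < 0 OrElse peOffset + 4 > data.Length Then Return False
        Return data(peOffset) = &H50 AndAlso data(peOffset + 1) = &H45 _
            AndAlso data(peOffset + 2) = 0 AndAlso data(peOffset + 3) = 0
    End Function

    ' Hash to record in your notes or look up in a threat-intel service.
    Public Function Sha256Hex(ByVal data As Byte()) As String
        Using h As SHA256 = SHA256.Create()
            Return BitConverter.ToString(h.ComputeHash(data)).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    Sub Main(ByVal args As String())
        ' Assumed paths: the blob dumped from the decompiled byte array, and a
        ' quarantine folder your antivirus is allowed to watch.
        Dim blobPath As String = If(args.Length > 0, args(0), "C:\quarantine\blob.bin")
        Dim outPath As String = If(args.Length > 1, args(1), "C:\quarantine\danger.out")

        Dim payload As Byte() = Decrypt(File.ReadAllBytes(blobPath))
        File.WriteAllBytes(outPath, payload)

        Console.WriteLine("wrote {0} bytes to {1}", payload.Length, outPath)
        Console.WriteLine("sha256: " & Sha256Hex(payload))
        Console.WriteLine("PE header present: " & If(LooksLikePe(payload), "yes", "no"))
        ' Deliberately no Assembly.Load(payload) here.
    End Sub

End Module
```

Run it inside a disposable VM with the network disconnected; as the answer notes, writing the decrypted file may trigger the antivirus, which is a useful first classification on its own. If the PE check fails, the blob you dumped is probably incomplete or was copied from the wrong array, not a sign that the key is wrong: AES-CBC will happily "decrypt" any input, and only the last block's padding would complain.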