1. Hunting
Recently, in my free time, I have continued hunting for samples related to the PlugX malware used by the Mustang Panda group. Among the results returned by VirusTotal, there is a file submitted to VT from LV (Latvia ??) at 2022-12-06 06:39:03 UTC:
Sample hash is: fc345d151b44639631fc6b88a979462dfba3aa5c281ee3a526c550359268c694
This write-up of mine will be divided into three parts:
Loader: https://bazaar.abuse.ch/sample/816c4a2117b90dc75d91056ca32a36ffd32d561aa433ee3f97126ba490e6d60a/
Unpacked: 7bd942857a29e7f2931da2bd8fa1d118
Here is the pseudo-code of the function that decodes the strings:
/*
 * vdr_decrypt_strings — Hex-Rays pseudo-code of the sample's string decoder.
 * The calling convention is custom (hence __usercall): len arrives in ECX,
 * the result is returned in EAX, the two pointers come from the stack.
 *
 * Parameters (names are the analyst's/decompiler's, not the author's):
 *   len      number of output bytes to produce.
 *   xor_key  indexed 0..len-1, one byte consumed per output byte.
 *   encStr   NUL-terminated, cycled through with i % strlen(encStr).
 *   NOTE(review): judging by how they are indexed, the roles look reversed
 *   relative to the names — the buffer called xor_key is consumed
 *   byte-for-byte and encStr is the one that repeats, i.e. encStr behaves
 *   as the key. Confirm against the call sites.
 *
 * Returns: a LocalAlloc'ed buffer of len+1 bytes holding the XOR result,
 * NUL-terminated at decStr[len]. Presumably the caller releases it with
 * LocalFree — not visible here.
 *
 * Everything that touches Destination (the byte-zeroing loop, the wcscat of
 * a filler sentence, the many discarded wcslen calls, the final memset) has
 * no effect on the returned value; it reads as junk code padding the routine.
 */
_BYTE *__usercall vdr_decrypt_strings@<eax>(uint32_t len@<ecx>, char *xor_key, const char *encStr)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
// Zero 0x208 bytes of the local Destination buffer one byte at a time
// (looks like an inlined memset; 0x208 presumably equals sizeof(Destination),
// but the declarations are collapsed so the buffer type is not visible).
cnt = 0x208;
v5 = Destination;
do
{
*v5 = 0;
v5 = (v5 + 1);
--cnt;
}
while ( cnt );
// Junk: appends a fixed English sentence to the scratch buffer; the buffer
// is never read afterwards.
wcscat(Destination, L"Nor again is there anyone who loves or pursues or desires to obtain pain of itself, because it is pain");
// Junk: return values discarded. Same for every wcslen(Destination) below.
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
// 0x40 = LMEM_FIXED | LMEM_ZEROINIT (LPTR): fixed, zero-filled block of
// len+1 bytes. The result is not checked, so a failed allocation would make
// the store to decStr[len] below write through NULL.
decStr = LocalAlloc(0x40u, len + 1);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
// Explicit terminator so the decoded bytes can be used as a C string.
decStr[len] = 0;
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
// The actual work: byte-wise XOR of the two inputs. strlen(encStr) is
// re-evaluated on every iteration rather than hoisted out of the loop.
for ( i = 0; i < len; ++i )
{
wcslen(Destination);
wcslen(Destination);
decStr[i] = xor_key[i] ^ encStr[i % strlen(encStr)]; // <-- xor loop
wcslen(Destination);
wcslen(Destination);
}
wcslen(Destination);
wcslen(Destination);
// Wipe the scratch buffer before returning; it only ever held the filler text.
memset(Destination, 0, sizeof(Destination));
return decStr;
}