The Python script leverages low-level interactions with the Windows operating system, which imports crucial libraries like `System.Reflection`, `ctypes`, and `wintypes`, enabling it to directly invoke Windows APIs.
It allows the script to manipulate system behavior at a fundamental level, potentially enabling actions like loading malicious payloads, modifying system settings, or evading security measures.
It is necessary to conduct additional research into the script because it has the potential to engage in malicious activity, despite the fact that its current score on Virustotal is relatively low.
The script modifies system behavior by patching critical APIs: AmsiScanBuffer and EtwEventWrite, which involves overwriting the initial bytes of these functions with custom code.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
For 64-bit systems, the patch for EtwEventWrite consists of four bytes (0x48, 0x33, 0xc0, 0xc3), while for 32-bit systems, it’s five bytes (0x33, 0xc0, 0xc2, 0x14, 0x00), which aims to prevent the execution of the original API functions, hindering security mechanisms like the Antimalware Scan Interface (AMSI) and event logging through Event Tracing for Windows (ETW).
It extracts a Base64-encoded string and decodes it, as the decoded data is then used to load an assembly, which is most likely a .NET assembly as Assembly.Load is a function from the System.Reflection namespace is commonly used in .NET.
After loading the assembly, the script creates an instance of the class specified by the EntryPoint property of the assembly. Finally, the script invokes the Invoke method on the EntryPoint of the assembly, effectively calling the entry point method of the loaded assembly.
The first bytes of the payload can be used to identify the file format. In this case, the initial bytes “MZ” followed by a specific byte pattern indicate a Portable Executable (PE) file format.
`base64dump.py` tool further confirms this by decoding the first 16 bytes, which repeat the string “GetModuleHandleA,” a function commonly used in Windows DLLs.
The `file` command identifies the file as a PE32+ executable, implying it’s a 64-bit executable for the Microsoft Windows environment and that it’s a .Net assembly, which is a program written in a high-level language and compiled into a format that can be executed on the .Net runtime environment.
Malware first copies itself to a disguised location and checks if it’s run from there. If so, it extracts the next stage payload and creates persistence by adding a registry key and a startup shortcut.
According to Sans ICS, the next stage is a .NET binary that uses reflection to bypass whitelisting and decodes a hex string containing the final payload, which is another SwaetRAT itself, and the malware also copies itself to another location and its C2 server can be extracted from the configuration.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
