[Threat Intelligence] Slim Shady

Writeups for Null CTF 2025 event.

Caution ⚠️⚠️⚠️
This is REAL MALWARE.
PLEASE RUN IN A VIRTUAL MACHINE.
IF YOU RUN THIS PROGRAM ON YOUR REAL PC, YOU MUST ACCEPT THE CONSEQUENCES.

0x01 Questions

  1. What user does the malware create?
  2. What is the password of the user created by the malware?
  3. What persistence technique did the malware use?
  4. What is the value of the registry key added by the malware?
  5. What domain does the malware try to connect to?
  6. In what process is it injecting information?
  7. What is being injected?

0x02 Information Gathering

As we can see, the malware is written in C++ and is a 32-bit executable. Fortunately, the malware does not use a packer or loader to protect itself.

0x03 Static Analysis

Starting with the main_entry() function, we can identify a suspicious function at 0x402390.

(Note: Function names have been renamed for clarity.)

We can reconstruct the execution flow of the malware:

  1. Anti-Debugger

    • Calls IsDebuggerPresent.
    • If a debugger is detected, execution aborts.
  2. Anti-Sandbox Behavior

    • Waits until mouse movement is detected to delay execution in automated sandboxes.
  3. User Distraction

    • Opens a YouTube URL in the default browser.
  4. Drop Embedded Resource

    • Writes an embedded resource (ID 0x65) to:
      %TEMP%\vmware.log.jpg
  5. Marker Search and Payload Decoding

    • Scans the dropped file for the marker string: hXJakl
    • XOR-decodes bytes following the marker using key 0x7D.
  6. Process Injection

    • Creates a hidden instance of notepad.exe.
    • Allocates memory in the remote process and writes the decoded payload.
  7. System Information Collection

    • Collects host info (IP, Username, Locale, OS, Privileges, UUID).
    • Writes the data to:
      %APPDATA%\goodies.txt
  8. Persistence Establishment

    • Copies itself to:
      %TEMP%\NotShady.exe
    • Creates a Registry Run key:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Value name: Shadiest
  9. Backdoor Account Creation

    • Creates a local user via NetUserAdd.
    • Username: RealSlimShady1337
    • Password: X0r3dS3crets! (decoded from the byte array at byte_423024 using XOR key 0x55).
  10. Data Exfiltration

    • Resolves C2 domain: shadystealerconnect.tk
    • Sends goodies.txt via HTTP POST.
    • Host header: shadystmalmronneoit.tk
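As an added example (not part of the original writeup), a small Python helper that reproduces the decoding from steps 5 and 9 for analysis purposes: it searches a dropped file for the hXJakl marker and XOR-decodes the bytes that follow it with 0x7D, and recovers the account password from an XOR-0x55 byte array. The sample file contents and the encoded password bytes below are constructed to model the encoding, not copied from the binary.

```python
from typing import Optional

MARKER = b"hXJakl"   # marker string the sample scans for in the dropped file
PAYLOAD_KEY = 0x7D   # XOR key applied to the bytes after the marker
PASSWORD_KEY = 0x55  # XOR key applied to the stored account password


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in blob)


def extract_payload(data: bytes, marker: bytes = MARKER,
                    key: int = PAYLOAD_KEY) -> Optional[bytes]:
    """Locate the marker and decode everything after it.

    Returns None when the marker is absent, so a caller can tell
    "not this sample's dropper output" apart from an empty payload.
    """
    idx = data.find(marker)
    if idx == -1:
        return None
    return xor_decode(data[idx + len(marker):], key)


# Constructed stand-in for %TEMP%\vmware.log.jpg: a JPEG-looking header,
# filler, the marker, then an XOR-0x7D encoded payload. Not the real file.
_PAYLOAD_PLAIN = b"constructed payload bytes"
SAMPLE_FILE = (b"\xff\xd8\xff\xe0" + b"\x00" * 16
               + MARKER + xor_decode(_PAYLOAD_PLAIN, PAYLOAD_KEY))

# Constructed stand-in for byte_423024: the password bytes XOR 0x55.
# Derived by XOR-ing the known password back; not dumped from the binary.
ENC_PASSWORD = bytes([0x0D, 0x65, 0x27, 0x66, 0x31, 0x06, 0x66,
                      0x36, 0x27, 0x30, 0x21, 0x26, 0x74])


def decode_password(enc: bytes = ENC_PASSWORD) -> str:
    return xor_decode(enc, PASSWORD_KEY).decode("ascii")


if __name__ == "__main__":
    import sys
    # Pass a path to a real dropped file to scan it; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FILE
    payload = extract_payload(data)
    print("marker not found" if payload is None else f"payload: {payload[:64]!r}")
    print("password:", decode_password())
```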

Static Analysis Findings

Based on the static analysis, we can answer several questions:

  • 1. What user does the malware create?
    • RealSlimShady1337
  • 2. What is the password of the user created by the malware?
    • X0r3dS3crets!
  • 5. What domain does the malware try to connect to?
    • shadystealerconnect.tk
  • 6. In what process is it injecting information?
    • notepad.exe

0x04 Online Sandbox / Dynamic Analysis

To verify findings and retrieve the injected content, I used the 360 Online Sandbox.

Registry Activity

The sandbox report confirms the malware modifies the registry for persistence.

This allows us to answer the persistence questions:

  • 3. What persistence technique did the malware use?
    • T1547.001 (Registry Run Keys / Startup Folder)
  • 4. What is the value of the registry key added by the malware?
    • Shadiest

Memory Injection

The report also highlights memory modification in another process.

Looking at the injected string in memory reveals the flag:

  • 7. What is being injected?
    • FIN{50y0u41n7r34llysh4dy}