LummaC2 - Malware Analysis Lab

30 minute read

Technical Analysis of LummaC2 Injector

Overview (AI generated from video):


The video script discusses the analysis of new malware uploaded to Malware Bazaar, which poses as Turbo Tax Activation. It explores the GitHub repository and identifies suspicious elements, such as the need for an internet connection for activation. The script also demonstrates the process of debugging and analyzing the injected malware in two different processes.

Key Highlights

πŸ“Œ Malware uploaded to Malware Bazaar poses as Turbo Tax Activation.
🚩 Suspicious elements include the need for an internet connection for activation.
πŸ” Debugging and analysis of injected malware in two different processes.
🧩 Different versions of the malware are detected and analyzed.

Key Insights

πŸ•΅οΈ The malware is disguised as Turbo Tax Activation, a popular software in the United States, but exhibits suspicious behavior such as requiring an internet connection for activation.
πŸ”„ The malware is injected into two different processes, regasm.exe and bitLockerToGo.exe, indicating potential persistence and evasion techniques.
πŸ“₯ By using tools like PE bear and API monitoring, the analyst identifies indicators of injection, such as virtual alloc and resume thread, and discovers the injected payload in memory.
πŸ“ Analysis of the dumped payloads reveals that the malware is Luma C2, a stealer that targets various applications like Discord, Steam, and web browsers, aiming to steal sensitive information.
🌐 The malware establishes connections with command and control (C2) domains, indicating communication with the attacker’s infrastructure for potential data exfiltration or further instructions.
πŸ”¬ The use of tools like FLOSS and API Monitor provides deeper insights into the malware’s behavior, including the extraction of C2 domain names and API calls used for communication.
⚠️ The analysis highlights the importance of thorough debugging, reverse engineering, and monitoring techniques to uncover the true nature and potential impact of malware infections.

Transcript (AI generated from video):

00:00:00	let's take a look at some new malware uploaded to malware Bazaar so this has been uploaded by an anonymous user and they state that the password is 2024 they also provide a little bit more context so we can see that this has been downloaded from GitHub and it looks like it's a repository posing as Turbo Tax Activation so Turbo Tax is a piece of software in the United States that you can purchase and that will allow you to do your taxes easier as far as I know I'm not from the us if we actually review this repository it does look like
00:00:30	it's a user account that's just spamming the about section with information saying Turbo Tax Turbo Tax crack Turbo Tax download Turbo Tax tools etc etc it states that the activation requires internet connection and it also states that the script applies the registry lock method to activate obviously I don't know what this is and it requires internet at the time of Activation so this is a bit of a red flag in itself right any type of malware or Trojan or information stealer if it goes off is going to want to have internet
00:01:01	connection otherwise the attack is not going to be able to get the information now something else suspicious is that if you highlight over this download you will see that it's actually pointing to a completely different GitHub user account and a completely different repository and if we look at that even as of one hour ago there has been a new version that has been released so we now have this version that has been updated that has the password 2024 and it is version 1.8.4 by this user which one 2138 and
00:01:32	once again this is linked from the user cross undefined hands this is likely controlled by the same thread actor you will notice that this has 59 forks and 25 Stars at the time of video which is actually getting quite High For This cracked software particularly considering it contains malware so let's actually dive into this and see what it contains so I've gone ahead and downloaded both of these on the leftand side we have version 1.8.2 and on the right hand side we have version 1.8.4 the actual dlls in this directory and
00:02:03	files seem similar in both instances there is mention of a key gen a key file icon engine and even license terms and all of this seems the same but what seems completely different is the actual setup file so on the left hand side we can see that this one has the big Shield indicating that it's going to prompt the user with UAC to say hey do you want to give this admin rights and we can actually highlight over this and see that doesn't really have any information it is also a stock icon whereas on the
00:02:31	right hand side we have an icon that is the cat from GitHub the octocat and we also see that there is this any MP4 studio is the company which is completely bizarre because this is supposed to be nothing to do with MP4 software there is a good chance that this is going to be the executable that's actually a malicious now I want to get an idea of the capability of both of these so the first thing I'm going to do is just look at the Imports so I've gone ahead and used PE bear and I've loaded in version 1.8.2 and the new
00:02:59	1.8.4 the first thing that I see is that both of them seem to have a BSS section however one of these BSS sections seem different to the other BSS in itself is a normal section on PE binaries but on this one it seems to have an upper case which is a little bit strange so if we look at the Imports on both binaries we can see that the first one only Imports kernel 32.dll and it has a number of imported functions the second one however Imports kernel 32.dll and msvcrt.dll so this looks like it's been
00:03:30	created in a different way and the sizes are completely different as well one of these is quite large at 30 mbes and created with inos setup whereas the other one is only about 500 Koby what we will notice is that on both of them they have indications that injections going to be performed so on this one we can see virtual Alec virtual protect being called we can see suspend thread as well and we can see resume thread and we can see create thread but we don't actually see create process for example that
00:04:02	could be used to spawn a process create a new thread in that overwrite that thread and run them maare so what we actually have is a case where it looks like injections being performed on this one and if we look at the other one we do also see virtual Alec again but we see a lot less of some of the other Imports that we saw it is quite possible that there is injection going on where these apis aren't being seen that they are being cooled indirectly and not directly imported to the executable in this way it could be using alternate
00:04:33	versions so it might be using anti resume thread or anti create process or ZW create process as opposed to create process so these are all things that we need to keep in mind when we're doing some sort of analysis but it does look like it's performing injection so what I want to do is confirm that this is likely going to be injecting into another process now there's a couple of ways that we can do this we could use procmon we could use process hacker we could just keep an eye on processes to see whether anything new SP horns and to
00:05:01	do that I'm going to use a bit of a obscure manner but it will work and I just find it a little bit interesting to actually tap into Windows Telemetry so what I'm going to do is I'm going to create a Powershell script and this is going to subscribe to a cim indication event and from that I can then make an action occur and so this is going to essentially be waiting listening for indications that a new process has started and then I'm going to use that to actually tell me what process has started so let's dive into a Powershell
00:05:31	script and do this so I've created a Powershell script and I'm just going to walk through what it's essentially doing the first line isn't going to do anything unless we've actually run this before what it's trying to do is to unregister the cim indication event that we've registered now what is a cim indication event like I said you can subscribe to anything to do with Windows management instrumentation and actually get notified when things occur so for example you could actually subscribe and
00:05:56	understand when a registry modification event occurs or a process starts which is what we're going to do here so the action is defining what we want to occur when this new process has started so in this case I'm going to be monitoring for all processes that start and I just wanted to essentially write those details to the console here hi everyone it's j here from the future if you are playing around with registering cim indication events do not make it so that when you are tracking new processes
00:06:24	created that you spawn a new process because if you don't have some filter here on that action taking place you may end up in a world of hurt I'll leave a clip here that shows my experience with that so we run the script it does look like it's set to run there's nothing in this directory yet if I run calculator or something uh yes oh no oh dear God oh God oh dear God oh no oh no oh no it's triggering on itself oh no what have I done oh boy oh boy oh no oh no we need to kill process we need to kill this we need to kill
00:07:02	this oh my goodness I have got a variable that's defined its name and one of the things that's exposed through this register cim indication event is the event variable and from that you can actually derive the process name the process ID parent process ID and a bit more information but they're the main ones that I'm interested in but what it doesn't expose his information such as the command line or the parent process name it only has the parent process ID so what I've done is I've gone and got a
00:07:32	little bit more Telemetry with Powershell here in that after this occurs I'm just going to be extracting the command line based on the process ID so we understand the command line of the process that's run as well then I'm also going to get the parent process name based on the identifier so the process ID that has spawned here as well and I'm basically just using the get cim instance using the win32 process and then I'm specifying that the process IDE has to be equal to the parent process ID that was exposed in our cim callback so
00:08:05	then we also will just get the command line associated with the parent process as well I could get the parent process name but I've gone with the command line at this point in time what I'm going to do is actually just run this and straight away you'll notice okay it says that this process started doesn't exist that's because it trying to unregister something that doesn't exist but if we don't have this in and we've run this before we're going to get clashes with it trying to create a new Source
00:08:30	identifier so a new Trace with the name process started when there is already one called process started here so it's currently running and it's just keeping an eye on processes that run so if I was to open up something like the calculator on Windows you will notice that my terminal now gets populated and it does show okay a new processor started dcom has launched calculator then we also see all these other processes that are happening and they're just things that are occurring in the background on my
00:08:55	Windows operating system so one of the things that I want to do now is actually run the malware that's going to give me a bit of an idea on whether that malware is spawning any other processes I'm going to do it for both because we've got a bit of an idea of the parent process situation here so I should be able to run both pieces of malware and see what's happening so I'm going to run setup.exe you'll see consent spawns because that's the UAC prompt on Windows if you see consent.exe it means that a
00:09:18	UAC prompt has popped up and then we can see that regasm.exe runs so that's a bit interesting you'll notice that it didn't actually capture the command line information as well so there's a good chance that this actually ran so quickly and terminated that we don't actually get any idea on the parent process or the current command line of this so there's a good chance that that is going to be injected into so it does look like this is injecting into the process regasm.exe and I really want to understand what that is but let's look
00:09:48	at the second variant to see if it's any different so run the second variant we can see that it launched from explorer.exe and at the moment it doesn't look like anything's occur but malware authors are a bit tricky they may have included some sort of timeout or some sort of delay oh and now straight away we see bit Locker too. exe spawns so now we have a indication that bit Locker to go is likely being injected into here and we see that same thing where it's not getting the command line so it actually ran so quickly that
00:10:16	we weren't able to execute this next part of the Powershell because there is a ever so slight delay when you run a process I think it's about a second so you run a process and a second later you get that call back so from that cim indication event that notifies that the process has run but there is that 1 second delay but we can see that bit Locker to go has spawned as well so these are the two processes that I really want to focus my efforts because it does look like it's injecting into these two different processors and
00:10:42	exactly what it's injecting into it we don't know yet so let's dive in the first thing to note is that setup.exe here is a 32-bit process the other version is a 64-bit process so that tells us that one of these is going to be running 64-bit operating system code and the other is 32-bit operating system code and all that does is mean that we have to use probably the right tool for the job to make sure that we are debugging in 32-bit version or 64-bit version respectively so for the first one I'm going to use X32 debug and what
00:11:14	I'm going to do is I'm going to spawn the process so selected setup and I want to include some break points the break points that I'm really interested in here because we didn't see any indication of particular apis being used I want to know if I can add a break point to something like anti resume thread because resuming the thread is what's going to have to happen if certain types of injection is occurring so let's do breakpoint on N resume thread and it looks like it has added a breakpoint and the other thing is that
00:11:44	it might be using Create process but it's not using Create process imported so maybe it's using ENT create process or ZW create process so I'm going to create break points on that as well so we got one on N create process and we got one on Z W create process so we've got ZW create process n resume thread and that is also accounting for the N create process there as well so let's give this a bit of a well I'm going to run the malware and we are at the entry breakpoint I'm going to click continue we can see okay it's now hit a
00:12:16	break point at n resume thread we can actually look to see if reg ASM has spawned and it looks like reg ASM has actually spawned so we can see this new process has started and we actually captured the parent command line in this case so now we've got a case where it's spawned and it's right before the thread is resumed so let's actually take a bit of a look at that process because that might actually now contain the payload in its memory so I really want to use one of the plugins that is included
00:12:46	within flare VM and is very useful which is Skiller so if we use plugins and we use Skiller one of the things that we can do is actually choose the process we're interested in so we can see a bunch of different processes in this case it is regasm.exe and if we click file we can look at dumping specific memory or specific sections so if we go dump memory and take a look we can actually see that one part of the memory at address 0x 400,000 it is actually set with execute read WR if this is execute read write there's a
00:13:16	good chance that this is the section of memory that has been injected into because without the ability to read write and execute a particular section in memory you're not going to be able to actually inject your payload and there is actually this dump PE that we can use here which makes this really quite useful so I'm going to specify this address and hit dump PE and I'm going to save this to Reg ASM dump. exe and now if I look on the desktop there does seem to be 306 KOB file which is reg ASM dump. exe this might actually be the
00:13:45	injected code one of the things that I'm going to do is run fake net because I want to understand whether this has been dumped in an executable format that I can actually run or not and if I do run it and it has been dumped in that format doesn't make any kind of nwor connections we could have done this Dynamic analysis to begin with but I've decided to be a little bit of a pain here and do it in this way so now that we've got this dumped let's see ooh interesting we've now run the dumped process and it says do you want run a
00:14:13	malware now this is actually a good sign that this is going to be lumac C2 because Luma C2 enforces a crypter on people that are using the malware so if it isn't packed and encrypted in some kind of way shape or form and is running in its raw format like this it prompts with the message do you want to run a malware now I'm a bit of a daredevil so I want to run the malware and straight away you'll notice that it makes a number of connections so there is a DNS request for this PW domain we do see a
00:14:42	bunch of do shop domains that it's connected back to as well so these seem to be the command and control domains associated with this malware so now we've got possibility that this is Luma malware but we're still not 100% sure one of the things that we can do is use floss which is the flare obvious skated St ring solver and this is created by the team at flare the fire ey Labs Advanced reverse engineering team so let's actually give this a shot I'm going to specify floss against reg ASM dump. exe now floss it can be seen as
00:15:12	strings on steroids in that it's going to be getting a lot more information than just the strings binary will get it's going to understand some of the obfuscated strings that are being built on the stack and it's also going to bring some of them to light as well so it's really quite a powerful tool creat by the team so let's see what comes back using the floss utility against this now dumped binary and we can begin to see stuff that looks like user agent strings we can begin to see stuff that looks
00:15:39	like it's targeting Thunderbird and steam and we do see this mention of configuration this buy now on telegram that is Luma no work and there seems to be a Luma C2 build that is May 25th 2024 so this now gives us a good idea that this is actually the Luma C2 Steeler we know that this is targeting Discord and we can see that it's targeting valve so it's targeting Steam and probably a bunch of other things that we were able to pull out from this binary of Interest Luma C2 does generally have a Tesla
00:16:12	browser user agent however it does look like maybe this is changed in later builds or is customizable because we see a static string mentioned for the user agent that is no longer something that is severely obvious to us nonetheless it does look like the end result of this cracked piece piece of software at least the previous version is dumping Luma stealer into memory and then that's going to go and steal parts of information from your system it's going to steal your passwords your credentials
00:16:40	your sessions anything else so let's take a look at now the second version and see if it's any different this time I'm going to open up x64 debug because this one is a 64-bit executable as opposed to a 32-bit executable so I'm going to use the right tool for the job so I'm going to go ahead and open up that next version this git softwares and this setup version now once again we might need to Define some break points because we haven't actually got the break points set for the process injection that's likely going to be
00:17:07	occurring but in this case we did have things that were a bit more common so we could probably do it on resume thread maybe we can do entty create process and it does look like that's there as well so now let's go ahead and run this malware and see whether we capture anything or it breaks at the right moment to figure out what's going to be dropped into this process memory remember that this one is actually going to be connecting through the bit Locker to go executable as opposed to the regge ASM executable so I'm going to go ahead
00:17:39	and run the malware and it does look like we have probably the initial tless callbacks that's fine let's get through that the entry breakpoint let's get through that and now we've hit resume thread let's see if any process has spawned and in this case it doesn't look like a new process has spawned yet so we haven't actually seen evidence of that bit Locker to go spawning I am just going to use use the plug-in Skiller and see if we have anything running and it doesn't look like we do that is the bit
00:18:05	Locker to go I'm also going to confirm that this isn't a 32-bit process and it also doesn't look like it's run yet so let's continue running the malware remembering that there was actually a bit of time that we had to wait before the bit Locker process ran 3 hours later and so I can actually see that this bit Locker Discovery volume contents bit Locker to go executable has now spawned and we've hit a break point on that resume thread as well so there's a good chance that this has actually been injected into but it may not have been
00:18:32	the only way we'll know is if we actually dump it and take a look once again I've got Skiller open but this is Skiller in the 32-bit version so we did have a 64-bit executable and as part of the unpacking and injection routine is injecting into a 32bit process so we do have to use the Skiller x86 version that's within the X32 debug as opposed to the x640 buug so I'm going to dump bit Locker to go I'm going to dump the memory and let's see if we've got any kind of execute read right so we've got
00:19:01	execute read and we've got execute read right here and I'm just going to name it bit Locker to goore dump exit it has an invalid PE file or invalid PE header try reading PE header from the disk slpress and so a useful tool that we can use here is process hacker I've actually opened up the bit Locker to go memory space here and we can see that there is that read ride execute and this is about 352 Koby that has actually been allocated to this which gives us an idea that this is around the same size of the
00:19:31	injected payload that we saw before but the difference is if we actually look at this we will see the memory space is empty so there is absolutely no bies that are currently within this process memory space so this gives us a bit of an idea that it hasn't yet wrode the bytes to memory and we're going to need the bytes to be written to memory otherwise we're not going to be able to dump this from memory so what I'm going to do is see if I can create a breakpoint on right process memory and it says that I have been able to do that
00:19:58	so let's actually run the M again resume thread we keep hitting resume thread you can see the hits go up as we do this I'm actually going to disable that for the point in time and resume and it does look like we've actually hit right process memory now there's a good chance that what it's doing is writing those bytes so that it can be injected into that process and if we actually look and we follow this in dump we can see that there is an MZ header that is going to be written to the process memory so this
00:20:24	is likely the entirety of that and what I can do is before it resumes that thread we can actually now enable the resume thread breakpoint again we're going to enable that we're going to step over this function so it writes the processes to the memory space so we can see that in the call here where it's writing those process bytes is writing them to this 28b with all the zeros and we know that this is actually the Base address that we were going to have our byes written to so this is what was empty that 28b with all the zeros so now
00:20:58	it's going to be writing those B BS into this process memory it hasn't done it yet as we can see here so there are some calls we can see entty query virtual memory here but now that the call to entty WR virtual memory has been called so we could create a breakpoint on that in the future as well we do actually see that the bytes have been written into the bit Locker to go process memory so we have that MZ header and we have all the bytes here so now what we can do is actually dump that because that's really
00:21:24	what we want because that is the PE file now we can use the same thing we can use Skiller in order to do this we could probably even do it here by basically just specifying save or actually going in and copying the entirety of this file so we can save this as the bit Locker to go and replace it and now we actually have 352 bytes on the endpoint this isn't necessarily the PE file there might be other parts in this memory that's allocated that are actually not part of the PE file if we were to use
00:21:51	something like Skiller so with the 32bit we go plugins we go Skiller we specify the bit Locker to go process then we go file dump memory and we find that memory that we had that has execute read right which was this one page execute read right we do that dump PE and we actually specify this as the bit Locker to go executable we're going to name it the dump so we know and now we've actually dumped that file and if we look on the endpoint this is actually 305 kiloby so you can see the difference between
00:22:18	dumping it just manually through process hacker in that way and actually dumping it through something like skill up now we actually have the dump here let's see if it is the same you run a malware now we've got a good idea idea that this is actually running probably the same malware Luma C2 and we've still got fake net running as we can see here if we actually run the malware we can see connections back to the same C2 domains that we saw before and I'm sure if we actually ran a command prompt and ran
00:22:43	floss on this we would probably find that this is the exact same payload that was in version 1.8.2 except this is the version 1.8.4 still delivering the same malware and not actually being this cracked software and we can see the similar things we can see a similar user agent we can see also here evidence of stealing cookies from web browsers we can see stealing emails Discord mentioned the clipboard. txt we can see Luma C2 built on the exact same day so it is the same malware build here and we can actually see that it's
00:23:17	extracted some C2 information so one of the domains the cat laac jelly o WPS do shop has actually come out now with floss and all this other information so we've got a good idea that this is deploying lumac C2 into the memory as well here we could actually monitor the API calls to get more information about where this is connecting back to we know that this is connecting back to the domain but there is actually something that it would want to post to that domain or make a get request to a particular URL endpoint we can actually
00:23:50	look and see that both of these files are 32-bit so we have 32-bit payload here and we have a 32-bit payload here so one of the tools I want to use is API monitor Now API monitor is a fantastic tool that's created that is quite powerful in that it's able to monitor different API calls that an executable makes and what's being passed to those API calls you will have to enable whatever you want on the left hand side here for a starting point I like to enable everything just so that I can start with all the information and
00:24:21	filter back as opposed to missing something now I can choose a process to Monitor and I want to monitor the reg ASM and then also the bit Locker to go dump because they are what we've dumped from the process memory and we are able to actually just run these because we've dumped them correct so let's say we want to do red JSM dump do you want to run a malware yes thank you I want to build that snowman now I'm also going to choose the bit Locker to go dump and I want to run a malware and you'll see
00:24:45	that the calls have stopped very quickly so even though this is the malware there is a good chance that this does what it needs to do and stops terminates and that's what we actually saw in the behavior in the initial aspects of our analysis so if I take a look at the API call we can see that there are standard reads on different things there's a lot on this app help so I am going to filter out this I'm going to just go exclude and I'm going to exclude the API calling module name yeah let's do the calling
00:25:11	module name so we can see the loading of particular DLS and this kind of Unicode string is going to allow us to get a lot more information when we're doing analysis in this fashion once again we can see share cred with HTTP this has all come through this RTL in it Unicode string so I might actually want to just include that API let's include that API name and straight away we get more information on what may be happening but it hasn't actually given us the C2 information so now we might actually
00:25:37	need to change our filter just a little bit to get that back and so the way to do that is we can go filter and we can look at our display filter and we can just clear that and say Yes clear that filter and we're back to starting point now because we actually did see the C2 domains and we want to get that information let's actually look for those one of those connected to this ReliOn flu . shop what I'm going to do is I'm going to do a find and we're going to look for that and we actually found it pretty quickly and so this is
00:26:05	using the ipv for string to address exw so this seems to be checking to see ipv4 and IPv6 addresses we could actually filter just based on that or we could actually only include that module so the module that we have here is the win httpd which is a bit interesting so I'm just going to include that and straight away we see all of the C2 domains here but we don't see exactly what it's connecting back to and so if I clear my display filter here now you can see this RTL Unicode to utf8 n now this is more
00:26:37	interesting if I was to only include this let's say this API now we can actually see evidence of the end points that this is connecting back to so we can see that it is connecting back to this/ API and that is consistent across all of the activity that we see here and we see the same on the other execution so now we have a good idea on what this is connecting back to and also the command and control domains associated with these malware and we also know that it's being injected into two different
00:27:06	processes regasm.exe and the bit Locker to go executable we also had a bit of fun using cim indication events to notify when a process starts but that's it that's all I wanted to show you today thanks so much for sticking in please give us a like subscribe the video is free didn't cost you anything if you have any thoughts feelings comments anything else please leave them in the comment section below and I will catch you next time time