| ID | X0040 |
| Type | Downloader |
| Aliases | None |
| Platforms | Windows |
| Year | 2021 |
A commercial loader that consists of 2 stages used to download and execute payloads.
| Name | Use |
|---|---|
| Privilege Escalation::Process Injection::Dynamic-Link Library Injection (T1055.001) | Malware loads every part of the malware from different DLLs. [1] [2] |
| Defense Evasion::System Binary Proxy Execution::Regsvr32 (T1218.010) | Malware downloads a DLL from a remote server and launches it through regsvr32. In some cases, the loader saves the payload as an .ocx extension. [1] [2] |
| Discovery::File and Directory Discovery (T1083) | Malware queries target computer for a target folder. [1] |
| Execution::Scheduled Task/Job::Scheduled Task (T1053.005) | Malware schedules a task to execute regsvr32.exe every 3 minutes. [1] |
| Discovery::System Location Discovery::System Language Discovery (T1614.001) | Malware checks the language ID for the victim computer's language. If the language is part of the Commonwealth of Independent States (CIS), then the malware terminates. [2] |
| Discovery::Query Registry (T1012) | Malware loader retrieves the network domain name and computer name. [2] |
| Discovery::System Information Discovery (T1082) | Malware loader collects the full path of the process running the loader, basic CPU information, machine architecture, number of processors, victim logon server's name, RAM size, DNS domain, and MAC address. [2] |
| Persistence::Create or Modify System Process::Windows Service (T1543.003) | Malware loader creates a new instance of explorer.exe. [2] |
| Execution::Command and Scripting Interpreter::Windows Command Shell (T1059.003) | Malware loader runs cmd.exe to start payload with admin privileges. The loader can also act like a bot. [2] |
| Defense Evasion::System Binary Proxy Execution::Rundll32 (T1218.011) | Malware loader executes DLLs by using rundll32.exe. [2] |
| Execution::Command and Scripting Interpreter::PowerShell (T1059.001) | Malware loader can run PowerShell commands. [2] |
| Name | Use |
|---|---|
| Defense Evasion::Hidden Files and Directories::Location (F0005.002) | The malware searches for a target folder on the victim. If the target folder doesn't exist, the malware creates the folder by calling CreateDirectoryA and downloads the remote file into the new folder. [1] |
| Defense Evasion::Hidden Files and Directories::Extension (F0005.001) | The malware appends the filename and the extension .ocx to the ProgramData folder path. [1] |
| Command and Control::Ingress Tool Transfer (E1105) | The malware downloads DLLs from a hardcoded URL/remote server. [1] |
| Discovery::File and Directory Discovery (E1083) | The malware verifies that the working folder from the first stage loader exists on the system. The malware checks for the path for the Opera web browser; if it exists, the malware exits. [1] [2] |
| Collection::Archive Collected Data::Encoding-Standard Encoding (E1560.m03) | The malware sends data as a Base64 string of JSON. [2] |
| Name | Use |
|---|---|
| Anti-Behavioral Analysis::Virtual Machine Detection::Check Processes (B0009.003) | Malware checks if it is running in a sandbox. If it is running in a sandbox, the malware exits. [1] |
| Process::Check Mutex (C0043) | Malware checks if multiple instances of the same mutex is running. If multiple instances are running, the malware exits. [1] |
| Anti-Behavioral Analysis::Capture Evasion::Multiple Stages of Loaders (B0036.003) | Malware consists of 2 loaders. [2] |
| Execution::Install Additional Program (B0023) | Malware drops the first loader which is responsible for loading the main loader into memory. [1] |
| Anti-Static Analysis::Executable Code Obfuscation::API Hashing (B0032.001) | The function to import APIs uses a hash value and the DLL name of the target API. The API address returned from the function is stored into a global variance. API calls are obfuscated in the same manner as the stack strings and are resolved dynamically as the malware needs to use them. The malware encodes data in a stack string and copies that data into a global character buffer as a form of string obfuscation. [1] [2] |
| Anti-Static Analysis::Executable Code Obfuscation::Stack Strings (B0032.017) | The malware encodes data in a stack string and copies that data into a global character buffer as a form of string obfuscation. Different techniques are used to encrypt and obfuscate strings. Strings are dynamically decrypted when the malware needs to use them. [1] [2] |
| Anti-Static Analysis::Executable Code Obfuscation::Entry Point Obfuscation (B0032.009) | The malware has 4 different export functions. [1] |
| Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount (B0001.032) | The malware calls GetTickCount64 to retrieve timestamp. The malware executes Sleep and Beep in a repeated loop for 10 times. [1] |
| Anti-Behavioral Analysis::Capture Evasion::Memory-Only Payload (B0036.001) | Malware downloads multiple payloads (as files and DLLs) that are stored in a memory buffer. [1] [2] |
| Cryptography::Encrypt Data::RC4 (C0027.009) | Malware loader decrypts inner configurations (C2 server address, C2 server's gate, and a string for the RC4 encryption key for communication between the malware and the C2 server) stored in the binary. The malware also encrypts the value of each JSON key with RC4 and encodes the value with Base64. [2] |
| Command and Control::C2 Communication::Send Data (B0030.001) | Malware sends collected data about the system to C2 server. [2] |
| Execution::Remote Commands::Sleep (B0011.005) | If malware fails to send its collected data, then it sleeps. If the malware fails to execute any command, it sleeps for 4 minutes. [2] |
| Command and Control::C2 Communication::Receive Data (B0030.002) | C2 server returns Base64 encoded data containing the information about the next command for the loader. [2] |
| Command and Control::C2 Communication::Execute File (B0030.013) | The payload is run by explorer.exe, potentially with parameters. [2] |
| Execution::Remote Commands::Uninstall (B0011.006) | Malware loader can uninstall itself from the victim computer. [2] |
[1] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[2] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader