Unpacking ASProtect malware

Ciph3r
3 min read · Apr 18, 2022


I came across a malware sample while browsing any.run. I thought I would give reversing it a try, so I downloaded the sample and started working on it. The tools I used for this are Detect It Easy and Procmon. I did everything by analyzing the logs.

I used DIE to check whether a packer was used. I thought I might get lucky and Detect It Easy would identify the packer. I was right.

Detect It Easy identified the packer used. I tried opening the sample in Ghidra and there were no functions, not even a stub. Not going to lie, I still do not know why there was no assembly. I thought I would try a different approach.

So I ran the malware and captured the events with Procmon. I saw that the malware starts an “AppLaunch.exe” and then exits.

Starting AppLaunch.exe

So I hooked AppLaunch.exe and just read through the logs. After going through the entire log file, I found that it downloads an exe from Discord called Starter.exe. It also communicates with a C2 server. Since the traffic was mostly plain text, I was able to capture the packets, but that is out of scope for this post. The packets mostly contained system info such as installed software, available browsers, CPU and GPU info, etc. Here are the two Discord links that the malware used:

https://cdn.discordapp.com/attachments/941913992258007105/951157895477727232/build.exe

https://cdn.discordapp.com/attachments/941913992258007105/951172439352692746/Starter.exe

After doing some other things it tries to start the exe called Starter.exe, which is a .NET binary.
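As an added example (not the author's tooling and not code from the sample), here is a Python script that turns the behaviour described above into detection rules run over a Process Monitor CSV export: a process launching the .NET Framework host AppLaunch.exe, a worker process connecting to cdn.discordapp.com, and an executable written to and then started from the user's Temp directory. It also rebuilds the parent-to-child process chain from the Process Create events. The log rows, PIDs, local paths and the sample.exe name are all constructed for this example; only the host name and the AppLaunch.exe / Starter.exe names come from the post.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed Process Monitor CSV export (standard procmon column layout);
# these rows are made up for the example, not taken from the post's log.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.0001","sample.exe","4120","Process Create","C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe","SUCCESS","PID: 4388, Command line: AppLaunch.exe"
"12:00:01.0500","sample.exe","4120","Process Exit","","SUCCESS","Exit Status: 0"
"12:00:02.1000","AppLaunch.exe","4388","TCP Connect","host-pc:49712 -> cdn.discordapp.com:https","SUCCESS","Length: 0"
"12:00:03.2000","AppLaunch.exe","4388","CreateFile","C:\\Users\\user\\AppData\\Local\\Temp\\Starter.exe","SUCCESS","Desired Access: Generic Write"
"12:00:04.0000","AppLaunch.exe","4388","Process Create","C:\\Users\\user\\AppData\\Local\\Temp\\Starter.exe","SUCCESS","PID: 4500, Command line: Starter.exe"
"12:00:05.0000","Starter.exe","4500","TCP Connect","host-pc:49720 -> github.com:https","SUCCESS","Length: 0"
"12:00:06.0000","explorer.exe","1234","CreateFile","C:\\Users\\user\\Documents\\notes.txt","SUCCESS","Desired Access: Generic Read"
"""

# The post names cdn.discordapp.com as the download location for Starter.exe.
SUSPICIOUS_HOSTS = ("cdn.discordapp.com",)
# AppLaunch.exe is a legitimate .NET Framework host binary; a non-.NET process
# spawning it is worth a look, as the post's sample does exactly that.
DOTNET_HOST_BINARIES = ("applaunch.exe",)
# User-writable directories a dropped payload is typically written to.
WRITABLE_DROP_DIRS = ("\\appdata\\local\\temp\\",)


@dataclass
class Finding:
    rule: str
    process: str
    pid: str
    detail: str


def parse_procmon_csv(text):
    """Parse a procmon CSV export into a list of row dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def remote_host(path):
    """Remote host from a procmon network path ('local:port -> remote:port')."""
    if "->" not in path:
        return ""
    remote = path.split("->", 1)[1].strip()
    return remote.rsplit(":", 1)[0].lower()


def in_drop_dir(path):
    return any(d in path.lower() for d in WRITABLE_DROP_DIRS)


def analyze(text):
    """Apply the behavioural rules to every row; return findings in log order."""
    findings = []
    for row in parse_procmon_csv(text):
        op, proc, pid, path = row["Operation"], row["Process Name"], row["PID"], row["Path"]
        if op == "Process Create" and basename(path) in DOTNET_HOST_BINARIES:
            findings.append(Finding("dotnet-host-launch", proc, pid, f"{proc} started {basename(path)}"))
        if op == "TCP Connect" and remote_host(path).endswith(SUSPICIOUS_HOSTS):
            findings.append(Finding("cdn-download", proc, pid, remote_host(path)))
        if (op == "CreateFile" and path.lower().endswith(".exe")
                and "Generic Write" in row["Detail"] and in_drop_dir(path)):
            findings.append(Finding("exe-dropped", proc, pid, path))
        if op == "Process Create" and in_drop_dir(path):
            findings.append(Finding("exec-from-temp", proc, pid, path))
    return findings


def process_chain(text):
    """Rebuild (parent, child) edges from Process Create events.

    The child's PID is only in the Detail column ('PID: 4388, ...'), so it is
    parsed out with a regex; the child's name is the image basename in Path.
    """
    edges = []
    for row in parse_procmon_csv(text):
        if row["Operation"] != "Process Create":
            continue
        if not re.search(r"PID:\s*\d+", row["Detail"]):
            continue
        edges.append((row["Process Name"].lower(), basename(row["Path"])))
    return edges


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCMON_CSV):
        print(f"[{f.rule}] {f.process} (PID {f.pid}): {f.detail}")
    print("process chain:", " -> ".join([process_chain(SAMPLE_PROCMON_CSV)[0][0]]
                                        + [c for _, c in process_chain(SAMPLE_PROCMON_CSV)]))
```

Run against a real export, replace SAMPLE_PROCMON_CSV with the file contents (File > Save as CSV in Procmon, with the same default columns); the rules are deliberately narrow and keyed to this sample's behaviour rather than being general-purpose signatures.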

I used dnSpy to reverse engineer Starter.exe. It was a quite simple binary. Its basic job is to run some basic checks. First the malware checks the RAM and VRAM; if they are too low, it exits. Then it checks for running processes such as vboxtray, vboxservice, etc. If it finds one of those, it exits. If not, it decrypts and runs an encrypted payload.

After that it decrypts a string, which is the link to the malware. It downloads the miner and creates a process. This is the decrypted link:

https://github.com/lalakara31/asodajs/raw/main/MainModule.exe

I made a simple decryptor in C#. It is available here: https://github.com/cipher1234/kiba . The sample can be found here: https://app.any.run/tasks/5e6a2873-8b83-44f2-8356-0ad6060b1be8/
