Analysis of a DLL Downloader

Summary

  • SHA256: dedb8516befa4a5088000b8c7f699dae7f33761403dd355a14684ac89ff56a9a
  • Filename: Unknown
  • Filetype: DLL
  • File size: 39KB

From here on, the above DLL will be referred to as “downloader.dll”. The file is capable of:

  • Downloading files
  • Interacting with a C2 server

Malware Overview

This is an older file that was first identified around October 2021.

Downloader.dll is a downloader that retrieves a file from a hardcoded command and control (C2) server. A follow-on stage was not identified.

The file disguises itself as an extension for Foxit Reader. Foxit is a software company that develops document formatting tools and is based in the U.S. and China.

Figure 1

Upon running the DLL, a request is made to online-manual.c1[.]biz, and a file is downloaded to %TEMP%. Looking at the strings output of the file, there is a large base64-encoded string that, when decoded, is a batch file, shown below.

@echo off

cd /d %TEMP%
:WAITING
timeout /t 1
if not exist "a.log" (goto WAITING)
del /f /q "a.log"
install.bat
del /f /q "%~dpnx0"

Again analyzing just the strings, we see a call to run the batch file via the following command:

cmd /c cd /d "%TEMP%" && temp.bat

One can only assume that the downloaded file is processed by another command run from the DLL:

cmd /c expand "%s" -F:* "%s" && del /f /q "%s" && echo OK > a.log

The “%s” placeholders are format specifiers that are likely filled in with the path of the downloaded file at runtime. We can see from the above output that the file is deleted once the command completes, and that “OK” is written to a.log, the marker file the batch script above waits for before running install.bat.

Network Indicators

The above infrastructure was tied to a possible Konni campaign by Black Lotus Labs in late November 2021.

Strings

  • online-manual.c1.biz
  • cmd /c expand "%s" -F:* "%s" && del /f /q "%s" && echo OK > a.log
  • /index.php?user_id=765&type=%d
  • \temp.bat
  • cmd /c cd /d "%TEMP%" && temp.bat
  • QGVjaG8gb2ZmDQoNCmNkIC9kICVURU1QJQ0KOldBSVRJTkcNCnRpbWVvdXQgL3QgMQ0KaWYgbm90IGV4aXN0ICJhLmxvZyIgKGdvdG8gV0FJVElORykNCmRlbCAvZiAvcSAiYS5sb2ciDQppbnN0YWxsLmJhdA0KZGVsIC9mIC9xICIlfmRwbngwIg==
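As an added example (not code from the original post), the following Python script automates the decoding step described above: it scans a strings dump for long base64 runs, decodes them, and flags any that decode to a batch script. The sample input is constructed from the strings listed above; the SHA256 hash is included only as a decoy hex run that must be rejected.

```python
import base64
import binascii
import re

# Markers that make a decoded blob look like a Windows batch script.
BATCH_MARKERS = ("@echo off", "cd /d", "%TEMP%", "goto ", "del /f /q", "timeout /t")
# Candidate base64 runs: long enough to be worth decoding, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample input: the strings from this post laid out as a `strings`-style
# dump, plus the file's SHA256 as a decoy (a long hex run that is not base64 text).
SAMPLE_STRINGS = """\
dedb8516befa4a5088000b8c7f699dae7f33761403dd355a14684ac89ff56a9a
online-manual.c1.biz
cmd /c expand "%s" -F:* "%s" && del /f /q "%s" && echo OK > a.log
/index.php?user_id=765&type=%d
\\temp.bat
cmd /c cd /d "%TEMP%" && temp.bat
QGVjaG8gb2ZmDQoNCmNkIC9kICVURU1QJQ0KOldBSVRJTkcNCnRpbWVvdXQgL3QgMQ0KaWYgbm90IGV4aXN0ICJhLmxvZyIgKGdvdG8gV0FJVElORykNCmRlbCAvZiAvcSAiYS5sb2ciDQppbnN0YWxsLmJhdA0KZGVsIC9mIC9xICIlfmRwbngwIg==
"""


def decode_candidate(token):
    """Decode one base64 run; return the text only if it is ASCII and printable."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64, or decodes to binary rather than text
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_embedded_scripts(strings_output):
    """Return [(decoded_text, matched_markers)] for runs that decode to batch-like text."""
    hits = []
    for line in strings_output.splitlines():
        for token in B64_RE.findall(line):
            text = decode_candidate(token)
            if text is None:
                continue
            markers = [m for m in BATCH_MARKERS if m in text]
            if len(markers) >= 2:  # require two markers to avoid flagging ordinary text
                hits.append((text, markers))
    return hits


if __name__ == "__main__":
    for text, markers in find_embedded_scripts(SAMPLE_STRINGS):
        print("batch markers:", ", ".join(markers))
        print(text.replace("\r\n", "\n"))
```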

Basic Snort/Suricata Rule

# The seconds window (60) and sid (999999) are placeholders; adjust before use
alert tcp $HOME_NET any -> any any (msg:"Probably shouldn't run in production. Possible Konni DLL download URL"; content:"index.php?user_id="; content:"&type="; threshold:type limit, track by_src, count 1, seconds 60; sid:999999; rev:1;)

Unfortunately, the C2 is likely no longer active, and this sample crashes when run in a sandbox. Still, this is an interesting sample that is likely tied to Konni, and learning occurred, so that is always a win!

Thank you for reading.
