0xHasi2026-03-01T12:06:15+00:00https://lehasas.github.ioLehasa SeoeValleyRAT (Part 1): Static Analysis - From Go Loader to Decrypted Implant2026-02-28T00:00:00+00:00https://lehasas.github.io/valleyrat-part-1-static-analysis<p>This write-up documents my static analysis of the sample <a href="https://malops.io/challenges/valleyrat"><em>ValleyRAT</em></a> from MalOps. The goal was to understand what the binary does without leaning on dynamic analysis, packet capture, or full behavioral emulation. I stuck to triage, disassembly, and payload extraction to build a narrative while answering the challenge questions.</p>
<p>I noticed that the sample used a binary protocol for C2 communication, so this write-up does not cover protocol analysis or network emulation. I will cover that in <strong>Part 2</strong>.</p>
<blockquote>
<p>Safety note: all analysis was done in an isolated lab. Don’t run unknown samples on a host you care about.</p>
</blockquote>
<h2 id="1-string-analysis--initial-triage">1. String Analysis / Initial Triage</h2>
<p>I started with basic triage: <strong>FLOSS + PE Studio</strong>. The goal was to form hypotheses before touching a disassembler.</p>
<h3 id="11-floss-output-go-build-fingerprinting">1.1 FLOSS Output: Go Build Fingerprinting</h3>
<p>FLOSS immediately suggested a <strong>Go v1.20-compiled</strong> binary:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-string-analysis/1-floss-challenge.png" alt="Running floss against the challenge binary" /></p>
<p>Opening the file we dumped the strings to, we then see a Go toolchain fingerprint confirming the above observation:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-string-analysis/2-toolchain-strings.png" alt="Go compiler toolchain strings" /></p>
<p>At this point, my default “Go malware” mental model kicked in: minimal imports and runtime API resolution.</p>
<h3 id="12-high-level-capability-hypotheses-from-strings">1.2 High-level Capability Hypotheses from Strings</h3>
<p>From raw strings alone, the sample looked like it could do:</p>
<ul>
<li>Filesystem/ Path Operations</li>
<li>Windows Registry Interaction</li>
<li>Network Activity Interaction</li>
<li>Process/ Thread primitives (to be confirmed)</li>
</ul>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-string-analysis/3-observed-capabilities.png" alt="Observed capabilities" /></p>
<p>One string that stood out is:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">./loader.go</code></li>
</ul>
<p>This is not proof by itself, but it is a strong signal that this was built from a Go project with an explicit loader component.</p>
<h3 id="13-persistence-indicator">1.3 Persistence Indicator</h3>
<p>A very strong persistence indicator appeared directly:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-string-analysis/4-registry-run-persistance.png" alt="Registry run key" /></p>
<p>This indicates Run key persistence<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>, which immediately becomes a working hypothesis:</p>
<blockquote>
<p>The sample persists by adding itself to the Run key.</p>
</blockquote>
<h3 id="14-imports-minimal-footprint">1.4 Imports: Minimal Footprint</h3>
<p>The import footprint was small (just <code class="language-plaintext highlighter-rouge">Kernel32.dll</code>), which matches the “resolve everything dynamically” style that shows up in many loader stubs.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-string-analysis/5-library-imports.png" alt="Library imports" /></p>
<p>By the end of triage, the model I wanted to prove was:</p>
<ul>
<li>Go Loader Stub</li>
<li>Persistence via Run key</li>
<li>Embedded Encrypted Payload</li>
<li>Decrypt -> Allocate -> Execute in-memory Pattern</li>
</ul>
<h2 id="2-disassembly--entrypoint-investigation-go-runtime">2. Disassembly / Entrypoint Investigation (Go Runtime)</h2>
<h3 id="21-cutter-early-crypto-hints">2.1 Cutter: Early Crypto Hints</h3>
<p>I like Cutter’s Overview tab, so to start the journey, we’ll look at it first:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-disassembly/1-cutter-overview.png" alt="Sample's Cutter Overview" /></p>
<p>Initial analysis flagged crypto-relevant code paths, which lined up with the embedded-payload hypothesis.</p>
<h3 id="22-ghidra-entrypoint---go-runtime---mainmain">2.2 Ghidra: Entrypoint -> Go Runtime -> <code class="language-plaintext highlighter-rouge">main.main</code></h3>
<p>In Ghidra, following the PE entrypoint landed us in the standard Go startup (<code class="language-plaintext highlighter-rouge">runtime.rt0_go</code> and friends). The important part is that the runtime eventually scheduled and called the program logic via <code class="language-plaintext highlighter-rouge">main.main</code>.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-disassembly/2-main-main.png" alt="Sample's Cutter Overview" /></p>
<p>So <code class="language-plaintext highlighter-rouge">main.main</code> is the true behavioral start of this sample, not the raw entrypoint. We can also see the previously noted <code class="language-plaintext highlighter-rouge">./loader.go</code> string, which suggests this address maps to line 67 in the original Go source.</p>
<h2 id="3-stage-13---loader-logic-mainmain-call-tree">3. Stage 1/3 - Loader Logic: <code class="language-plaintext highlighter-rouge">main.main</code> Call Tree</h2>
<p>Once we reach <code class="language-plaintext highlighter-rouge">main.main</code>, the structure was clean and very loader-shaped:</p>
<ul>
<li>Establish Persistence</li>
<li>Perform Payload Decryption</li>
<li>Perform Payload Loading (in-memory execution)</li>
</ul>
<p>This story was clearly evident when we look at the function call tree within the <code class="language-plaintext highlighter-rouge">main.main</code> function:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-disassembly/3-ghidra-main-main-call-tree.png" alt="Main.main function call tree" /></p>
<p>We will walk through each of these stages implemented by the functions above to verify the hypotheses.</p>
<h3 id="31-persistence-enableautostart">3.1 Persistence: <code class="language-plaintext highlighter-rouge">enableAutoStart()</code></h3>
<p>Persistence is implemented via the function <code class="language-plaintext highlighter-rouge">enableAutoStart()</code>, using <code class="language-plaintext highlighter-rouge">os.Executable()</code> and <code class="language-plaintext highlighter-rouge">golang.org/x/sys/windows/registry</code>.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-disassembly/4-enable-auto-start-call.png" alt="Persistence setup" /></p>
<h4 id="311-locate-the-current-executable-path">3.1.1 Locate The Current Executable Path</h4>
<p>The binary calls <code class="language-plaintext highlighter-rouge">os.Executable()</code> and then normalizes it (i.e. <code class="language-plaintext highlighter-rouge">filepath.Abs()</code>), meaning it persists <em>whatever path the binary is currently running from</em> rather than a hardcoded install location.</p>
<p>Disassembly fragments I used as anchors:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mo">0047</span><span class="n">b969</span> <span class="n">e8</span> <span class="mi">52</span> <span class="mi">52</span> <span class="n">CALL</span> <span class="n">os</span><span class="o">::</span><span class="n">os</span><span class="p">.</span><span class="n">Executable</span>
<span class="mo">0047</span><span class="n">b978</span> <span class="n">e8</span> <span class="mi">23</span> <span class="mi">7</span><span class="n">d</span> <span class="n">CALL</span> <span class="n">path</span><span class="o">/</span><span class="n">filepath</span><span class="o">::</span><span class="n">path</span><span class="o">/</span><span class="n">filepath</span><span class="p">.</span><span class="n">abs</span>
</code></pre></div></div>
<h4 id="312-open-the-run-key-hkcu">3.1.2 Open The Run Key (HKCU)</h4>
<p>The sample opens:</p>
<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run
</code></pre></div></div>
<p>This matched the string-derived hypothesis exactly.</p>
<h4 id="313-set-value-name-calculatorapp_autostart">3.1.3 Set Value Name: <code class="language-plaintext highlighter-rouge">CalculatorApp_AutoStart</code></h4>
<p>It writes a string value named:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">CalculatorApp_AutoStart</code></li>
</ul>
<p>whose data is the absolute path to the current executable.</p>
<h4 id="314-cleanup">3.1.4 Cleanup</h4>
<p>It closes the registry key via a small closure (<code class="language-plaintext highlighter-rouge">enableAutoStart.func1</code>). Nothing fancy, but it’s a useful tell that this is “real” Go code rather than a crude stub.</p>
<h3 id="32-payload-decryption-aesdecryptbyecb">3.2 Payload Decryption: <code class="language-plaintext highlighter-rouge">AesDecryptByECB()</code></h3>
<p>Next came the payload decryption routine.</p>
<p>Looking through the disassembly, we can see the preparatory steps for the payload decryption routine below.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-disassembly/5-aes-decrypt-by-ecb-call.png" alt="Payload Decryption Logic" /></p>
<h4 id="321-encrypted-blob-location-and-size">3.2.1 Encrypted Blob Location and Size</h4>
<p>From the above we determine:</p>
<ul>
<li>The address of the encrypted blob: <code class="language-plaintext highlighter-rouge">DAT_004b4fa8</code></li>
<li>The size of the payload: <code class="language-plaintext highlighter-rouge">0x25660</code> bytes (153,184 bytes)</li>
</ul>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mo">0047</span><span class="n">be4c</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">35</span> <span class="n">LEA</span> <span class="n">RSI</span><span class="p">,[</span><span class="n">DAT_004b4fa8</span><span class="p">]</span>
<span class="mo">0047</span><span class="n">be5b</span> <span class="n">bb</span> <span class="mi">60</span> <span class="mi">56</span> <span class="n">MOV</span> <span class="n">EBX</span><span class="p">,</span><span class="mh">0x25660</span>
</code></pre></div></div>
<h4 id="322-key-material">3.2.2 Key Material</h4>
<p>The AES key is hardcoded as a 16-byte string (AES-128 length):</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mo">0047</span><span class="n">be63</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">3</span><span class="n">d</span> <span class="n">LEA</span> <span class="n">RDI</span><span class="p">,[</span><span class="n">s_1ws12uuu11j</span><span class="o">*</span><span class="n">p5fr_00495639</span><span class="p">]</span>
<span class="mo">0047</span><span class="n">be6a</span> <span class="n">be</span> <span class="mi">10</span> <span class="mo">00</span> <span class="n">MOV</span> <span class="n">ESI</span><span class="p">,</span><span class="mh">0x10</span>
<span class="mo">0047</span><span class="n">be6f</span> <span class="n">e8</span> <span class="mi">4</span><span class="n">c</span> <span class="n">fc</span> <span class="n">CALL</span> <span class="n">main</span><span class="o">::</span><span class="n">main</span><span class="p">.</span><span class="n">AesDecryptByECB</span>
</code></pre></div></div>
<p>More specifically, the key is:</p>
<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1ws12uuu11j*p5fr
</code></pre></div></div>
<p>There’s also a staging/copy loop before the decrypt call. Effectively, the loader copies the embedded bytes into a buffer and then decrypts in memory using the above key.</p>
<h4 id="323-static-payload-extraction">3.2.3 Static Payload Extraction</h4>
<p>Given the information above, we can extract the payload without running the sample and dumping memory at runtime. The following script uses the recovered constants directly.</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">pefile</span>
<span class="kn">from</span> <span class="nn">Crypto.Cipher</span> <span class="kn">import</span> <span class="n">AES</span>
<span class="kn">from</span> <span class="nn">pathlib</span> <span class="kn">import</span> <span class="n">Path</span>
<span class="n">PE_PATH</span> <span class="o">=</span> <span class="s">"challenge"</span> <span class="c1"># Sample Name
</span>
<span class="n">PAYLOAD_VA</span> <span class="o">=</span> <span class="mh">0x004B4FA8</span> <span class="c1"># Virtual address of payload
</span><span class="n">PAYLOAD_SIZE</span> <span class="o">=</span> <span class="mh">0x25660</span> <span class="c1"># Size of payload
</span><span class="n">AES_KEY</span> <span class="o">=</span> <span class="sa">b</span><span class="s">"1ws12uuu11j*p5fr"</span> <span class="c1"># AES decryption key
</span>
<span class="n">OUT_ENC</span> <span class="o">=</span> <span class="s">"payload.encrypted"</span>
<span class="n">OUT_DEC</span> <span class="o">=</span> <span class="s">"payload.decrypted"</span>
<span class="k">def</span> <span class="nf">va_to_file_offset</span><span class="p">(</span><span class="n">pe</span><span class="p">,</span> <span class="n">va</span><span class="p">):</span>
<span class="n">image_base</span> <span class="o">=</span> <span class="n">pe</span><span class="p">.</span><span class="n">OPTIONAL_HEADER</span><span class="p">.</span><span class="n">ImageBase</span>
<span class="n">rva</span> <span class="o">=</span> <span class="n">va</span> <span class="o">-</span> <span class="n">image_base</span>
<span class="k">return</span> <span class="n">pe</span><span class="p">.</span><span class="n">get_offset_from_rva</span><span class="p">(</span><span class="n">rva</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">extract_decrypted_payload</span><span class="p">(</span><span class="n">pe</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">payload_va</span><span class="p">,</span> <span class="n">payload_size</span><span class="p">,</span> <span class="n">decryption_key</span><span class="p">):</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"[+] Encrypted Payload Virtual Address: 0x</span><span class="si">{</span><span class="n">payload_va</span><span class="si">:</span><span class="n">X</span><span class="si">}</span><span class="s"> → At file offset: 0x</span><span class="si">{</span><span class="n">offset</span><span class="si">:</span><span class="n">X</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="n">encrypted</span> <span class="o">=</span> <span class="n">pe</span><span class="p">.</span><span class="n">__data__</span><span class="p">[</span><span class="n">offset</span><span class="p">:</span><span class="n">offset</span> <span class="o">+</span> <span class="n">payload_size</span><span class="p">]</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">encrypted</span><span class="p">)</span> <span class="o">!=</span> <span class="n">payload_size</span><span class="p">:</span>
<span class="k">raise</span> <span class="nb">RuntimeError</span><span class="p">(</span><span class="s">"[-] Failed to read full payload"</span><span class="p">)</span>
<span class="n">Path</span><span class="p">(</span><span class="n">OUT_ENC</span><span class="p">).</span><span class="n">write_bytes</span><span class="p">(</span><span class="n">encrypted</span><span class="p">)</span>
<span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">encrypted</span><span class="p">)</span> <span class="o">%</span> <span class="mi">16</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">:</span>
<span class="k">raise</span> <span class="nb">RuntimeError</span><span class="p">(</span><span class="s">"[-] Payload not AES block-aligned"</span><span class="p">)</span>
<span class="n">cipher</span> <span class="o">=</span> <span class="n">AES</span><span class="p">.</span><span class="n">new</span><span class="p">(</span><span class="n">decryption_key</span><span class="p">,</span> <span class="n">AES</span><span class="p">.</span><span class="n">MODE_ECB</span><span class="p">)</span>
<span class="n">decrypted</span> <span class="o">=</span> <span class="n">cipher</span><span class="p">.</span><span class="n">decrypt</span><span class="p">(</span><span class="n">encrypted</span><span class="p">)</span>
<span class="n">Path</span><span class="p">(</span><span class="n">OUT_DEC</span><span class="p">).</span><span class="n">write_bytes</span><span class="p">(</span><span class="n">decrypted</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"[+] Extracted </span><span class="si">{</span><span class="nb">len</span><span class="p">(</span><span class="n">decrypted</span><span class="p">)</span><span class="si">}</span><span class="s"> decrypted bytes"</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="sa">f</span><span class="s">"[+] Final decrypted payload written to file: </span><span class="si">{</span><span class="n">OUT_DEC</span><span class="si">}</span><span class="s">"</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">main</span><span class="p">():</span>
<span class="k">print</span><span class="p">(</span><span class="s">"[*] Starting payload extraction...</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span>
<span class="n">pe</span> <span class="o">=</span> <span class="n">pefile</span><span class="p">.</span><span class="n">PE</span><span class="p">(</span><span class="n">PE_PATH</span><span class="p">)</span>
<span class="n">offset</span> <span class="o">=</span> <span class="n">va_to_file_offset</span><span class="p">(</span><span class="n">pe</span><span class="p">,</span> <span class="n">PAYLOAD_VA</span><span class="p">)</span>
<span class="n">extract_decrypted_payload</span><span class="p">(</span><span class="n">pe</span><span class="p">,</span> <span class="n">offset</span><span class="p">,</span> <span class="n">PAYLOAD_VA</span><span class="p">,</span> <span class="n">PAYLOAD_SIZE</span><span class="p">,</span> <span class="n">AES_KEY</span><span class="p">)</span>
<span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="se">\n</span><span class="s">[*] Payload extraction completed successfully."</span><span class="p">)</span>
<span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">"__main__"</span><span class="p">:</span>
<span class="n">main</span><span class="p">()</span>
</code></pre></div></div>
<p>Running the script successfully extracted and decrypted the payload using the identified key.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/1-payload-extraction.png" alt="Payload Decryption and Extraction" /></p>
<p>Running the <code class="language-plaintext highlighter-rouge">file</code> command on the extracted decrypted payload, we see that it can’t find any recognizable header information to tell us what type of file this is. This will be our next task, to determine what this payload is.</p>
<h3 id="33-payload-loading-in-memory-execution-via-kernel32">3.3 Payload Loading: In-Memory Execution via <code class="language-plaintext highlighter-rouge">kernel32</code></h3>
<p>Immediately after decryption, the loader follows the classic sequence:</p>
<ul>
<li>load <code class="language-plaintext highlighter-rouge">kernel32.dll</code></li>
<li>resolve APIs dynamically</li>
<li>allocate RWX (or allocate + change protection)</li>
<li>copy decrypted bytes</li>
<li>execute via new thread</li>
<li>wait</li>
</ul>
<p>The resolved API set included:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">VirtualAlloc</code></li>
<li><code class="language-plaintext highlighter-rouge">RtlMoveMemory</code></li>
<li><code class="language-plaintext highlighter-rouge">CreateThread</code></li>
<li><code class="language-plaintext highlighter-rouge">WaitForSingleObject</code></li>
</ul>
<p>In Go this showed up via syscall wrappers like <code class="language-plaintext highlighter-rouge">syscall.MustLoadDLL</code> and <code class="language-plaintext highlighter-rouge">(*DLL).MustFindProc</code>.</p>
<p>At this point, the stage-0 identity was no longer a hypothesis: this binary is a loader.</p>
<h2 id="4-stage-23---decrypted-payload-shellcode-container">4. Stage 2/3 - Decrypted Payload: Shellcode Container</h2>
<p>The next question was simple: what is the 153,184-byte decrypted buffer?</p>
<h3 id="41-extraction-confirmation">4.1 Extraction Confirmation</h3>
<p>Using the loader’s own constants, as proven above, we confirmed the following about the payload:</p>
<ul>
<li>Virtual Address: <code class="language-plaintext highlighter-rouge">0x4B4FA8</code></li>
<li>File Offset: <code class="language-plaintext highlighter-rouge">0xB37A8</code></li>
<li>Size: <code class="language-plaintext highlighter-rouge">0x25660</code></li>
</ul>
<p>After extracting and decrypting the embedded payload, I loaded the resulting blob into Cutter expecting something PE-shaped (MZ header, sections, import table, etc.). Instead, Cutter reported:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/2-cutter-overview.png" alt="Payload Cutter Overview" /></p>
<p>The file format is unknown because it does not start with a recognizable executable container format, which correlates with the <code class="language-plaintext highlighter-rouge">file</code> command output. Regardless, a few observations stand out:</p>
<ul>
<li>
<p><strong>Bits: 64</strong>
Even without a recognized file format, Cutter can still infer architecture from heuristics (instruction patterns, entropy, and typical prologues). It identified this blob as 64-bit code, which is consistent with what we later confirm via DIE.</p>
</li>
<li>
<p><strong>Base Addr: <code class="language-plaintext highlighter-rouge">0x00000000</code></strong>
Normal PE binaries embed an ImageBase and relocation information. Shellcode does not. With “Format: N/A”, Cutter has no structural metadata to anchor the blob, so it maps it as a flat buffer and assigns a default base address.</p>
</li>
</ul>
<p>This is one of the first observations that hints to us that we might be dealing with shellcode, i.e. it’s not meant to be loaded by the Windows loader. It’s meant to be copied into memory and executed.</p>
<ul>
<li><strong>Mode: <code class="language-plaintext highlighter-rouge">r-x</code></strong>
Cutter is indicating that it is treating this payload as executable code. Which aligns with a memory execution pipeline (<code class="language-plaintext highlighter-rouge">VirtualAlloc</code> -> <code class="language-plaintext highlighter-rouge">RtlMoveMemory</code> -> <code class="language-plaintext highlighter-rouge">CreateThread</code>).</li>
</ul>
<p>So, even though Cutter couldn’t classify it as a PE, its view is consistent with what the stage-0 Go loader does, which is to decrypt a blob, allocate memory, and then execute it.</p>
<h3 id="42-shellcode-characteristics">4.2 Shellcode Characteristics</h3>
<p>Next we try to sanity-check the payload with scdbg:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/3-shellcode-debug-peb-walk.png" alt="Payload Shellcode Debugger" /></p>
<p>At first glance, the line that jumps out is:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">mov</span> <span class="n">eax</span><span class="p">,</span> <span class="p">[</span><span class="mh">0x30</span><span class="p">]</span>
</code></pre></div></div>
<h4 id="421-why-mov-eax-0x30">4.2.1 Why <code class="language-plaintext highlighter-rouge">mov eax, [0x30]</code>?</h4>
<p>I have seen this technique before. It suggests the shellcode is trying to reach the PEB (Process Environment Block) to enumerate loaded modules (kernel32, ntdll, etc.) without relying on imports<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">2</a></sup>.</p>
<ul>
<li>On x86, shellcode commonly uses fs:[0x30] to get the PEB pointer.</li>
<li>On x64, the analogous approach uses gs:[0x60] for the PEB.</li>
</ul>
<p>The trace shows <code class="language-plaintext highlighter-rouge">mov eax, [0x30]</code> — not <code class="language-plaintext highlighter-rouge">mov eax, fs:[0x30]</code>.</p>
<p>That detail matters.</p>
<h4 id="422-why-scdbg-stopped-wrong-execution-model">4.2.2 Why <code class="language-plaintext highlighter-rouge">scdbg</code> Stopped: Wrong Execution Model</h4>
<p><code class="language-plaintext highlighter-rouge">scdbg</code> is historically oriented around 32-bit shellcode emulation patterns<sup id="fnref:4" role="doc-noteref"><a href="#fn:4" class="footnote" rel="footnote">3</a></sup> and simplified Windows environment emulation. The payload here is <code class="language-plaintext highlighter-rouge">AMD64</code> Donut shellcode, which expects:</p>
<ul>
<li>A 64-bit execution context</li>
<li>Correct segment register usage (GS access for PEB style lookups)</li>
<li>Correct assumptions about memory layout and loader-provided structures</li>
</ul>
<p>So <code class="language-plaintext highlighter-rouge">scdbg</code> trying to interpret this blob ends up in a mismatch:</p>
<ul>
<li>It hits memory reads that should have been relative to a segment base or runtime-resolved pointer,</li>
<li>But instead it tries to read absolute address <code class="language-plaintext highlighter-rouge">0x00000000</code> or <code class="language-plaintext highlighter-rouge">0x30</code> in a flat emulation space,</li>
<li>It then dies with error accessing <code class="language-plaintext highlighter-rouge">0x00000000</code> not mapped.</li>
</ul>
<p>Essentially this tells us that the emulator is the wrong tool for this job.</p>
<p>So the conclusion from here is:</p>
<blockquote>
<p>This blob behaves like shellcode, but scdbg can’t execute it meaningfully because it’s the wrong architecture/assumption set.</p>
</blockquote>
<p>That’s what pushed me to switch tools.</p>
<h3 id="43-donut-identification-and-unpacking">4.3 Donut Identification and Unpacking</h3>
<p>Since scdbg wasn’t a good fit, I ran the blob through Detect It Easy (DIE). DIE classified it as:</p>
<blockquote>
<p>Shellcode: Donut(0.9.2)[AMD64]</p>
</blockquote>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/4-die-donut-detected.png" alt="Payload DIE Detection" /></p>
<p>DIE suggested the payload is <strong>Donut</strong> shellcode<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">4</a></sup>: a position-independent wrapper commonly used to deliver PE payloads. We know that:</p>
<ul>
<li>A PE file is meant to be loaded by the Windows loader (it has headers, sections, imports, relocations).</li>
<li>Shellcode is meant to be dropped into memory and executed without the OS loader.</li>
<li>Donut bridges the gap by packaging a PE (or other module) into a self-contained shellcode “launcher” that:
<ul>
<li>Resolves needed APIs dynamically,</li>
<li>Allocates memory,</li>
<li>Reconstructs or maps the embedded module,</li>
<li>And transfers execution to it.</li>
</ul>
</li>
</ul>
<p>So in this multi-stage chain:</p>
<ul>
<li>Go loader decrypts blob → executes it</li>
<li>Blob is Donut shellcode → whose job is to unpack/map an embedded PE</li>
<li>That embedded PE is the real implant (the part that actually “does things”)</li>
</ul>
<p>I used a tool called <a href="https://github.com/volexity/donut-decryptor">donut_decryptor</a>, which can parse the shellcode and extract the embedded <code class="language-plaintext highlighter-rouge">DONUT_INSTANCE</code> structure. Running it against <code class="language-plaintext highlighter-rouge">payload.decrypted</code> produced:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/5-donut-undonut.png" alt="Undonut the payload" /></p>
<p>The tool does find the <code class="language-plaintext highlighter-rouge">DONUT_INSTANCE</code> structure, and recovers the binary and writes it to <code class="language-plaintext highlighter-rouge">mod_payload.decrypted</code>, and also produces more information about the instance.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/6-donut-instance-info.png" alt="Undonut instance information" /></p>
<p>After “undonuting,” we can see that the recovered artifact is a real PE:</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/7-donut-third-stage-payload.png" alt="Undonut recovered PE" /></p>
<p>That’s the transition point where the Go loader stops being interesting and the native implant begins.</p>
<h2 id="5-stage-33---deobfuscated-donut-payload-native-x64-pe-implant">5. Stage 3/3 - Deobfuscated Donut Payload: Native x64 PE Implant</h2>
<p>Once the Donut wrapper is peeled away, the recovered payload behaves like a conventional native Windows implant. We again load it into cutter to get a general overview of it.</p>
<p><img src="/public/images/2026-02-15-valleyrat-part-1-static-analysis/valley-rat-payload-extraction/8-mod-payload-cutter.png" alt="Undonut recovered PE" /></p>
<p>Analysing it we observe that it enters through the PE entrypoint, runs CRT startup, sets up process-local state, and then transitions into its “real” operational loop.</p>
<h3 id="51-crt-startup-and-heap-setup">5.1 CRT Startup and Heap Setup</h3>
<p>From the implant entrypoint, execution flows through the usual C/C++ runtime machinery (the CRT).</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">entry</span>
<span class="mi">140009</span><span class="n">a74</span> <span class="mi">48</span> <span class="mi">83</span> <span class="n">ec</span> <span class="mi">28</span> <span class="n">SUB</span> <span class="n">RSP</span><span class="p">,</span><span class="mh">0x28</span>
<span class="mi">140009</span><span class="n">a78</span> <span class="n">e8</span> <span class="mi">93</span> <span class="mi">3</span><span class="n">c</span> <span class="n">CALL</span> <span class="n">__security_init_cookie</span>
<span class="mi">140009</span><span class="n">a7d</span> <span class="mi">48</span> <span class="mi">83</span> <span class="n">c4</span> <span class="mi">28</span> <span class="n">ADD</span> <span class="n">RSP</span><span class="p">,</span><span class="mh">0x28</span>
<span class="mi">140009</span><span class="n">a81</span> <span class="n">e9</span> <span class="mi">76</span> <span class="n">fe</span> <span class="n">JMP</span> <span class="n">__tmainCRTStartup</span><span class="p">()</span>
</code></pre></div></div>
<p>That means it is preparing the process for normal Win32 execution: initializing security cookies, setting up thread-local storage, initializing global constructors (if any), and establishing an allocator strategy.</p>
<p>A detail that stood out is that the implant did not simply rely on the default process heap forever. Instead, early in initialization it created a <strong>private heap</strong> using:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">HeapCreate()</code> - allocates a dedicated heap object owned by the process</li>
<li><code class="language-plaintext highlighter-rouge">HeapAlloc()</code> - uses that heap for subsequent allocations</li>
</ul>
<p>This was handled by a <code class="language-plaintext highlighter-rouge">_heap_init()</code> call:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">140009950</span> <span class="mi">89</span> <span class="mi">5</span><span class="n">c</span> <span class="mi">24</span> <span class="mi">40</span> <span class="n">MOV</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res8</span><span class="p">],</span><span class="n">EBX</span>
<span class="mi">140009954</span> <span class="n">e8</span> <span class="mi">6</span><span class="n">f</span> <span class="mo">05</span> <span class="n">CALL</span> <span class="n">_heap_init</span>
</code></pre></div></div>
<p>In the failure paths of the above operations (calls resembling <code class="language-plaintext highlighter-rouge">FUN_14000a30c(0x1c)</code> / <code class="language-plaintext highlighter-rouge">FUN_14000a30c(0x10)</code>), the behavior matches fail-fast CRT-style enforcement. The implant checks critical initialization results (like heap handle creation). If the handle is null, it does not continue; it aborts through an error routine. This can be seen as early environment checking: if something about the environment is wrong (emulation, restricted sandbox, incompatible runtime), it exits early and avoids noisy crashes later.</p>
<h3 id="52-environment-check">5.2 Environment Check</h3>
<p>Again, in <code class="language-plaintext highlighter-rouge">_heap_init()</code> the implant calls <code class="language-plaintext highlighter-rouge">GetVersion()</code>.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">140009</span><span class="n">eeb</span> <span class="mi">48</span> <span class="mi">85</span> <span class="n">c0</span> <span class="n">TEST</span> <span class="n">RAX</span><span class="p">,</span><span class="n">RAX</span>
<span class="mi">140009</span><span class="n">eee</span> <span class="mi">74</span> <span class="mi">29</span> <span class="n">JZ</span> <span class="n">LAB_140009f19</span>
<span class="mi">140009</span><span class="n">ef0</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mo">02</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">GetVersion</span><span class="p">]</span>
</code></pre></div></div>
<p>This was interpreted as the implant asking, “what kind of Windows am I on?” It likely does this to support:</p>
<ul>
<li><strong>Compatibility gates</strong>: Avoid executing paths that rely on APIs not present on older systems.</li>
<li><strong>Behavior selection</strong>: Different injection methods, persistence tactics, or system paths by version.</li>
<li><strong>Profiling</strong>: OS version becomes part of an environment fingerprint or telemetry report to the operator.</li>
</ul>
<p>Given the rest of the implant’s behavior (threading, registry usage, dumping via DbgHelp), the most conservative interpretation is that it’s used for <strong>gating and branching</strong>.</p>
<h2 id="6-anti-analysis-and-self-process-dumping">6. Anti-Analysis and Self-Process Dumping</h2>
<p>After initial setup, execution reaches <code class="language-plaintext highlighter-rouge">FUN_140008580</code>. This function is best understood as a <strong>runtime staging hub</strong>: it wires up crash/exception handling, performs stealthy UI behavior, and then kicks off the long-running worker thread that later drives C2 behavior. Specifically, this function does at least four distinct things:</p>
<ul>
<li>Installs the unhandled exception filter</li>
<li>Hides the console window</li>
<li>Posts a thread message (likely to pump or unblock something UI/message related)</li>
<li>Spawns the worker thread (FUN_1400080e0) and waits on it</li>
</ul>
<p>The first important call here is <code class="language-plaintext highlighter-rouge">SetUnhandledExceptionFilter</code>. This registers <code class="language-plaintext highlighter-rouge">FUN_140008550</code> as the process-wide unhandled exception filter. If an exception occurs and nothing catches it, Windows will invoke this handler instead of immediately terminating the process with the default crash UI.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">FUN_140008580</span>
<span class="mi">140008580</span> <span class="mi">48</span> <span class="mi">83</span> <span class="n">ec</span> <span class="mi">38</span> <span class="n">SUB</span> <span class="n">RSP</span><span class="p">,</span><span class="mh">0x38</span>
<span class="mi">140008584</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">0</span><span class="n">d</span> <span class="n">LEA</span> <span class="n">RCX</span><span class="p">,[</span><span class="n">FUN_140008550</span><span class="p">]</span>
<span class="mi">14000858</span><span class="n">b</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">97</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">SetUnhandledExceptionFilter</span><span class="p">]</span>
</code></pre></div></div>
<p>Immediately afterward, the implant calls <code class="language-plaintext highlighter-rouge">GetConsoleWindow()</code> and then <code class="language-plaintext highlighter-rouge">ShowWindow(hWnd, 0)</code>. Passing <code class="language-plaintext highlighter-rouge">0</code> corresponds to <code class="language-plaintext highlighter-rouge">SW_HIDE</code><sup id="fnref:5" role="doc-noteref"><a href="#fn:5" class="footnote" rel="footnote">5</a></sup>, i.e., it hides its console window if one exists. A console-compiled payload is far noisier if it leaves a visible window on the user desktop.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">140008591</span> <span class="n">ff</span> <span class="mi">15</span> <span class="n">a9</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">GetConsoleWindow</span><span class="p">]</span>
<span class="mi">140008597</span> <span class="mi">33</span> <span class="n">d2</span> <span class="n">XOR</span> <span class="n">EDX</span><span class="p">,</span><span class="n">EDX</span>
<span class="mi">140008599</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="n">c8</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="n">RAX</span>
<span class="mi">14000859</span><span class="n">c</span> <span class="n">ff</span> <span class="mi">15</span> <span class="n">b6</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">USER32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">ShowWindow</span><span class="p">]</span>
<span class="p">...</span>
</code></pre></div></div>
<p>Finally, <code class="language-plaintext highlighter-rouge">FUN_140008580</code> spawns the worker thread, so the main thread becomes a supervisor. It creates the operational thread and waits on it.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">...</span>
<span class="mi">1400085</span><span class="n">c6</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">8</span><span class="n">d</span> <span class="mo">05</span> <span class="n">LEA</span> <span class="n">R8</span><span class="p">,[</span><span class="n">FUN_1400080e0</span><span class="p">]</span>
<span class="mi">1400085</span><span class="n">cd</span> <span class="mi">45</span> <span class="mi">33</span> <span class="n">c9</span> <span class="n">XOR</span> <span class="n">R9D</span><span class="p">,</span><span class="n">R9D</span>
<span class="mi">1400085</span><span class="n">d0</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">89</span> <span class="mi">5</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_10</span><span class="p">],</span><span class="n">R11</span>
<span class="mi">1400085</span><span class="n">d5</span> <span class="mi">33</span> <span class="n">d2</span> <span class="n">XOR</span> <span class="n">EDX</span><span class="p">,</span><span class="n">EDX</span>
<span class="mi">1400085</span><span class="n">d7</span> <span class="mi">33</span> <span class="n">c9</span> <span class="n">XOR</span> <span class="n">ECX</span><span class="p">,</span><span class="n">ECX</span>
<span class="mi">1400085</span><span class="n">d9</span> <span class="mi">44</span> <span class="mi">89</span> <span class="mi">5</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_18</span><span class="p">],</span><span class="n">R11D</span>
<span class="mi">1400085</span><span class="n">de</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">8</span><span class="n">c</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">CreateThread</span><span class="p">]</span>
<span class="mf">1400085e4</span> <span class="mi">83</span> <span class="n">ca</span> <span class="n">ff</span> <span class="n">OR</span> <span class="n">EDX</span><span class="p">,</span><span class="mh">0xffffffff</span>
<span class="mf">1400085e7</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="n">c8</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="n">RAX</span>
<span class="mi">1400085</span><span class="n">ea</span> <span class="mi">48</span> <span class="mi">89</span> <span class="mo">05</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">DAT_1400234f0</span><span class="p">],</span><span class="n">RAX</span>
<span class="mi">1400085</span><span class="n">f1</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">59</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">WaitForSingleObject</span><span class="p">]</span>
<span class="mi">1400085</span><span class="n">f7</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="mi">0</span><span class="n">d</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">DAT_1400234f0</span><span class="p">]</span>
<span class="mi">1400085</span><span class="n">fe</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">74</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">CloseHandle</span><span class="p">]</span>
<span class="mi">140008604</span> <span class="n">b9</span> <span class="mi">2</span><span class="n">c</span> <span class="mo">01</span> <span class="n">MOV</span> <span class="n">ECX</span><span class="p">,</span><span class="mh">0x12c</span>
<span class="mi">140008609</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">51</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">Sleep</span><span class="p">]</span>
</code></pre></div></div>
<h3 id="61-fun_140008550-exception-filter--debugger-gate">6.1 FUN_140008550: Exception Filter + Debugger Gate</h3>
<p>The exception filter itself begins with a debugger check:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code> <span class="n">FUN_140008550</span>
<span class="mi">140008550</span> <span class="mi">40</span> <span class="mi">53</span> <span class="n">PUSH</span> <span class="n">RBX</span>
<span class="mi">140008552</span> <span class="mi">48</span> <span class="mi">83</span> <span class="n">ec</span> <span class="mi">20</span> <span class="n">SUB</span> <span class="n">RSP</span><span class="p">,</span><span class="mh">0x20</span>
<span class="mi">140008556</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="n">d9</span> <span class="n">MOV</span> <span class="n">RBX</span><span class="p">,</span><span class="n">RCX</span>
<span class="mi">140008559</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mo">01</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">IsDebuggerPresent</span><span class="p">]</span>
<span class="mi">14000855</span><span class="n">f</span> <span class="mi">85</span> <span class="n">c0</span> <span class="n">TEST</span> <span class="n">EAX</span><span class="p">,</span><span class="n">EAX</span>
<span class="mi">140008561</span> <span class="mi">74</span> <span class="mi">08</span> <span class="n">JZ</span> <span class="n">LAB_14000856b</span>
<span class="mi">140008563</span> <span class="mi">33</span> <span class="n">c0</span> <span class="n">XOR</span> <span class="n">EAX</span><span class="p">,</span><span class="n">EAX</span>
<span class="mi">140008565</span> <span class="mi">48</span> <span class="mi">83</span> <span class="n">c4</span> <span class="mi">20</span> <span class="n">ADD</span> <span class="n">RSP</span><span class="p">,</span><span class="mh">0x20</span>
<span class="mi">140008569</span> <span class="mi">5</span><span class="n">b</span> <span class="n">POP</span> <span class="n">RBX</span>
<span class="mi">14000856</span><span class="n">a</span> <span class="n">c3</span> <span class="n">RET</span>
</code></pre></div></div>
<p>Two behaviors stand out immediately:</p>
<ul>
<li>If a debugger is detected -> return early (skip the noisy part).</li>
<li>Otherwise -> proceed into a second branch that performs a dump routine (<code class="language-plaintext highlighter-rouge">FUN_140008370</code>).</li>
</ul>
<p>As an unhandled exception filter, Windows calls this function with exception-context-like data. The hypothesis here is that the handler’s purpose is less about “handling” an exception and more about conditionally executing the dump logic.</p>
<p>The dump routine path includes:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">14000838</span><span class="n">f</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">0</span><span class="n">d</span> <span class="n">LEA</span> <span class="n">RCX</span><span class="p">,[</span><span class="n">u_DbgHelp</span><span class="p">.</span><span class="n">dll_14001ab68</span><span class="p">]</span>
<span class="mi">140008396</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">9</span><span class="n">c</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">LoadLibraryW</span><span class="p">]</span>
<span class="p">...</span>
<span class="mi">1400083</span><span class="n">ac</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">15</span> <span class="n">LEA</span> <span class="n">RDX</span><span class="p">,[</span><span class="n">s_MiniDumpWriteDump_14001ab80</span><span class="p">]</span>
<span class="mi">1400083</span><span class="n">b3</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="n">c8</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="n">RAX</span>
<span class="p">...</span>
<span class="mi">1400083</span><span class="n">b6</span> <span class="mi">48</span> <span class="mi">89</span> <span class="n">ac</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res10</span><span class="p">],</span><span class="n">RBP</span>
<span class="mi">1400083</span><span class="n">be</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">8</span><span class="n">c</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">GetProcAddress</span><span class="p">]</span>
<span class="p">...</span>
<span class="mi">14000840</span><span class="n">d</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">45</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">GetLocalTime</span><span class="p">]</span>
<span class="p">...</span>
<span class="mi">14000844</span><span class="n">a</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">8</span><span class="n">d</span> <span class="mo">05</span> <span class="n">LEA</span> <span class="n">R8</span><span class="p">,[</span><span class="n">u_</span><span class="o">!</span><span class="n">analyze_</span><span class="o">-</span><span class="n">v_14001ab98</span><span class="p">]</span>
<span class="mi">140008451</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">15</span> <span class="n">LEA</span> <span class="n">RDX</span><span class="p">,[</span><span class="n">u_</span><span class="o">%</span><span class="n">s</span><span class="o">-%</span><span class="mo">04</span><span class="n">d</span><span class="o">%</span><span class="mo">02</span><span class="n">d</span><span class="o">%</span><span class="mo">02</span><span class="n">d</span><span class="o">-%</span><span class="mo">02</span><span class="n">d</span><span class="o">%</span><span class="mo">02</span><span class="n">d</span><span class="o">%</span><span class="mo">02</span><span class="n">d</span><span class="p">.</span><span class="n">dmp_14001a</span>
<span class="mi">140008458</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">4</span><span class="n">c</span> <span class="n">LEA</span> <span class="n">RCX</span><span class="o">=></span><span class="n">local_238</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x70</span><span class="p">]</span>
<span class="mi">14000845</span><span class="n">d</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mo">05</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">USER32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">wsprintfW</span><span class="p">]</span>
<span class="p">...</span>
<span class="mi">140008463</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">89</span> <span class="mi">6</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_278</span><span class="p">],</span><span class="n">R13</span>
<span class="mi">140008468</span> <span class="mi">45</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">45</span> <span class="mo">03</span> <span class="n">LEA</span> <span class="n">R8D</span><span class="p">,[</span><span class="n">R13</span> <span class="o">+</span> <span class="mh">0x3</span><span class="p">]</span>
<span class="mi">14000846</span><span class="n">c</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">4</span><span class="n">c</span> <span class="n">LEA</span> <span class="n">RCX</span><span class="o">=></span><span class="n">local_238</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x70</span><span class="p">]</span>
<span class="mi">140008471</span> <span class="mi">45</span> <span class="mi">33</span> <span class="n">c9</span> <span class="n">XOR</span> <span class="n">R9D</span><span class="p">,</span><span class="n">R9D</span>
<span class="mi">140008474</span> <span class="n">ba</span> <span class="mo">00</span> <span class="mo">00</span> <span class="n">MOV</span> <span class="n">EDX</span><span class="p">,</span><span class="mh">0xc0000000</span>
<span class="mi">140008479</span> <span class="mi">44</span> <span class="mi">89</span> <span class="mi">6</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_280</span><span class="p">],</span><span class="n">R13D</span>
<span class="mi">14000847</span><span class="n">e</span> <span class="n">c7</span> <span class="mi">44</span> <span class="mi">24</span> <span class="n">MOV</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_288</span><span class="p">],</span><span class="mh">0x2</span>
<span class="mi">140008486</span> <span class="n">ff</span> <span class="mi">15</span> <span class="n">bc</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">CreateFileW</span><span class="p">]</span>
</code></pre></div></div>
<p>That second branch is especially interesting because creating a minidump of its own process appears deliberate and can capture sensitive runtime state. At this stage, I considered a few plausible motivations:</p>
<ul>
<li><strong>Self-debugging:</strong> Generate a dump that can be pulled later to debug failures on victim systems.</li>
<li><strong>Anti-analysis gating:</strong> Only produce artifacts when not under a debugger (to avoid handing analysts decrypted state during interactive reversing).</li>
<li><strong>Noise injection / disruption</strong>: Dumping can pollute disk with artifacts, trigger alerts, or waste analyst time depending on how it is used operationally.</li>
</ul>
<h3 id="62-analysing-the-self-dump-flow-exception-triggered">6.2 Analysing the Self-dump Flow (Exception-Triggered)</h3>
<h4 id="621-loading-dbghelpdll">6.2.1 Loading <code class="language-plaintext highlighter-rouge">DbgHelp.dll</code></h4>
<p>The dump path begins by dynamically loading <code class="language-plaintext highlighter-rouge">DbgHelp.dll</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">LEA</span> <span class="n">RCX</span><span class="p">,[</span><span class="n">u_DbgHelp</span><span class="p">.</span><span class="n">dll</span><span class="p">]</span>
<span class="n">CALL</span> <span class="p">[</span><span class="n">KERNEL32</span><span class="p">.</span><span class="n">LoadLibraryW</span><span class="p">]</span>
</code></pre></div></div>
<p>This avoids a static import of DbgHelp in the PE import table. Static imports are analyst-friendly, allowing us to eyeball the IAT and immediately know what the binary wants. Dynamic resolution reduces that visibility and also makes the dumping APIs conditional, as they only appear if/when the branch executes.</p>
<h4 id="622-resolving-and-calling-minidumpwritedump">6.2.2 Resolving and Calling <code class="language-plaintext highlighter-rouge">MiniDumpWriteDump</code></h4>
<p>After loading <code class="language-plaintext highlighter-rouge">DbgHelp.dll</code>, the implant resolves <code class="language-plaintext highlighter-rouge">MiniDumpWriteDump</code> by name via <code class="language-plaintext highlighter-rouge">GetProcAddress</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">GetProcAddress</span><span class="p">(</span><span class="n">hDbgHelp</span><span class="p">,</span> <span class="s">"MiniDumpWriteDump"</span><span class="p">)</span>
</code></pre></div></div>
<p>It then performs a programmatic self-dump of the current process. The typical supporting calls in this pattern are:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">GetCurrentProcessId()</code></li>
<li><code class="language-plaintext highlighter-rouge">GetCurrentProcess()</code></li>
<li>Create/open a file handle for the dump output (<code class="language-plaintext highlighter-rouge">CreateFileW</code>)</li>
<li><code class="language-plaintext highlighter-rouge">MiniDumpWriteDump(processHandle, pid, fileHandle, dumpType, …)</code></li>
</ul>
<p>The key point is that this is not an OS-generated crash dump created by WerFault. This is an intentional dump created by the implant itself, and it can include:</p>
<ul>
<li>Decrypted configuration (in memory),</li>
<li>Decrypted or unpacked modules that never touch disk,</li>
<li>Runtime-resolved function pointers and state,</li>
<li>Potentially keys/tokens/parameters used later in execution.</li>
</ul>
<p>This behavior may help operators debug, but it can also leak the implant’s secrets to defenders if the dump is recovered.</p>
<h4 id="623-dump-filename-format">6.2.3 Dump Filename Format</h4>
<p>The filename is constructed using <code class="language-plaintext highlighter-rouge">GetLocalTime</code> and <code class="language-plaintext highlighter-rouge">wsprintfW</code>, with the timestamp format string:</p>
<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>"%s-%04d%02d%02d-%02d%02d%02d.dmp"
</code></pre></div></div>
<p>This produces a timestamped dump name:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">PREFIX-YYYYMMDD-HHMMSS.dmp</code></li>
</ul>
<p>The exact value for <code class="language-plaintext highlighter-rouge">%s</code> depends on what the caller passes at the callsite. In the disassembly we saw a string <code class="language-plaintext highlighter-rouge">u"!analyze -v"</code>, which is suspicious as a prefix candidate and may be a decoy or debug artifact. Regardless, the timestamp structure is clear: it is designed to be unique per run.</p>
<h2 id="7-c2-configuration-storage-and-parsing">7. C2 Configuration Storage and Parsing</h2>
<p>After initialization and anti-analysis staging, the implant starts to look like an actual C2 client. This logic is reached via <code class="language-plaintext highlighter-rouge">FUN_1400073d0</code> (invoked during setup), which then leads into the main configuration parser <code class="language-plaintext highlighter-rouge">FUN_1400073e4</code>. The parser operates on a compact delimited configuration string, extracts values into runtime globals, and supports a registry-based override to “retask” without patching the binary.</p>
<h3 id="71-recovered-config-string">7.1 Recovered Config String</h3>
<p>Early in the parser we saw:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">14000740</span><span class="n">e</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="n">cd</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="o">=></span><span class="n">DAT_14001f440</span><span class="p">,</span><span class="n">RBP</span>
<span class="mi">140007411</span> <span class="n">e8</span> <span class="n">a6</span> <span class="mi">24</span> <span class="n">CALL</span> <span class="n">_wcsrev</span>
</code></pre></div></div>
<p>This tells us that the string at <code class="language-plaintext highlighter-rouge">&DAT_14001f440</code> is stored in reverse. Static string extraction sees nonsense, while at runtime, <code class="language-plaintext highlighter-rouge">_wcsrev</code> flips it back just before parsing.</p>
<p>Once reversed, the configuration appears as a delimiter-separated table:</p>
<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>|p1:maaahao.vip|o1:8081|t1:1
|p2:maaahao.vip|o2:8888|t2:1
|p3:maaahao.vip|o3:80|t3:1
|dd:1|cl:1|fz:|bb:1.0|bz:2025.11.7|jp:0|bh:0|ll:0|dl:0|sh:0|kl:0|bd:
</code></pre></div></div>
<p>We can see a structural detail here: the string begins with a leading <code class="language-plaintext highlighter-rouge">|</code>. That makes parsing simpler and safer because every entry is boundary-delimited, reducing the risk of accidental substring matches inside values. Even if the implementation searches for <code class="language-plaintext highlighter-rouge">p1:</code> rather than <code class="language-plaintext highlighter-rouge">|p1:</code>, this layout still reflects a deliberate “flat table” grammar.</p>
<p>At a glance, the grammar is intentionally minimal:</p>
<ul>
<li>Entries are separated by <code class="language-plaintext highlighter-rouge">|</code></li>
<li>Each entry is a <code class="language-plaintext highlighter-rouge">key:value</code> pair</li>
<li>Keys are short (2 chars + optional index), values are either strings or single-digit toggles</li>
</ul>
<p>The first cluster (<code class="language-plaintext highlighter-rouge">p1/o1/t1</code>, <code class="language-plaintext highlighter-rouge">p2/o2/t2</code>, <code class="language-plaintext highlighter-rouge">p3/o3/t3</code>) reads like a list of C2 endpoints with enable flags. The later flags (<code class="language-plaintext highlighter-rouge">dd</code>, <code class="language-plaintext highlighter-rouge">cl</code>, <code class="language-plaintext highlighter-rouge">jp</code>, <code class="language-plaintext highlighter-rouge">bh</code>, <code class="language-plaintext highlighter-rouge">ll</code>, <code class="language-plaintext highlighter-rouge">dl</code>, <code class="language-plaintext highlighter-rouge">sh</code>, <code class="language-plaintext highlighter-rouge">kl</code>, <code class="language-plaintext highlighter-rouge">bd</code>) behave like feature toggles, versioning markers, and behavior parameters.</p>
<p>The intent here is clear: the implant wants a compact, easily replaceable config that can be parsed without heavy dependencies.</p>
<h3 id="72-parsing-helper-key-extractor">7.2 Parsing Helper: Key Extractor</h3>
<p><code class="language-plaintext highlighter-rouge">FUN_1400072a0</code> was determined to be the implant’s mini “config getter.” Its behavior is consistent across repeated calls:</p>
<ul>
<li>Search the config buffer (<code class="language-plaintext highlighter-rouge">DAT_14001f440</code>) for a key prefix like <code class="language-plaintext highlighter-rouge">L"p1:"</code>.</li>
<li>Once found, advance past the prefix.</li>
<li>Copy characters until the next delimiter <code class="language-plaintext highlighter-rouge">|</code>.</li>
<li>Write the extracted value into a destination buffer, or set a boolean if the destination is <code class="language-plaintext highlighter-rouge">NULL</code>.</li>
</ul>
<p>This helper explains why the main parser (<code class="language-plaintext highlighter-rouge">FUN_1400073d0</code>) repeatedly calls it for keys:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">p1</code>, <code class="language-plaintext highlighter-rouge">o1</code>, <code class="language-plaintext highlighter-rouge">p2</code>, <code class="language-plaintext highlighter-rouge">o2</code>, <code class="language-plaintext highlighter-rouge">p3</code>, <code class="language-plaintext highlighter-rouge">o3</code> copied into buffers</li>
<li><code class="language-plaintext highlighter-rouge">t1</code>, <code class="language-plaintext highlighter-rouge">t2</code>, <code class="language-plaintext highlighter-rouge">t3</code> handled as booleans (or via direct <code class="language-plaintext highlighter-rouge">1</code> checks)</li>
<li>Additional keys extracted into other globals</li>
</ul>
<p>Once extracted, other code never has to parse the raw string again. It simply reads from the populated runtime globals (e.g., host buffers, port buffers, and enable flags). This is why <code class="language-plaintext highlighter-rouge">FUN_1400080e0</code> looks like it selects between pre-parsed tables rather than interpreting the string directly.</p>
<h3 id="73-boolean-toggles">7.3 Boolean Toggles</h3>
<p>The toggle logic is consistent: if the character after the colon is <code class="language-plaintext highlighter-rouge">'1'</code> (<code class="language-plaintext highlighter-rouge">0x31</code>), set a corresponding global to <code class="language-plaintext highlighter-rouge">1</code>.</p>
<p>We saw this pattern for:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">t1</code>, <code class="language-plaintext highlighter-rouge">t2</code>, <code class="language-plaintext highlighter-rouge">t3</code> -> endpoint enable flags</li>
<li>And this is likely for other switches (<code class="language-plaintext highlighter-rouge">jp</code>, <code class="language-plaintext highlighter-rouge">bh</code>, <code class="language-plaintext highlighter-rouge">ll</code>, <code class="language-plaintext highlighter-rouge">dl</code>, <code class="language-plaintext highlighter-rouge">sh</code>, <code class="language-plaintext highlighter-rouge">kl</code>) depending on how the implant uses them later in execution.</li>
</ul>
<h3 id="74-config-override-via-hkcuconsoleipdate">7.4 Config Override via <code class="language-plaintext highlighter-rouge">HKCU\Console\IpDate</code></h3>
<p>The most operationally interesting detail is a registry-based override. The parser checks:</p>
<div class="language-text highlighter-rouge"><div class="highlight"><pre class="highlight"><code>HKCU\Console\IpDate
</code></pre></div></div>
<p>It first opens the <code class="language-plaintext highlighter-rouge">Console</code> key under <code class="language-plaintext highlighter-rouge">HKCU</code>:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">140007</span><span class="n">d4d</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">84</span> <span class="n">LEA</span> <span class="n">RAX</span><span class="o">=></span><span class="n">local_res18</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x80</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">d55</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">15</span> <span class="n">LEA</span> <span class="n">RDX</span><span class="p">,[</span><span class="n">u_Console_14001ab48</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">d5c</span> <span class="mi">41</span> <span class="n">b9</span> <span class="mi">19</span> <span class="n">MOV</span> <span class="n">R9D</span><span class="p">,</span><span class="mh">0x20019</span>
<span class="mi">140007</span><span class="n">d62</span> <span class="mi">45</span> <span class="mi">33</span> <span class="n">c0</span> <span class="n">XOR</span> <span class="n">R8D</span><span class="p">,</span><span class="n">R8D</span>
<span class="mi">140007</span><span class="n">d65</span> <span class="mi">48</span> <span class="n">c7</span> <span class="n">c1</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="o">-</span><span class="mh">0x7fffffff</span>
<span class="mi">140007</span><span class="n">d6c</span> <span class="n">c7</span> <span class="mi">44</span> <span class="mi">24</span> <span class="n">MOV</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res10</span><span class="p">],</span><span class="mh">0x3</span>
<span class="mi">140007</span><span class="n">d74</span> <span class="mi">48</span> <span class="mi">89</span> <span class="mi">44</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_48</span><span class="p">],</span><span class="n">RAX</span>
<span class="mi">140007</span><span class="n">d79</span> <span class="n">c7</span> <span class="mi">44</span> <span class="mi">24</span> <span class="n">MOV</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res8</span><span class="p">],</span><span class="mh">0x0</span>
<span class="mi">140007</span><span class="n">d81</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">81</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">ADVAPI32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">RegOpenKeyExW</span><span class="p">]</span>
</code></pre></div></div>
<p>Then it queries the <code class="language-plaintext highlighter-rouge">HKCU\Console\IpDate</code> value.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">140007</span><span class="n">d8b</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="mi">8</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res18</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">d93</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">44</span> <span class="n">LEA</span> <span class="n">RAX</span><span class="o">=></span><span class="n">local_res8</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x70</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">d98</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">4</span><span class="n">c</span> <span class="n">LEA</span> <span class="n">R9</span><span class="o">=></span><span class="n">local_res10</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x78</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">d9d</span> <span class="mi">48</span> <span class="mi">89</span> <span class="mi">44</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_40</span><span class="p">],</span><span class="n">RAX</span>
<span class="mi">140007</span><span class="n">da2</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">15</span> <span class="n">LEA</span> <span class="n">RDX</span><span class="p">,[</span><span class="n">u_IpDate_14001ab58</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">da9</span> <span class="mi">45</span> <span class="mi">33</span> <span class="n">c0</span> <span class="n">XOR</span> <span class="n">R8D</span><span class="p">,</span><span class="n">R8D</span>
<span class="mi">140007</span><span class="n">dac</span> <span class="mi">48</span> <span class="n">c7</span> <span class="mi">44</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_48</span><span class="p">],</span><span class="mh">0x0</span>
<span class="mi">140007</span><span class="n">db5</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">5</span><span class="n">d</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">ADVAPI32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">RegQueryValueExW</span><span class="p">]</span>
</code></pre></div></div>
<p>Importantly, it uses the common two-step query pattern:</p>
<ul>
<li>Query with a null data pointer to retrieve the required size.</li>
<li>If the size passes a sanity check (in this case <code class="language-plaintext highlighter-rouge">> 10</code>), clear the config buffer and query again to fetch the actual bytes.</li>
</ul>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="mi">140007</span><span class="n">dbb</span> <span class="mi">83</span> <span class="mi">7</span><span class="n">c</span> <span class="mi">24</span> <span class="n">CMP</span> <span class="n">dword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res8</span><span class="p">],</span><span class="mh">0xa</span>
<span class="mi">140007</span><span class="n">dc0</span> <span class="mi">0</span><span class="n">f</span> <span class="mi">86</span> <span class="n">e3</span> <span class="n">JBE</span> <span class="n">LAB_1400080a9</span>
<span class="mi">140007</span><span class="n">dc6</span> <span class="mi">33</span> <span class="n">d2</span> <span class="n">XOR</span> <span class="n">EDX</span><span class="p">,</span><span class="n">EDX</span>
<span class="mi">140007</span><span class="n">dc8</span> <span class="mi">41</span> <span class="n">b8</span> <span class="n">d0</span> <span class="n">MOV</span> <span class="n">R8D</span><span class="p">,</span><span class="mh">0x7d0</span>
<span class="mi">140007</span><span class="n">dce</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="n">cd</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="o">=></span><span class="n">DAT_14001f440</span><span class="p">,</span><span class="n">RBP</span>
<span class="mi">140007</span><span class="n">dd1</span> <span class="n">e8</span> <span class="n">ea</span> <span class="mi">39</span> <span class="n">CALL</span> <span class="n">FUN_14000b7c0</span>
<span class="mi">140007</span><span class="n">dd6</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">b</span> <span class="mi">8</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">RCX</span><span class="p">,</span><span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_res18</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">dde</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">5</span><span class="n">c</span> <span class="n">LEA</span> <span class="n">R11</span><span class="o">=></span><span class="n">local_res8</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x70</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">de3</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">89</span> <span class="mi">5</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_40</span><span class="p">],</span><span class="n">R11</span>
<span class="mi">140007</span><span class="n">de8</span> <span class="mi">4</span><span class="n">c</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">4</span><span class="n">c</span> <span class="n">LEA</span> <span class="n">R9</span><span class="o">=></span><span class="n">local_res10</span><span class="p">,[</span><span class="n">RSP</span> <span class="o">+</span> <span class="mh">0x78</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">ded</span> <span class="mi">48</span> <span class="mi">8</span><span class="n">d</span> <span class="mi">15</span> <span class="n">LEA</span> <span class="n">RDX</span><span class="p">,[</span><span class="n">u_IpDate_14001ab58</span><span class="p">]</span>
<span class="mi">140007</span><span class="n">df4</span> <span class="mi">45</span> <span class="mi">33</span> <span class="n">c0</span> <span class="n">XOR</span> <span class="n">R8D</span><span class="p">,</span><span class="n">R8D</span>
<span class="mi">140007</span><span class="n">df7</span> <span class="mi">48</span> <span class="mi">89</span> <span class="mi">6</span><span class="n">c</span> <span class="n">MOV</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="n">RSP</span> <span class="o">+</span> <span class="n">local_48</span><span class="p">],</span><span class="n">RBP</span><span class="o">=></span><span class="n">DAT_14001f440</span>
<span class="mi">140007</span><span class="n">dfc</span> <span class="n">ff</span> <span class="mi">15</span> <span class="mi">16</span> <span class="n">CALL</span> <span class="n">qword</span> <span class="n">ptr</span> <span class="p">[</span><span class="o">-></span><span class="n">ADVAPI32</span><span class="p">.</span><span class="n">DLL</span><span class="o">::</span><span class="n">RegQueryValueExW</span><span class="p">]</span>
</code></pre></div></div>
<p>We interpret this as a post-deployment control channel:</p>
<ul>
<li>Operators can change C2 host/ports and toggles without recompiling.</li>
<li>The implant can be “retasked” locally by updating a registry value.</li>
<li>The key path is intentionally boring-looking (“Console” settings) which helps it blend in compared to something obviously malicious.</li>
</ul>
<p>The end result is that configuration is effectively <strong>baked-in but replaceable</strong>. Static config provides defaults, while the registry override provides agility.</p>
<h2 id="8-where-static-analysis-stops-and-part-2-starts">8. Where Static Analysis Stops (and Part 2 Starts)</h2>
<p>At the end of static analysis, this is what we know:</p>
<ol>
<li><strong>Stage-0 Go loader</strong>
<ul>
<li>Resolves its own path</li>
<li>Persists via <code class="language-plaintext highlighter-rouge">HKCU\...\Run</code> as <code class="language-plaintext highlighter-rouge">CalculatorApp_AutoStart</code></li>
<li>Decrypts an embedded blob (<code class="language-plaintext highlighter-rouge">0x25660</code> bytes) using AES-ECB with key <code class="language-plaintext highlighter-rouge">1ws12uuu11j*p5fr</code></li>
<li>Executes the decrypted buffer in-memory via <code class="language-plaintext highlighter-rouge">VirtualAlloc</code> / <code class="language-plaintext highlighter-rouge">RtlMoveMemory</code> / <code class="language-plaintext highlighter-rouge">CreateThread</code></li>
</ul>
</li>
<li><strong>Embedded blob</strong>
<ul>
<li>Donut shellcode container</li>
<li>Unwraps into a native <code class="language-plaintext highlighter-rouge">x64</code> PE implant</li>
</ul>
</li>
<li><strong>Native implant</strong>
<ul>
<li>CRT + heap setup (<code class="language-plaintext highlighter-rouge">HeapCreate</code>, <code class="language-plaintext highlighter-rouge">HeapAlloc</code>)</li>
<li>Environment/version checks (<code class="language-plaintext highlighter-rouge">GetVersion</code>)</li>
<li>Setup hub (<code class="language-plaintext highlighter-rouge">FUN_140008580</code>) that installs an exception filter, hides UI, and starts the operational thread</li>
<li>Debugger gate + self-process dumping (<code class="language-plaintext highlighter-rouge">DbgHelp.dll</code> + <code class="language-plaintext highlighter-rouge">MiniDumpWriteDump</code>) with timestamped <code class="language-plaintext highlighter-rouge">.dmp</code> naming</li>
<li>Reversed-string config storage + runtime parsing</li>
<li>Registry-based config override via <code class="language-plaintext highlighter-rouge">HKCU\Console\IpDate</code></li>
</ul>
</li>
</ol>
<p>In Part 2 we’ll treat the C2 configuration as an active protocol, recover message framing, capture and emulate the exchange, and build a minimal server that keeps the implant talking long enough to expose its full behavior.</p>
<h2 id="references">References</h2>
<div class="footnotes" role="doc-endnotes">
<ol>
<li id="fn:1" role="doc-endnote">
<p><a href="https://attack.mitre.org/techniques/T1547/001/">MITRE ATT&CK T1547.001 - Registry Run Keys / Startup Folder</a> <a href="#fnref:1" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:3" role="doc-endnote">
<p><a href="https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/exploring-process-environment-block">Exploring Process Environment Block</a> <a href="#fnref:3" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:4" role="doc-endnote">
<p><a href="https://isc.sans.edu/diary/24058">Using <code class="language-plaintext highlighter-rouge">scdbg</code> to Analyze Shellcode</a> <a href="#fnref:4" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:2" role="doc-endnote">
<p><a href="https://www.hackercoolmagazine.com/donut-shellcode-generator-beginners-guide/">Donut Shellcode Generator: Beginner’s Guide</a> <a href="#fnref:2" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
<li id="fn:5" role="doc-endnote">
<p><a href="https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-showwindow">ShowWindow Function (winuser.h)</a> <a href="#fnref:5" class="reversefootnote" role="doc-backlink">↩</a></p>
</li>
</ol>
</div>
Understanding the Why2025-04-01T00:00:00+00:00https://lehasas.github.io/understanding-the-why<p>Security gets sold as certainty: dashboards, metrics, “visibility.” The work that keeps pulling me in is the opposite. It’s the part where you do not get to assume the system is telling the truth, and you have to earn every claim by taking something apart.</p>
<p>Malware analysis sits right in that gap. It is a forced audit of reality: what the binary actually does, what the network trace actually contains, what the OS actually guarantees, and how quickly a neat theory collapses when a single assumption is wrong.</p>
<p>I still remember the first time I opened a binary in Ghidra and stared at the decompiler like it was an alien language. What hooked me was not the tool. It was the feeling that there was a coherent story in there, and the only way to get it was to build the model yourself.</p>
<h2 id="why-i-study-malware">Why I Study Malware</h2>
<p>I am interested in security broadly, but malware analysis is where my curiosity becomes mechanical. You do not get to hand-wave. You either explain an artifact or you do not.</p>
<p>The part I enjoy most is the transition from vague suspicion to a crisp narrative:</p>
<ul>
<li>What is the stage layout?</li>
<li>Where is configuration stored, and how is it protected?</li>
<li>What does persistence actually change on disk/registry/service state?</li>
<li>What is the operator supposed to be able to control after deployment?</li>
</ul>
<p>And if the answer is “I am not sure yet,” I want to be able to say exactly what would remove the uncertainty.</p>
<h2 id="what-drew-me-in">What Drew Me In</h2>
<p>There is a kind of poetry in malware, but it is the poetry of constraints. Malware has to execute in hostile environments, operate under partial visibility, and keep functioning when defenders and sandboxes interfere.</p>
<p>I am drawn less to the destruction and more to the design:</p>
<ul>
<li>the weird tradeoffs (noise vs reliability vs stealth)</li>
<li>the tiny implementation mistakes that change everything</li>
<li>the subtle ways systems fail when their assumptions are stressed</li>
</ul>
<p>Malware is a sharp lens for studying how software is built, and how it breaks.</p>
<h2 id="how-i-work-and-what-i-show">How I Work (And What I Show)</h2>
<p>When I write a post here, I am not trying to produce a perfect tutorial. I am documenting investigation:</p>
<ul>
<li>the initial hypotheses from triage</li>
<li>how I proved or disproved them</li>
<li>where the evidence was solid vs where it was suggestive</li>
<li>the dead ends (when they’re instructive)</li>
</ul>
<p>Some posts will be clean and conclusive. Some will be explicitly marked as work-in-progress. Either way, I want the reader to be able to track the chain of reasoning.</p>
<h2 id="what-youll-find-here">What You’ll Find Here</h2>
<p>This blog is a long-form notebook. I am optimizing for slow reading and replayable understanding, not for engagement.</p>
<p>You will find:</p>
<ul>
<li>narrative-driven malware write-ups (static, dynamic, and sometimes protocol work)</li>
<li>reverse engineering notes (how I recognized patterns, how I named things, what I missed at first)</li>
<li>tooling experiments (small scripts, helpers, lab notes)</li>
<li>occasional reflective pieces on how security is practiced vs how it is marketed</li>
</ul>
<p>If a post is part of a longer investigation, it will be labeled as a series/part so you can follow it end-to-end.</p>
<h2 id="the-why-that-keeps-me-going">The Why That Keeps Me Going</h2>
<p>I keep coming back to this work for a simple reason: the fastest way to understand a system is to watch it fail and then explain why it failed.</p>
<p>If you like that kind of thinking, you are in the right place.</p>