Reversing a malware sample with some creative messages, found by nullcookies. Spoiler: it's Kardon Loader.


Following the link we get to a pretty fancy website with some spooky music by Naked City.


The sample is a .NET PE32 binary.


I opened it in JetBrains dotPeek and started to follow the execution path.

Main calls vvrtOmoHa.cotHrhSnFmXZz(), which calls FUNC5.
FUNC5 returns a MethodInfo, which gives us access to the methods of some object.

It fetches the "EntryPoint" of whatever CLASS2.RTAPYsHWnCcXOGrS((object) vvrtOmoHa.OfYKMuQsCWD()) returns.

First let's look into vvrtOmoHa.OfYKMuQsCWD():

It sets up an Rfc2898DeriveBytes (PBKDF2) with

key (the PBKDF2 password) = 0x0c, 0x81, 0x61, 0x25, 0x19, 0x5f, 0xea, 0x3a, 0x67, 0x13, 0xc5, 0x78, 0x00, 0x4b, 0x6c, 0xf8
salt = 0x25, 0x0d, 0x87, 0x41, 0xad, 0x73, 0xc0, 0x57
iterations = 1000

and sets up RijndaelManaged with the following:

  • KeySize = 256
  • BlockSize = 128
  • Key = Rfc2898DeriveBytes.GetBytes(KeySize / 8)
  • IV = Rfc2898DeriveBytes.GetBytes(BlockSize / 8)
  • Mode = CipherMode.CBC

Then it creates a new CryptoStream using RijndaelManaged.CreateDecryptor() as the ICryptoTransform.

With that decryptor, it decrypts whatever UqRiWgZlDb() returns, which is this:

// resource names shown after de-obfuscation (see below)
numArray = (byte[]) new ResourceManager("OJRx", typeof (vvrtOmoHa).Assembly).GetObject("eDNgz");

Sanpei replaces "X" with "OJRx" and VNC replaces "J" with "eDNgz", so the call effectively opens OJRx.res and returns the eDNgz entry:


The contents of that resource are then decoded and returned.

Now we are in public static object RTAPYsHWnCcXOGrS(object data), with data being our decoded resource.

I wrote a quick and dirty decryptor in C# and got back another exe.

using System;
using System.IO;
using System.Security.Cryptography;

namespace decryptor
{
    class MainClass
    {
        // Password and salt recovered from vvrtOmoHa.OfYKMuQsCWD()
        public static byte[] PasswordBytes =
        {
            (byte) 12, (byte) 189, (byte) 97, (byte) 37, (byte) 25, (byte) 95, (byte) 234, (byte) 58,
            (byte) 103, (byte) 19, (byte) 197, (byte) 120, (byte) 0, (byte) 75, (byte) 108, (byte) 248
        };
        public static byte[] salt =
        {
            (byte) 37, (byte) 13, (byte) 135, (byte) 65, (byte) 173, (byte) 115, (byte) 192, (byte) 87
        };

        public static void Main(string[] args)
        {
            // Same derivation as the sample: PBKDF2 (HMAC-SHA1), 1000 iterations
            Rfc2898DeriveBytes key = new Rfc2898DeriveBytes(PasswordBytes, salt, 1000);
            RijndaelManaged rijAlg = new RijndaelManaged();
            rijAlg.KeySize = 256;
            rijAlg.BlockSize = 128;
            rijAlg.Mode = CipherMode.CBC;
            rijAlg.Key = key.GetBytes(256 / 8);   // first 32 bytes of the derived stream
            rijAlg.IV = key.GetBytes(128 / 8);    // the next 16 bytes
            String line;
            // res.txt holds the base64 text of the resource dumped from the sample
            using (StreamReader sr = new StreamReader("res.txt"))
            {
                line = sr.ReadToEnd();
            }
            byte[] data = Convert.FromBase64String(line);
            ICryptoTransform decryptor = rijAlg.CreateDecryptor(rijAlg.Key, rijAlg.IV);
            byte[] plainText2 = null;
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Write))
                {
                    cs.Write(data, 0, data.Length);
                }   // disposing the CryptoStream flushes the final block
                plainText2 = ms.ToArray();
            }

            File.WriteAllBytes("obj.bin", plainText2);
        }
    }
}
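
The same derivation and decryption in Python, as an added example rather than the post's own code: it re-implements Rfc2898DeriveBytes from the PBKDF2 definition so the Key-then-IV GetBytes() pattern can be checked against hashlib, then decrypts the dumped resource with AES-256-CBC. It uses the hex bytes listed in the prose above (the C# decryptor lists the second byte as 189, i.e. 0xBD, so check your copy of the sample); decrypt_stage assumes the third-party cryptography package is installed.

```python
import base64
import hashlib
import hmac
# Parameters from the write-up; note the C# decryptor lists byte 2 as 189 (0xBD), not 0x81.
PASSWORD = bytes([0x0c, 0x81, 0x61, 0x25, 0x19, 0x5f, 0xea, 0x3a,
                  0x67, 0x13, 0xc5, 0x78, 0x00, 0x4b, 0x6c, 0xf8])
SALT = bytes([0x25, 0x0d, 0x87, 0x41, 0xad, 0x73, 0xc0, 0x57])
ITERATIONS = 1000

class Rfc2898DeriveBytes:
    """.NET Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1; successive get_bytes() calls return consecutive slices of one output stream."""
    def __init__(self, password, salt, iterations):
        self.password, self.salt, self.iterations = password, salt, iterations
        self.block_index = 1  # PBKDF2 numbers its blocks from 1
        self.buffer = b""     # derived bytes not yet handed out

    def _next_block(self):
        # T_i = U_1 xor ... xor U_c, with U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1})
        u = hmac.new(self.password, self.salt + self.block_index.to_bytes(4, "big"),
                     hashlib.sha1).digest()
        t = u
        for _ in range(self.iterations - 1):
            u = hmac.new(self.password, u, hashlib.sha1).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        self.block_index += 1
        return t

    def get_bytes(self, n):
        while len(self.buffer) < n:
            self.buffer += self._next_block()
        out, self.buffer = self.buffer[:n], self.buffer[n:]
        return out

def derive_key_iv(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    # Mirror the sample: Key = GetBytes(KeySize / 8), then IV = GetBytes(BlockSize / 8)
    kdf = Rfc2898DeriveBytes(password, salt, iterations)
    return kdf.get_bytes(32), kdf.get_bytes(16)

def reference_key_iv(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    # Same thing via hashlib: one 48-byte PBKDF2 output split 32/16
    stream = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 48)
    return stream[:32], stream[32:]

def decrypt_stage(blob_b64):
    # AES-256-CBC; RijndaelManaged defaults to PKCS7 padding ('cryptography' imported lazily)
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key, iv = derive_key_iv()
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(base64.b64decode(blob_b64)) + dec.finalize()
    return padded[:-padded[-1]]  # strip PKCS7 padding
```

Pass the base64 text of the dumped resource to decrypt_stage() and check that the result starts with "MZ" before writing it out as the next stage.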


Inside are essentially persistence mechanisms, which unpack another exe. Notable findings: more creepy function names like "antichrist", and a kill switch:

// PT = the directory the running executable lives in
this.PT = Process.GetCurrentProcess().MainModule.FileName.Replace(Path.GetFileName(Process.GetCurrentProcess().MainModule.FileName), "");

// Kill switch: the body only runs when no stop.txt exists next to the binary
private void SafeDisable()
{
    if (!File.Exists(this.PT + "stop.txt"))
    {
        // ... (body not shown)
    }
}


Let's decrypt the 3rd payload and see what's inside:

It's not a .NET app, so now we have to work in IDA.

The file was compiled with debug information:

which we of course don't have, but it shows where the author kept the project.

The malware communicates with its C2 at hxxp://

[Screenshot: Screen-Shot-2018-06-23-at-11.59.14-AM], which is a Kardon Loader.

Basically, this malware builds a botnet and can be used to install any other tools. All files related to this reversing work are on my GitHub.