## **Overview of RunMRU**

RunMRU malware, also known as copy-paste malware, is often delivered via hijacked sites or malicious advertisements. End users are presented with a pop-up instructing them to open the Run dialog box (or File Explorer, in some cases), press Ctrl + V, and then press Enter. Because the clipboard has been pre-populated with the initial payload, users are often blind to what they are entering on the system.

### **Code Delivery**

The initial command in this case was an obfuscated curl command.

![[Pasted image 20251026135542.png]]

After cleaning up the command, the payload can be grabbed from the initial site.

![[Pasted image 20251026210454.png]]

### **Initial Payload**

When the curl command runs, a PowerShell script is downloaded and executed in memory.

![[Pasted image 20251026205025.png]]

The numbers in the script are ASCII character codes that are converted to chars. By removing the 'powershell -c iex' and assigning the result to a variable in PowerShell, the script can be decoded safely without executing it.

![[Pasted image 20251026140418.png]]

This unveils a base64 command, which can be decoded using CyberChef.

![[Pasted image 20251026140445.png]]

Decoded output:

![[Pasted image 20251026205120.png]]

Downloading this new script, 'main.ps1':

![[Pasted image 20251026140526.png]]

This is the first of many obfuscated PowerShell scripts. The script contains a mess of obfuscated PowerShell, most of which is benign and exists only to hide the actual malicious code.

![[Pasted image 20251026140544.png]]

Sifting through the PowerShell, there is an iex command calling a variable.

![[Pasted image 20251026140607.png]]

Printing the variable before the iex call shows an additional, but very similar, obfuscated PowerShell script.

![[Pasted image 20251026140625.png]]

Continuing the same process as for the script above, this is repeated three more times until the next main stage of the payload is deobfuscated.

![[Pasted image 20251026205159.png]]

Most notable here are the anti-debug checks looking for specific software.
If any of these processes are found, the script exits before downloading the next stage. The script appears to differentiate between domain-joined and non-domain-joined computers by specifying a different POST message. Making a curl request to the 'domain joined' endpoint, we get an obfuscated PowerShell script that looks all too familiar after the previous obfuscated PowerShell scripts.

![[Pasted image 20251026205359.png]]

To speed up the analysis process, an additional three PowerShell scripts similar to the previous ones were deobfuscated before finally getting to the final script of the PowerShell stager.

![[Pasted image 20251026141112.png]]

Navigating to the URL within $archiveUrl, the payload can be downloaded and unzipped, revealing a Python executable and a collection of libraries, scripts, and DLLs. Of particular interest are the rn.exe and the .pyw files.

![[Pasted image 20251026141129.png]]

### **Reversing rn.exe**

The hash of rn.exe should have been looked up initially, which would have revealed that it is actually just a renamed pythonw.exe (the signed Python executable for running windowless scripts). Either way, this is the first time I've seen WARP markup, and it was cool to see the direction Binja is taking with some of its automated code analysis. There isn't much need to reverse rn.exe, as the .pyw files can be examined to find the Python scripts. Just for fun, though, the file can be dropped into Binary Ninja for analysis. Binary Ninja does a good job of marking up much of the Python code via WARP, denoted by the globe icon and the '__scrt_function name' naming convention.

![[Pasted image 20251026141942.png]]

Analyzing for any unusual strings, there are references to hex data within the .rsrc section. These are nothing more than PNG files, which, when carved out with Malcat, turn out to be Python images.
![[Pasted image 20251026142047.png]]

### **Ungarbling Python PYW Files**

Starting with the rn.pyw file, the Python script is opened to reveal obfuscated Python code. Changing the evals to print statements, we can get the next stage of the Python malware. The next stage contains heavily obfuscated code using a combination of base64 encoding, hex conversions, zlib decompression, and Python dictionary lookups.

![[Pasted image 20251026142136.png]]

After deobfuscating and cleaning up the Python script, there was a combination of base85-encoded data and zlib compression, revealing a very similar anti-debug script to the one seen in the earlier PowerShell loader.

![[Pasted image 20251026205438.png]]

Of particular interest are the detection of debug tools and the call to the data.pyw file. Looking back within the zip file downloaded from the server, there is also a data.pyw file that can be examined. The flow indicates that rn.exe is launched with rn.pyw as its argument. rn.pyw appears to look for debug tools and to check whether pythonw.exe is running. If these checks pass, data.pyw is opened, which we can presume is the main Python payload. Upon opening the data.pyw file, we are presented with a very similar Python script as before. Using the same debugging technique of replacing the eval statements with print statements, there is once again a heavily obfuscated Python script.

![[Pasted image 20251026142347.png]]

After renaming some of the variables and prettifying it, the last variable appeared to be an exec() call, which, after changing it to a print, shows what is being executed.

![[Pasted image 20251026142404.png]]

Once again, we are met with another massive blob of lambda functions and obfuscation.

![[Pasted image 20251026142421.png]]

Placing a debug breakpoint at the end of the script above, the variables can be seen within the debugger as the code is stepped through.
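The "swap the iex/eval/exec for a print" approach used throughout the PowerShell and Python stages above can be automated. The Python below is an added example (not the post's code and not the malware's): it pulls the argument handed to the interpreter out of each stage, decodes it with the encodings met so far (ASCII code lists, hex, base64/base85, optional zlib), and repeats, so every layer is recovered without executing any of them. The stages it runs on are constructed samples.

```python
import base64
import re
import zlib

def decode_blob(blob):
    """Decode one blob to text without executing it: ASCII code lists (the
    PowerShell stage), hex strings, base64/base85 with optional zlib."""
    if re.fullmatch(r"\d+(?:\s*,\s*\d+)+", blob):
        return "".join(chr(int(n)) for n in blob.split(","))
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", blob):
        return bytes.fromhex(blob).decode("utf-8", "replace")
    for decoder in (lambda b: base64.b64decode(b, validate=True), base64.b85decode):
        try:
            raw = decoder(blob.encode())
        except ValueError:              # binascii.Error is a ValueError subclass
            continue
        try:
            raw = zlib.decompress(raw)  # some layers are compressed as well
        except zlib.error:
            pass
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
    return None

def find_payload(stage):
    """The argument handed to iex/eval/exec: the longest string literal,
    or a bare comma-separated list of character codes."""
    literals = [m.group(0)[1:-1] for m in re.finditer(r"'[^']*'|\"[^\"]*\"", stage)]
    codes = re.findall(r"\d+(?:\s*,\s*\d+)+", stage)
    return max(literals + codes, key=len) if literals or codes else None

def peel(stage, max_depth=10):
    """Replace 'run it' with 'decode it' repeatedly; return every stage found."""
    stages = []
    for _ in range(max_depth):
        payload = find_payload(stage)
        decoded = decode_blob(payload) if payload else None
        if decoded is None:
            break
        stages.append(decoded)
        stage = decoded
    return stages

# Constructed samples (not the real malware): a PowerShell char-code stage and a three-layer Python chain.
PS_STAGE = "powershell -c iex ([char[]](%s) -join '')" % ",".join(str(ord(c)) for c in "Write-Output 'stage two'")
FINAL = 'print("final stage")'
INNER = "eval(bytes.fromhex('%s').decode())" % FINAL.encode().hex()
OUTER = "exec(zlib.decompress(base64.b64decode('%s')))" % base64.b64encode(zlib.compress(INNER.encode())).decode()
```

Running `peel(OUTER)` yields the two inner stages in order, ending at the final script, which is printed rather than executed.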
![[Pasted image 20251026142435.png]]

Here we are met with a pickled Python AST (Abstract Syntax Tree) within one of the '_______' variables. Due to the large amount of code within the AST, I deferred to Gemini to reconstruct the Python script below from the abstract tree. Based on the imports that were missing when debugging and the references to variables in the previous script, it's safe to assume this is likely on the right path of what this next-stage Python script looks like. It's likely that this is the stager that reaches out to decrypt the final payload.

![[Pasted image 20251026210122.png]]

There were some initial issues in getting the decryption routine to work correctly. This is likely due to slightly different code within the except block. When running dynamically, the final web request was able to be intercepted, revealing a GET request being made to a telegra.ph site. Observing in Wireshark, we can see multiple packets over HTTPS.

![[Pasted image 20251026142552.png]]

Proxying the Python requests through Fiddler, we can see the HTTPS request that is being made to the telegra.ph site.

![[Pasted image 20251026142603.png]]

This is likely the key used in the AES decryption algorithm.

### **IOCs**

_______________

###### **IP Addresses**

- `144.31.221.84`
- `149.154.164.13`

###### **FQDN**

- `telegra.ph/3657468-10-13`

###### **Files Dropped**

- `$env:APPDATA\DATA\rn.exe`
- `$env:APPDATA\DATA\rn.pyw`
- `$env:APPDATA\DATA\data.pyw`

###### **Windows Security Event Log**

- `EventID: 4698 AND TaskName: "WindowsUDP"`

___________
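Returning to the pickled-AST stage above: a plain `pickle.load` on a blob pulled out of malware would call any global the stream references, so the tree is better rebuilt with an unpickler that only materialises `ast` node classes and then printed back as source with `ast.unparse`. This is an added example, not the post's code; the pickled blobs it handles are constructed here.

```python
import ast
import io
import pickle

class AstOnlyUnpickler(pickle.Unpickler):
    """Unpickler that will only materialise ast node classes. Any other global
    in the stream (os.system, subprocess.Popen, builtins.eval, ...) is refused,
    so a booby-trapped pickle cannot run code while the tree is rebuilt."""
    def find_class(self, module, name):
        if module in ("ast", "_ast"):
            cls = getattr(ast, name, None)
            if isinstance(cls, type) and issubclass(cls, ast.AST):
                return cls
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

def ast_pickle_to_source(blob):
    """Rebuild a pickled Module AST and print it back as Python source."""
    tree = AstOnlyUnpickler(io.BytesIO(blob)).load()
    if not isinstance(tree, ast.Module):
        raise ValueError("pickled object is not an ast.Module")
    return ast.unparse(ast.fix_missing_locations(tree))

def roundtrip(source):
    """Constructed demo: pickle a real AST, as in the stage above, then recover
    source from it without ever exec()-ing anything."""
    return ast_pickle_to_source(pickle.dumps(ast.parse(source)))

# Constructed protocol-0 pickle referencing os.getcwd (harmless here); a pickle
# that reaches for non-AST globals is exactly what plain pickle.load must never see.
TAMPERED_PICKLE = b"cos\ngetcwd\n(tR."

def loader_refuses(blob):
    """True when the restricted loader rejects the stream instead of running it."""
    try:
        AstOnlyUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return True
    return False
```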
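As an added example built on the IOCs above (not from the post), the scheduled-task indicator can be checked against Security log 4698 events: the event's TaskContent field carries the task definition as escaped XML, so the Exec command and arguments can be inspected alongside TaskName. The events below are constructed, and the .pyw rule is a heuristic assumed here, not one of the listed IOCs.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"e": EVENT_NS, "t": TASK_NS}

def make_event(user, task_name, command, arguments):
    """Constructed 4698 event; TaskContent holds the task XML escaped, as the log stores it."""
    task = (f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{escape(command)}'
            f'</Command><Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>4698</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="TaskName">{task_name}</Data>'
            f'<Data Name="TaskContent">{escape(task)}</Data></EventData></Event>')

def parse_4698(xml_text):
    """Return user, task name and the Exec action of a 4698 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4698":
        return None
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    task = ET.fromstring(data.get("TaskContent") or "<Task/>")
    return {"user": data.get("SubjectUserName", ""), "task": data.get("TaskName", ""),
            "command": task.findtext("t:Actions/t:Exec/t:Command", "", NS),
            "args": task.findtext("t:Actions/t:Exec/t:Arguments", "", NS)}

def reasons(ev):
    hits = []
    cmdline = ev["command"] + " " + ev["args"]
    if re.search(r"(^|\\)WindowsUDP$", ev["task"], re.I):   # TaskName IOC above
        hits.append("TaskName matches the WindowsUDP IOC")
    if re.search(r"appdata[\\/].*[\\/]data[\\/]rn\.exe", cmdline, re.I):  # dropped file IOC
        hits.append("task runs rn.exe from the APPDATA\\DATA drop path")
    if re.search(r"\.pyw(\s|$)", ev["args"], re.I):          # heuristic, assumed here
        hits.append("task launches a .pyw script (heuristic)")
    return hits

def scan(events):
    """(task name, reasons) for every 4698 event that trips a rule."""
    parsed = filter(None, map(parse_4698, events))
    return [(ev["task"], h) for ev in parsed if (h := reasons(ev))]

DROP = "C:\\Users\\alice\\AppData\\Roaming\\DATA\\"   # constructed expansion of $env:APPDATA\DATA
SAMPLE_EVENTS = [  # constructed: one benign task, one matching the IOCs above
    make_event("alice", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
               "C:\\Windows\\System32\\defrag.exe", "-c -h -o -$"),
    make_event("alice", "\\WindowsUDP", DROP + "rn.exe", DROP + "rn.pyw"),
]
```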