Analysis of the CrunchyRoll malware

Hello, recently CrunchyRoll was attacked with a DNS hijack and malware was delivered. The malware does some strange stuff that I can’t comprehend, but here are just my notes from the little effort that I put into it.

Sample SHA1: 7F0C19EEC1913F193B236C59742E469E16CE4DE2

Opening the file up in IDA and traversing to WinMain, we see this:

The file sets up startup persistence, then allocates some memory, copies the shellcode into it, and executes it.

Opening the file up in OllyDbg, we break after the VirtualAlloc call and step into the shellcode (which is rather small).

First, it obtains EIP using the common call-pop method. Strangely however, unlike most malware, it doesn’t have a function that does something like this:

    pop eax
    push eax

but rather chose to do it via a jump and a call back to pop eax. I suppose this might also be a form of a
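To make the call-pop pattern easier to spot in a dump like the one shared below, here is a small scanner I am adding as an example (not code from the original post or from the sample). It walks a byte buffer for every near call (E8 rel32) whose destination inside the buffer is a one-byte pop r32, which catches both the classic forward "call next; pop reg" and the backward call described above. The sample bytes are constructed to mimic the described layout (a jump forward to a call that jumps back to pop eax), not taken from the malware.

```python
import struct

# One-byte "pop r32" opcodes: 0x58 = pop eax ... 0x5F = pop edi.
POP_R32 = {0x58 + r: name for r, name in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}


def find_call_pop_getpc(code: bytes):
    """Return (call_offset, target_offset, register) for every E8 rel32 call
    whose target lies inside the buffer and is a pop r32.

    rel32 is signed, so backward calls (negative displacement) are handled
    exactly like the forward "call $+5 / pop" idiom."""
    hits = []
    for off in range(len(code) - 4):          # need 4 bytes after the opcode
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = off + 5 + rel                # call semantics: next ip + rel32
        if 0 <= target < len(code) and code[target] in POP_R32:
            hits.append((off, target, POP_R32[code[target]]))
    return hits


# Constructed sample (not from the malware): jmp over the pop, then a call
# back to it, so the popped value is the address right after the call.
#   00: EB 05            jmp  +5      -> 07
#   02: 58               pop  eax
#   03: 90 90 90 90      filler
#   07: E8 F6 FF FF FF   call -10     -> 02
#   0C: 90 90            payload continues here
SAMPLE_BACKWARD = bytes([0xEB, 0x05, 0x58, 0x90, 0x90, 0x90, 0x90,
                         0xE8, 0xF6, 0xFF, 0xFF, 0xFF, 0x90, 0x90])

# Constructed sample of the classic forward idiom: call $+5 ; pop ebx.
SAMPLE_FORWARD = bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x90])

# Constructed negative: a call whose target is outside the buffer.
SAMPLE_NONE = bytes([0xE8, 0x10, 0x00, 0x00, 0x00, 0x58])


if __name__ == "__main__":
    for name, blob in [("backward", SAMPLE_BACKWARD),
                       ("forward", SAMPLE_FORWARD),
                       ("none", SAMPLE_NONE)]:
        for call_off, target, reg in find_call_pop_getpc(blob):
            print(f"{name}: call at {call_off:#04x} -> pop {reg} at {target:#04x}")
```

Run it over a raw dump (for instance `find_call_pop_getpc(open("shellcode.bin", "rb").read())`) to get candidate GetPC sites to set breakpoints on; a call landing on a pop is a strong hint of position-independent code, though ordinary compiled functions that begin with a pop can also match, so treat hits as leads rather than proof.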

Next, it jumps into a bruteforce loop.

After it is complete, EBX’s value is 0xB2FB9B40, which is then flipped with a bswap instruction. We finally reach the self decryptor, having obtained our key:

After that, a bunch of weird stuff happens that I didn’t really look at, but anyway, if you want to continue reverse engineering, now you have a little more information, I guess.

It seems like the malware receives shellcode from the CnC and then performs a jmp to it, nothing more.


Regarding reddit, people tend to become stupid and post false information (hurr durr russian ip hurr durr ransomware), please disregard them, thanks. No, it was not hosted in Russia; the CnC is at an OVH server in France (145.239.41 dot 131).


Oh and here’s the dumped shellcode for your viewing pleasure.

Download: (password: infected)



bartblaze wrote another nice article regarding this malware, you might want to look into it.

Comments (3)

  1. Niklas
    Hi, did some further analysis: the dropped svchost.exe has no complex functionality of its own; it only tries to download a chunk of code from the C&C and ret there. If you wanna see this for yourself, break on kernelbase.LoadLibraryExW (the implementation, not the thunk) - the ws2_32 load is the one issued by the shellcode, which has decrypted itself by that point. It then performs a bunch of obfuscated winsock calls - break on shellcode+B9 to watch them. Substitute the returned error codes (because the C&C is down) and you'll see it just retrieves sz, allocates buf[sz], downloads code until sz is filled, and then returns, &buf being the current return address.
  2. fefe
    Fefe likes crunchy things, veri gud article Mr. Krabs
  3. codefuser suck me papi
    codefuser suck me papi better pls, I watch furry porn in ur lap