DoubleLoader

This malware leverages syscalls such as NtOpenProcess, NtWriteVirtualMemory, NtCreateThreadEx launching unbacked code within the Windows desktop/file manager (explorer.exe).

These techniques include control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly tricks and entrypoint obfuscation. | LEA (Load Effective Address) obfuscation is focused on obscuring the immediate values associated with LEA instructions. An arithmetic calculation with subtraction will follow directly behind the LEA instruction to compute the original intended value. | By enabling entrypoint obfuscation, ALCATRAZ moves the entrypoint then includes additional code with an algorithm to calculate the new entrypoint of the program. | This obfuscation technique is prevalent throughout the DOUBLELOADER sample... These immediate values are replaced with multiple bitwise operations masking these constant values, thus disrupting any context and the analyst’s flow. | ALCATRAZ implements one form of this technique by modifying any instructions starting with the 0xFF byte by adding a short jump instruction (0xEB) in front. | One common technique used by obfuscators is instruction mutation, where instructions are transformed in a way that preserves their original behavior, but makes the code harder to understand. | One interesting attribute of DOUBLELOADER is that it is protected with an open-source obfuscator, ALCATRAZ... These techniques include control flow flattening, instruction mutation, constant unfolding, LEA constant hiding, anti-disassembly tricks and entrypoint obfuscation.

This malware leverages syscalls such as NtOpenProcess, NtWriteVirtualMemory, NtCreateThreadEx launching unbacked code within the Windows desktop/file manager (explorer.exe).

The malware collects host information, requests an updated version of itself and starts beaconing to a hardcoded IP (185.147.125.81) stored within the binary.