
Baby’s First Malware Config Parser: Mini-Course w/ dnSpy+CyberChef+Python
NOTE: See the updated Rat King Parser (the spiritual successor to this parser) here: Coding The Rat King: A Multi-Family Malwar...
Whether you're just getting started in malware analysis or a seasoned pro looking to learn some new techniques, join me in this "mini-course" as we build a malware configuration parser for ASyncRAT in 3 ways, including writing an automated parser completely from scratch, exploring dnSpy, CyberChef, and Python 3 along the way, all in a haze of caffeinated mania. It will be a lot of work, but together we'll make it happen, and learn a ton about malware analysis and scripting in the process.
Thanks so much for your patience during my hiatus this past year - it feels good to finally publish some new content, and I truly appreciate all of the kind words about my first video and all of the support. I hope this was worth the wait.
Let me know what you would like to see in future videos!
Please leave feedback and questions here as comments, or DM me on Twitter.
Please leave bugs as comments, DMs on Twitter, or Issues/PRs on GitHub.
Check this description for any updates or corrections to the video.
Project Homepage: github.com/jeFF0Falltrades/Tutorials/tree/master/a…
YARA Rule for Hunting: github.com/jeFF0Falltrades/YARA-Signatures/blob/ma…
Twitter: twitter.com/jeFF0Falltrades
Corrections: See comments
Timestamps:
00:00:00 - Intro
00:03:11 - Important Notes
00:04:53 - Downloading/Exploring ASyncRAT
00:15:35 - Introducing dnSpy
00:24:34 - Extracting Configuration Values with dnSpy
00:36:29 - Configuration Parsing with CyberChef
00:37:56 - Replicating the ASyncRAT AES256 Decryption Routine
01:17:55 - Recap and Saving Our CyberChef Recipe
01:23:48 - Preview of Our Finished Python Parser
01:25:48 - Creating Our Python Parser Runner Program
01:45:26 - Detour: Class vs Instance Variables
01:52:59 - Feeding Data to Our Parser
02:03:23 - In-Depth Analysis of ASyncRAT’s Configuration
02:12:10 - Detour: Endianness
02:15:08 - Detour: RVAs vs VAs vs Offsets
02:37:11 - Review/Pseudocoding Our Parser’s Functionality
02:40:38 - Building an Address Map of the Config
03:00:43 - Helper Function: get_string_from_offset()
03:15:15 - Reconstructing the Table Map
03:19:22 - Extracting the “m_maskvalid” Value
03:25:24 - Helper Function: get_stream_start()
03:10:43 - Helper Function: bytes_to_int()
03:28:08 - Helper Function: get_metadata_header_offset()
03:36:40 - Calculating Table Row Size and Number of Rows
03:49:32 - Extracting the Field Table
03:56:12 - Helper Function: get_table_start()
04:11:31 - Translating Config Addresses to Values
04:15:04 - Helper Function: strings_rva_to_strings_val()
04:20:00 - Helper Function: us_rva_to_us_val()
04:33:32 - Creating an AES Decryptor Class
04:36:49 - Helper Function: get_aes_metadata_flag()
04:46:01 - Extracting the AES Key and Block Size
04:53:56 - Extracting the AES Iterations Value
04:58:04 - Extracting the AES Salt Value
04:58:50 - Detour: FieldRVA Table and Static Arrays
05:04:41 - Detour: String-Derived AES Salt Values
05:22:09 - Helper Function: decode_bytes()
05:27:26 - Helper Function: get_aes_salt_ldtoken_method()
05:32:33 - Helper Function: field_id_to_field_rva()
05:39:01 - Helper Function: field_rva_to_offset()
05:49:35 - Deriving the AES Key
06:04:56 - Implementing AES256 Decryption
06:09:52 - Decrypting the Configuration
06:17:34 - Reporting the Parsed Config in JSON
06:19:46 - Troubleshooting/Lots of Suspense
06:22:38 - Great Success
06:23:22 - ASyncRAT YARA Rule for Hunting
06:23:48 - Parsing Multiple Samples
06:25:10 - Great Job and Thank You!
Resources and References:
ASyncRAT Source and Release: github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
ASyncRAT Malpedia Page: malpedia.caad.fkie.fraunhofer.de/details/win.async…
dnSpy: github.com/dnSpy/dnSpy
CyberChef: gchq.github.io/CyberChef/
.NET File Format Info: www.codeproject.com/Articles/12585/The-NET-File-Fo…
.NET File Format Info: www.red-gate.com/simple-talk/blogs/anatomy-of-a-ne…
C# Wiki: en.wikipedia.org/wiki/C_Sharp_(programming_languag…)
PBKDF2 Wiki: en.wikipedia.org/wiki/PBKDF2
AES Wiki: en.wikipedia.org/wiki/Advanced_Encryption_Standard
dnfile: github.com/malwarefrank/dnfile
RVAs vs VAs vs Offsets: tech-zealots.com/malware-analysis/understanding-co…
List of CIL instructions: en.wikipedia.org/wiki/List_of_CIL_instructions
YARA Rules: www.varonis.com/blog/yara-rules
Thumbnail Attribution:
Rat - Chanut is Industries: thenounproject.com/icon/rat-1304593/
CyberChef - GCHQ: gchq.github.io/CyberChef/
dnSpy: github.com/dnSpy/dnSpy
Python Icon - Brett Croft: www.freepngimg.com/png/14704-python-logo-free-down…