{"id":9103,"date":"2024-10-07T12:05:10","date_gmt":"2024-10-07T12:05:10","guid":{"rendered":"\/cybersecurity-blog\/?p=9103"},"modified":"2024-10-08T10:35:39","modified_gmt":"2024-10-08T10:35:39","slug":"phantomloader-and-ssload-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/","title":{"rendered":"New PhantomLoader Malware Distributes SSLoad: Technical Analysis"},"content":{"rendered":"\n<p><em>Editor\u2019s note: This article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on&nbsp;<a href=\"https:\/\/x.com\/BlueEye46572843\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/mohamed-talaat-049349198\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>.<\/em><\/p>\n\n\n\n<p>In this malware analysis report, we take an in-depth look at how an undocumented loader called PhantomLoader has been used by attackers to distribute Rust-based malware known as <a href=\"https:\/\/any.run\/malware-trends\/ssload\" target=\"_blank\" rel=\"noreferrer noopener\">SSLoad<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>PhantomLoader usually masquerades as a legitimate 32-bit DLL, written in C\/C++, belonging to the antivirus product 360 Total Security.<\/p>\n\n\n\n<p>However, in this case, it was found disguising itself as &#8220;PatchUp.exe,&#8221; which is likewise a legitimate module of 360 Total Security. This loader has been used in recent attacks to deliver new Rust-based malware called SSLoad.<\/p>\n\n\n\n<p>What makes PhantomLoader unique is that it is grafted onto a legitimate DLL or executable of well-known software: the original file is binary-patched and a self-modifying routine is added. 
The latter decrypts an embedded code stub, which then decrypts and loads &#8220;SSLoad&#8221; into memory.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-1024x548.png\" alt=\"\" class=\"wp-image-9104\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-1024x548.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-768x411.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-270x145.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a-740x396.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1a.png 1171w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>PatchUp.exe and legitimate module of 360 Total Security<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical<\/strong> <strong>analysis<\/strong><\/h2>\n\n\n\n<p>After analyzing the SSLoad sample in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomloader&amp;utm_term=071024&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s sandbox<\/a>, we observed that one distribution method for this malware involves phishing emails containing malicious Office documents. 
These documents initiate the infection chain.<\/p>\n\n\n\n<p>The analysis session shows how PhantomLoader is dropped and executed, after which it decrypts and runs SSLoad.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/66ef2b58-4098-4bd8-9a94-4276c6bbd04b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=phantomloader&amp;utm_term=071024&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View the analysis session<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"491\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-1024x491.png\" alt=\"\" class=\"wp-image-9105\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-1024x491.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-300x144.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-768x368.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-370x177.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18-740x355.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image18.png 1490w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The detection of SSLoad malware inside ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Execution of Malicious Word Document<\/strong><\/h3>\n\n\n\n<p>After the malicious Word document was opened, a new process, &#8220;app.com,&#8221; was launched by &#8220;WINWORD.exe,&#8221; indicating that an embedded malicious macro had been executed. 
This resulted in the creation of the suspicious process.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"701\" height=\"153\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1.png\" alt=\"\" class=\"wp-image-9106\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1.png 701w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1-300x65.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1-370x81.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image19-1-270x59.png 270w\" sizes=\"(max-width: 701px) 100vw, 701px\" \/><figcaption class=\"wp-element-caption\"><em>Malicious Word document displayed in ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To better understand the infection chain, the macro was extracted and analyzed further.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Execution of Decoded XML String<\/strong><\/h3>\n\n\n\n<p>In the ANY.RUN <a href=\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Script Tracer<\/a>, it was observed that the malware loads an encoded XML string, which appears to be obfuscated using JScript. This encoding is used to disguise the malicious intent, making it more difficult to detect.&nbsp;<\/p>\n\n\n\n<p>Once loaded, the XML string is executed, triggering the next stage in the malware&#8217;s infection process.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"629\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-1024x629.png\" alt=\"\" class=\"wp-image-9107\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-1024x629.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-768x472.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-370x227.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b-740x455.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1b.png 1269w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>XML string load and execution demonstrated in ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Upon further investigation of the document\u2019s macros, an <strong>Autoclose macro<\/strong> was found that reads an XML string from an XML file named &#8220;UserForm1.&#8221;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"575\" height=\"97\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1e.png\" alt=\"\" class=\"wp-image-9126\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1e.png 575w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1e-300x51.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1e-370x62.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1e-270x46.png 270w\" sizes=\"(max-width: 575px) 100vw, 575px\" \/><figcaption class=\"wp-element-caption\"><em>Autoclose macro that reads the XML string<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After analyzing the referenced form file, it became clear that the loaded XML string contains encoded JavaScript. 
This encoding serves as a protection measure designed by Microsoft to prevent unauthorized copying or alteration of <a href=\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\" target=\"_blank\" rel=\"noreferrer noopener\">VBScript<\/a> or JavaScript code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"139\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-1024x139.png\" alt=\"\" class=\"wp-image-9108\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-1024x139.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-300x41.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-768x105.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-1536x209.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-370x50.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-270x37.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f-740x101.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1f.png 1828w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Javascript encoded as XML string<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Using <strong>CyberChef<\/strong>, the JavaScript was decoded, revealing the underlying code used by the malware to continue the infection process. 
This provides clear insights into the next steps of the attack.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"503\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-1024x503.png\" alt=\"\" class=\"wp-image-9109\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-1024x503.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-300x147.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-768x378.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-370x182.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c-740x364.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image1c.png 1422w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Decoding process of Javascript with CyberChef<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The JavaScript code decodes the next stage, PhantomLoader, using base64. 
It then places the decoded file in the user&#8217;s %TEMP% directory with the name &#8220;app.com&#8221; and starts it.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"189\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-1024x189.png\" alt=\"\" class=\"wp-image-9110\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-1024x189.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-300x55.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-768x142.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-1536x284.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-370x68.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-270x50.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1-740x137.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image21-1.png 1693w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Decoding of the next stage using Base64&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>First Loader: PhantomLoader<\/strong><\/h2>\n\n\n\n<p>As noted, PhantomLoader in our case disguises itself as &#8220;PatchUp.exe,&#8221; a legitimate module for the antivirus software 360 Total Security. 
This tactic allows it to remain undetected by both the system and users.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"198\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-1024x198.png\" alt=\"\" class=\"wp-image-9111\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-1024x198.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-300x58.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-768x149.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-370x72.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-270x52.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22-740x143.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image22.png 1522w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>360 Total Security damaged by PhantomLoader<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This is one of the rare cases where the malicious code runs before the main function is reached. This strongly suggests that the legitimate module has been modified. 
A malicious routine is inserted before the main function, along with an <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">encrypted<\/a> stub.\u00a0<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"289\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23.png\" alt=\"\" class=\"wp-image-9112\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23.png 997w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23-300x87.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23-768x223.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23-370x107.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23-270x78.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image23-740x215.png 740w\" sizes=\"(max-width: 997px) 100vw, 997px\" \/><figcaption class=\"wp-element-caption\"><em>The malicious subroutine<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The malicious routine embedded within the module first calculates the address of the encrypted code stub, which is hidden within the file. It then decrypts this stub using an XOR operation with a hardcoded key.<\/p>\n\n\n\n<p>The encrypted code is located in the .text section of the executable. 
It was disassembled by IDA, but the disassembled output appeared nonsensical, indicating that the code is indeed encrypted.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"713\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-1024x713.png\" alt=\"\" class=\"wp-image-9113\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-1024x713.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-300x209.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-768x535.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-370x258.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-270x188.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24-740x515.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image24.png 1033w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>XOR decryption loop and encrypted code stub<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To further analyze the encrypted code in IDA, an <a href=\"https:\/\/github.com\/Blu3Eye\/Malware-Analysis\/blob\/master\/PhantomLoader\/decrypt_code_phantomLoader.py\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">IDAPython<\/a> script was created to decrypt and patch the code in place.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"312\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-1024x312.png\" alt=\"\" class=\"wp-image-9114\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-1024x312.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-300x91.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-768x234.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-370x113.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-270x82.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25-740x226.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image25.png 1282w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Implementation of IDAPython script<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The decrypted code stub begins by fetching the base address of <strong>&#8220;kernel32&#8221;<\/strong>, a core Windows system DLL that provides essential system functions. It then uses this base address to resolve the following function addresses by hash:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>VirtualAlloc<\/strong> &#8211; Responsible for memory allocation.<\/li>\n\n\n\n<li><strong>LoadLibraryA<\/strong> &#8211; Loads libraries (DLLs) into memory.<\/li>\n\n\n\n<li><strong>GetProcAddress<\/strong> &#8211; Retrieves the address of functions or variables from the loaded DLLs.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"334\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-1024x334.png\" alt=\"\" class=\"wp-image-9115\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-1024x334.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-768x251.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-370x121.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-270x88.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26-740x241.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image26.png 1232w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Function addresses resolved by hash<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The resolved functions are then used to load the decrypted next-stage loader, <strong>SSLoad<\/strong>, directly into memory.<\/p>\n\n\n\n<p>Using the same key as before, it XOR decrypts the encrypted SSLoad, which is stored in the <strong>&#8220;.rsrc&#8221;<\/strong> section of the file. This method keeps the actual payload concealed until it&#8217;s ready to be executed.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"334\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-1024x334.png\" alt=\"\" class=\"wp-image-9116\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-1024x334.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-300x98.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-768x251.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-370x121.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-270x88.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27-740x242.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image27.png 1274w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>XOR decryption loop of encrypted 
SSLoad stored in .rsrc<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Interestingly, it doesn&#8217;t use the usual FindResourceA and LockResource API sequence to locate and extract the encrypted resource. Instead, an offset to the encrypted resource is passed to the function located at the decrypted stub.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"466\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-1024x466.png\" alt=\"\" class=\"wp-image-9117\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-1024x466.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-300x136.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-768x349.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-370x168.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28-740x337.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image28.png 1330w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Encrypted SSLoad<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Second Loader: SSLoad<\/strong><\/h2>\n\n\n\n<p>The final payload decrypted by <strong>PhantomLoader<\/strong> is <strong>SSLoad<\/strong>, a Rust-based loader known for its evasive and stealthy nature.<\/p>\n\n\n\n<p>It employs various anti-analysis techniques, including <strong>anti-debugging<\/strong> and <strong>anti-emulation<\/strong> methods. 
SSLoad also uses multiple layers of string decryption to conceal its <strong>Command-and-Control (C2) URLs<\/strong> and <strong>IP addresses<\/strong>, making detection and analysis more challenging.<\/p>\n\n\n\n<p>When executed, SSLoad begins by creating a <strong>mutex object<\/strong> with a hardcoded name. This object ensures that only one instance of SSLoad can run on the host at any given time. This is a common technique used to avoid resource conflicts or redundant infections on a single host.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"854\" height=\"145\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29.png\" alt=\"\" class=\"wp-image-9118\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29.png 854w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29-300x51.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29-768x130.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29-370x63.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29-270x46.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image29-740x126.png 740w\" sizes=\"(max-width: 854px) 100vw, 854px\" \/><figcaption class=\"wp-element-caption\"><em>Mutex object created to ensure only one instance of SSLoad<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It uses a common anti-debugging technique by inspecting the <strong>Process Environment Block (PEB)<\/strong>, specifically looking for the <strong>&#8220;BeingDebugged&#8221;<\/strong> flag. 
This flag is set to indicate whether the process is currently being debugged.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"41\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-1024x41.png\" alt=\"\" class=\"wp-image-9119\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-1024x41.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-300x12.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-768x31.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-370x15.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-270x11.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a-740x30.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2a.png 1027w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Anti-debugging technique inspection<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>It is interesting to note that it uses an anti-emulation technique that was observed for the first time being used by <a href=\"https:\/\/any.run\/malware-trends\/raspberryrobin\" target=\"_blank\" rel=\"noreferrer noopener\">Raspberry Robin<\/a>. The technique involves attempting to retrieve the address of a function exported by kernel32 called \u201cMpVmp32Entry\u201d.&nbsp;<\/p>\n\n\n\n<p>However, when inspecting the exports of kernel32 for this function name, it cannot be found. 
This is because only modified versions of kernel32.dll used by emulators export that function.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"231\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-1024x231.png\" alt=\"\" class=\"wp-image-9120\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-1024x231.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-300x68.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-768x173.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-370x84.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-270x61.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b-740x167.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2b.png 1307w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MpVmp32Entry called by kernel32<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The developers of SSLoad may have either intentionally or accidentally failed to properly decrypt the library name Kernel32.dll. This would result in the DLL base address not being retrieved to check for the target export. As a result, the implemented trick might fail even on an emulated system.<\/p>\n\n\n\n<p>One of the system artifacts to check for is the presence of a directory with a randomly generated name under %APPDATA%\/Microsoft. 
This directory name is generated at runtime using the function <strong>SystemFunction036<\/strong> from the <strong>Advapi32.dll<\/strong> library, which is often used for cryptographic functions.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"492\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-1024x492.png\" alt=\"\" class=\"wp-image-9121\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-1024x492.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-300x144.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-768x369.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-370x178.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-270x130.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c-740x356.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2c.png 1128w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Directory name generated with SystemFunction036 function<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After completing its checks and decrypting the C2 URLs and IP addresses, <strong>SSLoad<\/strong> moves forward with fingerprinting the host it\u2019s running on. 
This process involves collecting various details about the system.<\/p>\n\n\n\n<p>This data is stored in a <strong>JSON object<\/strong> that is later sent in an HTTP POST request to the command-and-control (C2) server to open communication.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"692\" height=\"234\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2d.png\" alt=\"\" class=\"wp-image-9122\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2d.png 692w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2d-300x101.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2d-370x125.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2d-270x91.png 270w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><figcaption class=\"wp-element-caption\"><em>Fingerprinting process of the host<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The fingerprint collected by <strong>SSLoad<\/strong> includes the <strong>OS version<\/strong>, <strong>username<\/strong>, <strong>hostname<\/strong>, <strong>architecture (arch)<\/strong>, <strong>public IP address<\/strong>, and other system-specific details.<\/p>\n\n\n\n<p>This data is sent to the server to register the host before C2 communication begins.<\/p>\n\n\n\n<p>If the request succeeds, the C2 server returns a JSON object containing a \u201ckey\u201d and an \u201cID\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"689\" height=\"121\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2e.png\" alt=\"\" class=\"wp-image-9123\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2e.png 689w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2e-300x53.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2e-370x65.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2e-270x47.png 270w\" sizes=\"(max-width: 689px) 100vw, 689px\" \/><figcaption class=\"wp-element-caption\"><em>The key and ID displayed in ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The returned key is a base64-encoded RC4 key used to encrypt all further communication between the host and the C2 server.<\/p>\n\n\n\n<p>The ID is a unique identifier generated on the C2 side, which the infected host uses to identify and authenticate itself to the server in later requests.<\/p>\n\n\n\n<p>In the later HTTP POST requests, no data is sent to the C2 server. 
Instead, the infected host sends <strong>empty HTTP POST requests<\/strong> that contain only the <strong>server-side generated &#8220;ID&#8221;<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"870\" height=\"237\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f.png\" alt=\"\" class=\"wp-image-9124\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f.png 870w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f-300x82.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f-768x209.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f-370x101.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f-270x74.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image2f-740x202.png 740w\" sizes=\"(max-width: 870px) 100vw, 870px\" \/><figcaption class=\"wp-element-caption\"><em>HTTP POST requests inside ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once SSLoad establishes a connection with the C2 server, it enters a <strong>beaconing loop<\/strong>, regularly checking in with the server for further instructions or tasks to execute.<\/p>\n\n\n\n<p>It seems that for the current sample the server hasn&#8217;t returned any tasks to the infected host. 
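<\/p>\n\n\n\n<p>The check-in exchange described above, together with the task (\u201cJob\u201d) response described in the next paragraph, modelled end to end in Python as an added example. This is not the article\u2019s code and not SSLoad\u2019s own: the fingerprint field names, the way the ID is carried in the empty beacon (here a query parameter), the Job encoding (base64 over RC4 over JSON) and every key, ID and URL value are assumptions chosen so that the script runs offline.<\/p>\n\n

```python
"""Model of the SSLoad check-in exchange described in the article.

Added example: not the article's code and not SSLoad's own. Field names,
how the ID is carried in the beacon, the Job encoding (base64 over RC4 over
JSON) and all sample values are assumptions made for this demonstration.
"""
import base64
import json
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling + keystream XOR. Symmetric: one call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed sample values (not observed data).
SAMPLE_KEY = bytes.fromhex("9f3c1e7a5b2d48c0e1f2a3b4c5d6e7f8")
SAMPLE_ID = "7c1d2e3f-0000-4aaa-bbbb-000000000001"
SAMPLE_FINGERPRINT = {          # field names are assumed, not taken from the sample
    "os": "Windows 10 Pro 19045",
    "user": "analyst",
    "hostname": "DESKTOP-LAB01",
    "arch": "x64",
    "ip": "203.0.113.7",
}


class FakeC2:
    """Stand-in for the server side: issues key + ID on registration and
    hands out queued jobs to beacons that present the issued ID."""

    def __init__(self, key: bytes, bot_id: str):
        self.key, self.bot_id = key, bot_id
        self.registered = None
        self.jobs = []

    def post(self, path: str, body: bytes) -> dict:
        if body:  # registration: the body is the fingerprint JSON
            self.registered = json.loads(body)
            return {"key": base64.b64encode(self.key).decode(), "ID": self.bot_id}
        # beacon: empty body, only the ID is carried (as a query parameter: an assumption)
        if path != f"/?id={self.bot_id}":
            return {}  # unknown or missing ID: nothing for this client
        if not self.jobs:
            return {"ID": self.bot_id}  # checked in, no task queued
        job = self.jobs.pop(0)
        blob = rc4(self.key, json.dumps(job).encode())
        return {"ID": self.bot_id, "Job": base64.b64encode(blob).decode()}


def register(c2: FakeC2, fingerprint: dict) -> Tuple[bytes, str]:
    """First POST: send the fingerprint, receive the base64 RC4 key and the ID."""
    resp = c2.post("/", json.dumps(fingerprint).encode())
    return base64.b64decode(resp["key"]), resp["ID"]


def beacon(c2: FakeC2, key: bytes, bot_id: str) -> Optional[dict]:
    """Later POSTs carry only the ID. Base64-decode and RC4-decrypt a Job if one is present."""
    resp = c2.post(f"/?id={bot_id}", b"")
    if "Job" not in resp:
        return None
    return json.loads(rc4(key, base64.b64decode(resp["Job"])))


def classify(job: dict) -> Tuple[str, str]:
    """Map a decoded job to the action it requests. Inspects only; never executes."""
    cmd, args = job.get("command"), job.get("arguments", "")
    if cmd == "exe" and args.lower().startswith(("http://", "https://")):
        return ("download_and_execute", args)
    return ("unknown", str(cmd))


def run_exchange() -> list:
    """Drive both sides once and return what the client learned at each step."""
    c2 = FakeC2(SAMPLE_KEY, SAMPLE_ID)
    c2.jobs.append({"command": "exe", "arguments": "http://example.invalid/next.bin"})
    key, bot_id = register(c2, SAMPLE_FINGERPRINT)
    first = beacon(c2, key, bot_id)   # job delivered
    second = beacon(c2, key, bot_id)  # queue now empty
    return [key, bot_id, first, classify(first), second]


if __name__ == "__main__":
    for step in run_exchange():
        print(step)
```

<p>Because the RC4 key travels base64-encoded, unencrypted, inside the registration response, an analyst holding a capture of the first exchange can decrypt every later task exactly as the client does; the <code>classify<\/code> step only reports what a job asks for and never fetches or runs anything.<\/p>\n\n\n\n<p>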
However, in another <a href=\"https:\/\/app.any.run\/tasks\/d4ae5245-fd3b-42e7-8eb2-45cc8550ef27\">SSLoad analysis sample<\/a>, the server did return a response containing an &#8220;ID&#8221; and a &#8220;Job&#8221;.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"692\" height=\"260\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image30.png\" alt=\"\" class=\"wp-image-9125\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image30.png 692w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image30-300x113.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image30-370x139.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/10\/image30-270x101.png 270w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><figcaption class=\"wp-element-caption\"><em>Server response containing ID and Job inside ANY.RUN\u2019s sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The &#8220;ID&#8221; in this response identifies the task assigned to the infected host.<\/p>\n\n\n\n<p>The &#8220;Job&#8221; value is an encoded structure with two fields: &#8220;command&#8221; and &#8220;arguments&#8221;. As Fishbein explained, when the <strong>&#8220;command&#8221;<\/strong> field is set to <strong>&#8220;exe&#8221;<\/strong> and the <strong>&#8220;arguments&#8221;<\/strong> field contains a URL, the server is instructing the infected host to download and execute the next-stage payload from that URL.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOC)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>File Paths and Names&nbsp;<\/strong><\/h3>\n\n\n\n<p>Incident_Harassment.doc<\/p>\n\n\n\n<p>%TEMP%\/app.com<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>File Hashes 
(MD5)<\/strong><\/h3>\n\n\n\n<p>EC7E26A81B6002C53854A1769AD427A6<\/p>\n\n\n\n<p>BD3231011448B2D6A335032D11C12CAD<\/p>\n\n\n\n<p>E01DDD72BC81781FE86A68D3AD045548<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Related Domains, URLs, and IP addresses&nbsp;<\/strong><\/h3>\n\n\n\n<p>http:\/\/85[.]239[.]53[.]219&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">YARA Rule<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>rule crime_phantom_loader_dll\n\n{\n&nbsp; &nbsp; meta:\n&nbsp; &nbsp; &nbsp; &nbsp; description = \"Detects PhantomLoader C\/C++ DLL\"\n&nbsp; &nbsp; &nbsp; &nbsp; author = \"Mohamed Talaat\"\n&nbsp; &nbsp; &nbsp; &nbsp; date = \"2024-08-17\"\n&nbsp; &nbsp; &nbsp; &nbsp; type = \"crimeware\"\n&nbsp; &nbsp; &nbsp; &nbsp; hash1 = \"BD3231011448B2D6A335032D11C12CAD\"\n&nbsp; &nbsp; &nbsp; &nbsp; hash2 = \"CA303668B5420C022EF9C78CE1F2BFB7\"\n&nbsp; &nbsp; &nbsp; &nbsp; hash3 = \"1D8D71B4A0870C0DFA3468470FB28A28\"\n&nbsp; &nbsp; &nbsp; &nbsp; hash4 = \"B28A478EB5B99EFCDC7CAF428BFFB89A\"\n&nbsp; &nbsp; strings:\n&nbsp; &nbsp; &nbsp; &nbsp; \/\/ PDB path and string left over from the legitimate host binary\n&nbsp; &nbsp; &nbsp; &nbsp; $pdb_str = \"C:\\\\vmagent_new\\\\bin\\\\joblist\" ascii\n&nbsp; &nbsp; &nbsp; &nbsp; $iobit_str = \"IUForceDelete123\" ascii wide\n&nbsp; &nbsp; &nbsp; &nbsp; \/\/ immediate 0x05F5E100 (100,000,000) loaded via mov edi \/ push \/ mov [ebp+x]\n&nbsp; &nbsp; &nbsp; &nbsp; $mov_5F5E100 = { ( BF | 68 | C7 45 ?? ) 00 E1 F5 05 }\n&nbsp; &nbsp; &nbsp; &nbsp; \/\/ 32-bit size constant 0x7D0 or 0x76C of the embedded payload\n&nbsp; &nbsp; &nbsp; &nbsp; $payload_size = { ( D0 | 6C ) 07 00 00 }\n&nbsp; &nbsp; &nbsp; &nbsp; \/\/ call [ebp+x]; push imm32; call ...; xor eax,eax; mov esp,ebp; pop ebp; ret\n&nbsp; &nbsp; &nbsp; &nbsp; $call_payload = { FF 55 ?? 68 &#91;4] FF &#91;-] 33 C0 ?? 8B E5 5D C3 }\n&nbsp; &nbsp; condition:\n&nbsp; &nbsp; &nbsp; &nbsp; (uint16(0) == 0x5A4D) and\n&nbsp; &nbsp; &nbsp; &nbsp; all of ($mov_5F5E100, $payload_size, $call_payload) and\n&nbsp; &nbsp; &nbsp; &nbsp; any of ($pdb_str, $iobit_str)\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note: The current article is authored by Mohamed Talaat, a cybersecurity researcher and malware analyst. You can find Mohamed on&nbsp;X&nbsp;and&nbsp;LinkedIn. 
In this malware analysis report, we take an in-depth look at how an undocumented loader called PhantomLoader has been used by attackers to distribute a rust-based malware known as SSLoad. Overview The PhantomLoader usually [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":9134,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-9103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>New PhantomLoader Distributes SSLoad: Technical Analysis<\/title>\n<meta name=\"description\" content=\"See the detailed technical analysis of an attack using the new threat PhantomLoader to distribute the Rust-based malware SSLoad.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mohamed Talaat\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\"},\"author\":{\"name\":\"Mohamed Talaat\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"New PhantomLoader Malware Distributes SSLoad: Technical Analysis\",\"datePublished\":\"2024-10-07T12:05:10+00:00\",\"dateModified\":\"2024-10-08T10:35:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\"},\"wordCount\":1667,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\",\"name\":\"New PhantomLoader Distributes SSLoad: Technical Analysis\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-10-07T12:05:10+00:00\",\"dateModified\":\"2024-10-08T10:35:39+00:00\",\"description\":\"See the detailed technical analysis of an attack using the new threat PhantomLoader to distribute the Rust-based malware 
SSLoad.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"New PhantomLoader Malware Distributes SSLoad: Technical Analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mohamed Talaat\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/mohamed.png.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/mohamed.png.jpeg\",\"caption\":\"Mohamed Talaat\"},\"description\":\"Mohamed Talaat is a Computer Engineer with a Bachelor in Computer Engineering from Suez Canal University (Ismailia, Egypt). Despite not having a strong cybersecurity background, he took it upon himself to establish a career in cybersecurity. \u041de found himself a better fit in Blue Teaming and malware analysis. Engaging in malware analysis and the development of TTPs, he also writes detection rules as part of his daily routine. Mohamed on LinkedIn.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"New PhantomLoader Distributes SSLoad: Technical Analysis","description":"See the detailed technical analysis of an attack using the new threat PhantomLoader to distribute the Rust-based malware SSLoad.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/","twitter_misc":{"Written by":"Mohamed Talaat","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/"},"author":{"name":"Mohamed Talaat","@id":"https:\/\/any.run\/"},"headline":"New PhantomLoader Malware Distributes SSLoad: Technical Analysis","datePublished":"2024-10-07T12:05:10+00:00","dateModified":"2024-10-08T10:35:39+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/"},"wordCount":1667,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis","malware behavior"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/","name":"New PhantomLoader Distributes SSLoad: Technical Analysis","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-10-07T12:05:10+00:00","dateModified":"2024-10-08T10:35:39+00:00","description":"See the detailed technical analysis of an attack using the new 
threat PhantomLoader to distribute the Rust-based malware SSLoad.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/phantomloader-and-ssload-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"New PhantomLoader Malware Distributes SSLoad: Technical Analysis"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Mohamed Talaat","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/mohamed.png.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/07\/mohamed.png.jpeg","caption":"Mohamed Talaat"},"description":"Mohamed Talaat is a Computer Engineer with a Bachelor in Computer Engineering from Suez Canal University (Ismailia, Egypt). Despite not having a strong cybersecurity background, he took it upon himself to establish a career in cybersecurity. \u041de found himself a better fit in Blue Teaming and malware analysis. Engaging in malware analysis and the development of TTPs, he also writes detection rules as part of his daily routine. 
Mohamed on LinkedIn.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/9103"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=9103"}],"version-history":[{"count":18,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/9103\/revisions"}],"predecessor-version":[{"id":9211,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/9103\/revisions\/9211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/9134"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=9103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=9103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=9103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}