Suspicious Productivity Pyinstaller Compiled Applications



Hello World. I have looked at a few interesting samples earlier this month that appear to fall into the same realm as many of the EvilAI PDF converters which have been reported last year.  The difference in this one is that instead of being inno packed, or an electron app, or a .NET application like some of the variations observed so far, this one is a python compiled application.

The initial application observed was "PDFly", which, after some pivoting on other information led to the discovery Ziply, as well as PDFClick, and Rapidoc. These findings were shared on my X post as well.

The challenge with these is that I am unable to use pyinstxtractor/pyinstxtractor-ng, there seems to be some level of customized pyinstaller magic here that I just don't know enough about. What I do know is that when running these applications they do drop an AppData\Local\Temp\_MEIXXXX directory, common with PyInstaller, and there is an embedded resource zip file with another EXE of the same name.

Additionally, when running Process Hacker, I can see in-memory strings that show another Python file, for PDFly this is app.py, loading from that AppData\Local\Temp\_MEI folder, however that file does not seem to actually drop onto disk, or it drops quickly and loads into memory and is gone before I see it. 

The good news is that it seems like some of the "custom" magic lies in some of this packing being done as zlib chunks. That can be extracted: Screenshot from Malcat:










The unpacked PDFly.exe is very similar, a bunch of zlib structures with one of them unpacking as what appears to be the app.py. 



I do have a AI-assisted Python script that grabs all the zlib structures and attempts to unpack and disassemble them, this automates the process I just showed with Malcat. (Judge me if you must, but AI wrote that Python script in much shorter time than I ever could have, and time is precious to me.)

I have a YARA rules also for detecting these types of python compiled applications.

PDFly Info
Ziply Info
Rapidoc Info


Comments

Post a Comment

Popular posts from this blog

TamperedChef: Suspicious Recipe App is really Malware

Image
Hello World!  Let me introduce you to a new malware I'm calling TamperedChef .  Yesterday I came across the article Malvertising Alert: Recipe App Hijacks Credentials and Appears to Establish C&C Connection . This got me curious, so I decided to dig a bit deeper. I manually went to recipelister ( VirusTotal )  and downloaded recipelister.exe.  After reading the aforementioned blog, which observed the 7z-out folder, I figured why not use 7zip to extract recipelister.exe. Within the compressed file was app-64.7z, which I again extracted I extracted using 7zip.  At this point we have the main contents of what would appear in "AppData\Local\Temp\2w1rXpxZnwDUwuTeNvdD6FUkeI0".  Extracting app.asar: In order to extract app.asar to be easier to look at, I used this 7z asar plugin .  This is where things get interesting. When we start looking at main.js, all the while running Fiddler, we  observe a lot of suspicious code and activity.  The main.j...
Read more

EvilAI: Fake Online Speedtest Application

Image
Several Windows applications that present themselves as legitimate utilities—Internet speed testers, “manual reader” and “finder” tools, certain PDF utilities, and even some AI search frontends such as   justaskjacky   have been observed to drop a portable Node runtime folder alongside a heavily obfuscated JavaScript payload. The visible executable performs as expected to the users, however the installer also extracts the Node runtime, a scheduled task, and  an obfuscated *.js file that don’t appear necessary for the application's primary function. That JavaScript is executed by the dropped Node instance via a scheduled task (observed to run on roughly a 12-hour cycle). Its capabilities include encoded/obfuscated network communications and the potential to execute arbitrary code delivered by the server. Because the JS runs independently from the main executable and is persistent via scheduled tasks, it significantly increases the attack surface:...
Read more

Suspicious Converter: Obfuscated Strings, Silent Tasks, and a Covert Update Channel

Image
I've seen a lot of chatter on X about ConvertMate.exe So I took another look at it today. What it is This is another file conversion application. It is a .Net application that as the installer drops files into AppData\Local\ConvertMate and creates a scheduled task called ConvertMateTask. The files it unpacks and drops include a smaller file named Convert Mate.exe (with a space), and id.txt (unique identifier), some supporting dlls, an uninstaller.exe, and UpdateRetreiver.exe . Red Flags Contains reverse strings and simple obfuscation launces a PS1 file to create the scheduled task Uninstaller and Add/Remove Programs only removes desktop icon and reg key.  UpdateRetreiver checks in daily and if domain returns response it AES decrypts the response Interesting strings in ConvertMate installer this.logicManager.SendPixel("https://banifuri[.]com/pixel"); string text = this.rev("exe.emorhc\\noitacilppA\\emorhC\\elgooG\\)68x( seliF margorP\\:C"); string t...
Read more