Test Report from Malcat MCP with Claude on YAPA binary

The following is a test run of using Malcat with MCP.

Malware Analysis Report — xchanger.exe

File: xchanger.exe  |  Analyzed: 2026-03-12  |  Tool: Malcat + .NET Disassembly
MALICIOUS — Trojanized Installer / C2 Dropper

File Metadata

Filename: xchanger.exe
File Size: 1,779,416 bytes (~1.7 MB)
Type: PE / .NET (DOTNET)
Version: 2.0.20.403
Internal Name: XChanger.exe
Copyright: XChanger Copyright © 2026
SHA-256: 356ca46f39b480d0ab523535f98e64ae0ec58fe1fdbb8ffc02f54b814445e9d0

Hardcoded XOR Key

NetworkManager — Scramble / Unscramble
Xt7Kp2Lm9Qw4Rv8Y-x1729583156
Length: 29 characters  |  Found at EA: 0xE771, 0xFB1A
// Rolling XOR per character against the 29-character key, then Base64-encoded for transmission
// (reconstructed from the decompiled Scramble logic; not a verbatim copy of the method body)
const string Key = "Xt7Kp2Lm9Qw4Rv8Y-x1729583156";   // Key.Length == 29
static string Scramble(string plaintext)
{
    var xored = new byte[plaintext.Length];
    for (int i = 0; i < plaintext.Length; i++)
        xored[i] = (byte)(plaintext[i] ^ Key[i % Key.Length]);
    return Convert.ToBase64String(xored);
}
// Called by: PostPayloadAsync, SendConfigNotificationAsync,
//            TransmitProfileReportAsync, BeginSessionAsync

Network Indicators — Domains & URLs

URL | Domain | Classification | Purpose
https://rol.chanleil.com/custom | chanleil.com | C2 / Suspicious | Custom config check-in
https://rol.chanleil.com/XR | chanleil.com | C2 / Suspicious | Unknown — short path beacon
https://rol.chanleil.com/XU | chanleil.com | C2 / Suspicious | Likely update/upload endpoint
https://rol.chanleil.com/X | chanleil.com | C2 / Suspicious | Unknown — short path beacon
https://white.chanleil.com/XIn | chanleil.com | C2 / Suspicious | Likely initial check-in (XIn = XChanger Init?)
https://white.chanleil.com/XRT | chanleil.com | C2 / Suspicious | Likely report transmission
https://white.chanleil.com/XSC | chanleil.com | C2 / Suspicious | Likely send config
https://white.chanleil.com/XRF | chanleil.com | C2 / Suspicious | Likely report/refresh
https://www.xchangerapp.com/xch-welcome | xchangerapp.com | Decoy / Legit-looking | Welcome page (cover)
https://www.xchangerapp.com/xch-terms | xchangerapp.com | Decoy / Legit-looking | Terms of service (cover)
https://www.xchangerapp.com/xch-privacy | xchangerapp.com | Decoy / Legit-looking | Privacy policy (cover)

Registry Activity

Key Path | Access Type | Purpose
SOFTWARE\Microsoft\Cryptography | Read | Reads MachineGuid — unique host fingerprinting
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ | Read / Write | Registers as installed software (persistence/legitimacy cover); also used to enumerate installed programs

Behavioral Analysis

Behavior | Severity | Evidence
Embedded Executable Dropper | Critical | Contains a second PE binary in a high-entropy resource; loaded via .NET reflection at runtime
C2 Communication | Critical | NetworkManager class — BeginSessionAsync, PostPayloadAsync, TransmitProfileReportAsync, SendConfigNotificationAsync
XOR + Base64 Traffic Obfuscation | Critical | Scramble / Unscramble methods apply rolling XOR with hardcoded key, then Base64-encode all outbound data
Host Fingerprinting | High | Reads MachineGuid from registry; BuildSidString, EvaluateProfiles, ComposeStatusDetails methods compile system profile
Dynamic Code Loading | High | Uses Assembly.Load / Reflection (2 hits) to load and execute embedded payload at runtime — evades static analysis
HTTP Form Data Exfiltration | High | YARA: PostHttpForm — posts data as application/x-www-form-urlencoded
Installed Software Enumeration | Medium | YARA: FingerprintSoftware — reads Uninstall registry hive to enumerate all installed programs
Installer Masquerading | Medium | Drops files, creates Start Menu entry, registers in Add/Remove Programs — presents as legitimate XChanger installer
Auto-Update / Download Mechanism | Medium | DownloadUpdateZip with retry logic — can pull and execute updated payloads
PE Timestamp Manipulation | Medium | TimeDateStamp set in the future — anti-forensics / evades time-based sandbox detection

Static Anomalies

Anomaly | Level | Description
TimeDateStampInTheFuture | 4 / Critical | PE header timestamp is set in the future
NoImportTable | 4 / Critical | No valid Import Table — all imports resolved via .NET runtime
DotnetDynamicLoadingApiUsage | 3 / High | Uses Assembly.Load / Reflection for runtime code execution (2 hits)
EmbeddedProgram | 3 / High | A second executable is embedded inside the file
BigResourceHighEntropy | 2 / Medium | Large non-image resource with high entropy — likely encrypted payload
WeirdFileAlignment | 2 / Medium | FileAlignment is non-standard

NetworkManager Class — Identified Methods

Method | Role
Scramble | XOR-encodes plaintext with hardcoded key, returns Base64 string
Unscramble | Reverses Scramble — decodes Base64, XOR-decodes inbound data
PostPayloadAsync | HTTP POST of XOR+Base64 encoded payload
BeginSessionAsync | Initial C2 check-in, likely sends MachineGuid + profile
SendConfigNotificationAsync | Transmits local config data to C2
TransmitProfileReportAsync | Sends collected host profile to C2
EvaluateProfiles | Enumerates and scores local profiles
ComposeStatusDetails | Builds status/environment info string
ComposeProfileOverview | Compiles full host profile for exfiltration
BuildSidString | Retrieves user/machine SID for identification
UrlEncode / ToBase64 | Encoding helpers for HTTP transmission

Generated by Claude Code  |  Analysis target: C:\Users\user\Desktop\yapa\xchanger.exe  |  Date: 2026-03-12

Thoughts:

This assists with some basic analysis, but I still had to know a bit about analysis to get it to give me more. What I found is that I had to have Claude disassemble the .NET to extract the various namespaces, classes, methods, etc. This was required to get the hard-coded XOR key. I noticed after the report that I don't have the certificate signer, so I asked it to use certutil to dump the cert on the binary and get that information.
