ChatGPT<\/a> was introduced in November 2022 by OpenAI as a prototype programmed to answer long form, complex questions. What is revolutionary about ChatGPT is that it is trained to learn about the meaning behind questing being asked. As a result of which, the responses reported are distinctly human-like. At this point, it remains debatable whether ChatGPT is going to support or pose as a challenge in the fight against cyber-crime, but for now, let us focus on ChatGPT and its malware analyzing capabilities.<\/p>\nSo, whether you’re a seasoned security professional or just getting started in the field, this post will provide valuable insights into the use of advanced language models in malware analysis.<\/p>\n
Let\u2019s get started!<\/p>\n
In order to understand the power and capabilities of ChatGPT, we began with analyzing AsyncRAT.\u00a0 We were curious to see how this cutting-edge AI technology could aid in uncovering the inner workings of this malware, and potentially assist in identifying indicators of compromise, by analyzing network traffic, and uncovering command and control (C2) infrastructure.
\nAs a result of our research, we came across the following code snippet which acts as a stage 1 loader for AsyncRAT and contains a lot of obfuscation and a base64 encoded string. The code is written in Python and utilizes the Common Language Runtime (CLR) library to interact with the .NET Framework, loading and running an assembly encoded in base64.
\nFurther into the research, we discovered that ChatGPT could be incredibly useful in analyzing malware such as AsyncRAT, but also found that it still has limitations in certain areas. Nonetheless, we feel that the use of advanced language models like ChatGPT in malware analysis is a promising development in the fight against cyber threats.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/1-300x115.png\")
<\/p>\n
Here, we have decided to give this code as an input to ChatGPT and get some insight about the code.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/2-300x187.png\")
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/3-300x217.png\")
<\/p>\n
The code provided, uses a base64 encoded string that ChatGPT was unable to decode due to its string length limit and limitations on the actions it is allowed to perform. However, ChatGPT was still able to provide a simplified and understandable explanation of the code’s functionality and potential malicious intent. It is important to note that ChatGPT is a powerful language model but it should be used in conjunction with other methods and techniques and is not a silver bullet for all tasks related to malware analysis.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/4-300x144.png\")
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/5-300x152.png\")
<\/p>\n
That is why we have used Cyberchef to decode the base64 string, which turns out to be stage two loader python script.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/6-300x159.png\")
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/7-300x257.png\")
<\/p>\n
<\/p>\n
We gave this code as an input to ChatGPT again to see what it can tell me about it,<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/8-300x153.png\")
<\/p>\n
Again,we have a long base64 encoded string which we had to decode using Cyberchef.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/9-300x159.png\")
<\/p>\n
This string turns out to be a PE file. We cannot pass the PE file to ChatGPT so there was no help as such from the PE file analysis perspective. But we decided to go ahead and see what the PE file has in it.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/10-245x300.png\")
<\/p>\n
<\/p>\n
We will use Dnspy to decompile this binary.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/11-300x138.png\")
<\/p>\n
As you can see, the output of the base64 decode function is passed as an input to a Decompress function.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/12-300x187.png\")
<\/p>\n
The above code is a C# function that appears to be decompressing a byte array called “gzip”. The function uses the GZipStream class to create a new stream and pass it a MemoryStream object that is constructed with the “gzip” byte array. The GZipStream is then used to read the compressed data in 4096 byte chunks and write it to a new MemoryStream object. The function then returns the decompressed data as a byte array using the ToArray method of the MemoryStream object.<\/p>\n
In simpler terms, this function takes in a compressed byte array, decompresses it using Gzip algorithm, and returns the decompressed data as a byte array. This function can be used to decompress data that has been previously compressed using Gzip algorithm.<\/p>\n
We again decided to use Cyberchef to decode this thing,<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/13-300x140.png\")
<\/p>\n
<\/p>\n
Which again was a PE file, which when analyzed was a .NET assembly. We used Dnspy to analyze it.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/14-300x72.png\")
<\/p>\n
<\/p>\n
This binary has base64 encoded string, but if you see the last word carefully, you\u2019ll get an idea that the base64 string will turn out to be a powershell script when decoded.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/15-300x122.png\")
<\/p>\n
<\/p>\n
As you can see, the powershell is very much obfuscated, so we decided to check if ChatGPT can decode it for us. Below is the output.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/16-300x213.png\")
<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/17-300x222.png\")
<\/p>\n
<\/p>\n
When asked what could be the functionality of such a script, the output received is as shown below.<\/p>\n
<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/18-300x193.png\")
<\/p>\n
There is one more base64 encoded string in the .NET assembly. Which is first passed to a function called cipher with a parameter that is a key to the cipher.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/19-300x13.png\")
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/20-300x34.png\")
<\/p>\n
<\/p>\n
So we decided to take a look at what was the logic of Cipher function.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/21-300x236.png\")
<\/p>\n
<\/p>\n
Now, we decided to give this code as an input to ChatGPT and asked it to identify the cipher.
\nThis output surprised us.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/22-300x186.png\")
<\/p>\n
<\/p>\n
We implemented the same logic in python, in order to get the next stage.
\nThis was the output. A final PE file:-<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/23-300x142.png\")
<\/p>\n
This again is a .NET file. When checked in Dnspy, here is what we get.<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/24-300x243.png\")
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/25-300x252.png\")
<\/p>\n
<\/p>\n
By looking at the function we get a fair idea of the functionality of this file, which is its Anti-analysis techniques and registry functions and stuff like that. We were curious to know if ChatGPT would understand the purpose of this code and identify what type of malware it was.<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/26-300x234.png\")
<\/p>\n
<\/p>\n
The key function in the code is the “Install” method which appears to be responsible for installing and running the specified file on startup.
\nThe “FileInfo” object is used to specify the file that the code is trying to install and run.
\nThe “Process.GetCurrentProcess().MainModule.FileName” and “fileInfo.FullName” are used to check if the currently running process is the same as the specified file.
\nThe “Process.GetProcesses()” method is used to get a list of all running processes and the code iterates through them to stop any processes that has the same file path as the specified file.
\nThe “Methods.IsAdmin()” method is used to check if the user has admin privileges.
\nThe “schtasks” command is used to create a scheduled task to run the specified file on logon (if the user has admin privileges).
\nThe “Registry.CurrentUser.OpenSubKey” method is used to open the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key and the “registryKey.SetValue” method is used to set the value of the key to the file path of the specified file (if the user does not have admin privileges).
\nThe “File.Exists” method is used to check if the specified file already exists and the “File.Delete” method is used to delete it if it does.
\nThe “FileStream” object is used to create a new file at the specified file path and write the contents of the current running process’s file to it.
\nThe “Methods.ClientOnExit()” method is executed.
\nThe “Path.GetTempFileName()” method is used to create a temporary .bat file and the “StreamWriter” object is used to write a series of commands to it.
\nThe “Process.Start” method is used to start the .bat file and the “Environment.Exit(0)” method is used to exit the current process.<\/p>\n
From this code, it can be inferred that the code is trying to install and run a specific file on startup, and it seems to be designed to make sure that the specified file is running on startup and that it is running with administrative privileges. The code also tries to delete the original file and create a new one with the same name and content, which might indicate that it’s trying to replace the original file with a malicious version. The use of methods to check if the user has admin privileges, scheduled task creation and registry key modification indicates that it is trying to run the file on startup in any scenario possible. Also, the use of various methods to hide the execution of the file, such as creating a bat file, running it in hidden mode, and deleting the bat file after execution, indicates that the code is hiding its execution from the end user.<\/p>\n
<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2023\/01\/Last-269x300.png\")
<\/p>\n
<\/p>\n
It was able to understand the code is malicious and was correctly able to identify it as a RAT.<\/p>\n
By this exercise, we were able to decipher ChatGPT much better and understand how it can assist in malware analysis. While ChatGPT has demonstrated it\u2019s basic capabilities on this front, at this time it is no match for the human intelligence driven malware analysis \u2013 which is much more capable and holistic. We would continue to keep an eye on the ChatGPT and would share further updates as it augments it\u2019s capabilities and powers in times to come.<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
As cyber threats continue to evolve and become more sophisticated, it’s crucial for security researchers and professionals to stay ahead of the curve. In this post, \u2981 We will explore how ChatGPT can assist in the analysis of malware, specifically the Remote Access Trojan (RAT) known as AsyncRAT and, \u2981 We will also delve […]<\/p>\n","protected":false},"author":103,"featured_media":91277,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1952,1951,1953,1954,1955,1362,534,58,49,50],"class_list":["post-91276","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-asyncrat","tag-chatgpt","tag-malwareattack","tag-quickhealsolutions","tag-securityupdate","tag-cybercrime","tag-cybersecurity","tag-hacking","tag-malware","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91276"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/103"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=91276"}],"version-history":[{"count":6,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91276\/revisions"}],"predecessor-version":[{"id":91366,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91276\/revisions\/91366"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/91277"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=91276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=91276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=91276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}