# Malware Analysis Report

## Summary

- **File**: `9da5191c78e49b46e479cdfe20004a9d76ccc4a545deeb83e3c07f83db9cf736`
- **Type**: PE x64 executable, 395,304 bytes
- **Entropy**: 59 (moderate)
- **Compiler**: Zig/LLVM (identifiable from strings: "Zig WinHTTP Client", "zig-childprocess--", and Zig runtime error patterns)
- **Code Signing**: Signed with a valid DigiCert certificate issued to **NVIDIA Corporation** (valid 2023-01-13 to 2026-01-16, serial `0997c56caa59055394d9a9cdb8beeb56`)

## Inferred Behavior

This executable is a **dropper/loader** that performs the following workflow:

1. **Environment Fingerprinting & Anti-Analysis**: Reads Windows event logs (`OpenEventLogW("System")`) and checks the number of event log records (>200) as a system maturity/uptime heuristic to avoid executing in sandboxes or freshly-booted analysis VMs. Also checks available system memory via `GlobalMemoryStatusEx`.
2. **Download**: Downloads a ZIP archive (`python3.zip`) from `https://down.temp-xy.com/update/python3.zip` using the Windows HTTP API (WinHTTP). The DLL `winhttp.dll` is loaded dynamically via `LoadLibraryW` to avoid static import detection.
3. **Extraction**: Extracts the downloaded ZIP to a randomly-named directory (10 alphanumeric characters) under `%LOCALAPPDATA%` (falling back to `C:\Users\Public`). A CRC32 implementation is used for integrity verification during ZIP processing (Zlib inflate decompression is embedded).
4. **Execution**: Constructs a command line using `cmd.exe /d /e:ON /v:OFF /c "..."` to execute a downloaded binary (`svpy.exe`) with a Python script (`maintaindown.py`). The child process is monitored via named pipes (`\\.\pipe\zig-childprocess--`).
5. **Monitoring**: The main loop monitors the child process using `WaitForMultipleObjects`, manages I/O redirection via named pipes, and handles graceful/forced termination.

## Sub-files

| File | Details |
|------|---------|
| **PNG** at EA 142144 | 57 bytes, likely a minimal embedded image |
| **PKCS7** at EA 406536 | 9,755 bytes — code signature data in the overlay |

No virtual files were found.

## Key Detections / IOCs

### IOCs

| Type | Value |
|------|-------|
| **URL** | `https://down.temp-xy.com/update/python3.zip` |
| **Domain** | `down.temp-xy.com` |
| **Downloaded Binary** | `svpy.exe` |
| **Downloaded Script** | `maintaindown.py` |
| **Local Path** | `tmp\python3.zip` |
| **Process** | `cmd.exe /d /e:ON /v:OFF /c "` |
| **Named Pipe Pattern** | `\\.\pipe\zig-childprocess--` |
| **Signing Cert Serial** | `0997c56caa59055394d9a9cdb8beeb56` |

### YARA Matches

| Rule | Category | Description |
|------|----------|-------------|
| `MSVC_2015_linker` | compiler | Linker info detection (note: the file is Zig-compiled, so this may be a false artifact) |
| `Zlib` | library | Uses Zlib decompression (for ZIP extraction) |
| `DownloadUsingWinHttp` | network | Downloads files using the WinHTTP API |
| `RunShell` | lateral movement | Starts a shell (cmd.exe) |

### Anomalies

| Anomaly | Severity | Detail |
|---------|----------|--------|
| `TimeDateStampInTheFuture` | **High** | PE timestamp set to year 2090 |
| `DebugTimeDateStampInTheFuture` | **High** | Debug timestamp also set to 2090 |
| `XorInLoop` | Medium | 19 occurrences — XOR-based operations in loops (ZIP decoding + possible string handling) |
| `HighXrefLoopingFunction` | Low | 4 functions with high cross-references and loops (string decryption candidates) |
| `SpaghettiFunction` | Low | 2 functions with complex control flow |
| `NoChecksum` | Low | PE header checksum not set |
| `SectionNameUnknown` | Medium | `.buildid` section is non-standard |
| `ManyHighValueImmediates` | Medium | 1 function with many high-value immediates (possible obfuscation) |

### Kesakode Verdict

- **StxRATLoader** — Confidence: **0/100** (very low, effectively a weak match)

## Evidence

### 1. Download + Execution Chain

The function `sub_140014363` (EA 79715) is the main entry point. It:

- Calls `sub_140010791` (EA 64401), which performs the full download → save → extract → prepare-for-execution workflow
- References the download URL `https://down.temp-xy.com/update/python3.zip` at EA 65510 inside this function
- Dynamically resolves all WinHTTP functions (`WinHttpOpen`, `WinHttpConnect`, `WinHttpOpenRequest`, `WinHttpSendRequest`, `WinHttpReceiveResponse`, `WinHttpReadData`, `WinHttpCloseHandle`) via `GetProcAddress`
- Saves the ZIP as `tmp\python3.zip` and extracts it to a random directory

### 2. cmd.exe Command Construction

`sub_14001c971` (EA 114033) builds a `cmd.exe /d /e:ON /v:OFF /c "..."` command line by:

- Appending the program path (with proper quoting and escaping)
- Adding command-line arguments

This is the standard pattern for launching child processes from Zig's stdlib.

### 3. Random Directory Generation

In `sub_140010791` (EA 64401), the program generates a 10-character random alphanumeric directory name using `SystemFunction036` (RtlGenRandom) as a PRNG seed, then creates this directory under `LOCALAPPDATA` or `C:\Users\Public`.

### 4. Anti-Sandbox Check

`sub_140014363` (EA 79715) reads the Windows System event log:

- `OpenEventLogW(0, "System")` then `GetNumberOfEventLogRecords`
- If fewer than 200 records exist, the download is skipped — this detects fresh VMs/sandboxes

### 5. Process Monitoring via Named Pipes

The binary creates and monitors child processes through named pipes matching the pattern `\\.\pipe\zig-childprocess--`, using `WaitForMultipleObjects` for I/O multiplexing.

## Counter-Arguments

1. **Valid NVIDIA Certificate**: The file is signed with a legitimate NVIDIA code signing certificate. This could indicate a compromised or stolen certificate, or it could be a legitimate (but unusual) NVIDIA tool. However, NVIDIA typically uses C/C++ with MSVC, not Zig — this mismatch is suspicious.
2. **Download-and-Execute Pattern**: While this pattern is characteristic of malware droppers, it also matches legitimate auto-updater behavior. The domain `down.temp-xy.com` is generic enough that it could be a development/testing domain for legitimate software.
3. **Kesakode Confidence = 0**: The automated classifier matched "StxRATLoader" at 0% confidence, indicating very weak pattern similarity — essentially no match.
4. **Clean Code Structure**: The code is well-structured Zig output with proper error handling, which could indicate legitimate software engineering rather than typical malware development.
5. **Environment Checks**: The event log check could be legitimate startup validation rather than pure anti-analysis (though combined with other factors it is suspicious).

## Verdict

**VERDICT: MALICIOUS — Confidence: 85%**

This binary exhibits a clear dropper/loader pattern: it downloads an archive from a remote server, extracts it, and executes the contents (`svpy.exe` + `maintaindown.py`) via cmd.exe. Key red flags include:

- **Dynamic API resolution** (loading winhttp.dll via LoadLibraryW to evade static detection)
- **Randomized directory names** to evade detection/forensics
- **Anti-analysis environment checks** (event log count heuristic)
- **Future-dated PE timestamps** (2090) — a deliberate evasion technique to confuse timeline analysis
- **Suspicious domain** (`down.temp-xy.com`) inconsistent with legitimate NVIDIA infrastructure
- **Zig compilation** while carrying an NVIDIA certificate — an unusual combination that suggests the certificate may be stolen or misused

The combination of download-execute behavior, anti-analysis techniques, timestamp manipulation, and the execution of unknown remote payloads (`svpy.exe`) constitutes strong evidence of malicious intent.