As cyber threats continue to evolve and become more sophisticated, it is critical for security researchers and professionals to stay ahead of the curve. In this article, we will explore how ChatGPT assists in the analysis of malware, specifically the remote access trojan (RAT) AsyncRAT, and look at ChatGPT's capabilities, discussing how it can assist in identifying threat indicators by analyzing network traffic and revealing command and control (C2) infrastructure. But before continuing, a brief introduction to ChatGPT.
ChatGPT is an artificial intelligence (AI) driven prototype launched by OpenAI in November 2022, designed to answer long, complex questions. ChatGPT is revolutionary in that it is trained to learn the meaning behind the questions; as a result, its answers closely resemble human responses. It is uncertain whether ChatGPT will support or challenge the fight against cybercrime, but for now let's focus on ChatGPT and its malware analysis abilities.
So, whether you are an experienced security professional or just starting out, this article will provide you with valuable insights into the use of large language models in malware analysis.
Let's start!
In order to understand the capabilities and functionality of ChatGPT, we started analyzing AsyncRAT. We are curious how this cutting-edge AI technology can help reveal the inner workings of this malware and potentially assist in identifying threat indicators by analyzing network traffic and revealing command and control (C2) infrastructure.
As a result of our research, we found the following code snippet, which acts as a stage 1 loader for AsyncRAT, containing extensive obfuscation and a base64-encoded string. The code is written in Python and utilizes the common language runtime (CLR) library to interact with the .NET Framework to load and run a base64-encoded assembly.
On further research, we found that ChatGPT is very useful in analyzing malware such as AsyncRAT, but also that it still has limitations in some areas. Nonetheless, we believe that the use of large language models such as ChatGPT is a promising development in combating cyber threats.
Here we decided to use this code as input to ChatGPT and take a closer look at it.
The provided code uses a base64-encoded string that ChatGPT cannot decode due to its string length limitations and restrictions on the operations it is allowed to perform. However, ChatGPT still provides an easy-to-understand explanation of the code's functionality and potential malicious intent. It is worth noting that ChatGPT is a powerful language model, but it should be used in conjunction with other methods and techniques and is not a panacea for all tasks related to malware analysis.
This is why we use CyberChef to decode the base64 string, which turns out to be a second-stage loader Python script.
Let's use this code as input to ChatGPT again and see what it tells us.
Again, we have a long base64-encoded string that we have to decode using CyberChef.
This string turned out to be a PE file. We can't pass PE files to ChatGPT, so it doesn't help from a PE file analysis perspective. But we decided to continue looking at the contents of the PE file.
We will use dnSpy to decompile this binary.
As you can see, the output of the base64 decoding function is passed as input to the decompression function.
The code above is a C# function that appears to be decompressing a byte array called "gzip". This function creates a new stream using the GZipStream class and passes it a MemoryStream object constructed from the "gzip" byte array. It then uses GZipStream to read the compressed data in 4096-byte chunks and writes it to a new MemoryStream object. The function then uses the MemoryStream object's ToArray method to return the decompressed data as a byte array.
In simple terms, this function takes a compressed byte array, decompresses it using the Gzip algorithm, and returns the decompressed data as a byte array. This function can be used to decompress data previously compressed using the Gzip algorithm.
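The decode-then-gunzip step that the analysis walks through by hand with CyberChef, as an added Python example (not code from the article, and not the malware's own code): it unwraps one base64 stage, gunzips it when the gzip magic is present (the same operation as the C# helper above), labels the result, and follows nested stages until it reaches a PE. The two-stage sample chain is constructed inline for the demonstration.

```python
import base64
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # base64-looking literal inside a script stage

def decode_stage(b64_text: str) -> bytes:
    """Base64-decode one stage and, mirroring the C# helper above, gunzip it if it is gzip data."""
    raw = base64.b64decode(b64_text.strip(), validate=True)
    if raw[:2] == GZIP_MAGIC:
        raw = gzip.decompress(raw)
    return raw

def classify(data: bytes) -> str:
    """Label a decoded stage: 'pe' (MZ header plus a valid PE signature), 'text', or 'unknown'."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"

def find_base64_blob(text: str):
    """Return the longest base64-looking literal in a script stage (the embedded next stage), or None."""
    return max(B64_RUN.findall(text), key=len, default=None)

def unpack_chain(b64_text: str, max_depth: int = 8) -> list:
    """Follow nested stages, returning each one's label, until a PE or an opaque blob is reached."""
    labels, current = [], b64_text
    for _ in range(max_depth):
        data = decode_stage(current)
        labels.append(classify(data))
        if labels[-1] != "text":
            break
        nxt = find_base64_blob(data.decode("ascii"))
        if nxt is None:
            break
        current = nxt
    return labels

def build_sample_stage1() -> str:
    """Constructed sample (not a real payload): stage 1 base64 wraps a script embedding a gzipped fake PE."""
    fake_pe = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 200
    inner = base64.b64encode(gzip.compress(fake_pe)).decode()
    stage2 = "import clr\npayload = '%s'\n" % inner
    return base64.b64encode(stage2.encode()).decode()

if __name__ == "__main__":
    print(unpack_chain(build_sample_stage1()))  # ['text', 'pe']
```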
Again we decided to use CyberChef for decoding.
This is again a PE file, which on inspection is a .NET assembly. We use dnSpy to analyze it.
This binary has a base64-encoded string, but if you look carefully at the last word, you'll see that the base64 string turns into a PowerShell script when decoded.
As you can see, the PowerShell is heavily obfuscated, so we decided to check whether ChatGPT could decode it for us. Below is the output.
When asked what the function of such a script is, the output received is as follows.
There is an additional base64-encoded string in the .NET assembly. It is first passed to a function called Cipher, whose parameter is the key of the cipher.
So we decided to see what the logic of the Cipher function is.
Now we decided to use this code as input to ChatGPT and asked it to recognize the password.
This output surprised us.
We implemented the same logic in Python to move to the next stage.
This is the output. Final PE file:
This is again a .NET file. When checking it in dnSpy, this is what we get.
By looking at the functions, we have a clear understanding of the purpose of this file, namely its anti-analysis techniques and registry functions, among others. We're curious to see whether ChatGPT will understand the purpose of this code and identify what type of malware it is.
The key function in the code is the "Install" method, which appears to be responsible for installing and running the specified files on startup.
The "FileInfo" object is used to specify the file that the code is trying to install and run.
"Process.GetCurrentProcess().MainModule.FileName" and "fileInfo.FullName" are used to check whether the currently running process is the same as the specified file.
The "Process.GetProcesses()" method is used to get a list of all running processes and the code iterates through them to stop any process that has the same file path as the specified file.
The "Methods.IsAdmin()" method is used to check whether the user has administrator rights.
The "schtasks" command is used to create a scheduled task to run a specified file on login (if the user has administrator rights).
The "Registry.CurrentUser.OpenSubKey" method is used to open the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key. The "registryKey.SetValue" method is used to set the key value to the specified file path (if the user does not have administrator privileges).
The "File.Exists" method is used to check whether the specified file already exists, and the "File.Delete" method is used to delete it if it exists.
The "FileStream" object is used to create a new file under the specified file path and write the file contents of the currently running process into it.
The "Methods.ClientOnExit()" method is executed.
The "Path.GetTempFileName()" method is used to create a temporary .bat file and the "StreamWriter" object is used to write a series of commands to it.
The "Process.Start" method is used to start the .bat file, and the "Environment.Exit(0)" method is used to exit the current process.
It can be deduced from this code that it attempts to install and run a specific file at startup; it appears to be designed to ensure that the specified file is run at startup, and that it is run with administrative rights. The code also attempts to delete the original file and create a new one with the same name and content, which may indicate that it is trying to replace the original file with a malicious version. Using methods such as checking whether the user has administrator rights, scheduled task creation, and registry key modifications indicates that it is trying to run the file on startup whenever possible. There are also various methods to hide the execution of files, such as creating a .bat file, running it in hidden mode, and then deleting the .bat file after execution.
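A defender's view of the persistence behaviour summarised above, as an added example that is not part of the original article: a small Python triage routine that flags an on-logon scheduled task or an HKCU Run entry pointing into a user-writable directory, and a cmd.exe launch of a .bat file from the Temp folder. The event shape, paths and task names are constructed for the demonstration and are not indicators from the sample.

```python
import re

# Paths an unprivileged user can write to; persistence that points here matches the pattern above.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
ONLOGON = re.compile(r"\s/sc\s+onlogon\b", re.I)
TASK_TARGET = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_BAT = re.compile(r'\bcmd(\.exe)?\b.*\\Temp\\[^\s"]+\.bat\b', re.I)

# Constructed sample telemetry (not from the article): process creations and Run-key writes.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'winword.exe /n report.docx'},
    {"type": "process", "cmdline": r'schtasks /create /f /sc onlogon /tn "Updater" /tr "C:\Users\u\AppData\Roaming\svc.exe"'},
    {"type": "process", "cmdline": r'cmd /c "C:\Users\u\AppData\Local\Temp\tmpA1B2.tmp.bat"'},
    {"type": "process", "cmdline": r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

def triage(events):
    """Return (rule, evidence) pairs for the three persistence/launch patterns described above."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            cl = ev["cmdline"]
            # Rule 1: on-logon task whose target lives in a user-writable directory
            if SCHTASKS_CREATE.search(cl) and ONLOGON.search(cl):
                m = TASK_TARGET.search(cl)
                target = (m.group(1) or m.group(2)) if m else ""
                if USER_WRITABLE.search(target):
                    findings.append(("schtasks-onlogon-user-path", target))
            # Rule 2: cmd.exe running a .bat dropped in the Temp folder
            if TEMP_BAT.search(cl):
                findings.append(("temp-bat-launcher", cl))
        elif ev["type"] == "registry":
            # Rule 3: HKCU Run value pointing into a user-writable directory
            if RUN_KEY.match(ev["key"]) and USER_WRITABLE.search(ev["value"]):
                findings.append(("run-key-user-path", ev["value"]))
    return findings

if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(rule, "->", evidence)
```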
It understands that the code is malicious and correctly identifies it as a remote access tool (RAT).
Through this exercise, we were able to better understand ChatGPT and how it assists malware analysis. While ChatGPT has demonstrated its basic capabilities, it currently cannot match human-driven malware analysis, which is more comprehensive. We will continue to monitor ChatGPT and share more updates in the future as its capabilities and power improve.
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/asyncrat-analysis-with-chatgpt-html