hippamsascom: 1cf56da3 — Mayer-Ondricka "CSS matrix" self-loading dropper

Executive Summary

Seventh confirmed sibling in the hippamsascom MSVC x64 self-loading dropper cluster. Masquerades as "CSS matrix Business Gateway" by Mayer - Ondricka. Carries fabricated Authenticode with a campaign-specific "Mayer - Ondricka Intermediate CA 3" cross-signed to DigiCert Assured ID Root CA. Identical build/RE fingerprint to prior siblings: zero IAT, PEB-walking API resolution via XXH32-like export hashing, anti-debug/sandbox gate at entry, custom stream-cipher payload decryption from .data, and full manual PE mapping into RWX memory. Static-only; no CAPE detonation available.

What It Is

How It Works

This sample follows the identical loader architecture documented for the hippamsascom cluster; see hippamsascom for the shared build analysis. Per-sample deltas below.

Masquerade identity: Version-info claims product "CSS matrix" version 5.11.4372.534, company "Mayer - Ondricka", comments "Optimized for Parallel computing performance". This is a new campaign identity distinct from the six prior siblings (Emard LLC, Hane Group, Littel LLC, Olson Group, Harvey - Abernathy, and the stripped variant 630202e6).

Certificate chain: Fabricated intermediate CA "Mayer - Ondricka Intermediate CA 3" under a fabricated root "Mayer - Ondricka Root CA", both claiming jurisdiction in Mississippi / West Sam under "Pagac - Nienow International / Technology Services". SANs include mayerondricka.com, *.mayerondricka.com, www.mayerondricka.com, mayerondricka-jonatan.solutions, mayerondricka-eunice.global, and mayerondricka-mozelle.digital. Cross-signed to DigiCert Assured ID Root CA and DigiCert Trusted Root G4, reusing the same pattern as all prior siblings ^[strings.txt:1477-1548], ^[binwalk.txt:7-12].

Export obfuscation: 451 named exports resolve to approximately 19 unique RVAs (e.g. 0x140021250, 0x140021260, 0x140021270) ^[pefile.txt:338-790]. Export names are semantically-plausible ML/networking jargon, identical style to prior siblings but a different generated set (e.g. AbortBroadcastText, AdapterArchiveMetric, BucketSignalConstraint, CredentialAnalyze, DispatcherScheduleInstance).

Static IAT: IMAGE_DIRECTORY_ENTRY_IMPORT VirtualAddress = 0x0, Size = 0x0 ^[pefile.txt:223]. All Win32 APIs are resolved at runtime.

Decompiled Behavior

Ghidra analysis recovered 16 functions. Entry point at 0x140021300 (entry) ^[ghidra:entry-140021300] follows the same three-stage gate → decrypt → map pattern observed in prior siblings.

Entry chain

entry() {
    FUN_14001eb84();        // opaque loop / delay
    v = FUN_1400218f0();  // anti-debug / sandbox gate
    if (v == 0) {
        FUN_14001eb84();
        if (FUN_140022060() == false) {   // timing gate
            FUN_14001eb84();
            FUN_14001eb84();
            FUN_14001eb84();
            FUN_1400219f0();  // decrypt & map payload
            return 0;
        }
    }
    return -1;
}

^[ghidra:entry-140021300]

Stage 1 — Anti-debug / sandbox gate (FUN_1400218f0)

Resolves NtQueryInformationProcess (hash 0x47568ea9) and GetCurrentProcess (hash 0x7500d95e) via peb-walking-api-resolution. Queries ProcessDebugPort (0x5a) and ProcessBreakOnTermination (0x59). Returned values are hashed with FUN_140021670 and compared against hardcoded hashes:

• 0x75d615be and 0x12927f6d (ProcessDebugPort branches)
• 0x1c0f2787 and 0x0bc5c956 (ProcessBreakOnTermination branches)

Also checks CPUID-equivalent values 0x419 and 0x423 (VMware detection) ^[ghidra:FUN_1400218f0].

Stage 2 — Timing gate (FUN_140022060)

Resolves GetTickCount (hash 0xdd04e408), loops comparing delta against a threshold of 1000 ms. Returns true if the elapsed tick delta is ≤ 50 ms (sandbox fast-forward indicator) ^[ghidra:FUN_140022060].

Stage 3 — Payload decryption (FUN_1400219f0)

Allocates 0x61e00 bytes via VirtualAlloc (hash 0x3f1799e), copies ciphertext from DAT_140027100, then calls FUN_1400203a0 to decrypt in-place using a 0x80-byte key at DAT_140027000. Decrypted payload is passed to the manual mapper ^[ghidra:FUN_1400219f0].

Stage 4 — Manual PE mapper (FUN_140021ab0)

This is the same full manual loader seen in prior siblings:

1. Validates MZ (0x5a4d) and PE (0x4550) signatures
2. Allocates destination image size with VirtualAlloc (hash 0x3f1799e, PAGE_EXECUTE_READWRITE)
3. Copies DOS / NT headers and section table
4. Iterates section table, copies raw data, zero-pads uninitialized regions
5. Processes base relocations (IMAGE_DIRECTORY_ENTRY_BASERELOC) — Type 0xA000 (IMAGE_REL_BASED_DIR64)
6. Resolves imports by hash via LoadLibraryA (0xf6e98217) and GetProcAddress (0x7c857997), writing resolved thunks into the allocated image
7. Processes TLS directory if present (RtlDecompressBuffer-like routine at hash 0xae3c84cf)
8. Handles .rsrc overlay allocation and Teb->Tib.SubSystemTib patching for manifests (seen in prior siblings)
9. Sets final section permissions via VirtualProtect (hash 0x560eff7d)
10. Enumerates TLS callbacks and calls each
11. Finally transfers execution to AddressOfEntryPoint ^[ghidra:FUN_140021ab0]

API hash resolution (FUN_1400215c0 / FUN_140021670)

FUN_140021500 walks the PEB InMemoryOrderModuleList (GS offset 0x60 → 0x18 → 0x20) to enumerate loaded modules. FUN_1400215c0 parses the PE export table and hashes each export name via FUN_140021670, which implements a 32-bit hash with AVX2 vectorized paths on modern CPUs. Constants include 0x165667b1, 0x61c8864f, 0x85ebca77, 0x24234428, 0x7a143589, 0x27d4eb2f — structurally resembling xxHash32 with campaign-specific seeding ^[ghidra:FUN_140021670].

C2 Infrastructure

No hardcoded C2 indicators recovered from static analysis. Network communication is expected to occur inside the decrypted and manually mapped payload, which is not extractable from the current corpus. The outer loader is strictly a delivery and execution mechanism.

Static network-related artifacts (certificate OCSP/CRL URLs) are part of the fabricated Authenticode chain and do not represent C2:

Interesting Tidbits

• New campaign branding: "CSS matrix" masquerades as a CSS/Business Gateway product. The use of CSSmatrix_*.exe suggests the actor is theming payloads to blend with web-development or enterprise software toolchains. ^[exiftool.json]
• Certificate geography: The fabricated cert places the organization in "West Sam, Mississippi" under "Pagac - Nienow International" — a name not reused from any prior sibling. SANs span .com, .solutions, .global, and .digital TLDs, all registered to the same fabricated issuer. ^[strings.txt:1490-1529]
• Export name style drifted: Unlike the heavy ML/networking jargon in earlier siblings, this set includes more generic DevOps-style names (PluginObject, PoolDownloadPage, QueueBundleContext, RegistryDeadlineBucket), suggesting the name generator is being tuned or replaced between campaigns. ^[pefile.txt:338-790]
• Embedded resource: 256×256 PNG icon in .rsrc at 0x92580, 0x28D3 bytes — present in the Olson Group sibling as well, likely a generic placeholder. ^[binwalk.txt:5]
• Capa failure: The sample was submitted to capa but signatures were missing; this is an environment issue, not a property of the binary. ^[capa.txt]
• FLOSS failure: Same — command-line parsing error in the triage wrapper, no decoded strings recovered. ^[floss.txt]

How To Mess With It (Homelab Replication)

Goal: Reproduce a PE with an empty IAT, semantic export obfuscation, and entry-gate behavior that matches this sample's capa fingerprint.

1. Toolchain: MSVC 14.50 (VS 2022), C, x64 Release.
2. Stub entry: Write a tiny C entry that walks PEB via GS:0x60, resolves NtQueryInformationProcess and GetTickCount by hashing export names, gates on debug/timing, allocates RWX memory, and decrypts a dummy PE from an embedded .data blob.
3. Export generator: Create 400+ C functions with CamelCase names (two or three semantically plausible words) that all resolve to the same 19 stub addresses.
4. Signing: For lab use, self-sign with an OpenSSL chain. Do not reproduce the fabricated intermediate CA externally.
5. Verification: capa reproducer.exe should hit Obfuscated Files or Information, Native API, and Code Signing capabilities (once capa signatures are installed).

What you'll learn: How PEB-walking export hash resolution works under the hood, and why a binary with zero IAT still needs kernel32.dll loaded by the OS loader (the PEB walk finds it).

Deployable Signatures

YARA rule

rule Hippamsascom_MayerOndricka_CSSMatrix
{
    meta:
        description = "hippamsascom cluster — Mayer-Ondricka CSS matrix variant"
        author = "pp-hermes"
        date = "2026-06-06"
        sha256 = "1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9"
        family = "hippamsascom"
    strings:
        $a = "CSS matrix" wide ascii
        $b = "Mayer - Ondricka" wide ascii
        $c = "CSSmatrix_client.exe" wide ascii
        $d = "Mayer - Ondricka Intermediate CA 3" ascii
        $e = "mayerondricka.com" ascii
        $f = "mayerondricka-mozelle.digital" ascii
        $g = "Optimized for Parallel computing performance" wide
        $h = { 60 00 00 00 00 00 00 00 18 00 00 00 }  // PEB InMemoryOrderModuleList traversal hint
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)+4) == 0x8664 and
        uint32(uint32(0x3C)+0x160) == 0x0 and   // IMAGE_DIRECTORY_ENTRY_IMPORT VA = 0
        uint32(uint32(0x3C)+0x164) == 0x0 and   // IMAGE_DIRECTORY_ENTRY_IMPORT Size = 0
        3 of ($a,$b,$c,$d,$e,$f,$g,$h) and
        filesize < 900KB
}

Behavioral hunt query (Sigma-compatible)

title: Hippamsascom Self-Loader Execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'CSSmatrix'
    selection_mem:
        - ImageLoaded:
            - 'kernel32.dll'
        - CallTrace|contains:
            - 'VirtualAlloc'
            - 'VirtualProtect'
    selection_entropy:
        - Image: '*'
    condition: selection or (selection_mem and selection_entropy)
falsepositives:
    - Unknown
level: high

IOCs

Behavioral fingerprint

This binary is a 765 KB PE32+ x64 GUI executable with an empty import table (IMAGE_DIRECTORY_ENTRY_IMPORT VA = 0). At launch it resolves Win32 APIs by walking the PEB InMemoryOrderModuleList and matching export names against hardcoded 32-bit hashes. It gates execution by querying NtQueryInformationProcess(ProcessDebugPort) and measuring GetTickCount delta; if either check suggests a debugger or fast-forward sandbox, it exits with -1. Otherwise it allocates 0x61e00 bytes of RWX memory, decrypts an embedded PE from its .data section using a 128-byte key schedule, maps the decrypted image manually (fixing relocations, resolving imports by hash, setting section permissions), and transfers control to the payload's entry point. No disk write is observed. The version-info resource claims "CSS matrix Business Gateway" by "Mayer - Ondricka" and carries a fabricated Authenticode certificate chain with multiple SAN domains under the .com, .solutions, .global, and .digital TLDs, cross-signed to the genuine DigiCert Assured ID Root CA.

Detection Signatures

References

• SHA-256: 1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9
• hippamsascom — cluster entity page
• semantic-jargon-export-obfuscation — technique page
• peb-walking-api-resolution — technique page

Provenance

• Static analysis: file, exiftool, pefile, strings, binwalk, radare2, Ghidra 12.1
• Binary: <sample 1cf56da38e5f.bin>
• capa: signatures not installed — error log only
• floss: command-line parsing error in triage wrapper
• Dynamic: CAPE skipped (no Windows guest available)