wtorek, 20 czerwca 2017

Reading malware


During the weekend I started playing with few malware examples. All (malicious) ‘resources’ described in this text you can find online (here or here). Let’s go.




To check sample malware I found online I prepared 2 VM’s (VirtualBox) – Kali and Windows7. As you can see most of files prepared in „MALW” directory was named by the result of md5sum so it will be easy to find them online. For example:



Checking first file and we can see that this is PE32 executable:



Below few output lines from tool called „strings”:



Few more lines:



At this stage my next step was to switch to Windows7 machine. I was reading about this malware a little bit and AFAIK bot was created in 2010 (probably first version). As you will see on the screens below, we will try to analyze bot version 3.1.


*(Please note that this malware is old enough to be already known and probably is also already reversed. Source code is also available online. In this post I’ll just try to summarize few basic „techniques” to idenfity and understand potentially malicious software found on the machine or somewhere on the net.)

Let’s get to work!

(On the forum you will also find some other tools and posts, but maybe we will get to it later.) When I was reading that forum, I tried to translate it (via translate.google.com) and that’s how I found few messages similar to the one below:



I also remember that I found some other „string in not-english-language” when I was reading output from the strings command. I think it’s a good time to translate it too:



Ok. Anyway. ;]

I copied sample file to „copy_of_[md5sum].exe”. My next step was to check this EXE in PEiD. It looks like this:


I opened the file in PEview to get some more details about it:


Below you will find the screen from .rdata section. You will also find Import Address Table where the names of imported functions are presented. This will help us to identify the main purpose of the program. Let’s try it out: 


Does it look like a bot (or not)?

We will try to figure it out by pointing few „groups” of functions found in the binary (and according to the „indicators” from the screen below too). 

One of the tools I used to verify few information about the file was PEStudio 8.60. Few results you will find on the screenshots below:


Interesting thing I saw in the tool was so called 'indicators'. Let’s find out what does it mean:


We will try to verify some of those „functionality” (indicators) during our analysis. For now we will have the „indicators” that the malware-file:


a) Modifies the registry:

Because of used: 

- RegCreateKeyExA – to open registry key;
- RegDeleteValueA - removes a named value from the specified registry key
- RegOpenKeyExA - opens the specified registry key
- RegQueryValueExA - retrieves the type and data for the specified value name associated with an open registry key
- RegSetValueExA - sets the data and type of a specified value under a registry key.   
- RegCloseKey - closes a handle to the specified registry key.

 b) References the clipboard

Because of used:
- CloseClipboard - closes the clipboard.
- SetClipboardData  - places data on the clipboard in a specified clipboard format.
- EmptyClipboard - empties the clipboard
- OpenClipboard - opens the clipboard
- VkKeyScanA - translates a character to the corresponding virtual-key code and shift state for the current keyboard
- keybd_event - synthesizes a keystroke


c) Enumerates the list of running processes/modules/threads

Because of used:
- GetCurrentProcess – retrives a pseudo handle for the current proces
- CreateThread - creates a thread to execute within the virtual address space of the calling process.
- ShellExecuteA - performs an operation on a specified file.
- TerminateThread - terminates a thread.
- TerminateProcess - terminates the specified process and all of its threads.
- WriteProcessMemory - writes data to an area of memory in a specified process
- CreateProcessA - creates a new process and its primary thread
- OpenProcess - opens an existing local process object.
- ReadProcessMemory - reads data from an area of memory in a specified process

 d) References the main (MAPI) library

Because of used:
- MAPILogon - begins a Simple MAPI session, loading the default message store and address book providers
- MAPIFindNext - retrieves the next/first message identifier of a specified type of incoming message
- MAPIReadMail – retrieves a message for reading
- MAPISendMail - Sends an ANSI message
- MAPILogoff - ends a session with the messaging system

e) Enumerate files

Because of used:
- FindFirstFileA – to find a directory or file
- DeleteFileA - deletes an existing file.
- SetFileAttributesA - sets the attributes for a file or directory.
- GetModuleFileNameA - retrieves the fully qualified path for the file that contains the specified module
- GetModuleHandleA - retrieves a module handle for the specified module
- CopyFileA - copies an existing file to a new file.
- GetFileAttributesA - retrieves file system attributes for a specified file or directory
- GetTempPathA - retrieves the path of the directory designated for temporary files.
- WriteFile - writes data to the specified file or input/output (I/O) device.
- CreateFileA - creates or opens a file or I/O device
- CreateDirectoryA - creates a new directory

According to the list of used functions we can assume that the binary is taking advantage of the vulnerable system. 

PEStudio can also reveal some other information like compiler stamp for example:


When you will open the (our malware) file in Ida Pro your window with the „graph overview” should look like the one presented on the screen below:


Below I’ll try to present few more details and proofs that this program is indeed a piece of malicious software.

Let’s get to work.

The main goal is to verity the behaviour of the malicious file so (again) let’s open it in IdaPro now. After a while we should be somewhere here:


My point now was to idenfity (or better „understand”) the goal of each function I found inside the malware. Below you will find few notes about it.
Main identified functions (at this stage):
  • Kill AV
  • Create browser cache
  • Verify OS name and version
  • Replicate itself
  • DDoS attacks
  • Changes in Windows registry
  • Changes in FW rules
From the Ida perspective, now it looks like this:


I downloaded FakeNet.exe and reconfigure it a little bit to add new port for listen of incomming connections (more precisely to check if malware will try to connect to 6667/tcp port). Now we are able to see some communications from the malware:


After a while, there will be another (2nd) connection (to p2c.travestin.net but the domain seems to be down now). You can also observe that the malware is trying to join to the IRC server with „new” nick:


I assumed that the malware replicated itself and is trying to connect again to the malicious IRC server to wait for commands. To verify that I prepared a small script in python (based on original sampleSMTP.py from FakeNet). Source code is available below:


Last edit in fakenet.cfg file:


…and we are ready to run the binary again. Looking at the ASM code, we can spot the hostname from FakeNet output log, remember?


I found SOA for the address above:


Now we will try to „spoof” our hostname to the C&C hostname. Maybe malware will do something else. Our etc\hosts file right now looks lilke this:


Running again (but unfortunately I was not able to communicate with the bot this time. I believe that we need to insert some answers-schema to our „IRC-server-script”.). Let’s skip it now and let’s go to another function.

This time it looks like we’ve found some kind of a clipboard-copy functionality (probably keylogger):


If you don’t know what is the purpose of this function or the other, feel free to study MSDN webpage (or go back to the beginning of this post). You will find a lot of useful information there!

After launching the malware, we will see that the program is trying to create few files. In my case it was:
  • C:\Users\win7re\AppData\Roaming\msconfig.exe   
  • C:\Users\win7re\AppData\Local\Temp\google_cache2.tmp
  • C:\Pliki\dropped_files_2\google_cache2.tmp   
  • C:\Users\win7re\Desktop\__rar_0.391   
  • C:\Users\win7re\Desktop\__rar_0.234   
In the middle of time, it's trying to modify few other files, for example:
  • C:\Windows\AppCompat\Programs\RecentFileCache.bcf   
  • C:\Users\win7re\AppData\Local\Temp\google_cache2.tmp   
  • C:\System Volume Information\Syscache.hve.LOG1   
  • C:\Windows\System32\config\SYSTEM   
  • C:\Pliki\dropped_files_2\google_cache2.tmp   
  • C:\Windows\System32\config\SOFTWARE.LOG1   
  • C:\Windows\System32\config\SOFTWARE   
  • C:\Users\win7re\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1   
  • C:\Users\win7re\AppData\Local\Microsoft\Windows\UsrClass.dat   
  • C:\Users\win7re\ntuser.dat.LOG1   
  • C:\Users\win7re\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db   
  • C:\Users\win7re\Desktop   
  • C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0   
  • C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0   
  • C:\System Volume Information\Syscache.hve   
  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log   
  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log   
  • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk   
  • C:\Windows\System32\config\DEFAULT.LOG1   
  • C:\Windows\System32\config\DEFAULT   
  • C:\Users\win7re\Desktop\__rar_0.234   
Malware also modifies some registry values. One of them (already modified by the malware) is presented on the screen below:


After you will run this malware, you should see few new/modified key-values pairs in your registry. In my case it was:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run – key: WindowsUpdate with the value „C:\Users\<user>\AppData\Roaming\msconfig.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run – key WindowsUpdate with the value „C:\Users\<user>\AppData\Roaming\msconfig.exe”
Other changes you will find in those locations:
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverUpdate
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverManager

There are multiple references to executable files inside the malware, for example:


Strings found during the analysis are pointing to the (mainly) DDoS-purpose of this tool:


Some strings from function related to „flood attacks”:


Bot also tries to kill some Windows security features, check it out:





We can probably still go deeper but I will leave it to you as an exercise. ;]

Comments/questions?

Cheers


Brak komentarzy:

Prześlij komentarz