Thursday, 6 July 2017

Reading malware - Backdoor:Win32/Darkddoser

Thanks to Malekal’s page (just like before) I was able to „read” some more malware. Below you will find a few details about one case that was "new" (for me; afaik it dates to 2015) and that I had a chance to check…

According to VirusTotal, the malware is already known (so this is not a new sample or "attack"; I'm just trying to learn something new again about reversing apps like the one described below). So let's try it. ;]

First of all: the link to our sample file you can find here. My first step was to check the unzipped file in PEiD:

Next I decided to open the file in PE Studio to grab some more details about it:

Let’s check those ‘Indicators’.

Probably this time I will be able to see more („indicators”) based on the imports than on the indicators from PE Studio. We’ll see. Let’s open our malicious file in IDA Pro now. The next step in our case will be to check the mentioned Imports (View -> Open subviews -> Imports):

We should be somewhere here:

Below you will also find some interesting „strings”, for example:

As you can see our binary will use the RegOpenKeyA as well as the CreateFileA function. It's a good "indicator" that we should check the purpose of those functions… We will get back to it later. Now let’s switch to the Strings tab (press Shift+F12; you should be here):

As you can see Ida was able to identify 289 lines. I will not copy/paste all the found results here, but you can already spot (on the screen above) some strings like „darkddoser”, „PASSWORDS”, PING/PONG, as well as the „STOPFLOOD” string or the one related to „CurrentVersion\\Run” from the registry.

Ok, let’s try to verify the behaviour of the program. First of all we will try to understand the meaning of the lines 'mentioned' in the Strings tab.

Let's start some reversing.

The functions presented on the screen below look like the best place for me to start reversing this malware:

(If you use Ida’s „feature” – hit space – to change the view, you will get an "easier" graph of that some-kind-of-main() function of the bot.) See below:

In my case I renamed the sub_419808() function to looksLikeMainBot(). Next.

The small graph (flow chart) looks like this:

So for now, it looks like we’re here:

After a while we should have some functions „reversed” a little bit, so now it’s time to get back to our Imports. We will try to focus on those groups of functions that are related to our „indicators” from the screens before.


The ‘most interesting’ indicators (in my opinion of course) are those listed below. The program is trying to:

a) modify registry (regedit) values
b) communicate with other programs
c) steal passwords
d) make a DoS attack or drop new malware
e) do something with the passwords of the browsers

Below I’ll try to find a way to verify that (but we will base it rather on the Import Table than on the „indicators” identified by PE Studio – maybe we will learn something new again ;)). Let’s go:

The functions suggesting that the malware will:

a) modify registry (regedit) values

If we sort our functions by name we will easily spot a collection like this one:

The purpose of each function you will find below:
  • RegSetValueExA – Sets the data and type of a specified value under a registry key
  • RegQueryValueExA – Retrieves the type and data for the specified value name associated with an open registry key
  • RegOpenKeyExA – Opens the specified registry key
  • RegEnumValueA – Enumerates the values for the specified open registry key
…or as described here by MSDN.

b) communicate with other programs

(* below you will find links to only a few of them; the rest you need to check yourself on the MSDN website.) For example:

  • CompareStringA – Compares two character strings, for a locale specified by identifier
  • CopyFileA – Copies an existing file to a new file
  • CreateFileA – Creates or opens a file or I/O device
...and so on.

c) steal passwords

For example here:

…or the CredEnumerate function used in the code.

Another example, this time from FileZilla (afaik the main idea of the function is to grab credentials for „recently” used hosts). During the analysis you should find it somewhere in sub_41A39C() – sorry, but I already changed the function names and forgot to make a screenshot before that ;) – anyway:

Part of the function below:

And one more:

*(Maybe we will try to verify it later during dynamic analysis…)

e) do something with the passwords of the browsers

In the meantime I found (in „Xrefs to…”) some function (in my opinion) related to „profiling your browser”. Check here for more details:

Below another one, related to Firefox and sqlite files:

Let’s switch for a while to the „dynamic analysis”.

Chat with C&C

Just like before I decided to use FakeNet (and my edited hosts file) to try to chat with the malware.

Let’s run the sample again (restore the snapshot and run the new-fakenet.cfg with our malware installed on the box). As you can see we can spot some new strings coming from the malware:


Let’s investigate it for a while. The changed config for now looks like the one presented on the screen below:

Now I will create a new snapshot (it’s still „before the malware is started”) and then I will run the malware again with FakeNet, to check if I’ll get any new results/responses. Checking:

Let’s run the malware again to check for new connections – we are still on the same snapshot. In the meantime we can see that the program is trying to verify if it’s opened in a debugger. Also now you will find a new key/value pair in this location in regedit.exe:

I decided to change my fakenet-wrapper and extend it with new commands (found during static analysis in Ida; Shift+F12). Now it looks like this:

On the (right) screen above you will find a few more „commands” I used to try to connect and talk to that malware. Checking again… and I couldn’t talk to the malware at this stage. I decided to go back to static analysis, and now the file is opened in OllyDbg:

As you can see there is an IP that we saw before when FakeNet was running. Stepping through the code you’ll see when a new app is „generated” (or started – you name it):

The message from Olly was created after that CMP instruction. (By the way: when I was doing some modifications in FakeNet’s configuration file I was wondering why I could not see „new results”.

The answer was simple: in FakeNet.cfg I had 2 settings enabled: one for the „raw” port/listener and one for using our „wrapper”. Let’s comment out (or delete) the one prepared for „raw” connections, so the only one enabled will be the one prepared as our python wrapper ;).)

Now we will run the malware again:

… and it looks like the idea worked. Checking again:

As you can see, we can now go back to our ‘list of available commands’ and check them all (as well as go back to Ida and check the asm code to verify the way the „parameters” of the commands available in the bot are used).
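The FakeNet „python wrapper” the author refers to is essentially a fake C&C that keeps the bot talking and lets the analyst feed it the strings found in IDA one by one. The responder below is an added example of that idea, not the author's wrapper: the CRLF line framing, the port, and the assumption that the bot sends PING and expects PONG back are all guesses to be corrected from the FakeNet log of the real sample. Every byte the bot sends is logged so that the analyst can see which of the „potential commands” from the Strings window actually change its behaviour. It belongs in the isolated analysis VM, with the C&C hostname pointed at 127.0.0.1 through the hosts file exactly as the author did.

```python
"""
Minimal fake C&C responder (added example, in the spirit of a FakeNet
python wrapper).  Framing, port and PING/PONG direction are assumptions.
"""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass, field

LISTEN_ADDR = ("127.0.0.1", 6667)   # assumed port; take the real one from the FakeNet log
EOL = b"\r\n"                       # assumed line framing


@dataclass
class BotSession:
    """State of one bot connection: commands still to send, everything received."""
    queue: list[bytes] = field(default_factory=list)     # analyst's commands, in order
    received: list[bytes] = field(default_factory=list)  # complete lines from the bot
    _buf: bytes = b""                                    # partial line carried over

    def feed(self, data: bytes) -> list[bytes]:
        """Consume raw bytes from the bot and return the replies to send.

        - A line that is just PING (any case) gets PONG, so the keep-alive does
          not drop the session (assumed direction: bot pings, C&C pongs).
        - Every other complete line is logged and releases one queued command,
          so each bot reply can be matched to the command that triggered it.
        """
        self._buf += data
        replies: list[bytes] = []
        while EOL in self._buf:
            line, self._buf = self._buf.split(EOL, 1)
            self.received.append(line)
            if line.strip().upper() == b"PING":
                replies.append(b"PONG" + EOL)
            elif self.queue:
                replies.append(self.queue.pop(0) + EOL)
        return replies


def serve(commands: list[bytes], addr: tuple[str, int] = LISTEN_ADDR) -> BotSession:
    """Accept one bot connection and drive it through the queued commands."""
    session = BotSession(queue=list(commands))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(addr)
        srv.listen(1)
        print(f"[*] waiting for the bot on {addr[0]}:{addr[1]}")
        conn, peer = srv.accept()
        with conn:
            print(f"[+] connection from {peer[0]}:{peer[1]}")
            # Some bots wait for the server to speak first, so send one command up front.
            if session.queue:
                conn.sendall(session.queue.pop(0) + EOL)
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                print("[<]", data.decode("latin-1").rstrip())
                for reply in session.feed(data):
                    print("[>]", reply.decode("latin-1").rstrip())
                    conn.sendall(reply)
    print(f"[*] session closed, {len(session.received)} lines received")
    return session


if __name__ == "__main__":
    # Commands come from argv so nothing is hard-coded, e.g.:  fake_cc.py PING WEBSITE
    serve([arg.encode() for arg in sys.argv[1:]] or [b"PING"])
```

Start it before the snapshot with the bot is resumed, then compare the `[<]` lines with the Wireshark capture: a string from IDA that produces no change in the bot's traffic is probably a response keyword rather than a command.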

Here we go again:

Checking more commands:

And the results of the WEBSITE command below:

I see that the DOWNLOAD command can be used to download (and execute) some more malware, check it out:

„Downloading” and „Executing” will continue in a loop until finished. (In my case also a Local folder appeared on the main screen ;]).

At this stage I decided to restore the snapshot and sit back with Ida. I was wondering if I would be able to find some more commands to play with in that bot.

To do that: open the malware in Ida and press Shift+F12 (to get the strings). There I found („potential”) „commands”. For example, a few of them are listed below:

In my opinion we can look at:


Next: again the „DOWNLOAD” command (this time I used a fake hostname just to verify the command's purpose, see below):

And one more:

As we discussed before – it continues in a loop. A sample log from Wireshark below:

…or follow the TCP stream if you want:

Ok, next. I changed the command to HTTP. The results you can observe below:

The malware executable crashed. ;] (I did not check if the crash occurred because I tried to use it with the „localhost” parameter or maybe there was some other bug – probably it goes to my „todo list”…)

Next. Because the malware seems to be dead now, I restored my snapshot and started the investigation again.

(To be honest I tested if this is reproducible, and guess what:

It looks like it is. ;])

Anyway, (restarting our snapshot and) next: the command described as PASSWORDS:

As you can see (in the asm code too) after receiving this command (PASSWORDS) the malware is trying to find passwords from a few popular applications. Restoring the snapshot and a quick ride with Ida again…

Checking the „pseudocode” tab in Ida, it looks like this:

For now our goal is to identify the functionality of the code presented in graph form (below):

For now it looks like this:


Changing a few more names/variables, and we are somewhere here:

It seems that those functions related to connect() are also the ones used during DoS attack(s). Good. Next. Checking other functions and references, for example:

In the meantime, somewhere between changing another function name, we can switch for a moment to the Ida View; there will be a nice „picture” waiting for us:

I think that now the main "purpose" of the program is already known, and it will be like:
- replicate && hide
- connect to C&C and wait for commands
- dropper functionality
- info stealing functionality
- backdoor functionality

According to RIPE, the C&C server is located in the UK.

As there are still some other functions ready to be "reversed"... see you next time. ;)
