Thanks to Malekal’s page (just like before) I was able to „read” some (more) malware(s). Below you will find a few details about the "new" (for me) case (afaik dated to 2015) I had a chance to check…
According to VirusTotal, the malware is already known (so this is not a new sample or "attack"; I'm just trying to learn something new again about reversing apps like the one described below). So let's try it. ;]
First of all: the link to our sample file you can find here. My first guess was to check the unzipped file in PEiD:
Next I decided to open the file in PE Studio to grab some more details about it:
Let’s check those ‘Indicators’.
Probably this time I will be able to see more („indicators”) based on the imports than on the indicators from PE Studio…
We’ll see. Let’s open our malicious file in IDA Pro now. The next step in our case will be to check the mentioned Imports (View -> Open subviews -> Imports):
We should be somewhere here:
Below you will also find some interesting „strings”, for example:
As you can see our binary will use the RegOpenKeyA as well as the CreateFileA function. It's a good "indicator" that we should check the purpose of those functions… We will get back to it later. Now let’s switch to the Strings tab (press Shift+F12, you should be here):
As you can see IDA was able to identify 289 lines. I will not copy/paste all found results here but you can already spot (on the screen above) some strings like „darkddoser”, „PASSWORDS”, PING/PONG as well as the „STOPFLOOD” string or the one related to „CurrentVersion\\Run” from regedit.
Ok, let’s try to verify the behaviour of the program. First of all we will try to understand the meaning of the lines 'mentioned' by the Strings tab. Let's start some reversing.
The functions presented on the screen below look like the best place for me to start reversing this malware:
(If you use IDA’s „feature” – hit space – to change the view, you will get an "easier" graph of that-some-kind-of-main() function of the bot.) See below:
In my case I renamed the sub_419808() function to looksLikeMainBot(). Next. The small graph (flow chart) looks like this:
So for now, it looks like we’re here:
After a while we should have some function „reversed” a little bit, so now it’s time to get back to our Imports. We will try to focus on those groups of functions that are related to our „indicators” from the screens before.
Indicators
The ‘most interesting’ indicators (in my opinion of course) are those listed below. The program is trying to:
a) modify registry values
b) communicate with other programs
c) steal passwords
d) make a DoS attack or drop new malware
e) do something with the passwords of the browsers
Below I’ll try to find a way to verify that (but we will base it rather on the Import Table than on the „indicators” identified by PE Studio – maybe we will learn something new again ;)). Let’s go:
The functions suggesting that the malware will:
a) modify registry values
If we sort our functions in name order we will easily spot a collection like this one:
The purpose of each function you will find below:
- RegSetValueExA - Sets the data and type of a specified value under a registry key
- RegQueryValueExA - Retrieves the type and data for the specified value name associated with an open registry key
- RegOpenKeyExA - Opens the specified registry key
- RegEnumValueA - Enumerates the values for the specified open registry key
b) communicate with other programs
(* below you will find links to only a few of them; more you need to check by yourself on the MSDN website.) For example:
- CompareStringA - Compares two character strings, for a locale specified by identifier
- CopyFileA - Copies an existing file to a new file.
- CreateFileA - Creates or opens a file or I/O device
c) stealing passwords
For example here:
..or the CredEnumerate function used in the code.
Another example, this time from FileZilla (afaik: the main idea of the function is to grab credentials for „recently” used hosts). During the analysis you should find it somewhere in sub_41A39C() – sorry but I already changed the function names and forgot to make a screen before that ;) - anyway:
And one more:
e) is trying to do something with the passwords of the browsers
In the meantime I found (in „Xrefs to…”) some function (in my opinion) related to „profiling your browser”. Check here for more details:
Below another one, related to Firefox and sqlite files:
Let’s switch for a while to „dynamic analysis”.
Chat with C&C
Just like before I decided to use FakeNet (and my edited hosts file) to try to chat with the malware.
Let’s run the sample again (restore the snapshot and run the new-fakenet.cfg with our malware installed on the box). As you can see we can spot some new strings coming from the malware
and:
and:
Let’s investigate it for a while. The changed config for now looks like the one presented on the screen below:
Let’s run the malware again to check for new connection(s) – we are still on the same snapshot. In the meantime we can see that the program is trying to verify if it’s opened in a debugger. Also now you will find a new key/value pair in the location in regedit.exe:
I decided to change my FakeNet wrapper and extend it for the new commands (found during static analysis in IDA; Shift+F12). Now it looks like this:
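A minimal stand-in for such a wrapper, added here as an example and not the author's script: a fake C&C for the lab box that records every line the bot sends and only answers the keepalive, so the sample can be observed without being tasked. It assumes the bot talks in "\r\n"-terminated lines and expects PONG in reply to its PING (only the two strings are on the page; the direction, the framing and the port are assumptions).

```python
import socket
from typing import List, Optional, Tuple

# Added lab stub, not the author's fakenet wrapper. Only PING/PONG comes from
# the sample's strings; "\r\n" line framing and the port are assumptions.
LAB_PORT = 6667

def handle_line(line: str) -> Optional[str]:
    """Answer only the keepalive; anything else is just logged, never tasked."""
    return "PONG" if line.strip().upper() == "PING" else None

def serve_once(conn: socket.socket, log: List[str]) -> None:
    """Serve one bot connection to EOF: split into lines, log each, reply via handle_line."""
    buf = b""
    with conn:
        while data := conn.recv(4096):
            buf += data
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                line = raw.decode("latin-1").rstrip("\r")
                log.append(line)
                reply = handle_line(line)
                if reply is not None:
                    conn.sendall((reply + "\r\n").encode())
        if buf:                        # unterminated tail left at EOF
            log.append(buf.decode("latin-1"))

def exchange(payload: bytes) -> Tuple[List[str], bytes]:
    """Offline check over a socketpair: returns (lines logged, bytes replied)."""
    bot_end, c2_end = socket.socketpair()
    bot_end.sendall(payload)
    bot_end.shutdown(socket.SHUT_WR)   # the bot has said everything
    log: List[str] = []
    serve_once(c2_end, log)            # replies are tiny, so no thread needed
    out = b""
    while chunk := bot_end.recv(4096):
        out += chunk
    bot_end.close()
    return log, out

def listen(port: int = LAB_PORT) -> None:
    """Lab use: the hosts file points the C&C name at this box, as in the post."""
    with socket.socket() as srv:
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            log: List[str] = []
            serve_once(srv.accept()[0], log)
            print(log)
```

Run `listen()` on the analysis VM with the C&C hostname redirected there; `exchange()` lets you check the framing logic offline with a constructed bot stream first.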
On the (right) screen above you will find a few more „commands” I used to try to connect and talk to that malware. Checking again… and I couldn’t talk to the malware at this stage. I decided to go back to static analysis and now the file is opened in OllyDbg:
As you can see there is an IP that we saw before when FakeNet was running. Stepping through the code you’ll see when the new app is „generated” (or started – you name it):
The message from Olly was created after that CMP instruction. (By the way: when I was doing some modifications in FakeNet’s configuration file I was wondering why I could not see any „new results”.
The answer was simple: in FakeNet.cfg I had 2 settings enabled: one for the „raw” port/listener and one for using our „wrapper”. Let’s comment out (or delete) the one prepared for „raw” connections (so the only enabled one will be the one prepared as our python wrapper ;)).
Now we will run the malware again:
… and it looks like the idea worked. Checking again:
As you can see, we can go back now to our ‘list of available commands’ and check them all (as well as go back to IDA and check the asm code to verify the way „parameters” are used for the commands available in the bot).
Here we go again:
Checking more commands:
And the results from the WEBSITE command below:
I see that the DOWNLOAD command can be used to download (and execute) some more malware(s), check it out:
„Downloading” and „Executing” will continue in a loop until finished. (In my case also a Local folder appeared on the main screen ;]).
At this stage I decided to restore the snapshot and sit back down with IDA. I was wondering if I would be able to find some more commands to play with in that bot.
To do that: open the malware in IDA and hit Shift+F12 (to get the strings). There I found („potential”) „commands”. A few of them are listed below:
In my opinion we can look at:
Next: again the „DOWNLOAD” command (this time I used a fake hostname just to verify the command's purpose, see below):
And one more:
As we discussed before – it continues in a loop. A sample log from Wireshark below:
…or follow the TCP stream if you want:
Ok, next. I changed the command to HTTP. The results you can observe below:
Crashed malware exec. ;] (I did not check if the crash occurred because I tried to use it with the „localhost” parameter or maybe there was some other bug – probably goes to my „todo list”…)
Next. Because the malware seems to be dead now I restored my snapshot and started the investigation again.
(To be honest I tested if this is replicable, and guess what:
It looks like it is. ;])
Anyway, (restarting our snapshot and) next: the command described as PASSWORDS:
As you can see (in the asm code too) after receiving this command (PASSWORDS) the malware is trying to find passwords from a few popular applications. Restoring the snapshot and a quick ride with IDA again…
Checking the „pseudocode” tab in IDA looks like this:
For now our goal is to identify the functionality of the code presented in graph form (below):
For now it looks like this:
Changing a few more names/variables, and we are somewhere here:
It seems like those functions related to connect() are also the ones used during DoS attack(s). Good. Next. Checking other functions and references, for example:
In the meantime, somewhere between changing another function name, we can switch for a moment to the IDA View, where a nice „picture” will be waiting for us:
I think that now the main "purpose" of the program is already known and it will be like:
- replicate && hide
- connect to C&C and wait for commands
- dropper functionality
- info stealing functionality
- backdoor functionality
According to RIPE, the C&C server is located in the UK.
As there are still some other functions ready to "reverse"... see you next time. ;)
Cheers