Monday, 14 August 2017

Reading malware - Backdoor.SpyNet

Following a few other examples, I finally had a chance to sit down with a malware sample I found here (big thanks again!). Below are a few details about the file (md5: ff35edacb8c847e85a6494e7858ecada).

I started with PEiD again:

It looks similar to the last one. My next step was to open the sample file in IDA Pro. When the file was loaded, I used Shift+F12 to open the Strings window. Results below:

While reading the strings, we can start our analysis. Let's say we're here:

As we can see, there are CALLs to registry functions.

I assumed that the program is trying to add some values to the Windows registry. After I renamed the function, I tried to identify its relations with other functions. I used "Xrefs graph to..." from the right-click menu:


OK, let's check the function named sub_40b118():

OK... After checking the available flowchart, we can say that the "plan" for today looks like this:

We will check each function in turn to finally find the purpose of our sample file. We will start 'from the left':

We should be here:

As you probably saw, there are a few strings like "\\\\.\\NTICE". \\.\NTICE is the device name exposed by the SoftICE kernel debugger on NT; a successful CreateFile on it means the debugger is loaded. You can find more information about these names, for example, here.

So now we know that our sample is trying to verify whether it is running under a debugger. Nice. I decided to rename the function as presented below:

In a very similar way we can identify the purpose of the function above:

When I was looking for resources available online, I found a book where it is described:

So, the malware is trying to identify some debuggers. Next:



In the next few steps we will check for libraries used by popular debugging tools, for example:

When you google the name of the file, you should find something like this:

When we check this page we will see that:

As we can see, the malware is also looking for PBK files (RAS phonebook files, which store dial-up and VPN connection entries):

When I found "L$_RasDefaultCredentials#0" in one of the lines, I decided to google it too :)

I found some source code on GitHub; I think the "functionality" will be similar in our case:
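Both indicator classes we have met so far (the debugger device names like \\.\NTICE, and the RAS phonebook/credential strings such as "L$_RasDefaultCredentials#0" and "*.pbk") are exactly what the Shift+F12 string listing surfaces, so here is a small triage script that automates that reading. This is an added example for this post, not code from the sample, from IDA or from the GitHub project linked above; the indicator table is a hand-built heuristic list, and SAMPLE_BLOB is a constructed stand-in for a data section, not bytes dumped from the real binary.

```python
"""Strings-based triage of a binary blob.

Added example for this write-up, not code from the sample or from IDA.
Recovers ASCII/UTF-16LE strings (roughly what IDA's Shift+F12 shows) and
buckets those that match a hand-built indicator table: debugger device
names probed by anti-debug code, RAS phonebook/credential artefacts,
mutex creation, CryptoAPI hashing and registry Run-key persistence.
The table is the example author's own heuristic list, not something
recovered from the malware."""
import re
from collections import defaultdict

# category -> regexes tested against each recovered string (heuristics, not ground truth)
INDICATORS = {
    "anti-debug device probe": [
        # SoftICE (NT and 9x), its video driver, TRW, and the old SysInternals
        # monitors: anti-debug code opens these with CreateFile and treats a
        # successful open as "a debugger/monitor is loaded".
        re.compile(r"^\\\\\.\\(NTICE|SICE|SIWVID|TRW|FILEMON|REGMON)$", re.I),
    ],
    "RAS / dial-up credential harvesting": [
        re.compile(r"^L\$_RasDefaultCredentials#\d+$", re.I),  # LSA secret holding RAS defaults
        re.compile(r"\.pbk$", re.I),                            # RAS phonebook files
        re.compile(r"^Ras(GetCredentials|EnumEntries|GetEntryDialParams)[AW]?$"),
    ],
    "single-instance / mutex": [re.compile(r"^CreateMutex[AW]?$")],
    "CryptoAPI hashing": [
        re.compile(r"^Crypt(CreateHash|HashData|GetHashParam|DestroyHash)$"),
    ],
    "registry persistence": [
        re.compile(r"^Reg(CreateKeyEx|SetValueEx|OpenKeyEx)[AW]?$"),
        re.compile(r"CurrentVersion\\Run", re.I),
    ],
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")  # 4+ printable ASCII bytes
# 4+ printable UTF-16LE code units; the lookbehind stops a trailing ASCII byte
# of a preceding string from being absorbed as the first "character".
UTF16_RE = re.compile(rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob):
    """Return every ASCII and UTF-16LE string of 4+ characters in blob."""
    strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    strings += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)]
    return strings


def triage(blob):
    """Map each indicator category to the sorted, de-duplicated strings hitting it."""
    hits = defaultdict(set)
    for s in extract_strings(blob):
        for category, patterns in INDICATORS.items():
            if any(p.search(s) for p in patterns):
                hits[category].add(s)
    return {category: sorted(values) for category, values in hits.items()}


# Constructed stand-in for a section of the binary: indicator strings separated
# by junk plus one benign string. Nothing here was dumped from the real sample.
SAMPLE_BLOB = (
    b"\x90\x90\x00MZ\x00"
    + b"\\\\.\\NTICE\x00\\\\.\\SICE\x00\\\\.\\SIWVID\x00"
    + b"\xde\xad\xbe\xef" * 3
    + b"L$_RasDefaultCredentials#0\x00"
    + "*.pbk".encode("utf-16-le") + b"\x00\x00"
    + b"RasGetCredentialsA\x00CreateMutexA\x00"
    + b"CryptCreateHash\x00CryptHashData\x00"
    + b"RegSetValueExA\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00hello\x00"
)


def report(blob):
    """Human-readable summary, one block per indicator category."""
    lines = []
    for category, strings in triage(blob).items():
        lines.append(f"[{category}]")
        lines.extend(f"    {s}" for s in strings)
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(report(data))
```

Run it against a real file with `python triage.py sample.bin`. Two caveats a practitioner should keep in mind: a string hit only shows capability, not that the code path is ever executed (that is what the flowchart walk below is for), and on a packed sample none of these strings are visible until the file is unpacked, which is why the PEiD check at the start matters.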

Next, let's skip to this part:

The flowchart should look similar to the one below:

The next function I decided to check was previously named "f_createMutexToOwnDevice()", but for testing purposes I renamed it to "f_createMutexToDoAction()". Some pseudocode below:

Now we should be in the function related to collecting information about the user:

After I renamed the function, our flowchart should now look like the one below:

As we can see there is a lot to do ;)

We are here:

...and here:

After a while with the code of the function, we should be here:

...and here:

After a while we should be here:

The malware is looking for further passwords as well as for more information about the infected machine. For now I'm here:

The program also uses a few CryptoAPI hashing functions (the CryptCreateHash/CryptHashData family):

We will try to verify the next steps in the next few functions...

After a while we should see the actual flowchart (similar to the one below):


Below are the approximate results (starting from the right this time):

Second part of the screen:

...and one more:

I think that at this stage we can already be sure that the program is in fact a malicious sample.

This sample is already known, so you will find more details about it, for example, here.

