Monday, 14 August 2017

Reading malware - Backdoor.SpyNet

Following a few other examples, I finally had a chance to sit down with a malware sample I found here (big thanks again!). Below are a few details about the file (md5: ff35edacb8c847e85a6494e7858ecada).

I started with PEiD again:



It looks similar to the last one. My next step was to open the sample in IDA Pro. Once the file was loaded, I pressed Shift+F12 to open the Strings window. Results below:


While reading the strings we can start our analysis. Let's say that we're here:


As we can see there are CALLs to Windows registry API functions.

I assumed that the program is trying to add some values to the Windows registry. After renaming the function, I tried to identify its relations with other functions, using "Xrefs graph to..." from the right-click menu:


Checking:

OK, let's check the function named sub_40b118():


OK... After checking the available flow chart, we can say that the plan for today looks like this:

We will check each function in turn to finally find the purpose of our sample. We will start from the left:

We should be here:

As you probably saw, there are a few lines like "\\\\.\\NTICE". These are device names (the escaped form of \\.\NTICE). NTICE is the device exposed by the SoftICE kernel debugger driver: a CreateFile call on it succeeds only when SoftICE is loaded, so the result of the open tells the sample whether that debugger is present. More information about them you can find for example here.



So now we know that our sample is trying to verify whether it is running under a debugger. Nice. I decided to rename the function as shown below:


In a very similar way we can identify the purpose of the function above:


While looking for resources online I found a book where it is described:

So, the malware is trying to identify some debuggers. Next:

Next:


Next:

In the next few steps we will check for libraries used by popular debugging tools (another anti-analysis trick: if a DLL that ships with an analysis tool is present on the machine, the sample assumes it is being analysed), for example:


When you google the name of the file, you should find something like this:


When we check that page we will see that:


As we can see, the malware is also looking for PBK files (.pbk is the extension of Windows RAS phonebooks, the files that store dial-up and VPN connection entries):


When in one of the lines I found "L$_RasDefaultCredentials#0" I decided to google it too :) This is the name of the LSA secret in which RAS keeps the saved default dial-up credentials, so a sample reading it is after stored passwords.

I found some source code on GitHub; I think the functionality will be similar in our case:
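As an added example (my own code, not from the original post and not from the SpyNet sample), here is a small Python string triage that does offline what the IDA Strings window did in the screenshots above: it extracts printable ASCII and UTF-16LE strings from a byte blob and tags the indicators discussed so far, i.e. the SoftICE device names, the debugger-detection APIs, the .pbk phonebook names and the L$_RasDefaultCredentials#0 secret name, plus the CryptoAPI hashing calls that come up later in the post. The sample blob is constructed inline, and the indicator sets and category names are my own choices, not anything taken from the sample.

```python
"""Static string triage, the way the post walks IDA's Strings window.

Added example, not code from the original post or the sample analysed there.
It pulls printable ASCII and UTF-16LE strings out of a byte blob (like IDA's
Shift+F12 view or `strings -a -el`) and tags the ones that match indicators
discussed in the post: SoftICE device names, debugger APIs, RAS phonebook /
credential strings and Windows CryptoAPI hashing calls.
"""
import re

MIN_LEN = 4

# Printable ASCII runs, and the same characters interleaved with NUL (UTF-16LE).
_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample blob (NOT the real sample): a few indicator strings in
# both encodings plus some noise, so the example runs offline.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"\\\\.\\NTICE\x00" + b"\\\\.\\SICE\x00"
    + b"IsDebuggerPresent\x00\x00\x00"
    + "rasphone.pbk".encode("utf-16-le") + b"\x00\x00"
    + b"L$_RasDefaultCredentials#0\x00"
    + b"CryptCreateHash\x00CryptHashData\x00"
    + b"\x01\x02\x03GetTickCount\x00"
)

# Indicator sets (my own selection, not taken from the sample).
# SoftICE devices: CreateFile on one of these succeeds only when the SoftICE
# driver is loaded, which is the classic check behind "\\.\NTICE".
SOFTICE_DEVICES = {"\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID"}
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
CRYPTOAPI_HASH = {"CryptAcquireContextA", "CryptAcquireContextW",
                  "CryptCreateHash", "CryptHashData", "CryptGetHashParam"}
# LSA secret under which RAS stores saved default dial-up credentials.
RAS_SECRET = "L$_RasDefaultCredentials#0"


def extract_strings(blob: bytes):
    """Return (offset, text) pairs for ASCII and UTF-16LE strings, in file order."""
    found = []
    for m in _ASCII.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in _UTF16.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def classify(text: str):
    """Map one string to an indicator category, or None if it is noise."""
    if text in SOFTICE_DEVICES:
        return "softice_device"
    if text in DEBUGGER_APIS:
        return "debugger_api"
    if text == RAS_SECRET or text.lower().endswith(".pbk"):
        return "ras_credentials"
    if text in CRYPTOAPI_HASH:
        return "cryptoapi_hash"
    return None


def triage(blob: bytes):
    """Group the interesting strings of a blob by category, keeping file order."""
    hits = {}
    for _offset, text in extract_strings(blob):
        category = classify(text)
        if category:
            hits.setdefault(category, []).append(text)
    return hits


if __name__ == "__main__":
    for category, strings in triage(SAMPLE).items():
        print(f"{category:16} {strings}")
```

To run it against a real file, replace SAMPLE with `open(path, "rb").read()`; the UTF-16 pass matters because Windows samples often keep device names and file names as wide strings, which an ASCII-only strings pass would miss entirely.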


Next. Let's skip to this part:


The flow chart should look similar to the one below:



The next function I checked had previously been named "f_createMutexToOwnDevice()", but for testing purposes I renamed it to "f_createMutexToDoAction()". Creating a named mutex is typically how a sample makes sure only one copy of itself is running. Some pseudocode below:


For now we should be in the function related to collecting information about the user:




After renaming the function, our flow chart should now look like the one below:




As we can see there is a lot to do ;)


We are here:


...and here:

After a while spent with the code of the function, we should be here:




...and here:



After a while we should be here:




The malware is looking for new passwords as well as for more information about the infected machine. For now I'm here:



The program also uses a few CryptHash-family functions (the Windows CryptoAPI hashing calls such as CryptCreateHash and CryptHashData):




We will try to verify the next steps in the next few functions...



After a while we should see the actual flow chart (similar to the one below):



Good. 

Below are the approximate results (starting from the right this time):



Second part of the screen:



...and one more:



I think that at this stage we can already be sure that the program is in fact a malicious sample.

This sample is already known, so you will find more details about it for example here.


Cheers









