I started from PEiD again:
Looks similar to the last one. My next step was to open the sample file in IDA Pro. When the file was loaded I used Shift+F12 to open the strings window. Results below:
While reading the strings we can start our analysis. Let's say that we're here:
As we can see there are CALLs to registry functions.
I assumed that the program is trying to add some values to the Windows registry. After I renamed the function I tried to identify its relations with other functions, using "Xrefs graph to..." from the right-click menu:
Checking:
OK... After checking the available flowchart, we can say that the "plan" for today looks like this:
We will try to check each function to finally find the purpose of our sample file. We will start 'from the left':
As you probably saw, there are a few lines like "\\\\.\\NTICE" (the device name of the SoftICE kernel debugger). You can find more information about them, for example, here.
So now we know that our sample is trying to verify whether we are running it under a debugger. Nice. I decided to rename the function as presented below:
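The two steps above (spotting indicator strings such as the SoftICE device name in the strings window, then using "Xrefs graph to..." to see which functions lead to them before planning the analysis) can be scripted. The example below is added here and is not from the original post or its sample: it extracts printable strings from a constructed byte blob, classifies them into capability categories I chose for the example (anti-debug device names, registry, CryptHash, mutex and credential-related names), and then propagates those categories up a constructed call graph whose function names are modelled on the ones renamed in this post, so that the functions worth opening first are tagged.

```python
from __future__ import annotations
import re

# Capability indicators keyed by the strings the post spots in IDA's string
# window: the SoftICE device names, registry APIs, CryptHash-family APIs, a
# mutex API and an LSA secret name. The grouping into categories is my own
# choice for this example. Windows API names match with or without A/W suffix.
INDICATORS = {
    "anti-debug":  {r"\\.\NTICE", r"\\.\SICE", r"\\.\SIWVID", "IsDebuggerPresent"},
    "registry":    {"RegSetValueEx", "RegCreateKeyEx", "RegOpenKeyEx"},
    "crypto":      {"CryptAcquireContext", "CryptCreateHash", "CryptHashData", "CryptGetHashParam"},
    "mutex":       {"CreateMutex"},
    "credentials": {"L$_RasDefaultCredentials#0", "LsaRetrievePrivateData"},
}


def extract_ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes (what Shift+F12 lists)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify(name: str) -> set[str]:
    """Categories an API name or string belongs to; an A/W suffix is ignored."""
    candidates = {name}
    if len(name) > 1 and name[-1] in "AW":
        candidates.add(name[:-1])
    return {cat for cat, names in INDICATORS.items() if candidates & names}


def triage_strings(data: bytes) -> dict[str, set[str]]:
    """Map every interesting string in the blob to its categories."""
    hits = {}
    for s in extract_ascii_strings(data):
        cats = classify(s)
        if cats:
            hits[s] = cats
    return hits


def propagate(call_graph: dict[str, list[str]],
              string_refs: dict[str, list[str]]) -> dict[str, set[str]]:
    """Tag each function with every capability reachable through its callees
    and the strings it references: the bulk equivalent of following
    'Xrefs graph to...' upwards from each suspicious import or string.
    A fixed-point loop keeps this correct even if the graph has cycles."""
    tags = {fn: set() for fn in call_graph}
    for fn, refs in string_refs.items():
        for s in refs:
            tags.setdefault(fn, set()).update(classify(s))
    changed = True
    while changed:
        changed = False
        for fn, callees in call_graph.items():
            for callee in callees:
                reach = classify(callee) | tags.get(callee, set())
                if not reach <= tags[fn]:
                    tags[fn] |= reach
                    changed = True
    return tags


# Constructed stand-in for the sample's string table (not the real binary).
SAMPLE_BLOB = (b"MZ\x90\x00\x03" + b"\\\\.\\NTICE\x00" + b"\\\\.\\SICE\x00"
               + b"RegSetValueExA\x00" + b"CryptHashData\x00" + b"CreateMutexA\x00"
               + b"L$_RasDefaultCredentials#0\x00" + b"ab\x00kernel32.dll\x00")

# Constructed call graph; function names are hypothetical, in the spirit of
# the renamed functions in the post. Leaf names are Windows API imports.
SAMPLE_CALL_GRAPH = {
    "WinMain":                 ["f_checkDebugger", "f_createMutexToDoAction", "f_collectUserInfo"],
    "f_checkDebugger":         ["CreateFileA"],
    "f_createMutexToDoAction": ["CreateMutexA"],
    "f_collectUserInfo":       ["f_readLsaSecrets", "f_addRegistryValue", "CryptHashData"],
    "f_readLsaSecrets":        ["LsaRetrievePrivateData"],
    "f_addRegistryValue":      ["RegSetValueExA"],
}
# Strings each function references (CreateFileA on its own says nothing;
# the \\.\NTICE argument is what makes f_checkDebugger an anti-debug check).
SAMPLE_STRING_REFS = {
    "f_checkDebugger":  [r"\\.\NTICE", r"\\.\SICE"],
    "f_readLsaSecrets": ["L$_RasDefaultCredentials#0"],
}

if __name__ == "__main__":
    for s, cats in triage_strings(SAMPLE_BLOB).items():
        print(f"{s!r:32} {sorted(cats)}")
    print()
    for fn, cats in propagate(SAMPLE_CALL_GRAPH, SAMPLE_STRING_REFS).items():
        print(f"{fn:26} {sorted(cats)}")
```

The function that ends up with the most categories (here the entry point, then the information-collecting function) is where the analysis plan should start; a function that only reaches a mutex API can be renamed and skipped quickly.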
In a very similar way we can identify the purpose of the function above:
While looking for resources available online I found a book where it is described:
So, the malware is trying to identify some debuggers. Next:
When I found "L$_RasDefaultCredentials#0" (an LSA secret name) in one of the lines I decided to google it too :)
I found some source code on GitHub; I think the functionality will be similar in our case:
Next. Let's skip to this part:
The flowchart should look similar to the one below:
The next function I decided to check was previously named "f_createMutexToOwnDevice()", but for testing purposes I renamed it to "f_createMutexToDoAction()". Some pseudocode below:
For now we should be in the function related to collecting information about the user:
After I renamed the function, our flowchart for now should look like the one below:
As we can see there is a lot to do ;)
We are here:
...and here:
After a while with the code of the function, we should be here:
...and here:
After a while we should be here:
The malware is looking for passwords as well as for more information about the infected machine. For now I'm here:
The program also uses a few functions from the CryptHash family (Windows CryptoAPI):
We will try to verify the next steps in the next few functions...
After a while we should see the actual flowchart (similar to the one below):
Good.
Below are the approximate results (starting from the right this time):
2nd part of the screen:
...and one more:
I think that at this stage we can already be sure that the program is in fact a malicious sample.
This sample is already known, so you will find more details about it, for example, here.
Cheers