OST: "Malware Reverse Engineering" Tools: BinText, PEiD (Kanal Plugin), Ida-Entropy, IDA Pro This static analysis pertains to APT1's WEBC2-CSON_sample. I. This sample was allegedly used in RSA's data breach by the Military Unit Cover Designator of a People's Liberation Army advanced persistent threat unit 61398 that has been alleged to be a source of Chinese computer hacking attacks. II. Static (Code) Analysis refers to any investigation of software without execution of it. This can be as simple as collecting meta-data (e.g. file size, file magic, md5 hash) for Triage or as detailed as analyzing every byte for its meaning. Pros
Deeper Analysis Execution does not guarantee that all code paths are followed as software may require a specific environment or inputs to leverage its capabilities. For example, a Bot may do nothing but open a listening socket if you execute it; but if you investigate the code within the executable, you'll find it can list files, execute commands, and send requests to remote hosts (perhaps for a Denial of Service attack). Such analysis requires a Disassembler, and though there are several available, IDA Pro is one of the most popular. III. APT1 WEBC2-CSON_sample Static Analysis Name: WEBC2-CSON_sample_A38A367D6696BA90B2E778A5A4BF98FD File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Target machine: Intel 386 or later processors and compatible processors Compilation timestamp: 2011-04-21 07:51:21 Link date: 8:51 AM 4/21/2011 Entry Point: 0x0000244C Number of sections: 3 File Hashes Input MD5: A38A367D6696BA90B2E778A5A4BF98FD Input SHA256: 7b345dcc0dc2a441a00d56feb7a3d0058eb11eaa82f71f12309289f651c30924 File Size: 9.5 KB ( 9728 bytes ) Anti-Virus detection: 47 / 55 (with the exception of AegisLab, Alibaba, Bkav, F-Prot, Malwarebytes, Rising, SUPERAntiSpyware, Zoner) Packer detection: PEiD Armadillo v1.7 Finding Dependencies (Imports):
VirusTotal Report: https://www.virustotal.com/en/file/7b345dcc0dc2a441a00d56feb7a3d0058eb11eaa82f71f12309289f651c30924/analysis/ III. Noteworthy findings * This binary executable has no version. * It is not signed with a Digital Certificate. This APT1 sample uses Base64 to evade detection and, thereby, increase analysis complexity. Base64
We see this "ABCDEFGHIJKLMNOP” in IDA Pro's loaded sample analysis below in Exhibit B (address 00404310) Exhibit C: IDA shows entropy at address 00404310, which is Base64 algorithm in this case. Knowing the algorithm, we successfully write a program to decode malware static strings. Here is the Python 2.7 implementation of this decoder as Base64Decoder.py that was created to decode this malware strings: import string import base64 example_string = 'VGhpcyBpcyBhIHRlc3Qgc3RyaW5n' print base64.decodestring(example_string) Outcome: "cXVpdA==" == “quit” "dW5zdXBwb3J0" == "unsupport" "Y21k" == "cmd" "c2xlZXA=" == "sleep" Exhibit "D": IDA Pro encoded strings. Unique strings: "gT9BonhBk79LoSlPsQ4=" "/Default.aspx?INDEX=" "/Default.aspx?ID=" "65.114.195.226" "cmd.exe" [Analyst Note: 65.114.195.226 seems to be a hardcoded C2 IP that resolves to CenturyLink. Possible dynamic analysis of this sample could potentially support this statement.] Exhibit E: BinText string analysis shows hardcoded C2 IP.
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |