Source: "Malware Reverse Engineering"
Malware Family: Backdoor, Keylogger Static Analysis Tools: pestudio, IDA Pro, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autorun, Wireshark Walkthrough:
Reports: (1) Malwr: https://malwr.com/analysis/YTNlZWI4Nzg1NGRhNDMzMGFhYjkwY2EwMzQzMDU1M2M/ (2) VirusTotal: https://www.virustotal.com/en/file/255c26611cd8fe190d1cba2ed92ac4e744049d0841e082b542e87bac286481e2/analysis/1449809684/ I. Static Analysis: bserver.exe Name: bserver.ex_ File Type: PE32 executable (GUI) Intel 80386, for MS Windows Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2006-06-05 22:46:55 Link Date: 6:44 AM 5/20/2008 Entry Point: 0x0002DCD1 Number of sections: 3
0 Comments
Binary Source: OST on "Malware Reverse Engineering"
Problem: Often, malware writers employ various encoding and encryption techniques to avoid detection and complicate malware analysis. Solution: The below-referenced Python programs decode standard and custom Base64 encoded strings. Implementation: I. Sample Python 2.7 Standard Base64 Decoder (see analysis of APT1 WEBC2-CSON) #!/usr/bin/env python # -*- coding: iso-8859-15 -*- # created by Vitali Kremez import string import base64 encoded_string = raw_input("Enter your standard Base64 encoded string: ") print base64.decodestring(encoded_string) II. Sample Python 2.7 Custom Base64 Decoder #!/usr/bin/env python # -*- coding: iso-8859-15 -*- # created by Vitali Kremez import string import base64 temp_string = "" # string custom_b64 = "9ZABCDEFGHIJKLMNOPQRSTUVWXYabcdefghijklmnopqrstuvwxyz012345678+/" # Example of custom Base64 algorithm above Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" cipher = raw_input("Enter your custom Base64 encoded string: ") for ch in cipher: if (ch in Base64): temp_string = temp_string + Base64[string.find(custom_b64, str(ch))] elif (ch == "="): temp_string += "=" decoded_string = base64.decodestring(temp_string) print(decoded_string) Preferred Usage: (1) Create a .py file using the above-referenced source code (2) Make this Python file executable in terminal: $ chmod +x [file path] (3) Edit any custom Base64 algorithm set in custom_b64 string variable (4) Run the file as an executable Source: OST "Malware Reverse Engineering"
Payload Launch Vehicles I. Droppers: Droppers very often copy themselves to another location and behave differently once in their expected location (e.g. C:\Windows\system32). Other possibilities are:
II. Downloaders: Downloads may use a variety of network functions and protocols to retrieve their payloads, and may even use encryption or chunk modification/reordering to fool Intrusion Detection Systems (IDS). Some common Network libraries and functions used are:
III.Injectors: Malicious processes can stick out like a sore thumb. Even the cleverly named processed like scvhost.exe are noticeable to the well trained analyst. DLL Injection is less noticeable, and shellcode injection is even more stealthy, though the calls to perform it may raise alarms as it is unusual behavior. They include:
Source: OST "Malware Reverse Engineering"
Goal: To study and walkthrough this tutorial very diligently (and loop over this process to infinity and beyond) Background: • Packers were first created at a time when network bandwidth was expensive • UPX was a cheap way to obscure identifiable strings from Anti-Virus • As an added bonus, it increased the complexity of analysis Packing Process: • Packers progressed to Executable Protectors which use additional Anti-Analysis tricks
The Unpacking Stub: • The code and data are decoded
OST: "Malware Reverse Engineering"
Malware Family: Spyware, Backdoor Static Analysis Tools: pestudio, IDA Pro, IDC Script, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark Reports: (1) Malwr: https://malwr.com/analysis/MzQ0YWVjNzQwNDgzNDIyZWIyMmMyZjg5NGMzZDU1YWY/# (2) VirusTotal: https://www.virustotal.com/en/file/d00c8c0b19dbe5d3c9eef1623730543417fa9c256c70c4e566c2214a15c85445/analysis/ Walkthrough:
I. Static Analysis: Backdoor.Win32.DarkShell Name: 4a29d41dfda9cfcbcde4d42b4bbb00aa.exe Original Name svchost.exe Internal Name svchost.exe File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) File Type: PE32 executable (GUI) Intel 80386, for MS Windows Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2008-05-20 05:44:57 Link Date: 6:44 AM 5/20/2008 Entry Point: 0x00013000 Goal: Write actionable Sourcefire rule and Yara signature for this specific WEBC2-CSON APT1 binary based on the static analysis performed in the previous post.
Sourcefire Rule: alert tcp $HOME_NET any -> 65.114.195.226 80 (msg: "WEBC2-CSON APT1 DOWNLOADER ALERT"; content:"/Default.aspx?INDEX="; "/Default.aspx?ID="; "User Agent: Mozilla/4.o (compatible; MSIE 8.0; Win32)"; pcre:"/\/Default.aspx?INDEX=[A-Z]{1,10}/"; "/\/Default.aspx?ID=[A-Z]{1,10}/"; noncase; flow: to_server; seq: 8192; classtype: Trojan-activity) Yara Signature: rule Win_Downloader_APT1_WEBC2_CSON : APT { meta: author = "Vitali Kremez" date = "2015-12-07" description = "APT1 Downloader WebC2-CSON" hash0 = "a38a367d6696ba90b2e778a5a4bf98fd" sample_filetype = "exe" strings: $string0 = "OpenRequset Failed" $string1 = "ReadFile Failed" $string2 = "Getfile failed" $string3 = "/Default.aspx?INDEX=" $string4 = "jPhX@@" $string5 = "cXVpdA" $string6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" $string7 = "/Default.aspx?ID=" $string8 = "cXVpdAdW5zdXBwb3J0" $string9 = "Google.exe" $string10 = "3@YAXPAX@Z" $string11 = "Open Web Failed" $string12 = "Content-Type: application/x-www-form-urlencoded" $string13 = "dW5zdXBwb3J0" $string14 = "2@YAPAXI@Z" $string15 = "y21k" $string16 = "Mozilla/4.o (compatible; MSIE 8.0;Win32)" $string17 = "65.114.195.226" condition: 4 of them and filesize < 10KB } Testing Yara Signature with yara -rg: $ yara -rg Win_Downloader_APT1_WEBC2-CSON.yar ~/Desktop/malware_analysis_all_materials_2014-09-08_1/labs Win_Downloader_APT1_WEBC2_CSON [APT] /Users/_____/Desktop/malware_analysis_all_materials_2014-09-08_1/labs/1/WEBC2-CSON_sample_A38A367D6696BA90B2E778A5A4BF98FD Outcome: 100% hits on test binary 100% true negatives on clean binaries OST: "Malware Reverse Engineering"
Static Analysis Tools: BinText, PEiD (Kanal Plugin), IDA Pro, pestudio Dynamic Analysis Tools: PsExplorer, ProcMon, RegShot, Autoruns, Wireshark, Sandboxie, Anubis Reports: (1) VirusTotal: https://www.virustotal.com/en/file/c62de4a72361cf1db38ba8c4f59d386f0e1c02f190cf6c8698ae3a14295bcb04/analysis/1449634964/ (2) Malwr: https://malwr.com/analysis/ZDgyZDQ3OTkwZGQyNGQ4YmFjZGQxZGRiYjhhNzg2MzQ/# APT1 WEBC2-CLOVER is a second malware that was analyzed as part of the APT1 Comment Crew, the alleged Chinese state-sponsored cyber espionage hacking group. This malware was first referenced in Mandiant's APT1 report. I. Static Analysis Name: WEBC2-CLOVER_sample_065E63AFDFA539727F63AF7530B22D2F File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Target machine: Intel 386 or later processors and compatible processors Compilation timestamp: 2011-03-22 12:59:55 Entry Point: 0x00009981 Number of sections: 4 Signature: Microsoft Visual C++ v6.0 File Hashes: Input MD5: 065e63afdfa539727f63af7530b22d2f Input SHA256: c62de4a72361cf1db38ba8c4f59d386f0e1c02f190cf6c8698ae3a14295bcb04 File Size: 52.0 KB (53248 bytes) Anti-Virus detection: 45 / 55 (with the exception of AegisLab, Alibaba, ByteHero, CMC, Bkav, F-Prot, Malwarebytes, Rising, SUPERAntiSpyware, Zoner) Packer detection: PEiD Armadillo v1.71 Finding Dependencies (Imports):
Here are some interesting strings detected during the static analysis of this sample: OST: "Malware Reverse Engineering" Tools: SysInternals: PsExplorer, ProcMon, RegShot, Autoruns, Wireshark I. Dynamic Analysis Generally used as a first pass attempt to understand a piece of software, Dynamic Analysis uses an Execute and Monitor approach to understand observable behavior, and in the case of malware, the Initial Indicators of Compromise. Limitations: Dynamic Analysis is a task that is repeatable and is often automated to perform unattended analysis when the analysis resources are limited and volume of malware to analyze is high. In such cases, outcomes can be limited because the software being analyzed :
II. Dynamic Analysis of APT1 WEBC2_CSON This Downloader malware tries to "phone home" to IP 65.114.1995:80 by sending SYN packets (Exhibit A: Process Explorer Profess TPC/IP). Moreover, APT1 WEBC2_CSON attempts to re-connect to the CNC every 5 seconds as it is evident in Exhibit B: ProcMon Filter on APT1 WEBC2_CSON's Process Identifier.
OST: "Malware Reverse Engineering"
Tools: BinText, PEiD (Kanal Plugin), Ida-Entropy, IDA Pro This static analysis pertains to APT1's WEBC2-CSON_sample. I. This sample was allegedly used in RSA's data breach by the Military Unit Cover Designator of a People's Liberation Army advanced persistent threat unit 61398 that has been alleged to be a source of Chinese computer hacking attacks. II. Static (Code) Analysis refers to any investigation of software without execution of it. This can be as simple as collecting meta-data (e.g. file size, file magic, md5 hash) for Triage or as detailed as analyzing every byte for its meaning. Pros
Deeper Analysis Execution does not guarantee that all code paths are followed as software may require a specific environment or inputs to leverage its capabilities. For example, a Bot may do nothing but open a listening socket if you execute it; but if you investigate the code within the executable, you'll find it can list files, execute commands, and send requests to remote hosts (perhaps for a Denial of Service attack). Such analysis requires a Disassembler, and though there are several available, IDA Pro is one of the most popular. III. APT1 WEBC2-CSON_sample Static Analysis Name: WEBC2-CSON_sample_A38A367D6696BA90B2E778A5A4BF98FD File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Target machine: Intel 386 or later processors and compatible processors Compilation timestamp: 2011-04-21 07:51:21 Link date: 8:51 AM 4/21/2011 Entry Point: 0x0000244C Number of sections: 3 File Hashes Input MD5: A38A367D6696BA90B2E778A5A4BF98FD Input SHA256: 7b345dcc0dc2a441a00d56feb7a3d0058eb11eaa82f71f12309289f651c30924 File Size: 9.5 KB ( 9728 bytes ) Anti-Virus detection: 47 / 55 (with the exception of AegisLab, Alibaba, Bkav, F-Prot, Malwarebytes, Rising, SUPERAntiSpyware, Zoner) Packer detection: PEiD Armadillo v1.7 Finding Dependencies (Imports):
I. Static Analysis:
III. Development
IV. Tool Proficiency
|
AuthorVitali Kremez Archives
September 2016
Categories |