OST: "Malware Reverse Engineering" Malware Family: Spyware, Backdoor Static Analysis Tools: pestudio, IDA Pro, IDC Script, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark Reports: (1) Malwr: https://malwr.com/analysis/MzQ0YWVjNzQwNDgzNDIyZWIyMmMyZjg5NGMzZDU1YWY/# (2) VirusTotal: https://www.virustotal.com/en/file/d00c8c0b19dbe5d3c9eef1623730543417fa9c256c70c4e566c2214a15c85445/analysis/ Walkthrough:
I. Static Analysis: Backdoor.Win32.DarkShell Name: 4a29d41dfda9cfcbcde4d42b4bbb00aa.exe Original Name svchost.exe Internal Name svchost.exe File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) File Type: PE32 executable (GUI) Intel 80386, for MS Windows Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2008-05-20 05:44:57 Link Date: 6:44 AM 5/20/2008 Entry Point: 0x00013000 Number of sections: 5 File Hashes Input MD5: 4a29d41dfda9cfcbcde4d42b4bbb00aa Input SHA256: d00c8c0b19dbe5d3c9eef1623730543417fa9c256c70c4e566c2214a15c85445 File Size: 67584 bytes (68.0 KB) Anti-Virus detection: 52/55 (with the exception of AegisLab, Alibaba, ByteHero) Finding Dependencies (Imports):
Here are some interesting strings exported from this binary: The language is set to "Chinese Simplified" in the binary exif data section. Red Flags: (1) The binary uses various obfuscation techniques that makes analysis more complicated. (2) It uses memory management functions. (3) The file is svchost.exe, a fake Microsoft service. (4) The binary contains self-modifying code. (5) It is not signed with a Digital Certificate. (6) The last file section (name: “saber”) is executable. Here are the results of PEID Krypto Analysis: Here is the IPC Script (written in C) that is used to identify the obfuscation techniques in the binary: #include <idc.idc> static main(void) { auto slotidx; slotidx = 1; MarkPosition(0x00408A0C, 0, 0, 0, slotidx + 0, "ADLER32"); MakeComm(PrevNotTail(0x00408A0D), "ADLER32\nAdler32 checksum (unsigned 32-bit integer, BASE value); used by ZLIB compression library"); MarkPosition(0x00408AE1, 0, 0, 0, slotidx + 1, "ADLER32"); MakeComm(PrevNotTail(0x00408AE2), "ADLER32\nAdler32 checksum (unsigned 32-bit integer, BASE value); used by ZLIB compression library"); MarkPosition(0x0040B2C8, 0, 0, 0, slotidx + 2, "BLOWFISH [sbox]"); MakeComm(PrevNotTail(0x0040B2C9), "BLOWFISH [sbox]\nBLOWFISH: Sbox 1"); MarkPosition(0x0040CE28, 0, 0, 0, slotidx + 3, "CRC32"); MakeComm(PrevNotTail(0x0040CE29), "CRC32\nCRC32 precomputed table for byte transform"); MarkPosition(0x0040B280, 0, 0, 0, slotidx + 4, "PI fraction (NIMBUS / BLOWFISH)"); MakeComm(PrevNotTail(0x0040B281), "PI fraction (NIMBUS / BLOWFISH)\nFractional part of PI number - 640 bits. Used e.g. in BLOWFISH (pbox & sbox) or NIMBUS (fixed key)."); } Here are the results of the IDA Entropy analysis of DarkShell with the specific memory addresses: Identified Five (5) Obfuscation Techniques at DarkShell’s Memory Addresses: 1. ZLIB Compression: Memory Address 00408A0C 2. ZLIB Compression: Memory Address 00408AE1 3. Blowfish Encryption: Memory Address 0040B2C8 4. CRC32 Compression: Memory Address 0040CE28 5. Nimbus/Blowfish Encryption: Memory Address 0040B280 II. Dynamic Analysis: Backdoor.Win32.DarkShell (1) This executable starts a windows service svchost.exe. (2) Opens the following files: C:\WINDOWS\system32\drivers\beep.sys \\.\Re1986SDTDOS C:\d00c8c0b19dbe5d3c9eef1623730543417fa9c256c70c4e566c2214a15c85445 C:\WINDOWS\system32\cmd.exe (3) Writes the following files: C:\WINDOWS\system32\drivers\beep.sys [MD5 Hash: 0e1d8c703b0b083560b95cd93b45c146] \\.\Re1986SDTDOS (4) Copies the following files: Source: C:\d00c8c0b19dbe5d3c9eef1623730543417fa9c256c70c4e566c2214a15c85445 DST: C:\WINDOWS\system32\regedit32.exe (5) Deletes the following file: C:\WINDOWS\system32\drivers\beep.sys (6) Creates the following processes: C:\WINDOWS\system32\regedit32.exe C:\WINDOWS\system32\cmd.exe /c del C:\D00C8C~1 > nul (7) Communicates via DNS requests (see the attached PCAP file): artmeis.3322.org (8) Modifies the following registry keys: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceCurrent HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups Verdict: Darkshell contains 5 interesting crypto obfuscation techniques identified by Krypto Analyzer. Subsequently, the IDC script helped highlight specific memory addresses of this binary that reference encryption the above-referenced obfuscation entropies. Overall, this binary launches a fake Window service svchost.exe, contains Chinese Simplified language metadata artifacts, and communicates via DNS to artmeis.3322.org. Sourcefire Rule: alert udp $HOME_NET any -> any 53 (msg: " Backdoor_Win32_DarkShell ALERT"; content: “\\i386\\ReSSDT.sys”;"GetUrlCacheEntryInfoA”; "artmeis.3322.org"; “BackGround Switch Disktop Control”; noncase; flow:to_server,established; classtype: Trojan-activity) Yara Signature: rule Backdoor_Win32_DarkShell : BDR { meta: author = "Vitali Kremez" date = "2015-12-10" description = "Detects samples of Backdoor DarkShell" hash0 = "4a29d41dfda9cfcbcde4d42b4bbb00aa" sample_filetype = "exe" strings: $service_name = “svchost.exe” $string1 = "BackGround Switch Disktop Control" $string2 = "GetUrlCacheEntryInfoA" $string3 = "Ze2Zh@" $string4 = "ts9_ tn9_$ti" $string5 = "Microsoft? Windows? Operating System" wide $string6 = "CreateProcessInternalA" $string7 = "SpecialBuild" wide $string8 = "\\\\.\\Re1986SDTDOS" $string9 = "Private520" $string10 = " > nul" $string11 = "svchost.exe" wide $string12 = "Shell32.dll" $string13 = ".\\i386\\ReSSDT.sys" $string14 = "Possibly KiServiceLimit" $string15 = "InternetReadFile" $string16 = "Windows2003" $string17 = "KeServiceDescriptorTable" condition: 4 of them and filesize < 70KB
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |