Source: "Malware Reverse Engineering" Malware Family: Backdoor, Keylogger Static Analysis Tools: pestudio, IDA Pro, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autorun, Wireshark Walkthrough:
Reports: (1) Malwr: https://malwr.com/analysis/YTNlZWI4Nzg1NGRhNDMzMGFhYjkwY2EwMzQzMDU1M2M/ (2) VirusTotal: https://www.virustotal.com/en/file/255c26611cd8fe190d1cba2ed92ac4e744049d0841e082b542e87bac286481e2/analysis/1449809684/ I. Static Analysis: bserver.exe Name: bserver.ex_ File Type: PE32 executable (GUI) Intel 80386, for MS Windows Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2006-06-05 22:46:55 Link Date: 6:44 AM 5/20/2008 Entry Point: 0x0002DCD1 Number of sections: 3 File Hashes Input MD5: 927cb3d9a33cbb814401b724c7cc9196 Input SHA256: 255c26611cd8fe190d1cba2ed92ac4e744049d0841e082b542e87bac286481e2 File Size: 79718 bytes Anti-Virus detection: 49/55 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Zoner) Finding Dependencies (Imports): (1) ADVAPI32.dll (2) KERNEL32.dll *LoadLibrary *ExitProcess *GetProcAddress (3) SHELL32.dll (4) USER32.dll Packer Detection Indicators:
Red Flags: (1) The file embeds a file (Type: Executable, MD5: E65B67DEB881167103F4B333837D11ED). (2) The file contains self-modifying code. (3) The file is resource-less. (4) The file has no Version. (5) The file is not signed with a Digital Certificate. Here is one interesting ASCII string that references “vcr.exe,” “beta.what3va.org” and “Bersek” at Section 0x1366F: According to PEiD analysis, no packer was identified during the malware analysis preview: Performed PEiD’s Deep Scan analysis and identified that the malware was packed using UPX: Found Object Entry Point (OEP) at Memory Address 00403420. IDA Pro Warning tells us that this binary could be potentially packed. Finally, we see a tail jump to 403420, which is an OEP that was an indicator of packer that was identified by PEiD. We have a popa function (“pops all variables from the stack”) above as well! Toggled a breakpoint at the address below 42DDEB, ran a program execution, and stepped into this process in OllyDbg: Outcome: Decoded Code Using OllyDump plugin, dumped the debugged process: Outcome bserver_unpacked.ex_: 1. Revealed imports: 2. Added new section named “.newIID”: 3. Unpacked 205 lines of function code as opposed to 6 lines of function code initially. III. Static Analysis: bserver_unpacked.ex_ Target machine Intel 386 or later processors and compatible processors Compilation timestamp 2006-06-05 22:46:55 Entry Point 0x00003420 Number of sections 4 PEiD InstallShield 2000 FileType: Win32 EXE File size: 190.0 KB (194560 bytes) Anti-Virus Detection Ratio: 24/55 Report:
2. VirusTotal: https://www.virustotal.com/en/file/8fe3c738772908ad1351abb62f1169ef3828dc4c1c1023c342507dbf6b6c4b28/analysis/1449967771/ Red Flags: *The file modifies the registry. *The file contains self-modifying code. *The file checksum (0x00000000) is invalid. *The file has no Version. *The file is not signed with a Digital Certificate. *The file sets up Autorun registry keys. Here are some interesting strings: IV. Dynamic Analysis: bserver.ex_ (1) Creates the following processes and files: Executable: [ C:\WINDOWS\system32\vcr.exe ], Command Line: ["C:\WINDOWS\system32\vcr.exe" ] C:\DOCUME~1\User\LOCALS~1\Temp\bserver.ex_ C:\WINDOWS\system32\berzk.dll [ C:\Program Files\Internet explorer\iexplore.exe ], Remote Thread Created [ C:\WINDOWS\system32\vcr.exe ] Analysis Reason: Started by bserver.exe (2) iexplore.exe Processes Created: Executable: [ C:\Program Files\Internet explorer\iexplore.exe ], File Name: [ C:\Program Files\Internet explorer\iedw.exe ] (3) iexplore.exe - File Activities C:\WINDOWS\Registration\R00000000000b.clb ] C:\WINDOWS\system32\shdocvw.dll ] C:\WINDOWS\system32\stdole2.tlb ] C:\WINDOWS\system32\vcr.exe PIPE\lsarpc ] (4) iexplore.exe - Network Activities beta.what3va.org:53 via DNS -> UDP www.microsoft.com:80 via HTTP 23.75.15.164 -> TCP home.microsoft.com:80 via HTTP 23.101.196.141 -> TCP www.msn.com:80 via HTTP 204.79.197.203 -> TCP (5) iexplore.exe - Other Activities Mutexes Created: Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500 MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ Iexplore.XPExceptionFilter ] Mutex: [ Shell.CMruPidlList ] Mutex: [ _SHuassist.mtx ] Additional Information *The file uses the IsDebuggerPresent Windows API function in order to see whether it is being debugged. Here is the Yara signature developed by Nick Hoffman that helps identify the malware debug checking capabilities: rule Check_Debugger { meta: Author = "Nick Hoffman, revised by Vitali Kremez" Description = "Looks for evidence of possible Anti-Debugger" condition: pe.imports("kernel32.dll","CheckRemoteDebuggerPresent") or pe.imports("kernel32.dll","IsDebuggerPresent") or pe.imports("kernel32.dll","OutputDebugString") or pe.imports("ntdll.dll","NtQueryInformationProcess") } In addition, this bserver.ex_ uses custom Dynamic Link Library (DLL) file called BERZK.DLL.
Unpacking the Dropped DLL
Uncheck "File is a DLL," click OK, and save
Analysis of the Unpacked DLL Our dump should maintain the DLL "unsetting" we did for the packed DLL so if clean dump, we can execute it
Outcome: Sourcefire Rule: alert tcp $HOME_NET any -> any 53 (msg: "BACKDOOR BERSERK ALERT"; content:"beta.what3va.org"; "MUID=121AAB31755E6EFF1B43ADF5715E6C85"; "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"; noncase; classtype: Trojan-activity) Yara Signature: rule Win_Downloader_Backdoor_Berserk: BAC { meta: author = "Vitali Kremez" date = "2015-12-13" description = "Detects samples of Backdoor Berserk" hash0 = "55d469ee4409bfc50a861d0b15236589" sample_filetype = "exe" strings: $service_name_short = "vcr.exe" $service_name_short = "iedw.exe" $string0 = "Bersek Use" $string1 = "vcr4eva" $string2 = "c6RzD-4V" $string3 = "dqP5h0" $string4 = "/v0ij6" $string5 = "beta.what3va.org" $string6 = "SP was" $string7 = "stplg]Inicia i(ala" $string8 = "4IE5>E" $string9 = "MNewg_80[" $string10 = "RQ9L2l" $string11 = "Ofe1OEMCP" $string12 = "RLSHIFTAB_Capf" $string13 = ",IlAXZ" $string14 = "aks0To" $string15 = "Ui'gGbP" $string16 = "Win32 only" condition: 4 of them or all of ($service*) and filesize < 80KB }
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
September 2016
Categories |