Malware Family: InfoStealer Zeus
Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, ApateDNS, NetworkMiner, Cuckoo Reports: (1) Malwr: https://malwr.com/analysis/Mjc4ODYzNjVmNjQ2NGIzN2IyOWI4Y2U2M2JlZWJjM2E/ (2) VirusTotal: https://www.virustotal.com/en/file/ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782/analysis/ I . Static Analysis: bot.exe Name: bot.exe File Type: DOS EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2014-06-09 20:38:53 Entry Point: 0x00005DC9 Number of Sections: 4 MD5: 8b1f16fd00aeba6e1ee50a84b564e882 SHA256: ff59e8731f22ed5049ca534be4dd58f307d313979eadca5eb3804394581e9782 File size: 22.5 KB Anti-Virus Detection Ratio: 42 / 55 Finding Dependencies (Imports): [1] KERNEL32.dll *GetProcAddress *InterlockedIncrement *LoadLibraryA [2] USER32.dll Red Flags: The file embeds a file (Type: Unknown, MD5: EA829505EEC49A100DFCBE84C8D2C736). The file references the Event Log. The file ignores Address Space Layout Randomization (ASLR) as mitigation technique. The file is resource-less. The file has no Version. The file ignores cookies on the stack (GS) as mitigation technique. The file is not signed with a Digital Certificate. The file contains 3 crypto signatures.
0 Comments
Source: VirusShare
Malware Family: Ransomware Trojan, TeslaCrypt 2.2.2 Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText, IDA Pro Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie, ApateDNS, netcat, VMWare (Windows XP SP1) Reports: (1) TotalHash: https://totalhash.cymru.com/analysis/?a8c986ae2083e8510429be9c3a7cf8c98a5ec8d0 (2) VirusTotal: https://www.virustotal.com/en/file/6b3ffc56dc48dd4e0878e2c741666ce5df5de92210cb28709b6b468afe27a27e/analysis/1450551677/ I . Static Analysis: d62c66750363a910542c39b2d726c656.exe Name: d62c66750363a910542c39b2d726c656.exe File Type: Win32 EXE Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2015-12-08 16:11:48 Entry Point: 0x0000881C Number of Sections: 5 MD5: d62c66750363a910542c39b2d726c656 SHA256: 6b3ffc56dc48dd4e0878e2c741666ce5df5de92210cb28709b6b468afe27a27e Source: "Malware Reverse Engineering"
Malware Family: PDF Shell Code Exploit Analysis Tools: PDFStreamDumper, pestudio, IDA Pro, CFF Explorer, PEID, BinText Reports: (1) Malwr: https://malwr.com/analysis/YmMzZDEwYzVhNDg4NDFmOTg0MDQxM2RjOGMyOWViZGE/ (2) VirusTotal: https://www.virustotal.com/en/file/a6bde95330c830646945f2564c5bec27802bcbb117316bdda2520a11a4dbead9/analysis/1450231420/ I.Malware Analysis: CVE-2007-5659_PDF__9BC1735453963E33EA1857CC25AA5A19_SurveyOnObama... File Type: PDF File Hashes Input MD5: 9bc1735453963e33ea1857cc25aa5a19 Input SHA256: a6bde95330c830646945f2564c5bec27802bcbb117316bdda2520a11a4dbead9 File Size: 72.2 KB (73896 bytes) Anti-Virus detection: 40 / 55 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Bkav) OST: "Malware Reverse Engineering"
Malware Family: Dropper Static Analysis Tools: pestudio, Immunity Debugger, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autoruns, Wireshark, Sandboxie Reports: (1) Malwr: https://malwr.com/analysis/Mzg2NWQ5ZDg5YmZmNGU4YTg3YzhmMWJiYjFiMjg3NTg/ (2) VirusTotal: https://www.virustotal.com/en/file/94f690dec48f9080eb0ba00e823e26a59c1b7dabe695ed954f9715afc313a730/analysis/1450185879/ I . Static Analysis: dropper.ex_ Name: dropper.ex_ File Type: PE32 executable (console) Intel 80386, for MS Windows Target machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2011-05-03 16:55:49 Entry Point: 0x0000900D Number of Sections: 6 MD5: cb905889c03593359262e25b80021dfd SHA256: 94f690dec48f9080eb0ba00e823e26a59c1b7dabe695ed954f9715afc313a730 File size: 22.5 KB (23040 bytes) Packer: Polycrypt Anti-Virus Detection Ratio: 30/55 Finding Dependencies (Imports): -KERNEL32.DLL * GetProcAddress Here are some interesting strings: Source: "Malware Reverse Engineering"
Malware Family: Donwloader. Backdoor Implant Static Analysis Tools: pestudio, IDA Pro, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autorun, Wireshark, Sandboxie Reports: (1) Malwr: https://malwr.com/analysis/ZWZkNGE4MWM5M2ZkNDYxMmFjZjJjNTcwOTExNDdlYTA/ (2) VirusTotal: https://www.virustotal.com/en/file/a627a4c74a4b092287e91cf6fbfd086c1355e1eb0160e55f8c9b568aca1c73c4/analysis/1450093133/ I. Static Analysis: nba_implant.ex_ Name: nba_implant.ex_ File Type: PE32 executable (GUI) Intel 80386 32-bit Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2007-03-13 11:26:26 Entry Point: 0x00006801 PEiD: Armadillo v1.71 Number of sections: 3 File Hashes Input MD5: bd3c75e238b1b6074bcf56e7e9aa183b Input SHA256: a627a4c74a4b092287e91cf6fbfd086c1355e1eb0160e55f8c9b568aca1c73c4 File Size: 84.0 KB ( 86016 bytes ) Anti-Virus detection: 37/43 (with the exception of Malwarebytes, SuperAntiSpyware, Alibaba, AegisLab, ByteHero, Bkav) [Analyst's Note: 12 AVs did not evaluate this binary.] Finding Dependencies (Imports): (1) WS2_32.dll (Windows Networking API) Here are this implant's calls of interest: * send() * recv() * socket() * connect() * gethostbyname() (2) KERNEL32.dll (3) USER32.dll (4) ADVAPI32.dll Here are some interesting strings: Source: OST on "Malware Reverse Engineering", Professor Poz Goals:
Purpose of networking code in malware
How to detect If the intruder uses a specific tool, technique, or procedure, then it is likely possible to fingerprint Command and Control While each of the listed purposes of networking code offers an opportunity to detect and prevent an intrusion, we will focus on remote access tool (RAT) analysis in our examples and exercises. Windows Networking APIs [source: Sikorski, M. & Honig, A. (2012).“Practical Malware Analysis,” p. 313] Command and Control (C2)
Understanding a remote access tool (RAT) is all about understanding its network communication. All RATs are broken into two pieces, an implant, which is placed on the compromised system, and a controller, which the intruder uses to control the implant. The network communication is then one of four types:
Indicators Creating low false positive, low false negative signatures can be difficult. The best indicators come from hard-coded, static strings in the malware. For example, when the C2 is tunneled over HTTP and is using a unique User-Agent string, the string can be turned into a simple NIDS signature. When there are no strings that would yield a low false positive signature, attributes of the C2 can sometimes be used to create effective, though higher false positive, signatures. Examples:
IDS Rule Writing WARNING: Know where your signatures will be used! For example, HTTP communication through a proxy can change the headers or the requested resource depending on which side of the proxy the signature is implemented. Pre-proxy means the requested resource is a full URL, with protocol and domain name. Post-proxy means possible additional headers added by the proxy, such as X-Forwarded-For or Via. Don’t give up if the C2 is encrypted. Depending on the chosen encryption algorithm or implementation, a reasonable signature is still possible. For example, if the attacker is using RC4, has embedded the key in the malware itself, and the pre-encrypted C2 has well-defined fields that are NULL padded, you can pick an offset into the data that you know will always be NULL bytes before encryption and compute their encrypted values. Then a simple NIDS signature can be used to test for those specific bytes at the chosen offset. Source: "Malware Reverse Engineering"
Malware Family: Backdoor, Keylogger Static Analysis Tools: pestudio, IDA Pro, CFF Explorer, PEID, BinText Dynamic Analysis Tools: pexplorer, ProcMon, RegShot, ProcDump, Autorun, Wireshark Walkthrough:
Reports: (1) Malwr: https://malwr.com/analysis/YTNlZWI4Nzg1NGRhNDMzMGFhYjkwY2EwMzQzMDU1M2M/ (2) VirusTotal: https://www.virustotal.com/en/file/255c26611cd8fe190d1cba2ed92ac4e744049d0841e082b542e87bac286481e2/analysis/1449809684/ I. Static Analysis: bserver.exe Name: bserver.ex_ File Type: PE32 executable (GUI) Intel 80386, for MS Windows Target Machine: Intel 386 or later processors and compatible processors Compilation Timestamp: 2006-06-05 22:46:55 Link Date: 6:44 AM 5/20/2008 Entry Point: 0x0002DCD1 Number of sections: 3 Binary Source: OST on "Malware Reverse Engineering"
Problem: Often, malware writers employ various encoding and encryption techniques to avoid detection and complicate malware analysis. Solution: The below-referenced Python programs decode standard and custom Base64 encoded strings. Implementation: I. Sample Python 2.7 Standard Base64 Decoder (see analysis of APT1 WEBC2-CSON) #!/usr/bin/env python # -*- coding: iso-8859-15 -*- # created by Vitali Kremez import string import base64 encoded_string = raw_input("Enter your standard Base64 encoded string: ") print base64.decodestring(encoded_string) II. Sample Python 2.7 Custom Base64 Decoder #!/usr/bin/env python # -*- coding: iso-8859-15 -*- # created by Vitali Kremez import string import base64 temp_string = "" # string custom_b64 = "9ZABCDEFGHIJKLMNOPQRSTUVWXYabcdefghijklmnopqrstuvwxyz012345678+/" # Example of custom Base64 algorithm above Base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" cipher = raw_input("Enter your custom Base64 encoded string: ") for ch in cipher: if (ch in Base64): temp_string = temp_string + Base64[string.find(custom_b64, str(ch))] elif (ch == "="): temp_string += "=" decoded_string = base64.decodestring(temp_string) print(decoded_string) Preferred Usage: (1) Create a .py file using the above-referenced source code (2) Make this Python file executable in terminal: $ chmod +x [file path] (3) Edit any custom Base64 algorithm set in custom_b64 string variable (4) Run the file as an executable Source: OST "Malware Reverse Engineering"
Payload Launch Vehicles I. Droppers: Droppers very often copy themselves to another location and behave differently once in their expected location (e.g. C:\Windows\system32). Other possibilities are:
II. Downloaders: Downloads may use a variety of network functions and protocols to retrieve their payloads, and may even use encryption or chunk modification/reordering to fool Intrusion Detection Systems (IDS). Some common Network libraries and functions used are:
III.Injectors: Malicious processes can stick out like a sore thumb. Even the cleverly named processed like scvhost.exe are noticeable to the well trained analyst. DLL Injection is less noticeable, and shellcode injection is even more stealthy, though the calls to perform it may raise alarms as it is unusual behavior. They include:
Source: OST "Malware Reverse Engineering"
Goal: To study and walkthrough this tutorial very diligently (and loop over this process to infinity and beyond) Background: • Packers were first created at a time when network bandwidth was expensive • UPX was a cheap way to obscure identifiable strings from Anti-Virus • As an added bonus, it increased the complexity of analysis Packing Process: • Packers progressed to Executable Protectors which use additional Anti-Analysis tricks
The Unpacking Stub: • The code and data are decoded
|
AuthorVitali Kremez Archives
September 2016
Categories |