PRACTICAL MALWARE ANALYSIS: ANTI-DEBUGGING(LAB 16-02)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab16-02.exe SHA256: 0c3031f630adc6cdd7b877fa1c2982909cde01dff612db5dd7df58cc778dd919

VirusTotal:

  • Detection Rate: 4/54
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-11-03 04:19:52
  • View report here

Lab 16-2
Analyze the malware found in Lab16-02.exe using a debugger. The goal of this
lab is to figure out the correct password. The malware does not drop a malicious
payload.
Questions
1. What happens when you run Lab16-02.exe from the command line?

Picture worth a thousand words.

cmd
Figure 1. password required

2. What happens when you run Lab16-02.exe and guess the command-line
parameter?

incorrect
Figure 2. Incorrect password

3. What is the command-line password?

To get the command-line password, we can set a breakpoint at 0x0040123A (the strncmp call) to see what the malware compares the password against. However, when the malware is run under the debugger it simply terminates.

callback
Figure 3. Callbacks

It seems the subroutine at 0x00408033 is called before main is reached. Analyzing it in IDA Pro, this subroutine checks for an OllyDbg window via FindWindowA and also uses OutputDebugString to detect a debugger. NOP out the function body so that it simply returns, which bypasses both checks.

pyqr
Figure 4. byqrp@ss

And so we get a password. However, this password is rejected when tried on the command line: the value computed with a debugger attached is not the real one.

Let's look at the subroutine at 0x00401090, which is started via CreateThread. This function is responsible for generating the password that the input is checked against.

debugger
Figure 5. BeingDebugged Flag

In the subroutine we can see a check of the BeingDebugged flag in the PEB. Maybe this is the cause. Let's fix the structure (set the flag back to 0) and see how it goes.

byrr
Figure 6. byrrp@ss

The decoded password is "byrrp@ss". However, strncmp only compares the first 4 characters, so "byrr" is all that is needed on the command line.

correct
Figure 7. Correct Password

4. Load Lab16-02.exe into IDA Pro. Where in the main function is strncmp
found?

@0x40123A

40123a
Figure 8. strncmp

5. What happens when you load this malware into OllyDbg using the
default settings?

The program just terminates. In fact, even when it is run from the command line with OllyDbg merely open in the background, the application still terminates: the window check does not require the debugger to be attached.

6. What is unique about the PE structure of Lab16-02.exe?

There is a .tls section, which means the binary can register TLS callbacks that run before main.

section
Figure 9. .tls section

7. Where is the callback located? (Hint: Use CTRL-E in IDA Pro.)

At address 0x00401060.

controlE
Figure 10. Ctrl-E

8. Which anti-debugging technique is the program using to terminate
immediately in the debugger and how can you avoid this check?

  1. FindWindowA looking for the OLLYDBG window class
  2. OutputDebugString to detect a debugger
  3. The BeingDebugged flag, read via fs:[30h]+2

These can be avoided by breaking on the callback before it runs (Ctrl-E in IDA Pro shows where it is) and NOPing out the function body so it returns immediately; the BeingDebugged flag can instead be cleared in the PEB.

9. What is the command-line password you see in the debugger after you
disable the anti-debugging technique?

"byqrp@ss" (Figure 4), obtained once the callback is NOPed out but with the BeingDebugged flag still set. Refer to the solution for question 3.

10. Does the password found in the debugger work on the command line?

No. The real password is "byrrp@ss", of which only the first 4 characters ("byrr") are compared. Refer to the solution for question 3.

11. Which anti-debugging techniques account for the different passwords in
the debugger and on the command line, and how can you protect
against them?

  1. OutputDebugString (NOP out the callback function)
  2. The BeingDebugged flag (edit the PEB so the flag is 0 again)

PRACTICAL MALWARE ANALYSIS: ANTI-DEBUGGING(LAB 16-01)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab16-01.exe SHA256: 309217d8088871e09a7a03ee68ee46f60583a73945006f95021ec85fc1ec959e

VirusTotal:

  • Detection Rate: 19/54
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-10-20 16:42:33
  • View report here

Lab 16-1
Analyze the malware found in Lab16-01.exe using a debugger. This is the
same malware as Lab09-01.exe, with added anti-debugging techniques.
Questions
1. Which anti-debugging techniques does this malware employ?

Based on the figures below, the anti-debugging techniques used are:

  1. checking the PEB BeingDebugged flag
  2. checking the ProcessHeap flags (offset 10h)
  3. checking NtGlobalFlag

antidebugger
Figure 1. Anti debugger

peb
Figure 2. the offset used

processheap
Figure 3. Checking process heap

2. What happens when each anti-debugging technique succeeds?

When a check succeeds, the malware calls the subroutine at 0x00401000, which deletes the executable from disk and then terminates the process.

delete
Figure 4. Self Delete & terminates

3. How can you get around these anti-debugging techniques?

  1. Set breakpoints at the checks and manually change the flow in OllyDbg
  2. Patch the program, e.g. change a jz to a jnz
  3. Use a plugin such as PhantOm

4. How do you manually change the structures checked during runtime?

Use the OllyDbg command line and enter dump fs:[30]+2 (refer to figure 2) to show the BeingDebugged byte of the PEB. Set the byte to 0.

commandline
Figure 5. Changing structure

5. Which OllyDbg plug-in will protect you from the anti-debugging techniques
used by this malware?

The PhantOm plugin will do the job.


PRACTICAL MALWARE ANALYSIS: ANTI-DEBUGGING(LAB 16-03)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Wireshark

Sample:

  1. Lab16-03.exe SHA256: f36de55cf09c24045f241d50519a2ff1e5578336d0e8426eeabe5b39162d9006

VirusTotal:

  • Detection Rate: 0/56
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-10-22 19:36:11
  • View report here

Lab 16-3
Analyze the malware in Lab16-03.exe using a debugger. This malware is similar
to Lab09-02.exe, with certain modifications, including the introduction of
anti-debugging techniques. If you get stuck, see Lab 9-2.
Questions
1. Which strings do you see when using static analysis on the binary?

These are the only strings of interest that we can observe statically.

strings
Figure 1. strings

2. What happens when you run this binary?

Nothing happens; it just terminates.

3. How must you rename the sample in order for it to run properly?

In OllyDbg, we set a breakpoint at 0x401518 (strncmp) to see what the malware compares against. The executable name appears to need to be "qgr.exe". However, nothing happens when we rename it and run the malware from the command line...

qgr
Figure 2. qgr.exe

Firing up IDA Pro we trace back the variable that was used to match against the current running executable filename.

var_29c
Figure 3. var_29C

It seems the variable is initially set to ocl.exe. It is then passed to a function that calls QueryPerformanceCounter twice. Between the two calls is a division by zero that is deliberately placed there to slow down a debugged process.

The difference between the two QueryPerformanceCounter readings determines whether var_118 is set to 2 or 1, which in turn changes the return value of the subroutine. Under a debugger the difference will likely exceed 1200 because of the time spent handling the division-by-zero exception: if the difference is above 1200, var_118 is set to 2 and the expected filename is qgr.exe; otherwise var_118 is set to 1 and the expected filename is peo.exe.

1200
Figure 4. QueryPerformanceCounter

By manually setting var_118 to 1 rather than 2, we get the filename peo.exe.

Renaming the executable to peo.exe lets it run properly.

peo
Figure 5. peo.exe

4. Which anti-debugging techniques does this malware employ?

All the techniques used are timing-based:

  1. QueryPerformanceCounter
  2. GetTickCount
  3. rdtsc (subroutine at 0x401300)

5. For each technique, what does the malware do if it determines it is
running in a debugger?

  1. QueryPerformanceCounter – determines what the executable must be named in order to run properly
  2. GetTickCount – crashes the program by dereferencing a null pointer
  3. rdtsc – calls the subroutine at 0x004010E0, which deletes the executable

6. Why are the anti-debugging techniques successful in this malware?

The malware deliberately triggers a division-by-zero exception. With a debugger attached, the debugger receives the exception first and the analyst has to pass it back to the program, which takes far longer than letting the program's own SEH handler deal with it when no debugger is present. The code can therefore tell whether a debugger is attached purely from the time difference.

7. What domain name does this malware use?

adg.malwareanalysisbook.com

url
Figure 6. adg.malwareanalysisbook.com

PRACTICAL MALWARE ANALYSIS: ANTI – DISASSEMBLY(LAB 15-03)

Tools Used

  1. IDA Pro
  2. HxD

Sample:

  1. Lab15-03.exe SHA256:b2a6e13fab9d8fa32acbfaa346f2987c35f7d7c0ba7547aa8524b20cde63773b

VirusTotal:

  • Detection Rate: 37/54
  • Analyzed on 2016-03-14
  • Compilation Date: 2011-02-05 05:40:38
  • View report here

Lab 15-3
Analyze the malware found in the file Lab15-03.exe. At first glance, this binary
appears to be a legitimate tool, but it actually contains more functionality
than advertised.
Questions
1. How is the malicious code initially called?

The return address on the stack is overwritten at the start of the program: the slot holding main's return address is written with 0x40148c, so when main returns, execution continues in the malicious code.

changingRet
Figure 1. Overwriting return address

2. What does the malicious code do?

seh
Figure 2. SEH

At 0x40148c we can see that the malware installs an SEH handler (0x4014C0) via fs:0. It then performs a divide by zero to trigger the handler.

The handler downloads a file from a URL and executes it via WinExec.

sehHandler
Figure 3. SEH Handler


3. What URL does the malware use?

I decided to write a script to decode the URL. The decoding function is simple: it just negates each input byte.

decode
Figure 4. Decoded URL

The url is: http://www.practicalmalwareanalaysis.com/tt.html

4. What filename does the malware use?

spoolsrv.exe

decoded_2
Figure 5. Decoded filename
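As an added illustration of the decoding described above (this is not the author's script), the following decoder undoes the byte negation Lab15-03 applies to its strings. Negation is its own inverse, so the same routine serves for encoding; the URL and filename reported in this write-up are re-encoded here as constructed test data, and the surrounding "section" bytes are likewise made up.

```python
# Added example: decode the NUL-terminated strings that Lab15-03 stores negated.
# Each stored byte is the two's-complement negation of the plaintext byte.

def neg_byte(b: int) -> int:
    """Two's-complement negation of one byte, i.e. what x86 NEG does to an 8-bit register."""
    return (-b) & 0xFF

def neg_decode(buf: bytes) -> str:
    """Decode a negated, NUL-terminated string starting at buf[0]."""
    out = bytearray()
    for b in buf:
        p = neg_byte(b)
        if p == 0:          # NUL negates to NUL, so the terminator survives encoding
            break
        out.append(p)
    return out.decode("ascii")

def neg_encode(s: str) -> bytes:
    """Produce the on-disk form (negated bytes plus NUL); used here only to build test data."""
    return bytes(neg_byte(b) for b in s.encode("ascii")) + b"\x00"

def decode_at(blob: bytes, offset: int) -> str:
    """Decode from an offset inside a larger buffer, e.g. a raw file or section dump."""
    return neg_decode(blob[offset:])

# Constructed test data: the two strings reported above, re-encoded with the
# same negation and padded into a fake section so decode_at() can be exercised.
ENCODED_URL = neg_encode("http://www.practicalmalwareanalaysis.com/tt.html")
ENCODED_FILENAME = neg_encode("spoolsrv.exe")
FAKE_SECTION = b"\x90" * 16 + ENCODED_URL + b"\x00" * 4 + ENCODED_FILENAME
URL_OFFSET = 16
FILENAME_OFFSET = 16 + len(ENCODED_URL) + 4

if __name__ == "__main__":
    print(decode_at(FAKE_SECTION, URL_OFFSET))
    print(decode_at(FAKE_SECTION, FILENAME_OFFSET))
```

Against a real sample, read the file (or a memory dump) into a bytes object and pass the offset of the encoded string to decode_at.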

PRACTICAL MALWARE ANALYSIS: ANTI – DISASSEMBLY(LAB 15-02)

Tools Used

  1. IDA Pro

Sample:

  1. Lab15-02.exe SHA256:20653de88265b4ab7b657de38e6585956368df037b66836008f8426f3e28cae6

VirusTotal:

  • Detection Rate: 6/53
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-11-16 22:11:46
  • View report here

Lab 15-2
Analyze the malware found in the file Lab15-02.exe. Correct all anti-disassembly
countermeasures before analyzing the binary in order to answer the questions.
Questions
1. What URL is initially requested by the program?

url
Figure 1. URL

http://www.practicalmalwareanalysis.com/bamboo.html

2. How is the User-Agent generated?

By transforming the string returned by gethostname.

host
Figure 2. shift right

The code above shifts each character of the hostname forward by one. To keep the result printable, Z wraps to A, z wraps to a, and 9 wraps to 0.
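The derivation described above, written out as an added example (this is not the sample's own code), together with its inverse so that a User-Agent seen on the wire can be mapped back to the infected host. It takes the description literally and shifts every character by one; the page only specifies the three wrap cases, so treating other non-alphanumeric characters the same way is an assumption.

```python
# Added example: reproduce Lab15-02's User-Agent derivation and invert it.

WRAP_FORWARD = {"Z": "A", "z": "a", "9": "0"}
WRAP_BACKWARD = {v: k for k, v in WRAP_FORWARD.items()}

def user_agent_for(hostname: str) -> str:
    """Shift each character forward by one, wrapping Z->A, z->a and 9->0.
    Assumption: characters other than the three wrap cases are shifted as-is."""
    return "".join(WRAP_FORWARD.get(c, chr(ord(c) + 1)) for c in hostname)

def hostname_from_user_agent(ua: str) -> str:
    """Inverse transform. 'A', 'a' and '0' are taken to come from the wrap cases,
    which is unambiguous for valid hostnames (they contain no '@', '`' or '/')."""
    return "".join(WRAP_BACKWARD.get(c, chr(ord(c) - 1)) for c in ua)

if __name__ == "__main__":
    # Constructed hostnames for demonstration.
    for h in ("WORKSTATION9", "lab-pc-z"):
        ua = user_agent_for(h)
        print(f"{h} -> {ua} -> {hostname_from_user_agent(ua)}")
```

For incident response the inverse is the useful half: given the User-Agent from a proxy log, it names the host that generated it without needing the sample.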

3. What does the program look for in the page it initially requests?

Bamboo::

bamboo
Figure 3. strstr

4. What does the program do with the information it extracts from
the page?

It extracts another URL from the page and downloads its content via InternetOpenUrlA and InternetReadFile, saving it as "Account Summary.xls.exe". It then executes it via ShellExecuteA.

download
Figure 4. InternetOpenUrlA followed by InternetReadFile followed by fopen,fwrite then ShellExecuteA

PRACTICAL MALWARE ANALYSIS: ANTI – DISASSEMBLY(LAB 15-01)

Tools Used

  1. IDA Pro

Sample:

  1. Lab15-01.exe SHA256: 1120d5ee34d2cd4519ea551cd4c8b1544b9a5993aba33774ffc854cec34001e1

VirusTotal:

  • Detection Rate: 0/53
  • Analyzed on 2016-03-18
  • Compilation Date: 2011-02-04 15:22:33
  • View report here

Lab 15-1
Analyze the sample found in the file Lab15-01.exe. This is a command-line
program that takes an argument and prints “Good Job!” if the argument
matches a secret code.
Questions
1. What anti-disassembly technique is used in this binary?

An xor (which always sets the zero flag) is followed by a jz, so at runtime the jump is always taken. The disassembler nevertheless decodes the never-executed fall-through path, and the byte placed there is the opcode E8 (a 5-byte call), which makes IDA Pro disassemble the following real instructions incorrectly.

jmp
Figure 1. A confused-looking IDA Pro

We can undefine the code and re-analyze it as shown below.

re-analyzed
Figure 2. Reanalyzing opcodes

2. What rogue opcode is the disassembly tricked into disassembling?

E8 (the first byte of a 5-byte call) was used to trick the disassembler.

e8
Figure 3. E8 opcode

3. How many times is this technique used?

5 times. Just count the 0xE8 bytes (refer to figure 2).

4. What command-line argument will cause the program to print
“Good Job!”?

Based on the analysis of the code below, we need to pass in the passphrase "pdq".

pdq_ida
Figure 4. decoding the pass phrase
pdq
Figure 5. Good Job!

PRACTICAL MALWARE ANALYSIS: MALWARE -FOCUSED NETWORK SIGNATURES(LAB 14-03)

Tools Used

  1. IDA Pro

Sample:

  1. Lab14-03.exe SHA256: a00c3277d9e56864d615441f41d5405216c1130107067094643a268b944b9c71

VirusTotal:

  • Detection Rate: 20/53
  • Analyzed on 2016-03-18
  • Compilation Date: 2011-08-22 05:08:27
  • View report here

Lab 14-3
This lab builds on Lab 14-1. Imagine that this malware is an attempt by
the attacker to improve his techniques. Analyze the malware found in file
Lab14-03.exe.
Questions
1. What hard-coded elements are used in the initial beacon? What elements,
if any, would make a good signature?

From the figure below, we can see a hard-coded User-Agent and hard-coded headers (Accept, Accept-Language, Accept-Encoding, and an unusual UA-CPU field). All of these can be used in a signature, especially the UA-CPU field. Note also that the author passes the string "User-Agent: xxx" as the agent argument to InternetOpenA; since WinINet prepends the header name itself, the request goes out as "User-Agent: User-Agent: xxx". This duplication is a bug on the attacker's side that makes a good signature too.

headers
Figure 1. HTTP Headers
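The indicators discussed above, applied to a raw HTTP request as an added example (not code from the write-up or the sample). It separates the robust, structural indicators (the WinINet User-Agent duplication and the UA-CPU header) from the fragile one (the hard-coded beacon URL). The sample requests are constructed for the demonstration; apart from the two structural quirks, their header values are not taken from the sample.

```python
# Added example: score an HTTP request against the Lab14-03 beacon indicators.

from typing import Dict, Tuple

def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def lab14_03_indicators(raw: bytes) -> Dict[str, bool]:
    """Return which indicators fire. The first two are robust, the third is fragile."""
    req_line, headers = parse_request(raw)
    parts = req_line.split(" ")
    path = parts[1] if len(parts) > 1 else ""
    ua = headers.get("user-agent", "")
    return {
        # Robust: InternetOpenA was handed "User-Agent: ..." as the agent string,
        # so the header value itself begins with "User-Agent:".
        "dup_user_agent": ua.lower().startswith("user-agent:"),
        # Robust: UA-CPU is rarely sent by clients other than the malware's target browser.
        "ua_cpu_header": "ua-cpu" in headers,
        # Fragile: the attacker can repoint the beacon through c:\autobat.exe.
        "known_beacon_url": (
            headers.get("host", "").lower() == "www.practicalmalwareanalsysis.com"
            and path == "/start.htm"
        ),
    }

# Constructed sample traffic (not captured from the sample).
SAMPLE_BEACON = (
    b"GET /start.htm HTTP/1.1\r\n"
    b"User-Agent: User-Agent: Mozilla/4.0 (constructed)\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"UA-CPU: x86\r\n"
    b"Host: www.practicalmalwareanalsysis.com\r\n"
    b"\r\n"
)
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\n"
    b"Accept: */*\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(lab14_03_indicators(SAMPLE_BEACON))
    print(lab14_03_indicators(SAMPLE_BENIGN))
```

The two robust checks map directly onto content matches in an IDS rule; the URL check should stay a separate, lower-confidence rule so that a change of beacon destination does not silence the whole detection.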

2. What elements of the initial beacon may not be conducive to a longlasting
signature?

In the subroutine at 0x401457, we can see that the URL "http://www.practicalmalwareanalsysis.com/start.htm" is set as the beacon destination, but only if "c:\\autobat.exe" does not exist; if it does, its contents are read and parsed as the beacon destination instead. Using that URL as a signature is therefore not a good idea, since the attacker can change the beacon destination at will.

autobat
Figure 2. autobat.exe

3. How does the malware obtain commands? What example from the
chapter used a similar methodology? What are the advantages of this
technique?

The malware scans the response for a <noscript> tag; the text after the tag is the command to execute. The advantage of this technique is that the commands hide in plain sight, blending into an otherwise normal-looking HTML page, which makes detection harder for defenders.

tag
Figure 3. <noscript>

4. When the malware receives input, what checks are performed on the
input to determine whether it is a valid command? How does the
attacker hide the list of commands the malware is searching for?

Analyzing the subroutines at 0x00401000 and 0x00401684, the checks are as follows:

  1. the response contains <noscript>
  2. a URL follows <noscript>
  3. the URL ends with "69'"
  4. the command must be in the form /command/parameter

The attacker hides the command list by switching only on the first character of the command word, so no full command strings appear in the binary, and different words can map to the same command as long as the first character matches.

5. What type of encoding is used for command arguments? How is it different
from Base64, and what advantages or disadvantages does it offer?

The malware splits the parameter into two-character groups. Each group is passed to atoi to convert it to an integer, which is then used as an index into the following string to obtain the character it represents.

key
Figure 4. Decode string

Pro

It is a custom encoding, so existing tools will not decode it automatically.

Con

It is simple to reverse.
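The checks from question 4 and the argument decoding from question 5, combined into one added example (not the malware's code). Two things are assumptions here: the index alphabet (the real one is in Figure 4 and is not reproduced on this page, so a placeholder is used) and the exact layout of URL, terminator and /command/parameter after the tag, which is taken to be the URL's path carrying the command and the whole string ending in "69'". The sample page is constructed.

```python
# Added example: parse a Lab14-03 beacon response and decode its argument.

import re
from typing import Optional, Tuple

# ASSUMPTION: placeholder alphabet; substitute the string shown in Figure 4.
ASSUMED_ALPHABET = "/abcdefghijklmnopqrstuvwxyz0123456789:."

# Dispatch on the first character only, as the malware does (question 4 / 6).
COMMANDS = {
    "d": "download and execute",
    "n": "exit",
    "s": "sleep",
    "r": "write autobat.exe",
}

TAG = "<noscript>"
TERMINATOR = "69'"

def extract_command(page: str) -> Optional[Tuple[str, str]]:
    """Apply the four checks; return (command_word, encoded_parameter) or None."""
    idx = page.find(TAG)
    if idx < 0:
        return None                                   # check 1: tag present
    payload = page[idx + len(TAG):].split("</noscript>", 1)[0].strip()
    if not payload.startswith("http://"):
        return None                                   # check 2: a URL follows the tag
    if not payload.endswith(TERMINATOR):
        return None                                   # check 3: terminator
    body = payload[: -len(TERMINATOR)]
    m = re.search(r"/([A-Za-z]+)/([0-9]+)$", body)    # check 4: /command/parameter
    if not m:
        return None
    return m.group(1), m.group(2)

def decode_argument(encoded: str, alphabet: str = ASSUMED_ALPHABET) -> str:
    """Two decimal digits per character, each an index into the alphabet."""
    if len(encoded) % 2:
        raise ValueError("parameter must have an even number of digits")
    return "".join(alphabet[int(encoded[i:i + 2])] for i in range(0, len(encoded), 2))

def handle(page: str, alphabet: str = ASSUMED_ALPHABET) -> Optional[Tuple[str, str]]:
    """Return (action, decoded_argument), or None if the page is not a valid command."""
    found = extract_command(page)
    if found is None:
        return None
    word, param = found
    action = COMMANDS.get(word[0].lower())
    if action is None:
        return None
    return action, decode_argument(param, alphabet)

# Constructed response: 'dl' selects 'd' by its first character; "01020304"
# decodes to the first four letters of the placeholder alphabet.
SAMPLE_PAGE = (
    "<html><body>nothing to see"
    "<noscript>http://www.practicalmalwareanalsysis.com/dl/0102030469'</noscript>"
    "</body></html>"
)

if __name__ == "__main__":
    print(handle(SAMPLE_PAGE))
```

Because the dispatch keys on one character, "dl", "download" and "dx" all reach the same handler; a signature on the response should therefore anchor on the tag and terminator, not on a particular command word.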

6. What commands are available to this malware?

Command  Description
d        Download & execute
n        Exit
s        Sleep
r        Write autobat.exe

7. What is the purpose of this malware?

The malware is a backdoor: it downloads and executes new code on the victim's machine over HTTP. It can also rewrite the configuration file "autobat.exe" to point itself at a different C2 server.

8. This chapter introduced the idea of targeting different areas of code
with independent signatures (where possible) in order to add resiliency
to network indicators. What are some distinct areas of code or configuration
data that can be targeted by network signatures?

  1. "http://www.practicalmalwareanalsysis.com/start.htm"
  2. Any new URL found in "c:\\autobat.exe"
  3. Headers such as UA-CPU and the (duplicated) User-Agent
  4. HTTP responses containing <noscript>[url][69']

9. What set of signatures should be used for this malware?

Refer to question 8.
