- IDA Pro
- Cerbero Profiler 2.5
- Lab10-02.exe SHA256: 20bf5d516f3f3ef4c9453437211486b73d519ff97d8659851012adff8e84e0a9
- Lab10-02.sys SHA256: 42b66f4dcb1380ab6330cfb638ce97c7bea6d772eddd1d34c1031b0d16dea19c
- Detection Rate: 28/55 (1), 0/55 (2)
- Analyzed on 2016-03-08
- Compilation Date: 2010-12-31 15:33:33 (1), 2010-12-31 15:22:59 (2)
- View report here(1) & here(2)
The file for this lab is Lab10-02.exe.
1. Does this program create any files? If so, what are they?
Cerbero Profiler shows that the executable carries a PE resource. That usually points to a dropper: the program writes the embedded resource out to disk on the target machine.
The string “C:\Windows\System32\Mlwx486.sys” stands out as suspicious. Cross-referencing it leads straight to the code that uses it.
In main, the code extracts the FILE resource and writes it to “C:\Windows\System32\Mlwx486.sys”.
After writing the driver, the malware creates a service for it (486 WS Driver) and starts it with StartServiceA, which is what loads the driver into the kernel.
Procmon confirms this: the WriteFile to “C:\Windows\System32\Mlwx486.sys” is captured by the tool.
2. Does this program have a kernel component?
Looking for the dropped driver in the System32 folder came up empty: the file is not visible there, even though Procmon saw it being written (as it turns out, hiding that file is exactly what the driver is for). So instead I extracted the driver from the resource directly. Opening it in IDA Pro shows a DriverEntry function, which confirms that this executable is a kernel driver.
3. What does this program do?
DriverEntry leads to the subroutine at 0x10706 in IDA Pro. The driver hooks the System Service Descriptor Table (SSDT), and the service it targets is NtQueryDirectoryFile. It calls MmGetSystemRoutineAddress to resolve the addresses of NtQueryDirectoryFile and of KeServiceDescriptorTable, then loops through the service table looking for the entry that holds the address of NtQueryDirectoryFile. Once found, it overwrites that entry with the address of its own hook routine.
The hook targets NtQueryDirectoryFile because, according to MSDN, that function returns information about the files in the directory identified by a given file handle, which is what every directory listing is built from. Further down in the hook, RtlCompareMemory is called to compare each returned filename against the string “Mlwx”. If the leading characters match, the entry is removed from the results and the file is hidden.
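The install loop described above, as an added example that is not code from the driver or from the book: a user-mode C model in which a small array of function pointers stands in for KiServiceTable. It shows the scan-and-overwrite step, a hook that calls through to the saved original (a real hook must, or directory listings would break), and the before/after comparison that the two dps dumps later in this post make by eye. The SERVICE_FN type, the fake services and the three-slot table are constructed for the example.

```c
/*
 * Added example, not code from Mlwx486.sys or the book: a user-mode C model of the
 * hook-install loop at 0x10706 and of the check the two `dps nt!KiServiceTable`
 * dumps make by eye. SERVICE_FN and the three-slot table stand in for the real
 * service table; nothing here touches a kernel.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef long (*SERVICE_FN)(void);    /* stand-in for a system service routine */

/* The driver's loop: walk the table for the slot holding `target`, keep the
 * original pointer (the hook still has to call it), overwrite the slot.
 * Returns the slot index, or -1 if the target is not in the table. */
int ssdt_hook(SERVICE_FN *table, size_t n, SERVICE_FN target, SERVICE_FN hook, SERVICE_FN *saved)
{
    for (size_t i = 0; i < n; i++) {
        if (table[i] == target) {
            *saved = table[i];
            table[i] = hook;
            return (int)i;
        }
    }
    return -1;
}

/* Detection side: compare a snapshot taken before the driver loaded with the
 * live table and count slots whose pointer changed. */
size_t ssdt_count_modified(const SERVICE_FN *clean, const SERVICE_FN *live, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++) changed += (clean[i] != live[i]);
    return changed;
}

/* Constructed scenario: three fake services, one hook. */
static long svc_create(void)   { return 1; }
static long svc_querydir(void) { return 2; }
static long svc_close(void)    { return 3; }
static SERVICE_FN g_orig_querydir;
/* A real hook calls the saved original and then edits its results; +100 marks that it ran. */
static long hook_querydir(void) { return g_orig_querydir() + 100; }

int demo_hook_slot(void)                /* index the hook landed in: 1 */
{
    SERVICE_FN table[] = { svc_create, svc_querydir, svc_close };
    return ssdt_hook(table, 3, svc_querydir, hook_querydir, &g_orig_querydir);
}
long demo_call_through_hook(void)       /* 102: the original's 2, seen through the hook */
{
    SERVICE_FN table[] = { svc_create, svc_querydir, svc_close };
    ssdt_hook(table, 3, svc_querydir, hook_querydir, &g_orig_querydir);
    return table[1]();
}
size_t demo_modified_slots(void)        /* 1: only NtQueryDirectoryFile's slot differs */
{
    SERVICE_FN table[] = { svc_create, svc_querydir, svc_close }, clean[3];
    memcpy(clean, table, sizeof table);
    ssdt_hook(table, 3, svc_querydir, hook_querydir, &g_orig_querydir);
    return ssdt_count_modified(clean, table, 3);
}

int main(void)
{
    printf("hook in slot %d, call returns %ld, %zu slot(s) modified\n",
           demo_hook_slot(), demo_call_through_hook(), demo_modified_slots());
    return 0;
}
```

The snapshot-and-diff in ssdt_count_modified is the same idea as dumping KiServiceTable before and after loading the driver: a clean table has every slot pointing into ntoskrnl, and a hooked slot is the one that no longer matches.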
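The filtering step, as an added example that is not code from the driver or from the book: a user-mode C model of what the hook does to the caller's buffer after the real NtQueryDirectoryFile has filled it. DIR_ENTRY is a stand-in with only the three fields the filter needs (the real FILE_*_INFORMATION structures carry more), the 8-byte prefix compare stands in for the RtlCompareMemory call, and the five file names are constructed input chosen so that a hidden entry appears first, in the middle and last, because the first-entry case needs different handling.

```c
/*
 * Added example, not code from Mlwx486.sys or the book: a user-mode C model of the
 * hook's post-processing. After calling the original NtQueryDirectoryFile it walks the
 * FILE_*_INFORMATION chain in the caller's buffer and unlinks entries whose name starts
 * with "Mlwx" (the RtlCompareMemory check). DIR_ENTRY is a stand-in carrying only the
 * fields the filter needs, not the Windows definition; the file names are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;                 /* UTF-16 code unit */
typedef struct {
    uint32_t NextEntryOffset;             /* bytes to the next entry, 0 = last */
    uint32_t FileNameLength;              /* length of FileName in BYTES */
    WCHAR16  FileName[];                  /* not NUL-terminated */
} DIR_ENTRY;
static const WCHAR16 HIDDEN_PREFIX[] = { 'M', 'l', 'w', 'x' };   /* 8 bytes, what the driver compares */
#define ALIGN8(x) (((x) + 7u) & ~(size_t)7u)

static int has_hidden_prefix(const DIR_ENTRY *e)
{
    return e->FileNameLength >= sizeof HIDDEN_PREFIX &&
           memcmp(e->FileName, HIDDEN_PREFIX, sizeof HIDDEN_PREFIX) == 0;
}
/* Build an entry chain from ASCII names, as the real call would fill the caller's
 * buffer. Returns bytes used, or 0 if `cap` is too small. */
size_t build_listing(uint8_t *buf, size_t cap, const char *const *names, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t namelen = strlen(names[i]);
        size_t size = ALIGN8(offsetof(DIR_ENTRY, FileName) + namelen * sizeof(WCHAR16));
        if (off + size > cap) return 0;
        DIR_ENTRY *e = (DIR_ENTRY *)(buf + off);
        e->NextEntryOffset = (i + 1 < n) ? (uint32_t)size : 0;
        e->FileNameLength  = (uint32_t)(namelen * sizeof(WCHAR16));
        for (size_t j = 0; j < namelen; j++) e->FileName[j] = (WCHAR16)(unsigned char)names[i][j];
        off += size;
    }
    return off;
}
/* The filter itself. A hidden FIRST entry is removed by sliding the rest of the
 * buffer down over it (*len shrinks); a later one is spliced out by extending the
 * previous NextEntryOffset over it. Returns the number of entries hidden. */
size_t hide_entries(uint8_t *buf, size_t *len)
{
    size_t hidden = 0;
    DIR_ENTRY *prev = NULL, *cur = (DIR_ENTRY *)buf;
    while (*len > 0) {
        uint32_t next = cur->NextEntryOffset;
        if (!has_hidden_prefix(cur)) prev = cur;
        else {
            hidden++;
            if (prev == NULL) {                          /* cur == buf here */
                if (next == 0) { *len = 0; break; }      /* it was the only entry */
                memmove(buf, buf + next, *len - next);
                *len -= next;
                continue;                                /* re-examine the new first entry */
            }
            prev->NextEntryOffset = next ? prev->NextEntryOffset + next : 0;
        }
        if (next == 0) break;
        cur = (DIR_ENTRY *)((uint8_t *)cur + next);
    }
    return hidden;
}
/* Entries a caller following NextEntryOffset still sees. */
size_t count_visible(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    const DIR_ENTRY *e = (const DIR_ENTRY *)buf;
    while (len > 0) { n++; if (e->NextEntryOffset == 0) break; e = (const DIR_ENTRY *)((const uint8_t *)e + e->NextEntryOffset); }
    return n;
}

/* Constructed listing: "Mlwx*" names in first, middle and last position. */
static const char *const NAMES[] = { "Mlwx486.sys", "notepad.exe", "MlwxConfig.dat", "kernel32.dll", "Mlwx.log" };
static size_t run_filter(size_t *visible)
{
    uint64_t store[32];                   /* 8-byte aligned backing for the entries */
    uint8_t *buf = (uint8_t *)store;
    size_t len = build_listing(buf, sizeof store, NAMES, 5);
    size_t hidden = hide_entries(buf, &len);
    *visible = count_visible(buf, len);
    return hidden;
}
size_t demo_hidden(void)  { size_t v; return run_filter(&v); }    /* 3 */
size_t demo_visible(void) { size_t v; run_filter(&v); return v; } /* 2 */

int main(void)
{
    printf("%zu entries hidden, %zu still visible\n", demo_hidden(), demo_visible());
    return 0;
}
```

The spliced-out entries are still physically present in the buffer, only unreachable through the NextEntryOffset chain; that is also why a forensic memory dump of the caller's buffer can still show the hidden names even though the directory listing does not.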
To see all this in action, fire up WinDbg and attach it to the kernel.
Use the following command to dump the service table. At this point it has not yet been tampered with:
kd> dps nt!KiServiceTable l 100
Set a deferred breakpoint with bu Mlwx486!DriverEntry, run Lab10-02.exe, and WinDbg should break. Then set a breakpoint at nt!IopLoadDriver+0x66a and let the program run again. Once the kernel breaks there, !object \Driver lists the loaded driver objects. The malware's DriverInit has not been executed at this stage, so you can set your breakpoints on it from this point on.
Figures 10 and 11 show that the DriverInit routine of the driver object is the function IDA Pro labels DriverEntry.
Running kd> dps nt!KiServiceTable l 100 again now shows that the service table has been modified.
To conclude: the malware installs a ring 0 rootkit that hides files whose names start with “Mlwx” by hooking the service descriptor table entry for NtQueryDirectoryFile.