PRACTICAL MALWARE ANALYSIS: DATA ENCODING(LAB 13-02)

Tools Used

  1. IDA Pro
  2. Ollydbg
  3. Remote DLL Injector

Sample:

  1. Lab13-02.exe SHA256: 598f21f1e6f4d5829ba8cfba19d361e09de510493df8472a605f46dbf7927030

VirusTotal:

  • Detection Rate: 4/55
  • Analyzed on 2016-03-13
  • Compilation Date: 2011-11-08 22:44:00
  • View report here

Lab 13-2
Analyze the malware found in the file Lab13-02.exe.
Questions
1. Using dynamic analysis, determine what this malware creates.

A file with size 6,214 KB is written on the same folder as the executable every few seconds. The naming convention of the file is temp[8xhexadecimal]. The file created seems random.

temp
Figure 1. Proc Mon

2. Use static techniques such as an xor search, FindCrypt2, KANAL, and the
IDA Entropy Plugin to look for potential encoding. What do you find?

Only managed to find XOR instructions. Based on the search result, we would need to look at the following subroutine

  1. 0x0040128D
  2. 0x00401570
  3. 0x00401739
xor
Figure 2. XOR

 

3. Based on your answer to question 1, which imported function would be a
good prospect for finding the encoding functions?

WriteFile. Trace up from WriteFile and we might locate the function responsible for encoding the contents.

4. Where is the encoding function in the disassembly?

The encoding function is @0x0040181F.  Tracing up from WriteFile, you will come across a function @0x0040181F. The function calls another subroutine(0x00401739) that performs the XOR operations and some shifting operations.

encode
Figure 3. encode

5. Trace from the encoding function to the source of the encoded content.
What is the content?

Based on the subroutine @0x00401070. The malware is taking a screenshot of the desktop.

GetDesktopWindow: Retrieves a handle to the desktop window. The desktop window covers the entire screen. The desktop window is the area on top of which other windows are painted.

GetDC: The GetDC function retrieves a handle to a device context (DC) for the client area of a specified window or for the entire screen. You can use the returned handle in subsequent GDI functions to draw in the DC. The device context is an opaque data structure, whose values are used internally by GDI.

CreateCompatibleDC: The CreateCompatibleDC function creates a memory device context (DC) compatible with the specified device.

CreateCompatibleBitmap: The CreateCompatibleBitmap function creates a bitmap compatible with the device that is associated with the specified device context.

BitBlt: The BitBlt function performs a bit-block transfer of the color data corresponding to a rectangle of pixels from the specified source device context into a destination device context.

screenshot
Figure 4. Screenshot

6. Can you find the algorithm used for encoding? If not, how can you
decode the content?

The encoder used is pretty lengthy to go through, However if we look at the codes in 0x401739, we can see lots of xor operations. If it is xor encoding we might be able to get back the original data if we call this subroutine again with the encrypted data.

401739
Figure 5. xor operations

7. Using instrumentation, can you recover the original source of one of the
encoded files?

My way of decoding the encoded files is to use DLL injection. To do that, i write my own DLL and create a thread to run the following function on DLL_PROCESS_ATTACHED. To attach the DLL to the malware process, we first run the malware and use a tool called Remote DLL injector by securityxploded to inject the DLL into the malicious process.

decode
Figure 6. Decode Function

The above codes simply scan the path in which the executable resides in for encoded files that start with “temp“. It then reads the file and pass the data to the encoding function @0x40181F. Once the data is decoded, we make use of the function @0x401000 to write out the file to “DECODED_[encoded file name].bmp“. Last but not least i shall delete the encoded file so as not to clutter the folder.

decoded

 

Advertisements
PRACTICAL MALWARE ANALYSIS: DATA ENCODING(LAB 13-02)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s