PRACTICAL MALWARE ANALYSIS: DATA ENCODING(LAB 13-03)

Tools Used

  1. IDA Pro
  2. Ollydbg
  3. Proc Mon
  4. Process Monitor
  5. Wireshark
  6. inetsim
  7. PEID

Sample:

  1. Lab13-03.exe SHA256: e2aed4398e0178670d9678961ca89a0f15a3eac20f396bdf29de8ac66cb853fa

VirusTotal:

  • Detection Rate: 6/53
  • Analyzed on 2016-03-14
  • Compilation Date: 2011-11-17 23:04:54
  • View report here

Lab 13-3
Analyze the malware found in the file Lab13-03.exe.
Questions
1. Compare the output of strings with the information available via
dynamic analysis. Based on this comparison, which elements might
be encoded?

Based on the Wireshark capture and the program's own output we can see the following strings.

Figure 1. Wireshark capture showing http://www.practicalmalwareanalysis.com
Figure 2. Error message printed by the program

In IDA Pro we can see the domain host name and some possible debug messages.

Figure 3. IDA Pro strings window


2. Use static analysis to look for potential encoding by searching for the
string xor. What type of encoding do you find?

There are quite a lot of xor operations to go through, but based on the figure below it is highly likely that AES is being used. The Advanced Encryption Standard (AES) is also known as Rijndael.

Figure 4. XOR operations found in IDA Pro

3. Use static tools like FindCrypt2, KANAL, and the IDA Entropy Plugin to
identify any other encoding mechanisms. How do these findings compare
with the XOR findings?

Most likely AES is being used in the malware.

Figure 5. PEiD (KANAL) found AES
Figure 6. FindCrypt2 plugin found AES

4. Which two encoding techniques are used in this malware?

At 0x4120A4 we can see a 65-character string, which looks like a custom base64 alphabet. The standard base64 alphabet is "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", i.e. A-Z, a-z, 0-9, + and /, with = used as the padding character.

Figure 7. Custom base64 alphabet at 0x4120A4

A custom Base64 and AES are used in this malware.

5. For each encoding technique, what is the key?

The custom base64 alphabet is "CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/": the standard alphabet with the upper-case and lower-case groups each rotated by two positions, and the digits, + and / unchanged. To test whether this key is valid I used an online custom base64 tool.

Online Tool: https://www.malwaretracker.com/decoder_base64.php

Using the above tool with the custom alphabet, I encoded HELLOWORLD and passed it to the program via netcat to decode. True enough, the encoded text was decoded back to the original text.

Figure 8. Testing the custom base64 decode
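The same check can be done offline instead of with the online tool. The following is an added example, not code from the write-up or from the malware: it re-implements the custom base64 by remapping the alphabet recovered at 0x4120A4 onto the standard one and letting the standard library do the decoding. It assumes the malware uses "=" for padding (the page only shows the 64-symbol alphabet), and the attacker command used as input is constructed here.

```python
import base64
import string

# Standard base64 alphabet: A-Z, a-z, 0-9, +, / (64 symbols; "=" is padding only).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Alphabet recovered from Lab13-03.exe at 0x4120A4 (Q5): both letter groups are
# rotated by two positions, the digits and "+/" are unchanged.
CUSTOM_ALPHABET = "CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/"


def check_alphabet(alphabet):
    """Sanity-check a string pulled out of a binary before using it as an alphabet:
    it must hold 64 distinct symbols. Returns how many positions differ from the
    standard alphabet (52 for this sample: every letter moved, nothing else did)."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain exactly 64 distinct symbols")
    return sum(1 for s, c in zip(STD_ALPHABET, alphabet) if s != c)


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET):
    """Decode text encoded with a 64-symbol custom alphabet.

    Each symbol is translated to the standard symbol at the same index, after
    which base64.b64decode does the bit packing. "=" padding is assumed
    (not established by the write-up); unpadded input is re-padded so the
    standard decoder accepts it. Non-alphabet characters raise binascii.Error.
    """
    check_alphabet(alphabet)
    std = text.strip().translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def custom_b64encode(data, alphabet=CUSTOM_ALPHABET):
    """Encode bytes with the custom alphabet (what the attacker side must do)."""
    check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


if __name__ == "__main__":
    # Constructed example of a command the attacker would send to the shell.
    wire = custom_b64encode(b"HELLOWORLD")
    print("on the wire:", wire)                  # UGXOVG9ZV1LOTC==
    print("decoded:    ", custom_b64decode(wire))  # b'HELLOWORLD'
    print("standard decoder would give:", base64.b64decode(wire))
```

The last line of the demo shows why the standard decoder is not enough: the same text decodes to garbage under the standard alphabet, which is exactly the difference the strings comparison in question 1 hints at.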

Based on the debug messages, this function (0x00401AC2) seems to be initializing the AES key.

Figure 9. AES key initialization routine

Cross-referencing the function and locating its 2nd argument, the key is most likely "ijklmnopqrstuvwx".

Figure 10. Key passed in as the 2nd argument

6. For the cryptographic encryption algorithm, is the key sufficient? What
else must be known?

For custom base64, we would just need the custom base64 string.

For AES, we would also need the cipher's mode of operation and the IV, not just the key.

7. What does this malware do?

The malware connects to www.practicalmalwareanalysis.com on port 8190 and establishes a remote shell. It then reads input from the attacker. The inputs are custom base64 encoded; once decoded, the command is passed to cmd.exe for execution. The returned output is encrypted using AES and sent back to the attacker's server.

8. Create code to decrypt some of the content produced during dynamic
analysis. What is this content?

Using the key, we decrypt the AES-encrypted packet in CBC mode with no IV. The content is the response to the command sent earlier by the attacker through the remote shell.

Figure 11. Decrypted data
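The decryption script itself is not shown in the write-up, so here is an added one (not the author's code) that needs nothing beyond the Python standard library: a from-scratch AES-128 with CBC chaining, using the key "ijklmnopqrstuvwx", CBC mode and an all-zero IV as the reading of "no IV". The packet it decrypts is constructed in the block (encrypted with the same routine), not taken from the lab's pcap, and PKCS#7 padding is an assumption, since the page does not say how the malware pads the command output.

```python
def _xtime(a):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the AES polynomial."""
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF

def _gmul(a, b):
    """General GF(2^8) multiplication (used by MixColumns)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """Rijndael S-box: GF(2^8) inverse followed by the affine map (no table typed in)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = _xtime(p) ^ p                       # p *= 3 (3 generates every non-zero element)
        q ^= (q << 1) & 0xFF                    # q /= 3, so q is always the inverse of p
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, inverse=False):
    # State is column-major: the byte at (row r, column c) sits at index r + 4*c.
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[r + 4 * c] = s[r + 4 * src]
    return out

def _mix_columns(s, coef):
    """coef = (2, 3, 1, 1) for MixColumns, (14, 11, 13, 9) for its inverse."""
    out = [0] * 16
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for i in range(4):
            v = 0
            for j in range(4):
                v ^= _gmul(col[j], coef[(j - i) % 4])
            out[4 * c + i] = v
    return out

def encrypt_block(key, block):
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:
            s = _mix_columns(s, (2, 3, 1, 1))
        s = [b ^ k for b, k in zip(s, rks[rnd])]
    return bytes(s)

def decrypt_block(key, block):
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, inverse=True)]
        s = [b ^ k for b, k in zip(s, rks[rnd])]
        if rnd != 0:
            s = _mix_columns(s, (14, 11, 13, 9))
    return bytes(s)

def cbc_decrypt(key, data, iv=bytes(16)):
    """CBC decryption; the default IV is 16 zero bytes ("no IV" in the write-up)."""
    if len(data) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    out, prev = [], iv
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        out.append(bytes(p ^ c for p, c in zip(decrypt_block(key, blk), prev)))
        prev = blk
    return b"".join(out)

def cbc_encrypt(key, data, iv=bytes(16)):
    """Used only to build the constructed sample packet; PKCS#7 padding assumed."""
    pad = 16 - len(data) % 16
    data += bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), 16):
        prev = encrypt_block(key, bytes(p ^ c for p, c in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

KEY = b"ijklmnopqrstuvwx"   # Q5: the 2nd argument of the key-initialization routine

def decrypt_packet(packet, key=KEY):
    """Decrypt one response packet and strip PKCS#7 padding (an assumption here)."""
    plain = cbc_decrypt(key, packet)
    pad = plain[-1]
    if 1 <= pad <= 16 and plain.endswith(bytes([pad]) * pad):
        plain = plain[:-pad]
    return plain

if __name__ == "__main__":
    # Constructed stand-in for a sniffed response; real input would come from the pcap.
    sample = cbc_encrypt(KEY, b" Volume in drive C has no label.\r\n")
    print(sample.hex())
    print(decrypt_packet(sample))
```

To use it on real traffic, carve the TCP payload of a server-to-attacker packet out of the Wireshark capture and pass the raw bytes to decrypt_packet; if the output is garbage in the first block only, the IV guess is wrong, and if every block is garbage, the key or mode is.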