PRACTICAL MALWARE ANALYSIS: ANTI VM (LAB 17-03)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab17-03.exe SHA256: b3b4c065849c81d856558e9cf91e8cef5d481648fd8aa88cdda534ab6b75e988

VirusTotal:

  • Detection Rate: 44/56
  • Analyzed on 2016-03-20
  • Compilation Date: 2011-10-14 19:35:33

Lab 17-3
Analyze the malware Lab17-03.exe inside VMware. This lab is similar to
Lab12-02.exe, with added anti-VMware techniques.
Questions
1. What happens when you run this malware in a virtual machine?

The malware detects that it is running under VMware and terminates immediately; the keylogger is never dropped.

2. How could you get this malware to run and drop its keylogger?

We can patch the conditional jump at each of the four anti-VM checks so that execution continues down the "not a VM" path. The jumps are at the following addresses:

  1. 0x004019A1
  2. 0x004019C0
  3. 0x00401A2F
  4. 0x00401467

3. Which anti-VM techniques does this malware use?

@00401A80: VMware backdoor I/O communication port. The code loads the magic value 'VMXh' (0x564D5868) into EAX and the port number 'VX' (0x5658) into DX and executes an in instruction. Under VMware the hypervisor answers and EBX comes back holding 'VMXh'; on real hardware the privileged in instruction faults instead.

Figure 1. Backdoor I/O Comm Port

@004011C0: checking the registry key SYSTEM\CurrentControlSet\Control\DeviceClasses for an entry containing "vmware"

Figure 2. Checking vmware registry

@00401670: checking the MAC address for the VMware OUI 00:0C:29 (only that prefix is tested; an adapter using another VMware OUI, such as 00:50:56, would pass the check)

Figure 3. Checking MAC address

@00401130: checking running process names by hashing the first six characters of each name and comparing the result against the hash of "vmware"

Figure 4. Checking vmware process name hash

4. What system changes could you make to permanently avoid the anti-VM
techniques used by this malware?

  1. Change the virtual machine's MAC address so that it does not begin with 00:0C:29.
  2. Uninstall VMware Tools, which removes the vmware-named processes and the DeviceClasses entries its drivers create, defeating the process-name and registry checks.
  3. Disable the backdoor channel in the VM's .vmx configuration (monitor_control.restrict_backdoor = "TRUE") so that the user-mode in instruction faults as it would on real hardware. Patching the binary (question 5) also works, but it is a per-sample change rather than a system change.

5. How could you patch the binary in OllyDbg to force the anti-VM techniques
to permanently fail?

Replace the in eax, dx instruction with an xor (Figure 5). The backdoor query is never issued, so EBX never holds 'VMXh' and the comparison fails even inside VMware.

Figure 5. in instruction patch

Change the instruction shown in Figure 6 to an xor so that the registry check always concludes that no vmware entry exists.

Figure 6. Registry checking patch

NOP out the call to the MAC address checking subroutine (Figure 7); with the call removed the 00:0C:29 comparison never runs.

Figure 7. MAC address patching

Change the hash constant that the process-name loop compares against to AAAAAAAAh (Figure 8) so that no process name can ever match.

Figure 8. Process name hash patching

After making the edits, use Copy to executable and then Save file in OllyDbg so the patches are written to disk rather than living only in the current debugging session.
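As an added example (not code from the book or from the original post), the following Python script does two things the write-up describes by hand: it statically flags the VMware tells in a code buffer (the 'VMXh'/'VX' backdoor sequence and "vmware" strings, from question 3) and applies the question-5 patches at the byte level, refusing to write unless the expected opcode is present. The byte buffer, its offsets and the hash constant 0x12345678 are constructed for the demo and are not taken from Lab17-03.exe; the function names are mine. One deliberate difference from the OllyDbg edit: the one-byte in instruction is replaced by a one-byte nop rather than a two-byte xor, which has the same effect (EBX never receives 'VMXh') without clobbering the following instruction.

```python
"""Static triage of the VMware artifacts used by Lab17-03.exe, plus byte-level
patches equivalent to the OllyDbg edits. Added example for this write-up, not
code from the book or the original post. CONSTRUCTED_CODE is a hand-built
stand-in for the relevant instructions; its offsets and HASH_CONST are
illustrative and are NOT taken from the real sample."""
import re
import struct

VMX_MAGIC = 0x564D5868  # 'VMXh': placed in EAX; VMware echoes it back in EBX
VMX_PORT = 0x5658       # 'VX': the backdoor I/O port placed in DX
MAGIC_IMM = struct.pack("<I", VMX_MAGIC)  # little-endian immediate as it appears in code
PORT_IMM = struct.pack("<H", VMX_PORT)
HASH_CONST = 0x12345678     # hypothetical process-name hash (the real constant is not reproduced)
INVALID_HASH = 0xAAAAAAAA   # value substituted so that no process name can match

# Constructed stand-in for the checks (offsets in the comments are into this buffer).
CONSTRUCTED_CODE = (
    b"\xB8" + MAGIC_IMM                          # 0:  mov  eax, 'VMXh'
    + b"\xBB\x00\x00\x00\x00"                    # 5:  mov  ebx, 0
    + b"\xB9\x0A\x00\x00\x00"                    # 10: mov  ecx, 0Ah   (get-version command)
    + b"\x66\xBA" + PORT_IMM                     # 15: mov  dx, 'VX'
    + b"\xED"                                    # 19: in   eax, dx    (faults outside VMware)
    + b"\x81\xFB" + MAGIC_IMM                    # 20: cmp  ebx, 'VMXh'
    + b"\x75\x02"                                # 26: jnz  short +2   (not VMware: skip exit)
    + b"\xE8\x00\x00\x00\x00"                    # 28: call <mac_check>  (rel32 placeholder)
    + b"vmware\x00"                              # 33: string used by the registry check
    + b"\x3D" + struct.pack("<I", HASH_CONST)    # 40: cmp  eax, HASH_CONST
    + b"\x74\x02"                                # 45: jz   short +2   (process name matched)
)


def find_backdoor_queries(code: bytes) -> list:
    """Offsets of an `in eax, dx` (ED) within 32 bytes after `mov eax, 'VMXh'` (B8 imm32)."""
    hits = []
    for m in re.finditer(re.escape(b"\xB8" + MAGIC_IMM), code):
        window = code[m.end():m.end() + 32]
        pos = window.find(b"\xED")
        if pos != -1:
            hits.append(m.end() + pos)
    return hits


def find_vmware_strings(code: bytes) -> list:
    """Offsets of 'vmware' as ASCII or UTF-16LE, case-insensitive (registry / process checks)."""
    pat = re.compile(rb"v\x00?m\x00?w\x00?a\x00?r\x00?e", re.IGNORECASE)
    return [m.start() for m in pat.finditer(code)]


def triage(code: bytes) -> dict:
    return {"backdoor_in": find_backdoor_queries(code),
            "vmware_strings": find_vmware_strings(code)}


def _expect(buf: bytearray, off: int, want: bytes) -> None:
    """Refuse to patch unless the bytes at `off` are the opcode we think they are."""
    got = bytes(buf[off:off + len(want)])
    if got != want:
        raise ValueError(f"offset {off:#x}: expected {want.hex()}, found {got.hex()}")


def patch_in_to_nop(buf: bytearray, off: int) -> None:
    """Kill the backdoor query: the 1-byte `in` becomes a 1-byte `nop`, so the
    following instruction is untouched and EBX never receives 'VMXh'."""
    _expect(buf, off, b"\xED")
    buf[off] = 0x90


def nop_out_call(buf: bytearray, off: int) -> None:
    """Replace a 5-byte `call rel32` with NOPs (the MAC-address check patch)."""
    _expect(buf, off, b"\xE8")
    buf[off:off + 5] = b"\x90" * 5


def invert_short_jcc(buf: bytearray, off: int) -> None:
    """Swap jz/jnz (74/75): the question-2 approach, flipping the branch taken in a VM."""
    if buf[off] == 0x74:
        buf[off] = 0x75
    elif buf[off] == 0x75:
        buf[off] = 0x74
    else:
        raise ValueError(f"offset {off:#x}: not a short jz/jnz ({buf[off]:#04x})")


def replace_imm32(buf: bytearray, off: int, old: int, new: int) -> None:
    """Swap a 32-bit immediate, e.g. the process-name hash, after checking the old value."""
    _expect(buf, off, struct.pack("<I", old))
    buf[off:off + 4] = struct.pack("<I", new)


def patch_constructed_sample(code: bytes = CONSTRUCTED_CODE) -> bytes:
    """Apply the three instruction-level patches from question 5 to the stand-in buffer."""
    buf = bytearray(code)
    patch_in_to_nop(buf, 19)                            # backdoor I/O port
    nop_out_call(buf, 28)                               # MAC address subroutine
    replace_imm32(buf, 41, HASH_CONST, INVALID_HASH)    # process-name hash
    return bytes(buf)


if __name__ == "__main__":
    print(triage(CONSTRUCTED_CODE))
    print(patch_constructed_sample().hex())
```

The `_expect` guard is the part worth keeping when adapting this to a real file: a patch applied at the wrong offset in OllyDbg silently corrupts the next instruction, whereas here the script refuses to write anything unless the opcode it is about to overwrite is the one the analysis predicted.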