PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-02)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab19-02.exe SHA256: 3ba837e827a5a20cf51ec82972b5e5fe028708932bfe1e58fd1224ef2fe5bb75

VirusTotal:

  • Detection Rate: 32/56
  • Analyzed on 2016-06-04
  • Compilation Date: 2011-03-02 04:10:40
  • View report here

Lab 19-2
The file Lab19-02.exe contains a piece of shellcode that will be injected into
another process and run. Analyze this file.
Questions
1. What process is injected with the shellcode?

Firing up IDA Pro, we can immediately see that a function is called to create a new process and then inject shellcode into it.

Figure 1. Launching new process [image: GetProcID]

To see the arguments passed into the GetProcessID function (refer to 0x4013DE), we can set a breakpoint in OllyDbg.

Figure 2. iexplore.exe is the targeted process [image: iexplore]

From Figure 2, we can see that the iexplore.exe path is passed into a function. The function then uses this path to call CreateProcess.

2. Where is the shellcode located?

To find the shellcode, I would first try to find the function call responsible for writing the shellcode into the remote process. WriteProcessMemory is a good place to start.

Figure 3. WriteProcessMemory [image: processinjection]

At address 0x00401230, we can see a function with an lpBuffer argument passed in along with the buffer size and a process ID. It is not hard to guess that this function is responsible for opening a handle to the remote process and eventually writing the payload into it. We just need to trace who called this function to find out where the shellcode is located.

Figure 4. Shellcode located at 0x407030 [image: lpbuffer]

Seems like we have found the shellcode @ 0x407030. Let's take a peek at the shellcode =) as shown below... Press "C" in IDA to convert the bytes to code.

Figure 5. A peek into the shellcode [image: shellcode]

3. How is the shellcode encoded?

Looking at the shellcode in Figure 6, we can see that the author is using the "call" trick (as seen in question 2) to get the address of the shellcode: the call pushes its return address onto the stack, and the following pop retrieves it, giving the shellcode its own location without any hard-coded address. Analyzing the code, we can see that the shellcode from 0x407048 onwards is decoded using XOR with 0xE7.

Figure 6. Shellcode using call instruction and XOR [image: shell]
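Rather than stepping through the decoder loop in the debugger, the decoding described above can be reproduced statically once the shellcode bytes are dumped from the file. The script below is an added example for this write-up, not code from the lab or the book. It models the layout described here (a clear-text stub of 0x18 bytes, i.e. 0x407048 minus 0x407030, followed by a body XORed with the one-byte key 0xE7) and also shows how to recover an unknown single-byte key by brute force when a piece of expected plaintext is known. The sample blob is constructed; the real shellcode bytes are not reproduced.

```python
"""Decode a single-byte-XOR-encoded shellcode body (added example).

Layout assumed, as in the write-up: a clear-text stub holding the
call/pop trick and the decoder loop, then a body XORed with one key.
"""
from typing import Optional

SHELLCODE_START = 0x407030
BODY_START = 0x407048
STUB_LEN = BODY_START - SHELLCODE_START  # 0x18 bytes left untouched by the decoder
KEY = 0xE7                               # key reported in the write-up


def xor_decode(blob: bytes, start: int = STUB_LEN, key: int = KEY) -> bytes:
    """Return blob with every byte from `start` onward XORed with `key`.

    The stub is copied through unchanged, exactly as the in-memory
    decoder leaves it, so offsets in the result still match the dump.
    """
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return blob[:start] + bytes(b ^ key for b in blob[start:])


def find_xor_key(blob: bytes, known: bytes, start: int = STUB_LEN) -> Optional[int]:
    """Brute-force the one-byte key.

    Tries all 256 keys on the body and returns the first one under which
    `known` (for example b"cmd" for a shell-spawning payload) appears in
    the decoded bytes, or None if no key produces it.
    """
    body = blob[start:]
    for key in range(256):
        if known in bytes(b ^ key for b in body):
            return key
    return None


# --- constructed sample, NOT the lab's real bytes -------------------------
# Fake stub: "call $+5; pop esi" padded with NOPs to the 0x18-byte stub size.
STUB = bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x5E]).ljust(STUB_LEN, b"\x90")
# Fake body that contains the string "cmd" once decoded.
PLAIN_BODY = b"\x31\xc0" + b"cmd\x00" + bytes(range(0x10))
SAMPLE_BLOB = STUB + bytes(b ^ KEY for b in PLAIN_BODY)


if __name__ == "__main__":
    key = find_xor_key(SAMPLE_BLOB, b"cmd")
    print(f"recovered key: {key:#04x}")
    print(xor_decode(SAMPLE_BLOB, key=key)[STUB_LEN:])
```

To use this on the real sample, dump the bytes starting at 0x407030 from IDA or OllyDbg into a file, read them as `blob`, and feed the result of `xor_decode` back into the disassembler; if the key ever changes in a variant, `find_xor_key` with a string you expect in the payload (an API name, "cmd", an IP) recovers it without reading the decoder loop.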

4. Which functions does the shellcode manually import?

To analyze the shellcode, we can either extract it and run it with sctest, or use a simple trick that I will be showing to break into the newly created process.

  1. First, break at the WriteProcessMemory call
  2. Before the memory is written into the remote process, change the first byte of the shellcode (0x407030) to 0xCC (INT3 breakpoint)
  3. Attach a debugger to the newly created IEXPLORE.exe
  4. Resume Lab19-02.exe in OllyDbg
  5. IEXPLORE.exe will break on executing the injected shellcode; restore the original first byte before stepping on, otherwise the call/pop stub runs corrupted

On analyzing the shellcode, you will come across a function that is responsible for manually importing the following functions. You may also wish to break at the CALL instructions in the shellcode to trace where in memory the addresses are coming from.

Figure 7. Imports [image: modules]

5. What network hosts does the shellcode communicate with?

We set a breakpoint @ connect and analyze the sockaddr struct passed to it.

Figure 8. sockaddr struct [image: IP]

sin_port = 0x3412 (network byte order) = 13330

sin_addr = 0xC0A8C802 (network byte order) = 192.168.200.2

Figure 9. Convert hex to IP address (online tool) [image: onlineConvert]
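The online converter can be replaced with a few lines of Python that decode the struct exactly as connect() reads it, which also avoids the usual byte-order slip when reading the port from a debugger dump. This is an added example for this write-up, not code from the lab; the 16-byte dump it parses is constructed to match the values above (port bytes 34 12, address bytes C0 A8 C8 02).

```python
"""Decode a raw sockaddr_in as dumped from the debugger (added example).

Layout of sockaddr_in (16 bytes):
  u16 sin_family  host byte order (little-endian on x86)
  u16 sin_port    network byte order
  u32 sin_addr    network byte order
  u8  sin_zero[8] padding
"""
import socket
import struct

AF_INET = 2  # sin_family value for IPv4 on both Windows and POSIX


def parse_sockaddr_in(raw: bytes) -> dict:
    """Parse a 16-byte sockaddr_in and return family, port and dotted address."""
    if len(raw) < 16:
        raise ValueError("sockaddr_in is 16 bytes")
    family = struct.unpack_from("<H", raw, 0)[0]   # host order on x86
    if family != AF_INET:
        raise ValueError(f"not AF_INET (got {family})")
    port = struct.unpack_from("!H", raw, 2)[0]     # '!' = network (big-endian)
    addr = socket.inet_ntoa(raw[4:8])              # bytes already in network order
    return {"family": family, "port": port, "addr": addr}


def from_debugger_dump(hexdump: str) -> dict:
    """Accept a hex line as copied from the OllyDbg dump window
    ("02 00 34 12 C0 A8 C8 02 ...") and parse it."""
    return parse_sockaddr_in(bytes.fromhex(hexdump.replace(" ", "")))


# Constructed sample matching the write-up: AF_INET, port 34 12, addr C0 A8 C8 02.
SAMPLE_DUMP = "02 00 34 12 C0 A8 C8 02 00 00 00 00 00 00 00 00"

if __name__ == "__main__":
    info = from_debugger_dump(SAMPLE_DUMP)
    print(f"{info['addr']}:{info['port']}")  # 192.168.200.2:13330
```

The port field is the one to be careful with: OllyDbg shows a 16-bit value in little-endian, so a dump reading `34 12` must be interpreted as 0x3412 = 13330, not as 0x1234; the `!H` format string does that for you.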

6. What does the shellcode do?

A reverse shell (cmd.exe) to 192.168.200.2:13330. We can see that the shellcode executes CreateProcessA after connecting to the remote IP.

Figure 10. CreateProcessA [image: CreateProcess2]

The following figure shows an internal lab setup used to see how the malware behaves on a successful connection to the IP and port. As expected, a reverse shell connection is established.

Figure 11. Reverse shell connection established [image: remote]