PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-03)

Tools Used

  1. IDA Pro
  2. Ollydbg
  3. remnux

Sample:

  1. Lab19-03.pdf SHA256: 216a1b095dbcf7099f3b91633d5b663554bda1363d8a6a31323a28d4328c380e

VirusTotal:

  • Detection Rate: 37/56
  • Analyzed on 2016-06-15
  • Compilation Date:2010:06:11 15:30:10
  • View report here

Lab 19-3
Analyze the file Lab19-03.pdf. If you get stuck and can’t find the shellcode,
just skip that part of the lab and analyze file Lab19-03_sc.bin using
shellcode_launcher.exe.

Questions
1. What exploit is used in this PDF?

Lets recce the pdf file first to get more insight. We can see that it contains /JS and /JavaScript elements. Which indicates that this pdf might be using javascript to exploit the pdf…

pdfid
Figure 1. pdfid to recce the pdf file

using pdfextract we can easily extract the javascript contents.

pdfextract
Figure 2. Extract javascript via pdfextract tool

The extracted javascript contains the payload and some pdf version check to filter which pdf reader version can be exploited followed by some standard heapspray and finally the trigger “util.printf“. A google search on this printf exploit surfaced the following article from CORE security. CVE-2008-2992 a Printf buffer overflow exploit.

cve
Figure 3. CVE-2008-2992; Printf buffer overlow

2. How is the shellcode encoded?

Referring to Figure 3, we can easily see that the payload is unicode encoded by the %u symbol. We could convert it using a unicode2raw tool provided in remnux… or you can write your own simple tool to do it.

unicode2raw
Figure4. unicode2raw

3. Which functions does the shellcode manually import?

Before jumping straight into analyze the shellcode, we could use sctest to generate a nice little graph of the piece of shellcode we are analyzing.

graph
Figure 5. sctest and dot
diagram
Figure 6. Flow Graph

Notice the GetFileSize at the bottom left, this indicates that the shellcode is attempting to open a file and is using GetFileSize to find the correct file handler. Perhaps more payload is in the file.

using shellcode_launcher.exe provided by the book, we could launch the shellcode in ollydbg with a open file handle to the pdf file.

shellcode_launcher
Figure 7. shellcode_launcher

On running the malware, the program will break automatically. Manually set the new origin to the next instruction to resume program flow as shown below.

set new origin
Figure 8. Set new origin to jmp instruction

If we look at the handles, we would see that the pdf file is in it as well.

fileHandle
Figure 9. File Handle open

Tracing the shellcode we will soon come into the following codes. The code here is trying to find the function address from kernel32.dll by using a computed checksum.

GetProcAddress
Figure 10. imports

The shellcodes then attempts to Load shell32 library followed by a search for ShellExecuteA as shown in Figure 11 to 13.

loadLibrary
Figure 11. LoadLibraryA on shell32
shellA
Figure 12. finding ShellExecuteA address
ShellExeLoaded
Figure 13. ShellExecuteA added to list of imports

The populated functions are:

  1. LoadLibraryA
  2. CreateProcessA
  3. TerminateProcess
  4. GetCurrentProcess
  5. GetTempPathA
  6. SetCurrentDirectryA
  7. CreateFileA
  8. GetFileSize
  9. SetFilePointer
  10. ReadFile
  11. WriteFile
  12. CloseHandle
  13. GlobalAlloc
  14. GlobalFree
  15. ShellExecuteA

4. What filesystem residue does the shellcode leave?

Set breakpoint @ WriteFile and let the shellcode run. As shown in figure 11 and 12, 2 files are dropped on the victim’s machine. They are foo.exe and bar.pdf. Both are located in the temp folder as defined in the env variables of the victim’s machine.

droppingMZ
Figure 14. MZ dropped in Temp\foo.exe
droppingpdf2
Figure 15. PDF dropped in Temp\bar.pdf

5. What does the shellcode do?

The shellcode attempt to import various functions from kernel32.dll and then using its LoadLibraryA function to load shell32 library to import ShellExecuteA function.

The shellcode then attempts to read the pdf file to extract both the executable payload and a pdf file which are both dropped in the temp folder as foo.exe and bar.pdf respectively.

foo.exe is then executed via CreateProcessA as shwon in Figure 16 and 17.

CreateProcess_foo
Figure 16. CreateProcessA for foo.exe
createProcess
Figure 17. foo.exe

Bar.pdf is then opened via ShellExecuteA. ShellExecuteA uses the victim’s default application to open the pdf file.

shellexePDF
Figure 18. ShellExecuteA for bar.pdf
pdfFile
Figure 19. bar.pdf pops up

 

Advertisements
PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-03)

PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-02)

Tools Used

  1. IDA Pro
  2. Ollydbg

Sample:

  1. Lab19-02.exe SHA256: 3ba837e827a5a20cf51ec82972b5e5fe028708932bfe1e58fd1224ef2fe5bb75

VirusTotal:

  • Detection Rate: 32/56
  • Analyzed on 2016-06-04
  • Compilation Date: 2011-03-02 04:10:40
  • View report here

Lab 19-2
The file Lab19-02.exe contains a piece of shellcode that will be injected into
another process and run. Analyze this file.
Questions
1. What process is injected with the shellcode?

Firing up IDA Pro we can immediately see that a function is called to create a new process and thereafter injecting shellcode into it.

GetProcID
Figure 1. Launching new process

To see the arguments passed into the GetProcessID function (refer to 0x4013DE) we can set a breakpoint in ollydbg.

iexplore
Figure 2. iexplore.exe is the targeted process

From figure 2, we can see that iexplore.exe path is passed into a function. The function then use this path to CreateProcess.

2. Where is the shellcode located?

To find the shellcode, i would first try to find the function call responsible for writing the shellcode into the remote process. WriteProcessMemory is a good place to start.

processinjection
Figure 3. WriteProcessMemory

At address 0x00401230, we can see a function with a lpbuffer argument passed in along with the buffer size and a process id. It is not hard to guess that this function is responsible for opening a handle to the remote process and eventually writing payload into it. We would just need to trace who called this function to find out where is the shellcode located.

lpbuffer
Figure 4. Shellcode located at 0x407030

Seems like we have found the shellcode @0x407030. Lets take a peek at the shellcode =) as shown below… Press “C” to convert the bytes to code.

shellcode
Figure 5. A peek into the shellcode

3. How is the shellcode encoded?

Looking at the shellcodes in Figure 6, we can see that the author is using the “call” trick (as seen in step 2) to get the address of the shellcode. Analyzing the codes, we can that the shellcodes from 0x407048 onwards are decoded using XOR with 0xE7.

shell
Figure 6. Shellcode using call instruction and XOR

4. Which functions does the shellcode manually import?

To analyze the shellcode, we can either extract the shellcode and run it using sctest or you can choose to use a simple trick that I be showing to break in the newly created process.

  1. First break at WriteProcessMemory function
  2. Before the memory is written into the remote process we change the first byte of the shellcode (0x407030) to 0xCC (breakpoint)
  3. Attach debugger to the newly created IEXPLORE.exe
  4. Resume Lab19-02.exe in ollydbg
  5. The IEXPLORE.exe will break on executing the injected shellcode

On analyzing the shellcode, you will come across a function that is responsible for manually importing the following functions. You may also wish to break at CALL instructions in the shellcodes to trace where in the memory are the address coming from.

modules
Figure 7. imports

5. What network hosts does the shellcode communicate with?

We set a breakpoint @ connect and analzye the SockAddr struct passed to it.

IP
Figure 8. SockAddr Struct

sin_port = 0x3412 = 13330

sin_addr = 0xC0A8C802 = 192.168.200.2

onlineConvert
Figure 9. Convert Hex to IP Address (online tool)

6. What does the shellcode do?

Reverse shell(cmd.exe) to 192.168.200.2:13330. We can see that the shellcode executes CreateProcessA after connecting to the remote IP.

CreateProcess2
Figure 10. CreateProcessA

The following figure is a internal setup to see how the malware would behave on successful connection to the IP & port. As we have expected, a reverse shell connection is established.

remote
Figure 11. Reverse shell connection established
PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-02)

PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-01)

Tools Used

  1. Ollydbg
  2. Shellcode2Exe
  3. Sctest

Sample:

  1. Lab19-01.bin SHA256: 12C25180A497E9F9544454332A29DF45D1F8506DEE485ED0026D9969AF4AFEDE

Lab 19-1
Analyze the file Lab19-01.bin using shellcode_launcher.exe.
Questions

To generate a exe from shellcode, I decided to use shellcode2exe tool as seen below.

shellcode2hex
Figure 1. shellcode2exe tool

1. How is the shellcode encoded?

The shellcode is alphabetically encoded. In figure 2, we can see the function responsible for decoding.

inmemory
Figure 2. Decoding Function

2. Which functions does the shellcode manually import?

We can use a tool called sctest to help us to emulate the shellcode.

sctest
Figure 3. sctest
sctest_output
Figure 4. sctest output

We can see that the shellcode uses LoadLibraryA, GetSystemDirectory, URLDownloadtoFile and WinExec.

We can also use ollydbg to see it live.

manuallyImports
Figure 5. Codes responsible for manually importing functions.
imports
Figure 5. Imports

3. What network host does the shellcode communicate with?

As seen in Figure 4, the shellcode communcates with http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe.

4. What filesystem residue does the shellcode leave?

c:\windows\system32\1.exe

5. What does the shellcode do?

  1. Download http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe.
  2. Save the payload as c:\windows\system32\1.exe
  3. Execute the payload
PRACTICAL MALWARE ANALYSIS: SHELLCODE ANALYSIS (LAB 19-01)

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-05)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. PEiD
  4. ImpREC

Sample:

  1. Lab18-05.exe SHA256: 1936dec547377977d07b5f0bc75de537a6771ac5ed37190bb2e74e16a564b69d

VirusTotal:

  • Detection Rate: 33/57
  • Analyzed on 2016-03-22
  • Compilation Date: 2004-01-23 23:39:42
  • View report here

Unpacking

Virus total & PEiD detects that the malware is packed with UPack.

upack.PNG
Figure 1. UPACK

Loading the malware in IDA Pro we can see that it’s import table is almost empty. This is another indicator of a packed binary. LoadLibraryA and GetProcAddress are typically used to rebuild the malware’s import table in the unpacking routine.

Figure 2. Imports
Figure 2. Imports

Usually for unpacking a technique that I would use is to break at GetProcAddress. Typically after the import table is rebuilt the unpacking routine will then jump to the OEP of the binary.

Figure 3. Breaking at GetProcAddress
Figure 3. Breaking at GetProcAddress

Soon after the last GetProcAddress was called, a jmp instruction was executed. We reached the OEP of the malware as seen below.

Figure 4. OEP found
Figure 4. OEP found

Next, we would begin dumping out the debugged process using ollydump plugin in ollydbg. However, when we tried to execute the binary… the application would crash! I could only think of 2 reasons why the dumped binary is behaving in this manner.

  1. Wrong OEP
  2. Corrupted PE Header

In our case here it is the later… We could fire up the ImpREC tool to fix the IAT as seen below and we would find ourselves with a healthy running malware.

Figure 5. Fixing IAT using ImpREC
Figure 5. Fixing IAT using ImpREC

 

Cheers

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-05)

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-04)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab18-04.exe SHA256: b8a5d54e5b8ae63d8f59bb3b1c8782e76154093fea83708ae657184c922eee0e

VirusTotal:

  • Detection Rate: 30/56
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-10-18 18:46:44
  • View report here

Unpacking

Virus total detects that the malware is packed with ASPack.

aspack
Figure 1. ASPack

Yet another pushad operation spotted. Let’s try the same approach we did previously.

Hardware breakpoint on esp after pushad executed.

pushad.PNG
Figure 2. PUSHAD

the program will break on POPAD… Step till return is called

popad.PNG
Figure 3. POPAD

Unpacked codes? Reanalyzed it.

unpacked
Figure 4. unpacked codes
reanalyzed
Figure 5. Reanalyzed codes

Dump out the process

ollydump.PNG
Figure 6. Dump
PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-04)

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-03)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab18-03.exe SHA256: b756a02776b6b33394b255ba99f4cc0379cccbe080f36fd80034a5a6e2ffaa3e

VirusTotal:

  • Detection Rate: 27/55
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-04-30 12:26:40
  • View report here

Unpacking

  1. Run the program using ollydbg.
  2. break after pushad
pushad
Figure 1. PUSHAD

3. set breakpoint (hardware on access) on esp

breakpoint
Figure 2. Hardware breakpoint

4. Run the program, the program will break at POPAD

pop
Figure 3. POPAD

5. Step till return and you will see the following unpacked code in raw form

unpacked_1
Figure 4. unpacked code

6. Ctrl-A to reanalyze the code

analyzed
Figure 5. Reanalyzed code

7. Dump the process

dump
Figure 6. Dump
PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-03)

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-02)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab18-02.exe SHA256: 7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4f050f0aec

VirusTotal:

  • Detection Rate: 46/56
  • Analyzed on 2016-03-22
  • Compilation Date: –
  • View report here

Unpacking

Virustotal and PEID both suggests that the malware is packed using FSG.

fsg
Figure 1. FSG

For this malware, I did not see any tail jump signature. However after analyzing the sections in the binary, I observed a global variable that is being referenced in the code.

section
Figure 2. dword_401090

So i put a breakpoint @00409010 which is the address that the eip jumps to. Press Ctrl-A to reanalyze the code in ollydbg.

401090
Figure 3. 401090 Reanalyzed

Now dump out the memory and you will get the unpacked version. If you were to analyze the disassembled code, you will realise that LoadLibraryA is being called to fix the IAT of the unpack malware. Once the libraries are fixed, the malware should jump to the unpacked code. Tracing it from LoadLibraryA is an alternate way to reach the jump instruction to 0x401090.

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-02)