Saturday, 5 August 2017

Reading malware - Trojan.Delf

In the meantime I found another test case on MalwareDB; this time we will try to analyze malware described as "Trojan.Delf". The MD5 of the sample is b5597304495be0c425e512abd6f39f8c. Let's go!

As usual, I started PEiD to check the details of the sample file:



In my next step I decided to open the malware in IDA Pro. I was wondering what could be found in the imports or strings. Let's see:

A (partial) list of imports is shown below:


You will also see some functions related to network connections:


I decided that this would be a good place to start analyzing the program. After a while you should be able to connect some dots (functions) with others, and the flowchart should look similar to the one below:




As we can see, this malware is a bit more complicated than the one I analyzed before.
It looks like the "main" part of the program (related to DoS attacks) is here:



Next part: I 'identified' a few more functions (the purpose of some of them):


And another one:


Let's go deeper. We should be somewhere here:


I was checking the program's functions to understand the purpose of each one. I must admit that Xrefs were very helpful this time... :]

I think this is some kind of 'main' function of the malware (after you have already run the starter exe file). Let's switch to dynamic analysis for a while.

After we run our sample file, we can see a new process started, "svchost.exe":


So... we are running another "program" now to see some more results. After this step we can see (in FakeNet's window) that the (newly started) sample is trying to talk with some host:


At this stage I decided to restore my snapshot to the moment before I started the malware. The next step was editing the FakeNet config to add a wrapper to handle the new connection. I also decided to check the new file created after the malware was started (last time, before I restored the VM):


The changed FakeNet config now looks like this:


Now we are ready to run the sample again. (I created another snapshot at this stage.) Checking:


As you can see on the screen above, I changed my hosts file again to 'persuade' the malware to talk to me, not the real C&C. We will get back to this later.

Below is a screen from part of the replication process:


Next, we can find a new hint here:


Going step by step through the next instructions we will find this place:


The bigger picture looks like this:


Now we can observe a new value created in the Windows registry:


After a while we should be somewhere here:


As we can see, there is still a lot to do ;]


Let's go for the next piece.

In the meantime I also found some interesting "relations" (of other functions) to the Sleep() function; an example is below:


After a while of reading that code, we should see results similar to those presented below:

It looks like (another ;)) "main" of the code is located in sub_407c00():
At this stage I decided to stop the analysis and restore the machine to the moment of creating the new registry value. We will continue (the post) from that moment; see below:


Watching the malware in OllyDbg looks even better ;)


In my opinion, below you will find the commands used later to set up communication with/from the malware:


Because our malware is very shy, when it sees (via IsDebuggerPresent()) that you're using a debugger, it will no longer work "correctly". After a little discussion (in OllyDbg) the malware will decide to pass ;]

To chat in asm use OllyDbg: when you open malware.exe in Olly, press Alt+E (to open the "Executable modules" window). There we look for kernel32.dll. Now press Ctrl+N to open the "Names in kernel32" window. That's how we can find the IsDebuggerPresent() function:


Set a breakpoint (F2) so that when the malware tries to verify whether it was started in a debugger or not, we can observe it:


Snapshot... and let's see:

It's working. F8 until we get back to the code:


As we can see, we are in the middle of the TEST EAX,EAX instruction. A small hint from the window below:


Let's step forward (F8):


Let's change the JNZ instruction to JZ so that when the malware 'finds' a working debugger (EAX=1), it will pass (not crash/exit).


Press Enter and click F8:


Indeed, we jump to POP ESI, not to 74447cbf. Let's continue the malware (by pressing F9) now. We should see a similar window:
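To show at the byte level what the OllyDbg edits above do (JNZ to JZ after TEST EAX,EAX, and the JB to NOP / JE to JNE edits later in the post), here is an added example that is not code from the original post. The SAMPLE buffer is a constructed stand-in for the code around the IsDebuggerPresent() call, not bytes taken from the sample.

```python
# Short conditional-jump opcodes (Jcc rel8) involved in the OllyDbg edits described in the post.
JCC = {"jz": 0x74, "je": 0x74, "jnz": 0x75, "jne": 0x75, "jb": 0x72}
NOP = 0x90
TEST_EAX_EAX = bytes([0x85, 0xC0])

# Constructed stand-in for the code around the IsDebuggerPresent() check (not bytes from the sample):
#   call [IsDebuggerPresent] ; test eax,eax ; jnz bail_out ; pop esi ; ret ; nop ; nop ; bail_out: push 0
SAMPLE = bytes([
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,  # call dword ptr [imm32] (placeholder IAT address)
    0x85, 0xC0,                          # test eax,eax
    0x75, 0x04,                          # jnz +4 -> bail_out
    0x5E,                                # pop esi   (normal path continues here)
    0xC3,                                # ret
    0x90, 0x90,                          # nop nop
    0x6A, 0x00,                          # bail_out: push 0
])

def find_debugger_branch(code: bytes) -> int:
    """Offset of the JNZ right after TEST EAX,EAX: the branch taken when IsDebuggerPresent() returned 1."""
    pos = code.find(TEST_EAX_EAX + bytes([JCC["jnz"]]))
    if pos < 0:
        raise ValueError("TEST EAX,EAX / JNZ pattern not found")
    return pos + len(TEST_EAX_EAX)

def next_ip(code: bytes, offset: int, eax: int) -> int:
    """Where execution continues after TEST EAX,EAX followed by the JZ/JNZ at `offset`."""
    op, rel = code[offset], code[offset + 1]
    rel = rel - 0x100 if rel > 0x7F else rel      # rel8 is signed
    fallthrough = offset + 2
    taken = {0x74: eax == 0, 0x75: eax != 0}[op]  # JZ taken on ZF=1, JNZ on ZF=0
    return fallthrough + rel if taken else fallthrough

def patch_jcc(code: bytes, offset: int, new: str) -> bytes:
    """Swap the short Jcc at `offset` for another one (JNZ->JZ, JE->JNE); the rel8 byte is kept."""
    buf = bytearray(code)
    if buf[offset] not in JCC.values():
        raise ValueError(f"no short Jcc at {offset:#x}: {buf[offset]:#04x}")
    buf[offset] = JCC[new]
    return bytes(buf)

def nop_jcc(code: bytes, offset: int) -> bytes:
    """Overwrite the two-byte short Jcc at `offset` with NOP NOP, as done for the JB."""
    buf = bytearray(code)
    if buf[offset] not in JCC.values():
        raise ValueError(f"no short Jcc at {offset:#x}: {buf[offset]:#04x}")
    buf[offset:offset + 2] = bytes([NOP, NOP])
    return bytes(buf)
```

With EAX=1 (debugger detected) the original JNZ jumps to the bail-out path; after the one-byte patch to JZ the same value falls through to POP ESI, which is exactly the behaviour observed in Olly.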



At that moment OllyDbg will jump to another place (and in FakeNet we can observe that the communication has already started):



I recreated the snapshot again and did the same steps in the debugger, but this time I changed the Olly settings related to debugging child processes. We can change it in OllyDbg in Options:



Let's check it again (F9; remember to change the JNZ at the breakpoint). When we run the debugger (F12, Alt+F9), after clicking 'run', we will find this place:



So child debugging is working, good. F8 and we are in the middle of the new process:



I decided to copy the new sample and re-run it in the debugger.


After reading the CALLs' code (F8) we will change the JZ instruction:



F8 to continue and we will find a message from OllyDbg:


Let's look for some other functions responsible for the code's flow. After a while we should be here. We will change the CMP to compare EAX with EAX:



Unfortunately it wasn't a good idea and the process died. Let's run another one, this time from the Roaming folder (of our user), called svchosts.exe. We are here and we are changing this line:



F8 to go into another CALL instruction:



...and we should be here:




F8 until we see how the malware verifies other copies on the infected host:



Let's read some more code... At this stage (F8) we can observe some preparation to communicate with the C&C.




It looks like the C&C is located at jp.0317168.com on port 6543/tcp.
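The hosts-file redirect and FakeNet wrapper used in this post can be reproduced with a small stand-in listener that records whatever the sample sends to the C&C name and port identified above. This is an added example, not code from the original post or from FakeNet; it assumes the analysis VM resolves jp.0317168.com to the listener's address through its hosts file.

```python
import socket
import threading

# Hostname and port identified in the analysis above as the sample's C&C.
CNC_HOST = "jp.0317168.com"
CNC_PORT = 6543

def hosts_entry(sandbox_ip: str = "127.0.0.1") -> str:
    # Line to put in the VM's hosts file so the C&C name resolves to the analysis box.
    return f"{sandbox_ip} {CNC_HOST}"

def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Hex/ASCII rendering of captured bytes, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return lines

# Stand-in C&C: accept one TCP client, optionally send a banner, record every byte it sends.
class FakeCnC:
    def __init__(self, host: str = "127.0.0.1", port: int = CNC_PORT, banner: bytes = b""):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]   # actual port (useful when port=0 is requested)
        self.banner = banner
        self.chunks: list[bytes] = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        conn, _peer = self.sock.accept()
        with conn:
            conn.settimeout(5.0)                 # do not hang forever if the client goes silent
            if self.banner:
                conn.sendall(self.banner)
            try:
                while data := conn.recv(4096):
                    self.chunks.append(data)
            except socket.timeout:
                pass
        self.sock.close()

    def captured(self, timeout: float = 10.0) -> bytes:
        """Wait for the session to end and return everything the client sent."""
        self.thread.join(timeout)
        return b"".join(self.chunks)
```

Run it on the analysis box, add the hosts_entry() line to the VM's hosts file, and print hexdump(srv.captured()) after the sample connects to see the first outbound message before any FakeNet-style decoding.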

Checking more: after changing CMP (and JB to NOP, as well as JE to JNE) we are here:






A few changes in FakeNet, and we are ready to run it again:


Checking again...



Now we can see some new messages on the way:



And can you see this?



At this stage the message is prepared to be encoded and sent to the C&C. Below you will find an interesting loop:


More:




If you're looking for more commands to talk with that malware, I think the good place should be here:




I think at this stage we already know that this is a malicious program.

The sample file is available thanks to Malekal.

Here you will find some results from VirusTotal.

Similar cases are described under this tag.

Cheers!
