Malware Analysis on Kartone's Reversing Garage

Project Sodinokibi

Thu, 29 Oct 2020 08:59:13 +0000

Learning Python

Python is the language I always wanted to learn. I tried but failed every single time, don’t know exactly why. This time was different though, I knew from the first line of code. So, with a little push of a dear friend of mine (thanks Elio!), I tried to investigate how to decode Sodinokibi ransomware configurations for hundreds, maybe thousands, of samples. I intended to understand, using powerful insights from VirusTotal Enterprise API, if there are relationships between Threat Actor, mapped inside the ransomware configuration, and the country visible from the VirusTotal sample submission.
I am perfectly aware that it’s not as easy as it seems: the ransomware sample submission’s country, visible from VirusTotal, may not be the country affected by the ransomware itself. But, in one case of another, I think there could be somehow a link between the two parameters: maybe from the Incident Response perspective.

Getting the samples

My first step was to get as many samples as I could. My first thought was to use VirusTotal API: I’m lucky enough to have an Enterprise account, but the results were overwhelming and, due to the fact I was experimenting with Python, the risk of running too many requests and consume my threshold was too high. So I opted to use another excellent malware sharing platform: Malware Bazaar by Abuse.ch

All the code is available here

downloaded_samples = []
data = { 'query': 'get_taginfo', 'tag': args.tag_sample, 'limit': 1000 }
response = requests.post('https://mb-api.abuse.ch/api/v1/', data = data, timeout=10)
maldata = response.json()
print("[+] Retrieving the list of downloaded samples...")
for file in glob.glob(SAMPLES_PATH+'*'):
filename = ntpath.basename(os.path.splitext(file)[0])
downloaded_samples.append(filename)
print("[+] We have a total of %s samples" % len(downloaded_samples))
for i in range(len(maldata["data"])):
if "Decryptor" not in maldata["data"][i]["tags"]:
for key in maldata["data"][i].keys():
if key == "sha256_hash":
value = maldata["data"][i][key]
if value not in downloaded_samples:
print("[+] Downloading sample with ", key, "->", value)
if args.get_sample:
get_sample(value)
if args.clean_sample:
housekeeping(EXT_TO_CLEAN)
else:
print("[+] Skipping the sample because of Tag: Decryptor")

This block of code essentially builds the request for the back-end API where the tag to search for comes from the command line parameter. I defaulted it to Sodinokibi. It then creates a list of samples already present in the ./samples directory not to download them again. Interestingly, because there are many Sodinokibi decryptors executables on the Malware Bazaar platform, I needed some sort of sanitization not to download them. When it founds a sample not present inside the local directory, It then calls the function to download it.

def get_sample(hash):
headers = { 'API-KEY': KEY }
data = { 'query': 'get_file', 'sha256_hash': hash }
response = requests.post('https://mb-api.abuse.ch/api/v1/', data=data, timeout=15, headers=headers, allow_redirects=True)
with open(SAMPLES_PATH+hash+'.zip', 'wb') as f:
f.write(response.content)
print("[+] Sample downloaded successfully")
with pyzipper.AESZipFile(SAMPLES_PATH+hash+'.zip') as zf:
zf.extractall(path=SAMPLES_PATH, pwd=ZIP_PASSWORD)
print("[+] Sample unpacked successfully")

A straightforward function: builds the API call, gets the zipped sample, unpack, and saves it inside the directory ./samples. Note that the sample filenames are always their SHA-256 hash. After unpacking it, I made a small housekeeping function to get rid of the zip files.

def housekeeping(ext):
try:
for f in glob.glob(SAMPLES_PATH+'*.'+ext):
os.remove(f)
except OSError as e:
print("Error: %s - %s " % (e.filename, e.strerror))

This is what happens when you run the script.

Getting insights on ransomware configuration

Now it’s time to analyze these samples to get the pieces of information we need. The plan is to extract the configuration from an RC4 encrypted configuration stored inside a PE file section. Save ActorID, CampaignID, and executable hash. With the latter, we then query VirusTotal API to get insights for the sample submission: the City and the Country from where the sample was submitted and when there was the submission. As I wanted to map these pieces of information on a map, with OpenCage API I then obtained cities coordinates of the submissions.

The code to build the API calls and parse the response JSON is rough, shallow and straightforward I would not go with it. I’m sure there are plenty of better ways to do its job, but…it’s my first time with Python! So bear with me, please. What I think it’s interesting is the function that extracts and decrypts the configuration from the ransomware executable PE file. These are the lines of code that do this task:

excluded_sections = ['.text', '.rdata', '.data', '.reloc', '.rsrc', '.cfg']
def arc4(key, enc_data):
var = ARC4.new(key)
dec = var.decrypt(enc_data)
return dec
def decode_sodinokibi_configuration(f):
filename = os.path.join('./samples', f)
filename += '.exe'
with open(filename, "rb") as file:
bytes = file.read()
str_hash = hashlib.sha256(bytes).hexdigest()
pe = pefile.PE(filename)
for section in pe.sections:
section_name = section.Name.decode().rstrip('\x00')
if section_name not in excluded_sections:
data = section.get_data()
enc_len = struct.unpack('I', data[0x24:0x28])[0]
dec_data = arc4(data[0:32], data[0x28:enc_len + 0x28])
parsed = json.loads(dec_data[:-1])
return str_hash, parsed['pid'], parsed['sub']
#print("Sample SHA256 Hash: ", str_hash)
#print("Actor ID: ", parsed['pid'])
#print("Campaign ID: ", parsed['sub'])
#print("Attacker's Public Encryption Key: ", parsed['pk'])

Disclaimer: these lines are, obviously, not mine. I modified the script provided by the guys of BlackBerry ThreatVector. I invite you to read where they explain how the configuration is stored within the section, where’s the RC4 encryption key and how to decrypt it.

In my version of the script, it runs on Python3 and uses a standard library for the RC4 algorithm. Also, it’s worth to mention that this script fails if input samples are packed. It expects the existence of the particular section with the saved encrypted configuration; it fails otherwise. I added some controls to handle miserable crashes, but there are unmanaged cases still: I’m so new to Python!

In the end, we have a dear old CSV file enriched with a bunch of information: Country, City, Latitude, Longitude, ActorID, CampaignID, Hash, Timestamp. We’re ready to map it.

Understanding the data

Our data is described inside a data.csv

Field aid (ActorID) is changed, during the months, from an integer number, like ActorID: 39 to a hash representation. For now, we have only 174 samples where we managed to extract the configuration. We can now group the data by aid field and count the submissions.

From what I see, I can understand that the samples related to ThreatActor with the ID 39 have nine submissions from the city of Ashburn US. I have to comprehend why this city has so many submissions related to Sodinokibi. I hope that someone that reads this post would help me to understand and shed some light.

If we map the ThreatActorID vs the City of the submission, we can easily see the data.

ThreatActors vs Submissions City

Submissions City vs Submissions count

Next steps would be acquiring as many samples as I can. The best choice would be using VirusTotal API to retrieve the samples and this is what I’m going to do. Hopefully I won’t burn my entire Company API limit.

All the scripts used in this post, the data and the Jupiter notebook used to map the data is available here.

The p0sT5n1F3r Backdoor

Wed, 16 Oct 2019 19:20:00 +0000

How does a malicious backdoor designed to sniff sensitive HTTPS traffic go completely undetected?

During an IR case, we found and dissected a highly targeted malware sample, a custom Apache module we callp0sT5n1F3r.

This threat was specifically engineered for its target’s environment and was rated 100% clean by all major security vendors due to its extensive use of custom encryption.

This report details the reverse engineering journey, from the initial static analysis to the critical breakthrough: cracking its custom RC4 encryption scheme. This discovery allowed us to unveil its true purpose—intercepting financial transaction data—and even uncover a hidden HTML interface used by the attackers.

Read the full technical deep dive to learn how this threat was unmasked.

WannaCry, two years later: a deep look into its code

Thu, 23 May 2019 09:17:00 +0000

My own technical analysis of the malware that, in 2017, spread like wildfire encrypting thousands of computers, using one of the tools leaked from the National Security Agency by the group named ShadowBrokers.

Almost two years passed after that weekend of May 2017, when the crypto-worm WannaCry infested the net thanks to the EternalBlue exploit. In roughly two days, WannaCry spread itself all over the world infecting almost 230.000 computers in over 150 countries:

By TheAwesomeHwyh

At that time, working as an Information Security Officer, with my colleagues, especially the guys from IT Infrastructure dept., worked hard to keep the entire Company perimeter safe. Luckily for us, we were not hit by the ransomware, but a lot of effort was spent explaining to the rest of the Company what happened.

Flash forward to 2019

Since this January, I’ve been running my own Dionaea honeypot that keeps catching a huge number of WannaCry samples. Just to give you some numbers, within two months, the 445 port was hit almost half a million times and I was able to collect roughly 18.000 of its samples at the rate of almost 300 samples per day.

If you notice from the file size, all these samples are all the same, and everyone of them is a WannaCry sample, delivered right to the 445 port in a DLL fashion.

Just to make a contribution to the WannaCry story, though small and useless, I thought it would be fun to analyze the internals of this malware as I wasn’t able to do it back in the days. I will concentrate the analysis on its various layers and the most important parts of the code that make this malware unique.

Peeling the onion

First look at one of these samples, confirms that we’re dealing with a malicious DLL and it’s worth to note its compilation timestamp. Let’s call this as launcher.dll because of the evidence found in a string inside the code.

Luckily for us, this sample is not packed. We can check its Import and Export Address Table to get an idea of what this sample is able to do.

Easily enough, checking the imported API, we can assume that the malware uses something in its resource section and supposedly create a file and run a process. Commonly, DLL malware exports functionalities to the outside via its Export Address Table. We can see only one exported function and it’s called PlayGame*:*

As noted above, malware imported some specific APIs to manage its resource section, like FindResourceA and LoadResource. We can easily recognize the magic numbers of a Portable Executable file - a Windows executable file - stored inside this section. We can dump it easily with tools like ResourceHacker:

But before analyzing it, we need to get rid of some bytes in the header, we’ll come to these bytes later.

So now, we can open it and check its sections like we just did with the aforementioned DLL. Interestingly this new dumped executable seems 7 years older than the first one, its compile timestamp is dated November 2010 but, be aware that this date can be easily fake.

We can get an idea of what its purpose is by checking out the imported libraries:

We have to expect much more complexity in this stage than the DLL. We have a bunch of standard libraries like KERNEL32.dll or WININET.dll and iphlpapi.dll. This DLL was unknown for me so I found, from MSDN, that:

Purpose
The Internet Protocol Helper (IP Helper) API enables the retrieval and modification of network configuration settings for the local computer.
The IP Helper API is applicable in any computing environment where programmatically manipulating network and TCP/IP configuration is useful. Typical applications include IP routing protocols and Simple Network Management Protocol (SNMP) agents.

A quick look suggests that this executable operates with Windows services configuration, manages files and resources and also, has network capabilities:

The Plan

My plan is to give a deep look inside all various stages that the malware extracts during its execution, analyzing its code and how it interacts with internal Windows subsystems.

For this reason, we’re now stepping back to analyze and understand how the DLL extracts this executable in the first place. Then we’ll give a look inside the debugger to see how things happen in realtime and then, we will analyze and try to understand what this executable is going to do once it infects the system.

Analysis of the first layer: launcher.dll

The purpose of this DLL is exactly what we supposed thanks to the analysis of the imported libraries. The only exported function PlayGame is easily disassembled by IDAPro.

The first call to sprintf compose the Dest string as C:\WINDOWS\mssecsvc.exe. Then it calls two functions, sub_10001016 that extracts, from its resource section, the executable we dumped before and then, saves it into a new file named as Dest string; after that sub_100010AB runs the file. Notice that we have just gained our first host-based indicator: C:\WINDOWS\MSSECSVC.EXE for this malware detection.

Function `sub_10001016` aka `ExtractAndCreate`

For better reading and understanding this function, we can rename it as ExtractAndCreate and we can split it into two parts: the extract part and the create file part.

Disassembled extract part

During this phase, the malware uses four API calls, that are completely covered inside the MSDN.

FindResourceA: Determines the location of a resource with the specified type and name in the specified module.
LoadResource: Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory.
LockResource: Retrieves a pointer to the specified resource in memory.
SizeOfResource: Retrieves the size, in bytes, of the specified resource.

That being said, we can now analyze step by step this simple four blocks of code. First function prototype is:

HRSRC FindResourceA(
HMODULE hModule,
LPCSTR lpName,
LPCSTR lpType
);

We have three function parameters that, as per calling convention, must be pushed in reverse order, so:

push offset Type ; "W"
push 65h ; lpName
push hModule ; hModule
call ds:FindResourceA

Parameter hModule is being populated inside the DLLMain method, and is equals to variable hinstDLL.

hinstDLL: A handle to the DLL module. The value is the base address of the DLL. The HINSTANCE of a DLL is the same as the HMODULE of the DLL, so hinstDLL can be used in calls to functions that require a module handle.

lpName: The name of the resource. In this case, name is 0x65 or 101 in decimal value. If you look, name is confirmed by analyzing the DLL with ResourceHacker:

lpType: The resource type. Can be also noticed in the screenshot above.

From MSDN: If the function succeeds, the return value is a handle to the specified resource’s information block. To obtain a handle to the resource, pass this handle to the LoadResource function. If the function fails, the return value is NULL.

Coming back to the disassembly, this handle is returned into EAX and then moved inside EDI, where is being tested to check if it’s null. If it’s not, the handle is pushed, as the second argument, to the next API call to LoadResource. Quoting MSDN: it retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory. It also suggests:"…to obtain a pointer to the first byte of the resource data, call the LockResource function; to obtain the size of the resource, call SizeofResource".

HGLOBAL WINAPI LoadResource(
_In_opt_ HMODULE hModule,
_In_ HRSRC hResInfo
);

hModule: A handle to the module whose executable file contains the resource.

hResInfo: A handle to the resource to be loaded.

The same approach applies with the other two API calls: LockResource and SizeofResource. The interesting thing to note here is that the return value from this last call, stored inside EAX register as 500000, won’t be used at all:

So now, looking in the debugger, we have:

EAX = 500000
ESI = 10004060

ESI register contains the pointer to the memory region referred to the resource section that contains the executable itself. You can notice it thanks to the MZ header in the memory dump. Remember the 4 bytes that were been removed with hex editor before? According to MSDN this DWORD is the actual size of raw data inside the resource section of the binary itself. So, this value 0x0038D000is moved into EBX and then pushed as lpBuffer to the WriteFile function. Pretty standard call here: CreateFileA will create a file with specific attributes. Parameter dwFlagsAndAttributes, according to MSDN, a value of 0x4stands for: “The file is part of or used exclusively by an operating system”.

After the call to WriteFile, we have our executable saved and ready to run. The interesting parameters for this call are:

lpBuffer: equals to ESI, is the value returned by the call to LockResource and is a pointer to the buffer to write into the file. Basically is a pointer to the binary inside the resource section.
nNumberOfBytesToWrite: as we said earlier, this parameter is the value pointed by the ESI to a DWORD inside of resource header. Its value represent the size of the binary data.

So now, we can enable a breakpoint right after the WriteFile call and get the freshly created executable.

Function `sub_100010AB` aka `RunTheFile`

Here we’re dealing with a very simple API call to CreateProcessA, nothing fancy to add. I’d prefer not to dig inside all these parameters, it’s completely covered inside the MSDN.

Conclusion after the first layer

What I would show here is my own study process: be aware, sometimes it can be very, very time-consuming but it gives me a big, complete and deep look inside Windows internals and how malware uses them. This proceeding, for me as a novice, helped a lot.

Analysis of the second layer: mssecsvc.exe

This will differs from the DLL file. As we noted initially, this executable is way more complex: we’ll deal with various libraries and functionalities. But all start with a (Win)main function, right?

Do you remember the kill-switch? Do you remember the story behind? Give it a read, it’s very interesting.

In general terms, the main function of a Windows program is named WinMain, this is the first function that will be called when the program starts. We see a very strange url inside this code. Exactly the string is: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and is referred through the EDI register. After that, the WinINet subsystem is initialized using the call to InternetOpenA, this function returns a valid handle that the application passes to subsequent WinINet functions. Next, there’s a call to InternetOpenUrlA that opens a resource specified by a complete FTP or HTTP URL. After that the handle is closed and a new function is called: sub_408090, we’ll name it ServiceStuff:

In the first block of code, according to MSDN: GetModuleFileNameA retrieves the fully qualified path for the file that contains the specified module. The module must have been loaded by the current process, first parameter hModule is the handle to the loaded module whose path is being requested. If this parameter is NULL, GetModuleFileNameA retrieves the path of the executable file of the current process. Here the value is set to NULL, so it retrieves the name of the executable itself:

We then find a check on the number of arguments: if there are arguments the TRUE path will be taken. Because, in our case, we’re debugging without any argument, the FALSE path is taken and a new function sub_407F20 is called. This is a simple function that calls other two, so let’s call it FunctionCaller:

Simple enough sub_407C40 create a new service and then starts it, so we name it CreateAndStartService. Service will be run with command line mssecsvc.exe -m security and with a display name as "Microsoft Security Center (2.0) Service" defined as "mssecsvc2.0".

When we move then to sub_407cE0, things start to become fun. For the sake of simplicity, we’ll analyze this function in four parts. The first part is easy because the malware dynamically resolve some APIs:

Nothing too much complicated here: it uses GetProcAddress to populate some variables with the address of specific APIs, so it can call them in the next lines of code. After that, the second part will manage the resource section, just like the way we analyzed in the DLL launcher.dll:

This is confirmed into the debugger:

The return value from LockResource, as we know, is the pointer to the resource section into the binary and we can notice the MZ header into the memory dump. We then reach another interesting piece of code:

Two distinct string: Dest and NewFileName, are created using sprintf function. This two evidence are others good host-based indicators:

Dest = C:\WINDOWS\tasksche.exe

NewFileName = C:\WINDOWS\qeriuwjhrf

After that, the old file tasksche.exe is moved into the new file qeriuwjhrf and a new tasksche.exe is created. Now, I found myself lost into somehow obscure code: I got that WriteFile will dump the R resource into the created file tasksche.exe and runs it at the end. What’s inside the middle part, for me, remains in the dark.

In situations like this, I prefer to view the code inside the debugger because viewing the code during runtime maybe can help to shed some light. Indeed, seems like It created the command line for the incoming CreateProcessA call.

To recap: this function dumps its resource data inside a new executable file named tasksche.exe, making a copy inside another file named qeriuwjhrf, and then run tasksche.exe /i.

Stepping back to ServiceStuff function, there’s the other path to analyze: when there are the arguments "-m security", it enters into service mode. After its initialization, it changes service config:

According to MSDN, it changes the config so that failure actions occur if the service exits without entering a SERVICE_STOPPED state. After that, it executes its ServiceFunction:

This function setup the handles and starts exploiting the MS17-010 vulnerability into the reachable networks. Note that it exits after 24h. Here, I renamed this function ExecuteEternalBlue

This call starts a number of events that let the infection to happen. First thing, Winsock subsystem is initialized and a CryptoContext is generated:

Next, the malware will load a DLL into the memory - the very same launcher.dll we analyzed before - and then run it. Networks attacks happen inside two new threads. This flow can be easily observed if we decompile this function:

The first thread, involving the function sub_407720, will enumerates local network adapters and generates IP addresses compatible for those networks. For every IP, it tries to connect to port 445 and, if successful, launch the attack. Second thread, involving function sub_407840, will run 128 times with 2 seconds (hex 7D0) delay between each run. It will generates random IP address and tries to connect on port 445, if connection is successful, malware will launch the EternalBlue attack. It’s a pretty big chunk of code, but one interesting block of code is this:

Basically the malware, with the random IP placed into the Dest string converted into the proper format, calls sub_407480 aka CreateSocketAndConnect to try a connection to the 445 port, if the connection is successful, real attack is launched within the function sub_407540 aka SMBAttack.

Conclusion after the second layer

So, until now, we got a DLL - launcher.dll - that loads and runs a binary stored inside its resource section,mssecsvc.exe. The very first time, a new service is created to achieve persistence and after that it scans the networks (local and random remote) launching the EternalBlue exploits against 445 ports. In its stand-alone version, it dumps another binary from its resource section and runs it. What’s the purpose of this third binary? Let’s give a look.

Analysis of the third layer: tasksche.exe

Remember that this executable come from the resource section of previous file, mssecsvc.exe. When it runs as service, locates its resource section and writes it to the disk creating tasksche.exe. When it starts, it first generates a random string based on computer name, then checks if there are some command line arguments, in particular, if there’s /i as argument. We have now two branches to analyze:

If there’s /i argument: it creates specific directories and copies the file over it, like C:\ProgramData\somerandomstring\tasksche.exe and runs it from there.

If there’s no /i argument: it locates its resource section, named XIA, storing and extracting it onto disk. What’s interesting to note here that this resource is a compressed password protected archive. Luckily for us, password is hardcoded in clear text.

Let’s give a look inside the archive knowing the password: WNcry@2ol7

We can recognize the magic numbers for a ZIP file that we can dump directly and extract.

b.wnry is the bitmap image of the ransomware. Basically what you see as wallpaper when the computer is infected.

c.wnry is the configuration file in clear text, we can see some onion servers and the archive containing the TOR browser.

r.wnry contains some text ransom note.

Inside the msg folder there are some localized ransom note:

Conclusion after the third layer

This new executable seems pretty interesting because basically, it manages all the crypto actions involved within the ransomware. I won’t go into this analysis because it’s beyond my actual skills and also because, there are plenty of resources available on the internet, from amazing guys that are way better than me. For example, this technical analysis by FireEye was published only few days aftermath and is complete, deep and detailed. I used it a lot to better understand many pieces of obscure code.

Conclusion

I have learned a lot from this research: I learned how malware interacts with their resource section to hide, dump and create files; I learned how malware interacts with Windows service manager and how they actually load DLLs in memory, how they scans networks and how EternalBlue actually works. Also, having available such complete and detailed technical analysis, on this very specific malware, helped me to not loose the direction when I went too deep inside the assembly code. It was very fun and I hope this research will be helpful to someone at least as it was for me.

Pony stealer: a malware analysis - The sample analysis - Part three

Mon, 10 Sep 2018 07:30:00 +0000

After the first two parts here and here, we can move forward giving the sample a run inside a disassembler to look what’s inside and, eventually, into a debugger to see it live.

IDA has some difficulties to analyze the sample due to the facts it heavily uses anti-disassembly trick:

Note that the conditional jump to 41062E never gonna happens. We can patch those bytes \xF8\x72\x01 with NOP instruction or leave them alone knowing the fact that IDA can be fooled during analysis. Also at 41062F the sample delays its execution, invoking GetTickCount function and dividing the remainder of the DIV instruction by a predefined constant. So until the CMP instruction is satisfied it will run this bunch of code a pseudo-random number of times. It appears that this technique can trick some antivirus heuristic controls.

After condition is verified, the flow reaches the CALL instruction at 4105c3, we see another anti-disassembly technique, the misaligned PUSH instruction.

Clearly the misaligned PUSH at 4105c7 is there to fool the disassembler and we need to fix it if we want to have a better look on that piece of code. By defining manually that byte at 4105d0, IDA can now better analyze the code:

Now it’s clear what this piece of code does: it pushes the address of the function at 4105a2 onto the stack. This pointer will be the argument of SetUnhandledExceptionFilter function that, in the end, will exit from the process in case of unhandled exception.

Let’s focus on what happens at address 410508, because it’s where the fun starts:

After some studies I tried to interpret that code and the results are shown below.

Basically malware is starting its activities: first it loads libraries with the OleInitialize and LoadLibraries calls, after it fires up a delayer routine that, in malware intentions, will fool the heuristic controls of Kaspersky Antivirus. After that it enable some required privileges with the fourth call:

This routine will cycle through and enable all these privileges:

And after that it tries to get if the process is running within LocalSystem or not. In both cases it will impersonate or the LocalSystemUser or the LocalUser using the API call to GetUserNameA.

In the next session we’ll go deeper into the analysis trying to better understand its codebase.

Pony stealer: a malware analysis - The sample dry run - Part two

Fri, 03 Aug 2018 07:00:00 +0000

After we were able to unpack the sample like we did in the previous post, it’s time to understand what the malware is intended to do. The very first thing that I normally do is to give the sample a dry run inside a dedicated virtual machine, just to observe its behavior and monitoring its API calls. These calls can be monitored with a little tool called ApiLogger - that can be found here and it’s automatically installed by the Flare-vm script.

The API logger works by injecting a DLL into the target process. Once loaded, the DLL will insert a series of detours style hooks into specific API calls. When these API are accessed by any code in the process, they will trigger a notification message which gets sent to the main interface.

It’s clear that malware tries to steal informations (probably credentials) of various software via calls to RegOpenKeyA and RegOpenKeyExA:

And at the end of the run, it tries to connect to the domain singatradeing.com:

We can catch this connection with another great tool from FireEye, FakeNet-NG that will capture and fake responses to all the queries DNS and HTTP requests, saving all activities into a pcap file that could be analyzed with Wireshark:

We can see that the malware resolved the domain name singatradeing.com with a query DNS (that is faked by FakeNet-NG):

And sent an http GET request to: http://singatradeing.com/espnphp/coreserver/shit.exe

Our fake response served an executable file that was run by the malware:

After that, the malware deleted itself. For this reason, remember to make a copy of the sample executable.

I wasn’t able to download the real executable (shit.exe) but I’m sure it will be easy to find it.

More informations related to that domain can be found here.

Recap

The malware sample, when it runs, tries to steal credentials from the registry keys, tries to download another executable and run it, deleting itself at the end.

Pony stealer: a malware analysis - Unpacking the sample - Part one

Mon, 23 Jul 2018 07:00:00 +0000

During my day by day job, I had the chance to came across a mail that was blocked by an antispam platform. Attached to this mail there was a sample recognized as a variant of Pony Stealer malware. Since I’ve been greatly interested into malware analysis in the last few months, I thought it would be fun, and also a useful exercise, to apply all the notions I’ve been reading so far and writing this post, maybe, would help me in fixing methodologies and concepts. I hope this will be a two parts blog post: during this first part I will focus on unpacking the malware, during the second one I’ll try to analyze its real behavior. Let’s the journey begin.

Noob alert

First things first: I’m no expert at all. This is my first experience in reversing malware - and also in blogging something - and so expect a lot of shady things and confused assumptions. Learning something new is always a good idea and I hope that digging into malware analysis will allow me to glue together some skills that I’m trying to learn in the last couple of years. Also, do not rely on the memory addresses in the screenshots. As this post was written during various sessions, memory addresses changed every time due to operating system memory protections (ASLR).

Lab setup

You can find great tutorials online on how to setup a professional and secure lab to test all malicious sample you get. I’d like to point you out to these useful resources:

Running the sample into online sandbox

Since, right now, I don’t have a working setup of Cuckoo sandbox on my behalf, the very first thing I did was uploading the sample into a freely usable sandbox online with these results: http://tinyurl.com/y9gspzmt. As you can see, it labels the sample as a variant of the VBObfus.g family. I didn’t find a lot of informations about this malware family, but dynamic analysis shows me very few indicators:

No evidence of malware activity into screenshot.
No network activity.
Every string is almost obfuscated.
No extracted files.
No evidence of process injection.

Important to note, although no clear evidences, the sample is classified as malicious with threat level as 71/100. Pretty strange, uh?

Hybrid Analysis has this great feature: if you click on the sample filename, in this case SKMBT_C36018060720040_pdf.exe*,* it shows a bunch of useful informations such as API calls used by the executable, registry keys it gets and/or sets during its runtime, filesystem activity, handles opened to files, operating system modules and other kind of libraries it uses. With all these informations we should have a proper level of confidence of what happens during the sandbox run. Let’s dig into some of them.

First thing I looked at, was the activity on the filesystem:

No files saved and the infamous msvbvm60.dll caught my attention, but we will deal with this later. Nothing too much interesting into registry section too:

There’s a possibility to filter the operations (Query, Open, Write and Delete) but I didn’t find anything related to write or delete operations.

The most interesting section is the API calls section. To understand the malware behavior during its run inside the sandbox, it’s necessary to analyze what API this sample calls. Following this and this useful resources, I started checking API calls, trying to find any evidence of anti-debug or anti-vm techniques, mainly because there’s no evidence of process injection and nowadays process injection is a very, very common technique. After checking all API anti-debug calls found in documentation I was clearly missing something because I wasn’t able to find any of them. So it’s time to give it a run into my lab and observe its behavior.

Static analysis

Before give it a run, let’s check with some basic tools how’s the file is built:

So, really we’re dealing with a VisualBasic 5/6 executable file.

Let’s dig into more details with the executable:

With this great tool we can find some initial informations:

File Version Info Size=1548 -> 060Ch
Translations : 040904B0 Language : English (U.S.) - ( 0 4 0 9 )

CompanyName = NIrSOft
FileDescription = ELEctrum
FileVersion = 6.02
InternalName = Bulbotuber
LegalCopyright = LAVasoft
LegalTradeMarks = THE ERAser PROject
OriginalFilename = Bulbotuber.exe
ProductName = ASUs
ProductVersion = 6.02
Comments = Pwa, INA.

Don’t know how useful these informations are but, anyway, it’s always better to have informations rather than nothing. Assumed that it’s a VB5/6 executable file and I don’t know how to deal with it inside IDAPro, my next action will be to run it inside my Analysis VM, with the intent to understand better its behavior.

Dynamic analysis

Interestingly it seems to me that, after some sort of unpacking in memory, there is clearly a process injection:

Apparently there must be in place some sort of anti-debug and/or anti-vm tricks. Easily enough in x32dbg there is a life-saving plugin, named ScyllaHide, that is capable of doing some black magic to hide the debugger from malware. We can avoid the process crashing during its run inside the debugger.

We can observe that the sample creates another process with the same name - a copy of itself - and this is typically an indication of the process hollowing.

I won’t dig into describing the process injection because there are some great guys that have created very complete and clear tutorials on how to approach this technique. I can suggest this site maintained by this great guy: Sergey and also his Youtube channel here. I strongly suggest to follow all of his videos and tutorials: they are a great way to learn malware analysis and unpacking.

Unpacking the malware

To unpack the malware we’ll focus mainly on these three API calls:

kernel32.CreateProcessW

ntdll.NtWriteVirtualMemory

ntdll.NtResumeThread

New process creation

First API call to breakpoint into debugger is kernel32.CreateProcessW, that creates a new process and its primary thread (cit. Microsoft). We’re interested in its syntax:

BOOL CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation
);

And more interestingly, its structure on the stack when its called:

In accordance with the calling convention the function parameters are pushed on the stack in reverse order. At address 0x0018F460 there’s the function fifth parameter dwCreationFlags, with the value of 0x00000004. This value means CREATE_SUSPENDED; we have reached the start of the hollowing process: a new copy of the process has been created in suspended mode.

We can confirm its PID 2660, running the function CreateProcessW until it returns and checking in memory dump the value of the first parameter pushed on the stack at address 0x0018F470 with the value of 0x0643008C:

The new process PID is at address 0x06430094: 0x0A64 that translate into decimal in 2660.

Running the newly created process

We won’t bother too much with ntResumeThread API call. Just note that when you reach breakpoint on this call, you know that the malware is ready to run itself (the new copy of itself actually) and, for this reason, you need to be very caution. Just don’t let this call run because you’re executing the malware itself.

Unpacking the malware

The interesting part: this API call let us to dump the hidden payload stored inside the malware. So, breakpoint on it and let the malware run until it reaches the breakpoint. As before:

NtWriteVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG NumberOfBytesToWrite,
OUT PULONG NumberOfBytesWritten OPTIONAL );

Basically we’re interested in two arguments, in particular: the BaseAddress andthe Buffer. These two parameters tell us where the buffer (the malware payload) will be written inside the newly created child’s memory. During its run, the malware makes a lot of calls to this function and I single stepped all of them: when breakpoint is reached, analyze the stack:

Focus on the third argument: 0x064B6000 and follow it into the memory dump:

It seems we found something interesting, uh? :-)

We found that a PE file will be copied inside a memory address. Easy to dump it, right now: right click on to that address and follow it into memory map and after that dump that segment into a file.

So we have dumped an entire segment into a bin file. We can open it with an hex editor, scroll down until we reach the start of PE file (MZ magic bytes) and clear all junk from MZ to the beginning of the dump. Save to a new exe file and we’re ready to open it with another great tool made by hasherazade: PE Bear. Luckily for us, IAT (Import Address Table) was not corrupted and we can see all the API the (real)malware calls when it runs.

Basically we have unpacked the malware.

I will try to update this post with the second part as soon as I’ll figure it out. :-)

Malware Analysis on Kartone's Reversing Garage

Project Sodinokibi

Learning Python

Getting the samples

Getting insights on ransomware configuration

Understanding the data

The p0sT5n1F3r Backdoor

WannaCry, two years later: a deep look into its code

Flash forward to 2019

Peeling the onion

The Plan

Analysis of the first layer: launcher.dll

Function sub_10001016 aka ExtractAndCreate

Function sub_100010AB aka RunTheFile

Conclusion after the first layer

Analysis of the second layer: mssecsvc.exe

Conclusion after the second layer

Analysis of the third layer: tasksche.exe

Conclusion after the third layer

Conclusion

Pony stealer: a malware analysis - The sample analysis - Part three

Pony stealer: a malware analysis - The sample dry run - Part two

Recap

Pony stealer: a malware analysis - Unpacking the sample - Part one

Noob alert

Lab setup

Running the sample into online sandbox

Static analysis

Dynamic analysis

Unpacking the malware

New process creation

Running the newly created process

Unpacking the malware

Function `sub_10001016` aka `ExtractAndCreate`

Function `sub_100010AB` aka `RunTheFile`