Malware Dissection: Looking at the eyes of Evil [ENG]

Hi H4x0rs!
Continuing with the theme of solving Malwaretech’s challenges that seems you´ve like it, I want to bring you what would be an A-B-C to do a basic and static analysis of Malware in which we’ll see several tools above and what they do by ending up with a small final scheme to use it as a checklist or methodology.

First of all Don’t be alarmed, but it is true that in this case we are already handling real malicious content so we have to be aware that a click where we should not or unpack this in some compromised site can have fatal consequences. To begin here you are a list of sites from which we will be able to extract material for analysis and practice:

• https://github.com/ytisf/theZoo
• https://virusshare.com/
• http://vxvault.net/
• http://atm.cybercrime-tracker.net/
• https://beta.virusbay.io/

 

Afterwards, if you want more updated samples, all you have to do is open an email and subscribe to one of the pages that come out when we try to make a download of dubious legal content…

As an intro and knowing that many of you already know it, some theory about the types of malware that exist in the wild:

• Virus
  • Computer viruses are simply malicious programs that «infect» other files in the system with the intention of modifying or damaging it. This infection consists of embedding its malicious code inside the «victim» file (usually an executable) so that from that moment the executable becomes a carrier of the virus and therefore, a new source of infection.
• Trojans
  • A Trojan is a small program usually hosted within another normal application (a file). Its purpose is to go unnoticed by the user and install itself on the system when it executes the «host» file.
• Rootkits
  • If we are talking about malware, they take the cake because in this case it is code that is hidden in the system and its objective is to remain hidden while helping with different tasks that are required.
• Worms
  • They’re a type of malware that doesn’t need a host file to stay alive. Worms can reproduce on their own and spread freely.
• Spyware
  • Spyware is an application that collects information about a person or organization without their knowledge or consent.
• Ramsonware
  • It is a malicious code that encrypts the information of the computer and enters in it a series of instructions so that the user can recover his files.
• Addware
  • Addware is a software that displays advertising for different products or services. These applications include additional code that shows the advertising in pop-up windows, or through a bar that appears on the screen simulating to offer different useful services for the user.

What is a Packer?

Packers are code compression programs that optimize an executable and make it weigh less.  Almost all current malware uses packers in fact there are several types that are very common:

• UPX (Ultimate Packer for eXecutables) Free
• Themida

In fact there are packers that directly add capabilities such as detection of where the program is running and avoid execution in virtual environments for example.

What is a Crypter?

It is a content encrypter of the executable code so that it is possible to skip antivirus scanners.

A crypter is divided into 2 parts:

• Builder
  • It is the program with graphical interface with which we «encrypt» the content of the binary.
• Stub
  • What the stub does is encapsulate both the original file and the stub itself and leave it in a single file in which it also leaves the indications for its execution from the end of the file.

 

FURTHER INFO => Here

What do you mean by Obfuscated Code?

It is another technique used to prevent the code from being accessed since what they do is change variable names and functions so that analysts cannot see what they are doing and thus make reverse engineering difficult.

FURTHER INFO=> Here

Okay now we need an environment in which we feel safe to do so I offer two possibilities.

1. ANY.RUN  ⇒VERY CONTROLLED and ONLINE Environment that offers the advantage of not bundling it too much since it is an environment prepared for this purpose and that allows us to monitor absolutely everything but with a small glitch …. is limited by time so if the malware in question has something to delay the activation is not going to serve us much.

1. Own environment with VMs, needless to say that in this a setback and we risk … but if we have the isolated environment should not have any problem. This is the most recommendable option in case you want to be serious in this world. In this case we will have a virtual HOST ISOLATED network in which we will need 2 machines:
   • On the one hand the «Malware Lab» which is where we will have our tools to analyze the sample.
   • On the other hand «Service Server» that will simulate the exit to Internet of this malware and will give answer to the requests that it makes to the outside.

Okay, but as much as I have VMs… what tools do I need and what is each one good for?

ONLINE Analyzers

It is always interesting to have tools that give us quick answers and are easy to use and for this we have two main resources that are very useful:

• Hybryd Analisis => RPerforms an exhaustive analysis of the samples or links that we provide to later generate a complete report in which it shows screenshots of what has been happening with the binary in the virtual machines they have.
• Virustotal=> I think there is no need for presentations, antivirus engine par excellence that analyzes the sample in a cluster in which they have more than 40 AVs showing the results of each analysis.
• KOODOUS => A community where applications are scanned for malware and catalogued. Really interesting and on top of that a national product!
• Intezer => A very interesting binary analyzer that has a «Comunity Edition» option that dissects the file, breaks it up and compares it with its database to give results adjusted to the sample.
• Alienvault OTX => E-intelligence Tool from the company ALIENVAULT which has its own free API that comes great for making own scripts.

OFFLINE Tools

• Hahs Calculator
  • https://www.slavasoft.com/hashcalc/
  • Useful to calculate the hash of the Binary and not need to upload it to any platform since all the pages dedicated to the analysis and cataloguing of malware normally use the MD5 format of the hash of the Binary to archive it.
  • 
• Strings
  • https://docs.microsoft.com/en-us/sysinternals/downloads/strings
  • It is used to extract data from an executable that has not been obfuscated such as IPS, commands or Dlls to which it refers.
  • 
• PEiD
  • https://www.aldeid.com/wiki/PEiD
  • It serves for the detection of Packers in the file to analyze.
  • 
• Dependency Walker
  • http://www.dependencywalker.com/
  • To review the Dynamically Linked functions and associated dlls.
  • 
• Peview
  • https://www.aldeid.com/wiki/PEView
  • It serves to look in the Header the files and references that the binary has written.
  • 
• Resource Hacker
  • http://www.angusj.com/resourcehacker/
  • Check the .rsc content of the binary to see what kind of resources it contains.
  • 
• PEStudio
  • https://www.winitor.com/
  • Performs a quick audit of the binary we want to analyze, even going to Online Services to analyze it.
  • 
• Regshot
  • https://sourceforge.net/p/regshot/wiki/Home/
  • Creates a snapshot of the system’s Registry, which is then able to compare with another one we provide after the binary has been executed.
  • 
• InetSim
  • https://www.inetsim.org/
  • Internet network simulator that responds to requests made by the malware in question or an application.
  • 
• ApateDNS
  • https://www.fireeye.com/services/freeware/apatedns.html
  • DNS resolution simulator that together with the previous tool allows us to simulate the entire Internet network and see how the malware in question operates.
  • 
• IDA Free
  • https://www.hex-rays.com/products/ida/support/download_freeware.shtml
  • Reversing tool par excellence that has a free version with which we can dissect the binary and see in assembly code how it works.
  • 
• Process Hacker
  • https://processhacker.sourceforge.io/
  • Similar to the Windows Process viewer but allows more customization by filtering the processes that interest us as well as references it takes and what it is doing in the system.
  • 
• Ollydbg
  • http://www.ollydbg.de/
  • Very well Known debugger.
  • 
• x64dbg
  • https://x64dbg.com
  • Debugger well known for files in x64 architecture
  • 
• Inmunity Debugger
  • https://www.immunityinc.com/products/debugger/
  • Debugger widely used in the world of Exploiting
  • 
• Windbg
  • http://www.windbg.org/
  • Own Windows system debugger
  • 
• Wireshark
  • https://www.wireshark.org/#download
  • Tool to see the network traffic and analyze the packets that are traveling through it.
  • 
• Dirwatch
  • https://www.aldeid.com/wiki/SysAnalyzer/DirWatch
  • A tool that gives us a summary of what happened in a folder that we tell you has to monitor.
  • 
• Powertool
  • https://code.google.com/archive/p/powertool-google/downloads
  • Antimalware and portable antirootkit tool for Windows systems that allows us to analyze some movements inside the system kernel and repair them.
  • 

Now comes when you say ALL precious well explained (or not) but we still do not see a «methodology» by which to guide us minimally and for that I attach my template EXCEL and a guide of what I DO (Which does not have to be the most «correct»). It’s not a panacea but in order to practice it’s coming great.

1. Calculate Binary HASH
2. Review the Strings and write down what is useful to us.
   1. Functions
   2. Urls
   3. IPs
   4. Key Words
3. Type of packing /Unpacking
4. System functions and APIs you use

And for now with this you have more than enough to entertain you for a while … many things to see … many things to touch … and even more … perhaps you can even infect you hahahahaha. In the next article we will see how to start analyzing a binary little by little and how to use the tools that we have been mentioning.

Be good!

«There are trojans… that deploy rootkits  in your brain and slowly creep into your heart to gain silently root access and persistence… MZC»

Nebu_73