Gameel Ali

Gameel Ali

Malware analysis & Reverse engineering

Full analysis dropper malware 0x01

8 minute read

Introduction

I am so happy to write about the second full analysis for dropper malware and we will deep into details of the analysis

Identification

When scanning the malware with virustotal we can see that the malware has been detected by 10 out of 70 security vendors and we can see the results in the next figure.

01

Artifacts

We can see the following artifacts that have been analyzed for the sample

  • PE timestamp : 2020-06-25 06:30:41
  • SHA256 : a4c1473add35a0409fc49c12c344decf8ff71b1029f77de2d20c9794ce387ab9
  • Size in KB : 95.50 KB
  • File name : sample.bin

obfuscation

When examining the next figure, we can see that attacker makes an array of Base64 data which obfuscate the process of reverse engineering and hidden C&C which will be used to download files after getting the temp path directory and also we can see that the sample use CryptStringToBinaryA to decode the C&C and after downloading the file, the malware will remove it and we can see the results in the next figures

02

Now we get an overview of the function and summary for actions that taken by sample. So I will deep into every function to extract more information about the behavior of the sample. After examining the first function from the parent function, we can see that malware gets the path to the temp directory and push the first index of the array to decode it and we can decode the first index to get the first C&C and we can see the results in the next figure.

03

After decoding the first index of the array, we can see that malware downloads the file from this link (http://www.elsmap.com/pic1.jpg) and after downloading the file in temp directory the malware will remove the file name and C&C which used for downloading the file, So we can see that malware makes for loop to do this operation for 10 times and we can see the result in the next figure

04

from the previous figure, we can see for loop and we will see 10 files and 10 C&C to download them in temp directory.

http://www.elsmap.com/pic1.jpg       ---> Temp\banner.jpg
http://www.elsmap.com/start.jpg      ---> Temp\start.jpg
http://www.elsmap.com/pic1.jpg       ---> Temp\pic1.jpg 
http://www.elsmap.com/pic1.jpg       ---> Temp\pic2.jpg
http://www.elsmap.com/pic1.jpg       ---> Temp\pic3.jpg
http://www.elsmap.com/pic1.jpg       ---> Temp\pic4.jpg
http://www.elsmap.com/pic1.jpg       ---> Temp\pic5.jpg
http://www.elsmap.com/footer.jpg     ---> Temp\footer.jpg
http://www.elsmap.com/exam/runme.bat ---> Temp\runme.bat
http://www.elsmap.com/header.jpg     ---> Temp\header.jpg

Anti debugging

I will deep into the next function, so we can see in the next figure that malware is being debugged in the process environment block and if find this flag is one, this means that the process is running under the debugger and show the message and in the end, will exit the process so we can change the path of if condition to bypass these techniques

05

Anti Sandbox

The malware uses anti sandbox tricks to detect running malware in a sandbox by making if condition on four functions and if any function return true the malware will show message sandbox detected and exit process to prevent running malware and we can see that in the next figure.

06

So we must examine every function to know about tricks that are used by malware to detect the sandbox and I will be started by Anti_sanbox_1 to deep into it and I will start by Anti_sanbox_1 function to deep into it, after examining the function we can see that malware gets information about a system using (GetSystemInfo) and then use (GlobalMemoryStatusEx) to retrieve information about the usage of the system for physical and virtual memory and we work on a virtual machine which uses less physical memory and virtual memory and from here the malware detects the sandbox by using this tricks and the malware also will create the file and in the end, it will check the DeviceIoControl calls that used to trigger the Virtualbox exploit. So we can see the results in the next figure. 07

I will examine the Anti_sandbox_2 function to know about tricks used by malware to detect the sandbox, the malware will search in the system32 directory for the two file

  • C:\Windows\System32\VBox*.dll
  • C:\Windows\System32\vm*.dll

And also open the following two registry key

  • SYSTEM\ControlSet001\Services\VBoxSF
  • SYSTEM\ControlSet001\Services\VMTools

After searching about two files and two registers, we can identify that malware tries to find VMware and VirtualBox programs that are used as a sandbox by these tricks and if the malware finds anything from them will detect the sandbox and we can see the results in the next figure. 08

I will examine the Anti_sandbox_3 function to know about tricks that used by malware to detect the sandbox, the malware use K32EnumProcesses to see all process and check for VMware processes or Virtualbox processes.

09

now I check the last function and we can see that the malware use GetTickCount64 to retrieves the number of milliseconds of the execution process to detect the sandbox.

If you open the malware in the debugger and bypass the anti-debugging and anti-sandbox techniques, the malware will show a message, and to bypass it, you must click on the (No) button to complete the process of debugging the malware and we can see the message in the next figure.

09

Updata a system

Malware download updates on a system and check the internet connection with (InternetCheckConnectionA)

11

persistence

The malware will copy base64 data and pass it as the first parameter to decode it and after decoding the base64 data the malware will set the key to persistence itself and we can see the overall in the next figure.

12

when decoding the base64 data, we can see the decoded value in the next line.

 Yzpcd2luZG93c1xzdmNob3N0LmV4ZQ== ---> c:\windows\svchost.exe

open the run key and set a key called WizLoader and we can see the results in the next figure

13

From the previous figure, we see the path to the key and the name of the key which is called “WizLoader”. SO I will go to regedit from run to see the key and we can see the result in the next figure.

14

so we see that the WizLoader is .exe and from here we can identify that the malware tries to make AutRun for malware. the malware copy another base65 data and decode it. so we can see the decoded value in the following lines.

 aHR0cDovL3d3dy5lbHNtYXAuY29tL2Jhbm5lci5qcGc= ---> http://www.elsmap.com/banner.jpg
 QzpcV2luZG93c1xTeXN0ZW0zMlxjb25iYXNlLmRsbA== ---> C:\Windows\System32\conbase.dll

we can see the code that copies the previous base64 data and decode them in the next figure.

15

we will check the next figure to see more information about malware, so we can see that malware tries to persist. We can see that the malware encodes the conbase.dll to supply conbase.dll during the system boot for malware and persistence in HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors and we can see that conbase.dll is located in C:\Windows\System32 and we can see the result in the next figure. 16

After that, the malware will download a file from (http://www.elsmap.com/banner.jpg) and delete the traces behind by deleting the URLs that used to download files and we can see the results in the next figure.

17

let us check the next figure, we can see that malware will generate a name for temp file and pass the generated name to (CreateFileA) to create a file with generated name and copy Base64 to decode it and write the buffer on the created file and we can see the result in the next figure.

18

now I will go to the debugger and see the generated name and the created file and we can see the result in the next figure. 19

we can see that the malware makes for loop to create 5 files and when I examine the first file of them. I can identify that this file is meaningless after writing the buffer in created file and we can see the buffer in the next figure.

20

Dropper files

After that, the malware will create a ph.exe file in the same directory and we can see the result in the next figure.

21

I want to see the buffer that will be written on file after creating it and we can see the results in the next figure

22

the buffer was base64 data and malware decodes it and copies the buffer by WriteFileA. when examining the next function we see the same methodology for creating and decode buffer to create the malicious file which is called Loader.exe and we can see the created file in the next figure.

23

In the last. the malware will execute Loader.exe by open cmd.exe as administrator and pass the parameter to execute the malware on the system so we can identify the first stage of malware is dropper another malware and execute on the machine and we can see the results in the next figure.

24

IOCs

a4c1473add35a0409fc49c12c344decf8ff71b1029f77de2d20c9794ce387ab9 CF48AF5B5779877C3BD9F15A443BE1B1 D2DCC98A3CF29BE377291DAC3EE5DF1C

C&C

hxxp://www.elsmap.com/header.jpg hxxp://www.elsmap.com/pic1.jpg
hxxp://www.elsmap.com/start.jpg
hxxp://www.elsmap.com/pic1.jpg
hxxp://www.elsmap.com/footer.jpg hxxp://www.elsmap.com/exam/runme.bat