For security reasons i can’t post in my blog links to the malware i used in analysis. So sorry for that. Finding appropriate sample is lies on you…



Hello dear reader. This is continuation of my introduction article about Malware analysis. Today i will write about analysis type and overview different tools.

So, let’s start. Imagine you have a malware in stub.exe. To analyze it we will firstly start virtual machine to isolate malware from our host machine. In VM we also can create snapshots. It allows us to revert every changes to the previous state. I found this malware in virus share websites ( there is a lot, it is a databases ).

Let’s scan it firstly on virustotal.com.

So it is looking like to be a dropper

Dynamic analysis

Advantages

Gives full image of malware behavior without disassembling

Easy to perform

Doesn’t requires special knowledge

Disadvantages

Easy to mitigate by malware

May be difficult to interpret in sophisticated malware

This is a type of analysis when you run a malware and look for differences in system. Firstly, you need to know that many malware has mitigation techniques. For example it may try to perform detection of analysis to avoid execution on analytic’ system . We will cover it in later articles, today we will see the basics.

So, let’s start from ProcMon. You can download it from Microsoft’s web-site.

After start you will see the window exactly like this. There you can see logging of usage Windows’ API by all processes. In the example you see how windows explorer tries to read several registry keys. Let’s execute our stub.exe.

Let’s click to Filter -> Filter. Then there we can filter all output by stub.exe like this:

After applying filter we can see now window like this:

This code is windows PE Loader calls. When .EXE file starts windows loads all dependencies. You can see several Load Image calls ( CreateFile is used there like function IsFileExists() ).

Then we can scroll our window next.

Wow! The typical malware behavior. You can see calls in loop of file-read, then file-write. What happens? Malware reads self in loop and writes to file in ProgramData. The usage of such technique is something like Antivirus bypass. It is an implementation of CopyFile-function. So this is installation routine.

Let’s look next.

What’s this? It is setting startup key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run key with name of mscorsvw.EXE. But wait. There is no information about value. To see additional info – double click on the line.

So we can sure it sets itself to autorun. Scrolling next will show the typical image of network interaction. There is no answer and malware ends. I don’t know the reasons: may be there is no command, or there is no C&C already.

1 – the main network communication.

2 – the clean-code ( process destruction )

3 – initialization of network

So this was a dynamic analysis. What did we know? The behavior: installation routine, network communications. What we didn’t know? The logic. Why does it exited? We can’t know. So we will use static analysis now!

Static Analysis

Advantages

Full logic analysis

Possibility to reconstruct the whole code of malware

Possibility to find weak places

Disadvantages

May be very difficult sometimes

Malware in the wild frequently uses encryption and packing, so later i will write how to bypass it 🙂

Let’s open our file in IDA Pro. This is an interactive disassembler. It will build assembly language code of the stub.exe. This code is luckly unpacked. I will write laterally how to deal with packed/crypted code.

When you first open you will see window like this. At the center is a code in EntryPoint. Let’s see what is in sub function.

This code actually has every malware. It gets path to self executable and then path to ProgramData. Not interesting. Let’s find Network communication. The main mystery of this sample.

( contstuctions like mov [esp+298h+dwFlags] means it was compiled in gcc/mingw )

Let’s go to Imports. then click on every WS2_32 function. After going to it’s import table press ctrl + x to look Xrefs

So we see the function connect xrefs in two places but in the same function. It seems this function is network interaction! Let’s see what inside

There is we can see the usage of connect function at 2. At 1 we see domain resolve by gethostbyname. But look! There is no defined string at the location gethostbyname refers. It means it’s calculating dynamic while malware execution. To see this we need use Debugger ( it is included to IDA Pro ). My some of next article will be about debugging ( it is not so necessary, address we saw from dynamic analysis ).

Let’s now what’s happen in the place network communication is called! The place where process exit after. Going up and press ctrl + x on the name of this routine we will see it’s xrefs

It calls from the another level of network communication. Sure! The routine we was is connection. But there is also routine to send http packets and receive it. Let’s go up again by doing the same. If you have a Hex Rays plugin you can also decompile assembly to pseudocode!

There we can see the logic. If connection succeed it parse HTTP header ( look to sscanf ), after it is calling some functions. Okey… we can go deeper. But i stop. I can say that it reads some payload and then loads it directly to memory ( based on further 5 mins analysis ). But detection of such routines will be covered in other articles. This article is too long.

Conclusion

We got with dynamic analysis:

This is a malware downloader

Installs itself to C:\ProgramData\NetFramework 4.0\mscorsvw.exe

Connects to web-server

Exits

We got with static analysis:

It exits because of there is no payload at target address

If there is payload it allocating memory and calls some functions ( uncovered in article: LoadPE )

So you see advantages and disadvantages of all methods. I hope you liked it! Share with your friends and wait for new articles. Subscribe in wordpress!