Now let's just jump into a demo and see what we're looking at. This particular hash I will make available to you. Let's say the scenario is that dynamic analysis is failing. Someone who doesn't know as much as you do about malware has said, "Hey, I can't get this sample to do anything. It just starts up, executes, and then dies." We can replicate that here. Let's say they were looking for network traffic. Here I've installed Wireshark, so I'll start it up (the standard password is "infected") and start a Wireshark capture. As always, check and make sure the network is exactly how you want it. It's not NAT; it's on our virtual network, and we haven't powered up a router. Then we execute our malware.
Let's see if there are any URL requests trying to get out. Give it a few seconds, then open up our log, and it says the process was created and then terminated. We can run it a few more times just to make sure, but the person who detonated our malware before us and can't get it to run any more is right: there's something about this sample that makes it just terminate. It could be a kill date. It could be VM-aware. It could be checking the MAC address of the virtual machine to see if it's a real MAC address and not one allocated to VMware. It could be doing lots of stuff. So how do we get in there, into that sample, and figure out what's going on?
As you would imagine, we use our reverse engineering skills. In this VM I've installed IDA Pro; this version is 6.8. Since it's the demo version, we won't be able to save our analysis, but that's okay, we can still look to see what's going on. It disassembles the sample just fine, and we could just go and click around. But our goal is to figure out why it's not running in our little sandbox, our virtual machine. For that we shouldn't just jump into the code, because that's an easy way to get lost: you'll pop back up an hour later after reverse engineering this thing and say, "What was I supposed to do again?" So here I'm just going to look at something that's usually a good indicator for getting an idea of what this program does, and that's View > Open subviews > Strings.
Now I can look at these strings that are referenced. We can also use the Malcode Analyst Pack and just right-click on the file and say "strings". Thank you, Dave Zimmer. That usually shows us a few more strings. I'm just going to look at them and get an idea of what's going on. I see a few things that are interesting: HKEY_CURRENT_USER, so there's probably registry key use there. Google Chrome, Opera, Firefox, Internet Explorer, Maxthon. These are interesting things I could dig into at any second to try to figure out what's going on. "Private message", "notice", "kick": IRC commands, so this was probably an IRC bot. "Ping". So there's network stuff: Gmail, Yahoo, Facebook. Okay, so this is interesting here: "Sandboxie". I look at this and say okay, Sandboxie, and the other sandbox name; these are sandboxes, commercially available malware analysis solutions, automated analysis solutions. I can see the string is referenced here. I can hit X to see where it's referenced, or just click over here.
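The string triage the speaker does by eye (scan the strings dump, spot sandbox, tool, VM and debugger names next to the process-enumeration APIs) can be scripted. The following is an added example, not code from the talk or from any tool it mentions; the indicator families and the sample strings dump are constructed for illustration and are not taken from the real sample.

```python
# Added example: triage a list of strings extracted from a sample the way the
# speaker does in IDA's Strings view / the MAP "strings" shell extension.
# Indicator families and SAMPLE_STRINGS are assumptions constructed for this
# example, not data from the original sample.
import re
from collections import defaultdict

# Substrings (case-insensitive) that usually mean the sample is looking for an
# analysis environment rather than doing its job.
INDICATORS = {
    "sandbox":   ["sandboxie", "sbiedll"],
    "tool":      ["wireshark", "procmon", "ollydbg", "idag"],
    "vm":        ["vboxservice", "vboxtray", "vmtoolsd", "vmware"],
    "debug-api": ["isdebuggerpresent", "outputdebugstring", "findwindow"],
    "procenum":  ["createtoolhelp32snapshot", "process32first", "process32next"],
}

# Strings that describe capability rather than evasion; they tell you what to
# expect once the sample actually runs (IRC bot, browser credential theft).
CAPABILITY = {
    "irc":      re.compile(r"^(PRIVMSG|NOTICE|KICK|PING|JOIN|NICK)\b"),
    "browser":  re.compile(r"(chrome|opera|firefox|internet explorer|maxthon)", re.I),
    "registry": re.compile(r"^(HKEY_|Software\\)", re.I),
}


def triage_strings(strings):
    """Return {family: [matching strings]} for anti-analysis and capability hits."""
    hits = defaultdict(list)
    for s in strings:
        low = s.lower()
        for fam, needles in INDICATORS.items():
            if any(n in low for n in needles):
                hits[fam].append(s)
        for fam, rx in CAPABILITY.items():
            if rx.search(s):
                hits[fam].append(s)
    return dict(hits)


def looks_evasive(hits):
    """Heuristic the speaker applies by eye: sandbox/VM/tool names present
    together with the process-enumeration APIs needed to look for them."""
    families = set(hits)
    return bool(families & {"sandbox", "tool", "vm"}) and "procenum" in families


# Constructed output of a strings dump (not from the real sample).
SAMPLE_STRINGS = [
    "HKEY_CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Google Chrome", "Opera", "Firefox", "Internet Explorer", "Maxthon",
    "PRIVMSG", "NOTICE", "KICK", "PING",
    "gmail.com", "yahoo.com", "facebook.com",
    "SandboxieRpcSs.exe", "wireshark.exe", "VBoxService.exe", "OLLYDBG",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "IsDebuggerPresent", "OutputDebugStringA", "FindWindowA",
    "uninstall", "Quit updating", "Quit uninstalling",
]

if __name__ == "__main__":
    report = triage_strings(SAMPLE_STRINGS)
    for fam, items in sorted(report.items()):
        print(f"{fam:10s} {items}")
    print("evasive:", looks_evasive(report))
```

Feed it the output of `strings` on a sample and the report gives you the same starting points the speaker picks out by hand: which evasion families to look for first, and what the sample is likely to do once they are dealt with.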
The string is moved into someplace on the stack. These function calls just take their arguments from the stack. This function is being called each time a string is moved here; it's moved into the same location, even though there are pushes, and there are pops at the end. So I see that it takes in a string parameter. I'll hit Escape, jump back up and say okay, I'm going to guess this is either a process name or something like it.
I've been around, I've been doing this for a while, and usually my guess here is that it's checking what's running right now. So if I go here and hit Y, I can say okay, "string". I usually want to name things as I go along. Like this function: I want to take a quick look and figure out what's going on. If I hit X, I can see it's referenced in several other places, so I should probably go ahead and figure out what this function does. I can do that pretty easily, because it's only making a few calls; it's not going any deeper. They're standard API calls: CreateToolhelp32Snapshot. If you're not familiar with Windows programming, you can easily Google this or hover over it and see the parameters. You can get an idea of what it does just by Googling these things and/or having programmed with them yourself, so you get an idea, as a developer, of what's required for what the malware author is trying to do.
So I can see it does CreateToolhelp32Snapshot and then Process32First. If you Google this and go to MSDN and these websites, you can see what these functions require, and the most common use of them is to iterate through all the running processes. I can see there's a string compare. There's the same kind of move convention as we saw earlier, where instead of pushing it's just moving, which is a bit faster. We can see there are two strings being compared. These may or may not match up with the actual parameters; I may not have properly named these. This is a structure, or rather these aren't structures, they're parameters. For the string compare, we know we're taking in two strings, and we know that "dwFlags", that "dw", means double word, which in Windows language is 32 bits or four bytes, because a word was 16 bits or two bytes. We see that there are two strings being compared, and we know we're getting a process name in as a parameter here.
Right here IDA has looked at this and knows there is this much space on the stack, because it's allocated right here, so it took its best guess at what those things were. It says okay, this is a structure. I'm going to name it here "string2", which is what was passed in as the parameter. Normally IDA renames that, but we can do it manually. See, it knows it's the same thing. So we can see the process name is moved into EAX, and EAX is one of the things it's comparing. The string compare is done, and then it tests the result of the string compare. If you look at the documented results of a string compare, you can see what the output is: it'd be zero if the strings are matching and one if they're not, or vice versa.
We can see there's a loop here, and it's iterating through each process name and testing it. If Process32Next returned zero, it would quit; it would exit the loop. So we can see that it was probably looking for a process name very specifically, and if it didn't find it, it returns zero, but if it did find it, it returns one. AL is the lower part of EAX. It's a little sloppy, but the compiler is trying to be more efficient. Frankly, something could have been put in the higher bits of EAX, like AH, and it's only storing one in the lower byte. It's okay; it probably figured out some mathematical way of determining that this is an okay instruction to do. We can see that this is testing, given a process name, whether it is running: false if zero, true if one.
So I'm going to name it. We can see that it does the same kind of test, and these instructions are a little redundant here. It could have easily just left this value in here and put the return up here, but compilers do what they do. We can name this function "anti-something" for the moment. We'll see what calls it by pressing X, and you see only one function calls it. We jump up here and you can see what other things it calls; it calls a few other functions. Jump into one of those: oh look, Wireshark. It's not really anti-debugging, it's a tool check, but all in the same family as anti-debugging, anti-tool. So it looks for Wireshark, and "is process running" is also in there.
Since "is process running" seems to be a commonly used function in this stuff, we can see it's used for the sandboxes and for Wireshark, and there are two other functions that use it, doing the same sort of thing: Sandboxie, a Sandboxie check, and "is process running". Let's hit X again and see what other functions are left: VBoxService. So this is a VirtualBox check. There seems to be anti-tool, anti-analysis, anti-sandbox, anti-VM stuff in here. We can see what other functions are being called. So there was anti-sandbox, anti-Wireshark, anti-VirtualBox, and another function here: OutputDebugString.
This is a specific function that programs use to print out strings which, when a debugger is attached, the debugger will display or be able to process. It's useful for something like an application or a driver that may not have access to a front end, or doesn't want to create a console, but if there's some problem you want to find out about, you can redirect debug messages to logs, or use a program that Microsoft provides to read debug strings. OllyDbg has a little bug in it where, when it tries to process a certain string, it will fail. I happen to know that because I've seen it before, and if you Google around for it you can find stuff. So I'm going to call this "anti-debug". It moves zero in and then calls FindClose; I happen to know that's another little anti-debug trick.
I can see it's trying to find a window, a particular window. I'll see what the parameters are: that's a long pointer to a class name, and a long pointer to a C string as the window name. I look at this and say okay, that's interesting, it's right here, and this value here looks interesting to me. Usually constants that large aren't used all that often unless they're for comparison checks or whatever. So if we right-click on this, we can display it as decimal, we can display it as octal, we can display it as binary, or we can display it as ASCII. That's interesting. If we do the same to the other value, we can see "OLLYDBG". So it's looking for the window with the name OLLYDBG; it's trying to get a handle to the OllyDbg window. So I'll name this accordingly: it tried to find OllyDbg with this call.
Then it calls IsDebuggerPresent. So it is using that function call that we discussed earlier, and it does a simple test. It was here that it tests BL, which is what these other checks would use to say "hey, I'm being debugged" or "I'm in a virtual machine". Then it would call this function if it determines that it is in a virtual machine: test, jump if not zero. So it jumps around if not zero, and this would be called if there was a virtual machine. Let's see, BL... so if a tool is detected, BL would be marked as one. For right now I'm just going to say it's probably some terminate thing. Okay, so it does a Sleep, and this value is interesting: 500. So it's doing a Sleep, and then it keeps going. That's interesting. Move AL... so if it's in a VM, it does a Sleep.
Now, normally I would have a notes file open, and I'd be making notes about the stuff I'm finding as I'm finding it. But now we get to the end. Even if I don't know exactly what it is, I want to do my best to name the functions. This one is "is being debugged". I'm going to hit X and see what calls that. I can see it's called by this function, so we can repeat this process over and over again, climb up the ladder, and completely reverse engineer the program. But we've basically accomplished our goal: we figured out why the program wasn't running, and we can test this. We can be scientific about it and run it beforehand in a virtual machine with the same conditions the other guy had, and then we can do something about it. We can change the environment, or, as something I will talk about later, we can actually patch the program. We can change the malware so that it no longer does this check, where if this returns true, one, a non-zero, basically it will go execute this and terminate the process.
It's interesting: if nothing is detected, everything is fine, it will take this jump, jump if zero, do a little Sleep for one millisecond and set this byte to zero. Now, this byte is interesting because it's also compared up here to see if it should even continue: it's a comparison with zero and a jump if not zero. The green arrow is if it takes the jump; otherwise it would fall through here, and if it's not zero it would jump here. That's interesting, so for right now I'm going to call this the "debug flag". It's not exactly the debug flag, because it doesn't seem to be checking for debuggers; if there is a debugger, it'll just terminate. But it looks pretty interesting nonetheless, because I can see that it is referenced throughout the program.
We can jump into some of these and reverse engineer the program, or we can see, look, there's a CreateProcess, and then it checks this flag and changes its behavior. So, me being a little paranoid, I would think okay, maybe this is another anti-debugging technique, because another technique relies on the fact that you can only debug a program with one debugger at a time. Some malware will launch another process of itself, and then it can tell that process, "Hey, try to debug me. If you can, great, you're the only one that can debug me. If you can't attach to me as a debugger, that means there's another debugger attached, and I should just go ahead and die." So I would kind of look, I'd try to reverse engineer this more and see if that is the case. But for now, I'm just going to jump around and see where else this flag is referenced.
I can see that there's more sleeping involved. Well, I am a paranoid person, but this reminds me of another anti-debug technique, which is that a lot of malware will just say, "Oh, you just installed me on the system? Okay, we'll sleep for, like, ten minutes, two hours, a day, whatever," and it's relying on the fact that sandboxes and automated analysis solutions will only wait 30 seconds, or a minute, or two minutes, or five minutes, and the malware can simply outlast them. So a lot of sandboxes will hook this function, Sleep, and speed it up. It'll just say, "Oh, you want to sleep for ten minutes? Okay, done, now it's ten minutes later." As a kind of sandbox detection method, malware will then see if that time actually did pass. It can use that with GetTickCount, or it can use an instruction to see how long the computer has been online, and compare that before and after the Sleep; it can do a lot of things to determine whether a certain period of time has actually elapsed. So I'd dig into this a bit more to see if this is the technique they're using. Probably not, because it's only sleeping for one millisecond.
Usually when I see a flag that I find interesting, I kind of start up front, because generally these addresses are sorted from beginning to end, and generally code up front is executed first. Obviously you can have a jump instruction that jumps all around, but I've found that compilers tend to make the code linear in the order it is executed. So I find this interesting, where it will check this anti-debug flag and then go to... it says "quit uninstalling". I see it shutting down a socket, closing down the Windows socket library, and then calling this function. Just dive into it really quick: I see that it's accessing the registry keys it is probably using for persistence, and I can see that after it accesses those, it opens a registry key, then does RegDeleteKey. So it looks like it is indeed uninstalling.
I'll just make a quick note of that, hit Escape, go back up and say okay, so this flag may not be a debug flag but may just be an uninstall flag. I'll call it "uninstall_debug_flag". Hit X again and say okay, where else is it referenced? It's referenced here, somewhere we've been before. Looks like IRC stuff, looks like an IRC command processing module: version, request, destination. Well, this looks interesting, but it's not what I'm after. What I'm after is just to see... there's my other flag again. What I'm after is to see whether there's any more anti-debugging going on. Is there anything else built into the code that will hinder dynamic analysis?
Because as I figure that out, I can say, okay, you just can't run Wireshark. Hit X again, find all the places it's being referenced, go to the next one, just kind of climb up. It's called in a few places. So really, right now, I'm just kind of wandering around the code. Another thing I'm interested in, since this flag was seen around this area (just hitting Escape a few times), and it's like "has been debugged": I'm going to name this function, and then look at where this flag is written and where it is accessed, and pay attention to it, because if this has anything to do with debugging, I would like to know about it. So I can hit X, and over here in the type column I can see it's only written to in three places, and in all the rest of the places it's being read. So investigating those places will tell me what criteria this code is using to read or write that variable.
This is very interesting, down here in the bottom left: this is a fairly big function, and I'm willing to bet, just from the structure of it, that it's a command processing module, or a very, very large switch statement. I can see where it writes one into this uninstall/debug flag, and by just double-clicking on this arrow here I can jump all the way to the code block that had that jump. Here I can see it's checking something against the string "uninstall". So it's looking more and more like this flag doesn't really have much to do with debugging so much as with some uninstall feature. If I wanted to do a full reverse engineering, this would be a great place to start, because we can enumerate all the commands and probably get a good idea of capability, function and purpose. For now, let's jump back up here.
Okay, so you might be like, okay, great, that's interesting stuff. Check out these other places where it's written: "quit updating". So another kind of quit/uninstall thing. Hit X and go back to the last place this flag was written to, and we can see this. You might be like, "Oh, what is this? What's going on here?" Well, I can see a zero and a bunch of other constants being moved into not just this flag but the other flags beside it, and it looks like program data, the registry key, user profile, whether it's Windows XP, whether it's 2K, all this stuff. It looks like it's setting up globals. Is this only called in one place? Yes. Thank you, IDA, I really like your product very much. So we can see that we've already begun digging into this program, but we got what we came for. We don't really see any other anti-analysis strings, and we don't really see any anti-debugging stuff other than what we pinpointed.
So what are we going to do about it? If our person says, okay, well, I really have to have Wireshark on my analysis machine, on all the VMs, or I really have to use Sandboxie, or I really have to do this or that, what should I do? Here's the anti-debugging action. Here is where the program says "am I being debugged?", gets a return value from all these checks that it does, and then acts on it. It tests the return value: if it's zero, we keep going with our thing; if it's anything else, terminate the process. So we can actually patch the program; we can modify it. And how do we do that? With our good old friend OllyDbg. You can use 2.1, you can use 1.1; they all do a fine job of this. There are plugins that can help, but I'm just going to do this without plugins.
We know it has anti-debugging, and we know in fact that one string might even break OllyDbg, or just detect that it's there. But we can go ahead and load it up. By default OllyDbg will break at the system... not a breakpoint exactly, but it will break when the main module loads and begins executing. A note for the paranoid: there's stuff in this executable that gets executed before the main function does, like a TLS callback. Some malware authors will hide either the main code in the TLS callback, or they'll hide their anti-debug stuff in the TLS callback. So sometimes you might have to modify OllyDbg's settings, where instead of WinMain you say break at the TLS callback, or where the main module begins, or whenever the system takes over, or whenever a DLL loads, or whatever it is. But the default is just fine for our purposes.
So here in OllyDbg, I'm going to hit space, and I'm going to go to this location. Now, this is the relative virtual address, the RVA, and this is basically where the executable said "I want to load at"; 0x401000 is usually where it says it wants to be loaded. So for all this code, IDA has said okay, if this were actually in memory, it would be at this address. OllyDbg has started this program; it has loaded into memory at the address it wanted, and we can just hit Ctrl+G and say I want to be taken to 0x..., and we can see that it's the same assembly code. Let me make this bigger. Over here we see this address; copy and paste it, Ctrl+G, and we can see that this function call, the assembly, matches exactly what IDA has produced. IDA just made it a bit prettier, but there's the call to the function, and there's a test AL, AL, jump if zero, et cetera. We can see similar analysis here, and this is just because OllyDbg has a pretty good disassembler, and so does IDA. Let's move this over so we can see the stack a bit better.
We don't actually need to do very much. We can see right here is the only place, if we hit X, the only place this function is being called, unless the program's doing something tricky, and by the looks of it it isn't doing anything too tricky. The strings weren't very sophisticated; nothing was really encrypted that we saw. So I'm going to guess that this is the only place this is called, just like IDA's stack analysis has determined. So here we can hit F2, which places a soft breakpoint. It replaces the E8 here, the first byte of the call, with the byte CC, which is a software breakpoint. The remaining bytes are left there, and they don't actually make any sense if the hardware were to try to execute them. So we can hit play and it'll run the malware up to this point. If we hit F2 again, it removes the breakpoint; if we just hit play again, it would remove the breakpoint and let it go anyway.
So here it's about to call this function, and it's going to return one, because it will be able to find OllyDbg, if it doesn't crash it first. So we can do something pretty cool. Since we want AL, the lower part of EAX, to always be zero, so that we always take that jump around the terminate process, we can just type in the instruction here. Now this is really cool, because we just replaced some code there: instead of calling that function and returning a value, we manually put the value we wanted into EAX. This is how a lot of people who crack software work: they make a patch, which is what we did. We can even test it. We can say okay, now execute that; we can see that EAX is zero, and then we can step over. We can see the jump if zero is taken, it does that one-millisecond Sleep, repairs the stack from that call, and it goes about its business.
How does that really help us? We want to give this back to the malware analyst who can only detonate stuff in sandboxes, who only does dynamic analysis or whatever. So wouldn't it be cool if we could make this patch stick to the executable? Well, we can. OllyDbg has given us that capability, because Olly is awesome, but it is a little confusing how to do it. I'm going to right-click anywhere in this pane, go to Edit, and go to the bottom where it says "Copy all modifications to executable". A window pops up and says, "Hey, what you did here is a bit different from this executable; I'm going to put it up in a new window." That's basically what it's saying. That's cool, and this is the new window. So I right-click and say "Save file", and it says "Are you sure?", same sort of thing. I can name it the hash plus "_olly_patched.exe", go to the folder, and now we have our new binary right here.
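The patch applied above with OllyDbg (overwrite the five-byte `call` to the check with `xor eax, eax` plus three `nop`s, so `test al, al` / `jz` always jumps around the terminate path) can also be written to the file outside a debugger. The following is an added example in Python, not code from the talk or from OllyDbg; the image base, section table, addresses and the fake file contents are constructed stand-ins, since the real sample's values are not on the page.

```python
# Added example: apply the "replace the call with xor eax,eax" patch to the
# file on disk. IMAGE_BASE, SECTIONS and the addresses below are assumptions
# constructed for this example, not values from the real sample.
import struct

IMAGE_BASE = 0x400000          # assumed image base of the executable
CALL_REL32 = 0xE8              # opcode of the 5-byte `call rel32` the check uses
# `xor eax, eax` (2 bytes) + 3 x `nop`: same length as the call, leaves EAX == 0,
# so the following `test al, al ; jz` always takes the jump around TerminateProcess.
PATCH = bytes([0x31, 0xC0, 0x90, 0x90, 0x90])

# Constructed section table: (name, virtual address, virtual size, raw pointer).
# A real tool would read these from the PE section headers.
SECTIONS = [
    (".text",  0x1000, 0x3000, 0x400),
    (".rdata", 0x4000, 0x1000, 0x3400),
    (".data",  0x5000, 0x1000, 0x4400),
]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Translate the address IDA/OllyDbg show into an offset in the file:
    VA - image base gives the RVA; subtract the owning section's VA and add
    its raw pointer. Raises if the address lies in no section."""
    rva = va - image_base
    for _name, vaddr, vsize, raw in sections:
        if vaddr <= rva < vaddr + vsize:
            return rva - vaddr + raw
    raise ValueError(f"VA {va:#x} not in any section")


def patch_call_to_xor_eax(image, va):
    """Replace the `call is_debugged` at `va` with `xor eax,eax ; nop ; nop ; nop`.
    Verifies the bytes really are a rel32 call first, so a wrong address or an
    already-patched file is refused instead of silently corrupted. The
    `test al,al ; jz` after the call is left untouched."""
    off = va_to_file_offset(va)
    if image[off] != CALL_REL32:
        raise ValueError(f"expected E8 call at {va:#x}, found {image[off]:#04x}")
    return image[:off] + PATCH + image[off + 5:]


def build_sample_image():
    """Construct a minimal fake file: zero padding, then the check sequence
    `call X ; test al,al ; jz +0x0C ; push 0 ; push -1 ; call TerminateProcess`."""
    code = (bytes([0xE8]) + struct.pack("<i", 0x100)
            + bytes([0x84, 0xC0, 0x74, 0x0C, 0x6A, 0x00, 0x6A, 0xFF])
            + bytes([0xE8]) + struct.pack("<i", 0x200))
    img = bytearray(0x400 + 0x3000)            # padded out to the end of .text
    check_va = IMAGE_BASE + 0x1000 + 0x220     # assumed VA of the check
    off = va_to_file_offset(check_va)
    img[off:off + len(code)] = code
    return bytes(img), check_va


if __name__ == "__main__":
    img, va = build_sample_image()
    patched = patch_call_to_xor_eax(img, va)
    off = va_to_file_offset(va)
    print(f"{va:#x} -> file offset {off:#x}")
    print("before:", img[off:off + 9].hex(" "))
    print("after: ", patched[off:off + 9].hex(" "))
```

The check on the first byte is the part worth keeping in any patcher: the VA-to-offset arithmetic is easy to get wrong by one section, and an unchecked write at the wrong offset produces a binary that crashes somewhere unrelated and wastes the next analyst's afternoon.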
So now we should test it. Add it to a zip archive with the password "infected", and then pull it off of my VM. So I've pulled it off my VM. Normally I'd be a little more careful about saving my files; I would save the analysis I've done, whatever, but I'm just going to go ahead and revert it. Okay, I've now reverted my VM. I'm going to delete these files. The password is "infected". So I'm going to run Wireshark as I did before, start the capture, and execute the original binary again. Give it a few seconds. As we saw before, Explorer executed the file and then it terminated.
Now, normally I would say revert again, just to be sure, but I'm just going to go ahead and leave this alone and then run our patched version. Give it a few seconds. I know from looking at the code manually that they used a lot of Sleeps, usually with small intervals, but it doesn't hurt to let it run for a while. Hit Ctrl+C, look at the log, and there we go: we see our malware has done quite a bit more than just start and die. We see Explorer executed... okay, let's see, well, that was just Explorer. Process created: there's a process. We see that it ran itself; we saw that in the code. In the temp directory, something-something.bat, and it does other things with it, adds some registry keys, and goes about its business.
Now, that's plenty of information for our other guy, the one who's doing dynamic analysis, to go and figure out what exactly just happened with this malware, since dynamic analysis is a lot easier. So we can just go into our capture and see what deleted files there were. I was wondering if that file got deleted. Okay, this is interesting: it deleted itself after making a scheduled task. Let's just run Autoruns to see if it actually maintained any other persistence; we happen to know that it was doing something with that. Looks like Autoruns is having problems. It could be some anti-tool code, but I think we would have seen that. I happen to know that this piece of malware does other things, so if you'd like to find out what those other things are, I'd suggest you go through the process of reverse engineering it completely. It's a good exercise, a nice old piece of malware. So we just went through the demo of reverse engineering a piece of malware and then patching it so that it will go through dynamic analysis just fine.