Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll elaborate on a scenario where dynamic analysis is failing. We'll demonstrate how to reverse engineer a piece of malware code and patch it, so it may go through the dynamic analysis process.

Video Transcription

00:04
Now let's just jump into a demo and see what we're looking at.
00:10
So this particular hash I will make available to you
00:14
and here, let's just say, um,
00:17
the scenario is dynamic analysis is failing. Someone who doesn't know as much as you do about malware has said, Hey, I can't get this simple to do anything. It just starts up it,
00:29
you know, executes. It just dies.
00:32
And
00:33
we can replicate that here. And let's say they were looking for a network traffic.
00:39
So
00:41
hear of installed wire shark.
00:44
I will start it up here.
00:47
Here's our simple
00:51
extract it
00:53
standard password is infected.
01:07
Okay,
01:08
we'll start a plier shark.
01:14
As always. Just check and make sure that the network is Ah,
01:19
exactly how you want it.
01:21
It's not. Not it's on our virtual net to we haven't powered up a router.
01:26
That's okay.
01:30
Start capture, bat
01:34
and execute our malware.
01:37
Does she see if you are requests trying to get out,
01:42
give it a few seconds on dhe and it
01:46
open up or log and says
01:48
it was created. Then it terminated.
01:51
We can run a few more times just to make sure, but
01:53
rest assured
01:56
the person who detonated our malware before us and can't get to run anymore is right. There's something about the sample
02:04
that makes it just terminate. It could be a killed eight. It could be V m aware it could be
02:10
doing any number of things that could be checking the back address of the virtual machine to see if it's Ah, Riel,
02:19
Mac address. Not ah one allocated to VM where it could be
02:23
doing lots of stuff.
02:24
So how to we
02:27
get in there into that sample and figure out what's going on?
02:32
Well,
02:34
as you would imagine, we use our reverse engineering skills.
02:43
So in this PM I've installed by a pro here,
02:49
please version is 6.8.
02:52
Since it's the demo version, we won't be able to save our analysis. But that's okay. We can still ah,
02:58
you still look to see what's going on.
03:06
Disassemble that just fine
03:08
and weaken. Go and do this. We can just go click around. But our goal is to figure out why it's not running in our little sandbox and our virtual machine. So
03:22
for that we shouldn't just go jump into the code
03:25
because that's an easy way to get lost
03:30
because you'll pop back up an hour later after, uh, reverse engineering this thing and say, What was I supposed to do again? So here I'm just going to look at something that's usually a good indicator for getting an idea of what this power does, and that's go to view some views and strings. Now
03:47
I know. Look at these strings that are referenced.
03:51
We can always use the map pack
03:53
and just right click on
03:57
but her file and say strings.
04:00
Thank you, Dave Zimmer.
04:01
And we can see usually, ah, fume or strings.
04:05
But
04:06
I'm just gonna look at him inside. I just kind of get
04:11
ah on idea of what's going on. So I see Rudy. I see
04:16
you know a few things that are interesting.
04:18
Um,
04:20
no current user. So more permission aware there that's probably registry Key Uses
04:28
Google Chrome opera Firefox Internet Explorer. Max. Ethan. So these air,
04:33
you know, interesting things that I could die then.
04:35
Ah,
04:36
any second and try to figure out what's going on. You know, private measures noticed kick IRC commands was probably in Eire See, bought
04:46
paying. So no conduce a network stuff Gmail Yahoo. Facebook?
04:51
Um,
04:54
Hotmail.
04:55
Okay, so this is interesting here, Sam. Boxy.
04:59
So I look at this and I say, Okay, Sandbox, ijo, sandbox. These are sandboxes. Thes are commercially available Malware analysis, solution's automated analysis solutions. I can see the string is referenced here. I can hit X, see where it's referenced or just click over here
05:18
and I can see
05:19
where this is.
05:21
The string is moved into someplace on the stack.
05:27
So
05:28
instead of pushing
05:29
the compiler
05:30
made thes function, Cole's just take the arguments on the stack.
05:36
So
05:38
looks like it.
05:39
This function is being called each time. Ah, string is being moved here.
05:44
It's moved in the same location,
05:46
even though there are pushes
05:49
their pops here at the end. Okay,
05:53
so I see that takes in ah parameter string
05:58
escape. Trump back up and say OK,
06:00
so I'm gonna guess this is either a process name
06:04
or a
06:06
file name,
06:09
But I've been around. I've been doing this for a while, and usually my work here is about what's running right now.
06:15
So if I go here and hit, why
06:18
then I can say, Okay, string, I can say
06:24
process name
06:29
and I usually want to name things as I go along like this function. I want to take a quick look and figure out what's going on. But if I hit X
06:38
ah, I can see his reference in several other places. So I should probably go ahead and figure out what this function does pretty easy. I could do that pretty easily because it's only making a few calls.
06:46
It's not going any deeper.
06:49
AP I standard FBI calls create tool snapshot 32 Earth Create tool help 32 Snapshot. If you're not familiar with Windows programming, you can easily google this or hover over, and you can see the parameters. You can get an idea for what it does, but it's just googling these things and or manually programming them
07:10
s so you can get idea as a developer,
07:13
what's required for,
07:15
um,
07:16
what what the malware author is trying to do
07:21
so I can see desecrates tool, help snapshot and then does process 32 1st And if you google this and you go on to MST an or and these websites, you can see that these functions are acquired and the most common use of them is to liberate through all the running processes
07:40
so I can see there's a string compare. There's the same kind move convention
07:46
as we saw earlier were instead of pushing, it's just moving. It's ah, bit faster.
07:50
And
07:51
we can see there's two strings being compared. These may or may not match up, as the actual parameters are.
08:01
I don't may not have properly named these,
08:05
Uh, this is a structure
08:07
or these aren't struck Cesaire parameters,
08:11
but ah,
08:13
for string compare. We know we're taking in two strings, and we know that, uh, DW flags That's a d w. Means
08:22
double word and windows language. That would be
08:28
32 bits or four bites.
08:31
So
08:31
because a divisional
08:33
word was 16 deaths or two bites
08:39
So,
08:39
uh, we see that there's two strings being compared,
08:43
and we know we're getting in process name
08:46
as a parameter here,
08:48
and these things
08:50
right here that Ali I mean, sorry that I'm a pro has looked at, um
08:56
it knows that there is some this much space on the stack because it's allocated right here.
09:03
So it took its best guess at what those things were.
09:07
Um, it says, Okay, this is a structure
09:11
and I'm gonna name it here
09:13
and
09:13
string too, which is what was passed in
09:16
here.
09:20
Is the perimeter here?
09:22
No, Normally, Ida renames that, but, um
09:30
well, we can do it manually. See, it knows it's the same thing
09:33
so we can see the process name. It's moved into your axe,
09:37
and the X is one of things. It's comparing.
09:41
Ah,
09:43
the string compare has been compared to and then the tests he actually the result of string compare. And,
09:50
ah,
09:50
if you can look at the results of string comparing, we can see what the output is. Um,
10:00
if it's
10:01
what
10:01
we expect it to be,
10:03
be it like zero if the strings air matching or one if they're not or vice versa.
10:11
And we can see that there's a loop here and it's iterating through each process name,
10:18
and it is testing it
10:22
to see if
10:22
process 32 next return zero. And if it did, it would quit.
10:28
It would exit the loop
10:30
so we can see here that it probably was looking for a process name very specifically, and if it didn't find it returns zero. But if it did find it, it returns one
10:43
so a l is the lower part of E X.
10:48
So
10:50
it's a little little sloppy
10:52
by the compiler is trying to be more efficient,
10:56
but, uh,
10:58
frankly, e x could have been something. Could have been put in the higher bits like h
11:03
um
11:05
and it's only storing one in the lower bit,
11:09
but
11:09
it's okay. It probably figured out some mathematical way of determining that this is an okay instruction to do
11:18
so
11:20
we can see that. Ah, this is testing to see given a process. Name it tests to see. Is this running
11:28
false? Zero. True, if one.
11:33
So I'm gonna need it
11:35
with N Oregon. Why
11:41
I can say
11:41
is
11:43
process
11:46
running.
11:50
Why didn't it take?
11:52
That's
11:54
weird.
11:54
I'll just use and
11:58
is
11:58
process running
12:03
so
12:05
we can see that it does the same kind of test.
12:09
Um,
12:11
and the's instructions are a little redundant here.
12:15
It could have easily just left
12:18
this value in here and just put the return up here.
12:22
But compilers do what they do
12:26
so we can do.
12:28
We can name this function as,
12:31
um,
12:31
Joe
12:35
for last minute anti
12:37
80 for anti debug
12:41
Joe sand
12:45
box check.
12:52
So we'll see what calls this by pressing X and you see only one function calls it
12:58
and we jump up here. You can see what other things that calls it calls a few other functions
13:03
we can
13:05
jump into one of those. Oh, look higher shark.
13:09
So
13:11
city anti debugging
13:13
or it's not really anti debugging. It's a tool check
13:16
So but all to say, anti bugging our 80. So why're shark
13:24
check
13:28
his process running is also in there.
13:30
So since his process running seems to be a,
13:33
you know commonly dysfunction by by this stuff we can see is just sandboxes wire shark. And then there's, uh,
13:39
two other functions that use it
13:41
and doing the same sort of thing. Sam. Boxy.
13:46
So I'm gonna say
13:50
and
13:52
D
13:54
uh, sandbox e check.
14:01
Andi is process running. Let's just
14:03
ex again See what other functions left
14:07
V box service. So this is a virtual box check
14:15
Virtual view box check.
14:16
So there seems to be it's like anti tool anti analysis, anti sandbox, anti B M stuff in here.
14:26
So, uh,
14:28
fleeing
14:30
X and pop up here,
14:33
um, we could see what other functions are being called.
14:39
So there was a anti sandbox, anti wire shark
14:43
and type virtual box
14:46
anti sandbox e.
14:48
So that looks to be
14:52
another function here.
14:54
Jump in it.
14:56
Okay, so
14:58
debug output string.
15:00
So this is actually a specific shrinking that will
15:05
break on ladybug.
15:07
Ah, So this function is used by programs to print out,
15:13
um,
15:16
messages
15:18
that when a de buggers tach will display
15:20
or will be able to process, So this is useful for, like an application as, ah, driver
15:28
or something else that may not have access to a front end
15:31
or doesn't want to create a console or whatever. But if it's if there's some problem, you can. I want to find out So you can redirect debug messages, toe logs. Or you can use a program that Microsoft provides to read out put debug or to read de VOCs strings.
15:50
Um,
15:52
so on Ladybug
15:54
has a little little bug in it that when in
15:58
it tries to process a string, it will fail.
16:03
So I happen to know that because I've seen it before, and if you just google around for it, you condone,
16:10
you know, find stuff. So I'm gonna call this a D
16:12
no anti
16:15
for 80 Ali the lug,
16:21
uh, breaker
16:22
really
16:27
find
16:30
So move zero and to find file
16:33
that calls. Find clothes. I have to know that's another little anti Debo trick.
16:40
If I jump in here,
16:42
I can see is trying to find a window. Find a particular window
16:48
and it's moving.
16:49
I'll see what the Prime minister that
16:52
that's a long pointer class name along point or C string
16:57
as the Windows name. I can look at this and say, Okay, well, that's interesting. That's right. Here, it's right here. Um,
17:06
and this address
17:07
or this value here looks interesting to me.
17:11
Usually constants that large r r
17:15
usually use all that often less theories for comparison checks or whatever. So if we right click on this week, see, we can display it as a decimal weaken displayed as octo we can display is binary, or we could display it as asking.
17:30
So that's interesting.
17:33
So if we do the same to the other value,
17:37
we can see
17:37
that, um
17:41
weaken c o l l y d b g
17:45
a ladybug.
17:45
So it is looking for the window
17:48
with the name of all ladybug.
17:52
So is trying to find Ah,
17:55
I was trying to get a handle to
17:57
already broke the window.
18:00
Someone ever name this is
18:03
on ladybug.
18:04
Find her.
18:07
So it tried to break already book with this. Tried to find all ladybug
18:12
and then
18:17
call is debunker president. So it is using that function call that we discussed earlier,
18:22
and it does a simple test
18:26
jump if zero
18:30
So it was here that Tess pl which was what this other, um
18:36
which these other things would usedto say, Hey, I'm being bugged or Hey, there's I'm in a virtual machine
18:41
And then it would call this function if it determines that it is in a virtual machine.
18:47
Tests test jump, not zero. So jump around, if not zero. So this would be called if there was a virtual machine
18:56
detected.
18:57
Let's see bl bl be all be a So if a tool is detected, B l would be marked his one.
19:07
So for right now, I'm just going to say,
19:10
um,
19:11
tool
19:14
announce was tool
19:18
or
19:22
environment
19:23
detected?
19:29
It's probably like some terminate thing or
19:32
Okay, so it does asleep
19:33
on this values. Interesting. So 500.
19:37
So
19:38
it's doing ah, basically asleep,
19:45
and then it keeps going
19:47
so that's interesting.
19:51
Move a ll. And so if it's
19:52
so, if it's n a v m, it does asleep
19:56
now. Normally I would have a little notes file opening
20:00
or I would have a notes file open,
20:03
and I would be making notes about the stuff I'm finding as I'm finding it.
20:08
But now we get to the end
20:11
and it's time to
20:14
name dysfunction.
20:15
So
20:15
even if I don't know exactly what it is, I want to do my best to name the functions.
20:19
There's being deep PO'ed
20:25
So
20:26
I'm gonna hit action, see what calls that
20:29
I can see. It's called by this function so we can repeat this process over and over again and climb up the ladder and, you know, completely reverse engineer the program.
20:41
Ah, but
20:42
we basically accomplish our goal. We figured out why the program wasn't running and we contest this weaken, be scientific about and run it before in a virtual machine with the same conditions as the other guy did on then weaken.
20:59
Um,
21:00
you know, do something about it. We can change the environment or we can,
21:03
um
21:04
you know,
21:06
as a is something that I will talk about later we can actually patch the program. We can change them out where? So that it no longer does this. Check where If this returns true,
21:19
if it returns
21:22
Ah, one. If it returns a non zero, basically it will go execute this and terminate the process.
21:32
So
21:33
it's interesting if it
21:36
if nothing is detected, everything is fine. It will take this jump, jump a zero
21:41
and it will ah,
21:44
do a little sleep for one millisecond
21:48
and set this fight to zero.
21:52
Now, despite is interesting because it's also compared up here to see if it should even,
21:57
uh, do this at all.
22:00
So
22:00
if it's a comparison zero and jump, not zero
22:06
So,
22:07
uh, let's see.
22:08
So it
22:10
the green as if it takes the jump.
22:12
So
22:15
if this is zero,
22:18
then it would fall through here.
22:22
If it's not zero, it would jump here.
22:26
So
22:26
that's interesting. So I'm gonna call this for right now, the de bug flag.
22:40
And, uh,
22:41
it's not exactly the dealbook flag because it doesn't seem to be doing it doesn't seem to be checking for deep buggers. If there is a debunker, it'll just terminate.
22:52
But it looks pretty interesting nonetheless because I can see
22:57
that it is referenced throughout the program
23:02
and
23:03
we can jump in to some of these
23:06
and we can reverse the engineer
23:08
the program or weaken Seo. Look, there's a create process, and then it checks this flag
23:14
on, then changes its behavior. So
23:18
me being a little paranoid, I would think Okay, maybe this is another anti debugging technique because another technique
23:26
is relying on the fact that you can on Lee debug a program with one d bugger at a time. So some
23:33
program, some malware will launch another process of itself,
23:37
and then I can tell that process Hey, try to debunk me. If you can been great,
23:42
you're the only one that can debug me. If not, if you can't attach to me as a debunker, that means there's another d bugger attached, and I should just go ahead and die,
23:52
So I would kind of look,
23:55
huh?
23:56
I'll try to reverse engineer this more
24:00
on and see if that is the case.
24:02
But for now, I'm just going to jump around and see where else this flag is referenced.
24:07
I can see that there's more sleeping involved.
24:11
And if I was
24:12
Well, I am a paranoid person, but this reminds me of another anti debug technique, which is
24:19
that Ah, lot of malware will just say, Oh, you know, you just insulted on system, okay? We'll sleep for, like,
24:26
10 minutes, two hours a day or whatever, and it's relying on the fact that sandboxes and automated analysis solutions will only wait 30 seconds or a minute or two minutes or five minutes or whatever, and the malware can just simply outlast him. So a lot of sand boxes will hook this function, sleep
24:45
and will speed it up. It'll just say, Oh, you want to sleep for 10 minutes? Okay, well done. Now it's 10 minutes later
24:52
and then so malware
24:53
as kind of a like a sandbox detection method will see if that time actually did pass. And they can use that with, like, get take count. They can see they can use an instruction to see how long the
25:07
computer has been online, how long has been on, and they compare that before and after the sleep taken Dua lot of things to determine if it was actually a certain period of time has elapsed,
25:19
so I dig into this a bit more to see if this is the tint, that technique that they're using.
25:26
I mean, probably not because it's only sleeping for one millisecond.
25:32
So usually when I see a flag that I find interesting, I kind of start up front because generally
25:41
thes addresses are shorted
25:42
from beginning to end, and generally code upfront is executed first.
25:49
Um, obviously, you can have a jump instruction that jumps all around,
25:53
but
25:55
I tend to that
25:56
left found his tent compilers tend to, um,
26:00
make the coast linear and
26:03
and where it is being executed.
26:07
So I find this interesting
26:10
where it will check this candy book flag and then go to
26:14
I see this,
26:15
uh, string
26:17
where it is,
26:18
Say says, Quit uninstalling.
26:22
Ah, I see it shutting down a socket
26:26
and closing down the windows socket library
26:30
and then calling this function
26:33
just dive into it really quick. I see that
26:36
is accessing the registry keys. That is probably using for persistence,
26:41
and I can see after accesses those it opens Reggie aqui.
26:48
Then does Reggie aqui delete so it looks like it is indeed uninstalling.
26:52
I'll just make a quick note of that
26:56
on stall.
26:59
Uh,
27:00
rich keys
27:03
hit escape Go back up and say OK, so this flag
27:08
ah
27:10
may not be a debug flag, but may just be a
27:15
uninstall D Look, flag uninstall
27:21
Under column Debo collect
27:22
So hit escape
27:26
or just
27:26
ex again and say Okay, where else is it referenced?
27:30
It's referenced here. Oh,
27:33
somewhere we've been before. Look like it looks like a tire. See stuff Looks like an RC
27:40
Oh,
27:41
processing module.
27:42
Command processing module
27:45
version. Request destination.
27:48
Well, this looks interesting, but it's not what I'm after. What I'm after just is to see there's my
27:55
other flag again. What I'm after is to see Is there any more anti debugging, uh, things going on? Is there anything else built into the code that will hinder dynamic analysis?
28:07
Because I assume, as I
28:08
figure that out, I could be like Okay. No, it's,
28:11
um I just don't want run wire shark on your own
28:15
victim machine
28:25
ex again find all the places he's being referenced
28:30
next to this one. Just kind of climb up.
28:36
So
28:38
access called in a few places. So, really right now, I'm just kind of wandering around the code. Um,
28:48
So another thing I'm interested in Since this caf flag was seen around just hitting escape a few times since this flag
28:56
was seen around this area,
28:59
Um
29:00
and it's like has been bugged.
29:03
I'm gonna name this function is
29:07
determinate.
29:10
If being
29:11
debugged,
29:18
I, um, interested.
29:22
And where this flag was written like where?
29:26
Uh,
29:26
it is access and what's pay attention to it. Because if this has anything to do with debugging, I
29:33
I would like to know about it so I can hit acts.
29:36
And over here on the type, I can see it's only written two in three places and and all the rest of places here it's being read from So investigating those places will tell me
29:51
how what criteria this
29:53
code is using to access or to write that variable.
30:00
So this is very interesting
30:02
or I can see Ah,
30:06
down here in the bottom left that this is a fairly big function and I'm willing to bet just from the structure of it, it looks very much like a command processing module.
30:17
Oh, are very, very large. Switch statement.
30:19
I can see where it writes one into this uninstall off debug flag and by just double clicking on this arrow here I could jump all the way to where? What? Cho Block had that jump. And here I can see it's checking something against the string of uninstall.
30:38
So it's looking more and more like this flag doesn't really have much to do with debugging. So much is
30:42
unstow all some uninstall feature.
30:45
And if,
30:47
of course, if we
30:49
I wanted to do a full reverse engineering, this would be a great place toe
30:53
to start because we can enumerate all the commands and probably get a good idea of capability in function and purpose. So
31:03
just is like, it could have it jump back up here and say,
31:07
um
31:10
main
31:14
command,
31:15
processing
31:19
or processes. It doesn't make sense processing.
31:25
Okay, so you might be like Okay, great. Good. Um,
31:30
my company really likes
31:33
that's interesting stuff.
31:34
Escape. Go back.
31:37
Ah,
31:37
check out these other places where it's written.
31:41
Quit updating. So another kind of quit slash uninstall thing Go X
31:47
and go back to the last Go to the last place. This flag was written, too, and, uh,
31:52
we can see this, and you might be like, Oh, what is this? What's going on? here. Well, I can see a zero on a bunch of other constants being moved into,
32:01
Um,
32:02
the flag's not just this flag with this leg inside. Just like and, uh,
32:08
this,
32:09
you know, looks like program data, the registry key. User profile. When does X p when it's two k?
32:19
Uh, you know, all this stuff? It looks like
32:22
this, uh,
32:23
is
32:24
setting
32:28
the global?
32:30
No.
32:32
Oh, are sitting?
32:36
Yeah. It's sitting like global
32:38
variables.
32:43
His ex. Okay,
32:45
Is this woman called that one place, so
32:50
weaken? Yes. Thank you, Ida.
32:52
I really like your product very much
32:55
s so we can see that
32:58
we already begun digging into this program, but we got what we came for. We don't really see any other,
33:05
um,
33:06
anti analysis strings.
33:08
We don't really see any anti debugging stuff other than what we we pinpointed.
33:16
And
33:19
so what are we gonna do about it? So if our person says Okay, well, I really have to have wire shark on.
33:23
I have really have to have wire shark on my analysis machine based on all the PM's or may I really have to use Sam boxy, or I really have to do this Or that, uh, what should I do?
33:36
Well,
33:38
what am I doing?
33:39
I would go back to
33:42
Ah, the place
33:44
where we saw
33:45
the
33:46
debugging action here. So
33:50
here is where the program says,
33:52
uh,
33:54
am I being debugged and then gets a return value from all these checks that it does
34:01
and
34:02
than it acts on it. It says, okay, test to return value.
34:07
And if it's
34:07
zero,
34:09
keep going with our thing.
34:12
If it's anything else, terminate process
34:15
so we can actually pass the program, we can modify it.
34:21
And how do we do that with our good old friend all ladybug?
34:24
It can use
34:27
2.1 you can use to. You can use 1.1. They all do a fine job of this.
34:34
There are help it. There are plug ins that can help. But I'm just gonna do this without plug ins.
34:39
So
34:40
we know has anti debugging,
34:43
but ah, and we know in fact, that one string might even break a ladybug
34:49
or try to kill it
34:52
or just detected it's there.
34:53
But we can go ahead and load it up. And by default, all they will break at the system. Maine
35:00
Ah, break point or not Break point Little break when the main module loads and begins executing.
35:08
And just as a
35:10
note for the paranoid,
35:12
there is code
35:14
that is supplied
35:15
by this execute herbal here
35:19
that gets executed before the main function does
35:22
like a t. L s call back. So some our authors will hide either the main code in the tea Let's call back or they will hide there
35:30
Maine or their anti debug stuff in the tea, Let's call back. So sometimes you might have to modify Ali
35:37
through options
35:40
where,
35:45
where instead of wind, Ming
35:47
uh,
35:49
you can say, you know, break out the tea, let's call back,
35:52
or just wherever
35:54
the main code, the main module begins. Or maybe whenever the system takes over or whenever deal l loads or whatever it is.
36:05
But this is just fine for our purposes.
36:07
So here in Ali, we can see
36:09
dysfunction
36:12
being cold.
36:13
So I'm gonna hit space,
36:15
and I'm gonna go to this location.
36:19
Now, this is the relative virtual address, the R V. A.
36:22
And this is basically the ex Cuba was said, Hey, I want a load at,
36:25
you know, fourth out, 40100 is usually where it says I wanna be loaded. So all this code Ida has said Okay, if this were actually memory, it would be at this address. So
36:38
Ali has begun this program. It has loaded into memory at the address that it wanted. And we could just hit control G. I can say I want to be taken to zero x
36:49
got want law,
36:51
and we can see that it's the same assembly code.
36:53
Let me make this bigger.
36:57
Okay,
36:58
so
37:00
over here, we see this address. Copy and paste it on. Dhe just control G
37:07
Pacer address in,
37:10
and we can see that, uh, dysfunction Cole.
37:15
Ah, assembly matches exactly as what Ida has produced.
37:22
I just made it a bit prettier, but there's a call function, and there's a test. A l testing will jump
37:30
jump. Zero jumped zero, etcetera, etcetera. That space we can see similar. And this is just because Ali has a pretty good too similar, and so does Ida.
37:43
It's over, so we can see stack a bit better.
37:52
Okay, so
37:54
we don't actually need to do very much, so we can see right here is the only place if we hit acts
38:01
only place that this function is being called
38:04
unless the program's doing something tricky, which, by the looks of it isn't doing anything too tricky.
38:12
No, the strings were very sophisticated. Nothing was really encrypted that we saw. So
38:17
I'm gonna guess that this is the only place this is called.
38:22
Just like I had a stack. Analysis has determined. So here
38:25
we can hit F to which prices places a soft breakpoint replaces um
38:31
G eight and seven effort here with
38:35
or just e eight replaces with the bite C C, which is a software break point.
38:40
Um, these bites are left here,
38:44
and they don't actually make any sense
38:46
if the
38:47
ah if the
38:50
oh
38:51
hardware were to try to execute it so we can hit play and it'll run the program them our up to this point.
38:59
And
39:00
if we hit up to again, it's removed the break point.
39:02
If we just hit play again, it would remove the break point and let it go anyway.
39:07
So here it's about to call this function, and it's going to return
39:13
Ah one, because it will be able to find Ali if it doesn't crash it
39:17
so we could do something pretty cool.
39:20
Where, since we want a l or the lower parts of the ex toe always be zero.
39:28
So we always want to make that jump
39:30
around the terminate process.
39:32
We can just
39:36
say we could just type the sudden
39:37
we can just say
39:40
M OVI moves
39:43
E X comma zero,
39:47
and I can
39:50
assemble.
39:52
Now. This is really cool because we just replace some code there instead of calling that function and returning a value, we just manually put a value we wanted into the ex.
40:05
This is how a lot of people who cracks software work will. They will make a patch,
40:10
which is what we did. We made a patch
40:14
to this program
40:15
and we can even test it. We can say Okay, now execute that.
40:21
We can see that e x zero
40:23
and then we can step over,
40:28
which is
40:30
at eight.
40:31
We can see the jump zero
40:34
is taken
40:36
and it does that one millisecond sleep
40:39
and repairs of the stack from that Cole
40:43
and it goes about its business.
40:45
That's fantastic.
40:47
How does that really help us? So
40:50
we want to give this back to them our analysts who can Onley detonate stuff in sandboxes. Roman does
40:54
dynamic analysis or whatever.
40:58
So wouldn't it be cool if we could make this patch
41:00
stick to the execute a ble?
41:02
Well, we can, Ida. I mean, Ali debug has given us that capability because all he is awesome,
41:10
So but it is a little confusing about how to do it. So I'm just gonna right click anywhere in this pain, go to edit
41:20
and go to the bottom where it says, copy all modifications to execute herbal.
41:25
Or we could just say, copied or executed almost a copy, all modifications that's gonna pop up and says, Hey, uh, what you did here is a bit different.
41:35
Um, I'm gonna arrange
41:37
all the stuff
41:38
from this execute herbal,
41:40
and I'm gonna put it up in a new window. That's basically what it's saying.
41:45
Hit. Okay,
41:46
that's cool. And this is the new window. So I went right click
41:51
and just say, save file
41:53
and says, Are you sure?
41:55
Same sort of thing. And so we have
42:00
here.
42:01
But
42:02
this new binary
42:05
so I can say blah, blah the hash all you underscore patched you sexy
42:12
go the folder now we have our new binary right here.
42:17
Underscore. Patched.
42:20
So now what we should test.
42:24
So I'm going to
42:28
at archives, zip file
42:31
and encrypted
42:34
with the password infected,
42:38
and then I'm gonna pull it off of my VM.
42:49
So I pulled it off my VM,
42:53
and normally I'd be a little more careful about saving my files. Um,
43:00
I would save my analysis that I've done
43:02
or
43:05
whatever, but I'm just gonna go ahead and revert it,
43:22
okay? I now have reverted my p. M.
43:25
I'm gonna delete these files
43:29
drag up over my
43:31
new file
43:36
Password is infected.
43:43
All right,
43:45
so I'm gonna run wire shark as I did before
43:52
and execute. Capture that
43:57
and execute the original buyer again.
44:00
Give it a few seconds,
44:01
control. See,
44:04
Look at the log.
44:06
As we saw before our explorer executed the file and then it terminated.
44:14
Now, normally, I would say, Revert again, just to be sure.
44:19
But, uh, I'm just gonna go ahead. And do you believe this long
44:22
capture about again
44:27
and then run our past version.
44:30
Give it a few seconds. I know that. Ah,
44:32
from looking at the code manually
44:35
that they used a lot of sleep
44:37
functions,
44:38
usually with small intervals, but it doesn't hurt to let it run for a while.
44:45
Go on. Hit control C.
44:49
Look at the log and there we go. We see our malware has done quite a bit more than just start and die.
44:59
Sea Explorer executed.
45:02
Okay, let's see. Well, that was just Explorer. So
45:07
process created. There's a process.
45:13
We see that it ran itself.
45:15
There we go.
45:17
We saw that in the code.
45:20
It creates a file
45:22
in the temp directory
45:23
something something that bat
45:29
and does other things with it
45:30
on dhe at some registry keys
45:36
and
45:37
goes about its business.
45:39
Now, that's, uh, plenty of information for our, um,
45:45
other guy, the one who's doing
45:49
dynamic analysis for himto
45:52
go and figure out what exactly just happened
45:55
with this malware. Since dynamic analysis is, it's a lot easier,
46:00
Um,
46:01
stack analysis
46:05
so we can just go into our capture
46:08
and we can see what deleted files there were.
46:14
Yeah, I was wondering if that
46:16
that foul got pleaded.
46:21
Okay, this is interesting. So
46:24
trusted. Lied itself after making a scheduled task.
46:31
Yeah,
46:37
that's interesting.
46:38
Next, I would
46:40
just run on a runs to see if it actually
46:45
maintained any other persistence
46:47
scheduled tasks. I
46:50
we happen to know that I was doing something with that.
47:09
Looks like auto runs his hand of problems. It could be some anti war, anti tool code,
47:15
but I think we would have seen that.
47:17
But, uh, I happen to know that this piece of malware does other things. So if you'd like to find out what those other things are,
47:27
then I'd suggest you go through
47:30
the process of reverse engineering it completely. It's a good exercise.
47:35
Ah, nice old piece of malware.
47:39
So we just went through the demo of
47:42
reverse engineering piece of our and then patching it so that it, uh,
47:49
will go through dynamic analysis just fine.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this malware analysis course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Instructor Profile Image
Sean Pierce
Instructor