Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9

Video Description

In this module, we'll cover some basic malware tricks using the reverse engineering technique. As many of you might know that malware uses certain tricks to confuse, make analysis more difficult, or even break the disassembler. We'll demonstrate stack analysis of a malware to understand the malware and its attribution, identify Indicators of Compromise (IOCs), confirm our dynamic analysis results, and discover the anti-debugging code.

Video Transcription

00:04
Welcome to Sudbury.
00:05
Hi. My name is Sham Peers. And in the subject matter expert for introduction to malware analysis.
00:11
Today we're gonna be covering the basics of stack analysis Part four,
00:15
where we will actually be reverse engineering a piece of malware. And we're gonna be looking at some of the tricks commonly imposed by malware,
00:23
sometimes in an effort to burke assemblers, sometimes in an effort to just be confusing or make analysis more difficult whether it be automated or
00:33
just to try to trick a person.
00:36
So
00:37
we have looked at
00:38
illusion bought before we looked at it. Last time,
00:42
I'm gonna just extract it here,
00:45
which is something you should be a bit careful with.
00:49
I care for you. Click.
00:53
So I'm just gonna hit f two and renamed these files so they don't accidentally get executed.
01:03
I'm gonna pull up. I'd approve
01:10
and start analyzing
01:11
the bought binary dot dxc
01:15
because that is the execute a ble that actually does the infection.
01:22
So some pretty fast analysis.
01:25
So here we see something immediately down here and read
01:30
says sp analysis failed.
01:33
That's the stack pointer analysis. So last time we were talking about
01:38
the stack a lot, and we're talking about how the compiler will generate instructions toe clean out the stack or make functions that will save registers. And then
01:49
you pushed them in the beginning and pop them off at the end or will
01:52
do things so that it can clean up the stack before, after different functions called a paying off on if it's standard call or see tackle. And here we can see this very basic trick where a lot of very basic assemblers will just break is where the stack
02:12
doesn't match up from beginning to end.
02:15
So we see we see here, push EVP move
02:21
A B p e s p standard introduction to a,
02:27
um, the standard prologue to ah subroutine.
02:31
And then there's no minus E S P. So it's not making room on the stack
02:37
except for it is it's doing this push, push, push.
02:42
Usually this is done in an effort to save these registers, but you'll notice there's no popping here at the end.
02:49
So it does this load effective address
02:53
and does this subroutine
02:55
or the location to the subroutine. I have figured out this was excusable code
03:00
puts it into this address
03:02
and it pushes this address
03:05
and does this return.
03:08
Now think about that for just a minute.
03:13
The return instruction.
03:15
We'll go and find
03:20
whatever
03:21
return instruction it thinks it's supposed to go to, because there's thinks some
03:25
function Cole called it. So it has to return to that address.
03:31
It will be this.
03:36
So the return instruction,
03:38
once it executes it, will actually execute this function.
03:44
All right,
03:45
Now, if we had space,
03:47
we can see that there might have been something else down here.
03:53
Maybe code.
03:54
I like to hit c and find out.
03:58
It'll try toe
03:59
analyzes code,
04:00
but it seems like it failed.
04:03
I'm gonna switch over to the *** view, which, uh, is basically hex editor.
04:09
I like to look at this data here.
04:11
These data in between these two functions,
04:15
these two bits of code and
04:18
I like to usually look to see if their strings or unusual data or if this random junk
04:24
it looks to be random junk because there's no references to it. So it looks just from the side of it. It looks like there's no part of the program trying to access it,
04:34
but it could do that dynamically. because, like we said, there's no way to know what the code is gonna do until it actually does it
04:44
until we actually executed.
04:46
So here I to recognize that there is a reference to this, and it was likely some code.
04:50
So this is the function here. So I'm gonna hit end and call this riel main,
05:00
and we can see that it's also called right here,
05:06
So I don't know how this Coke it's executed at all.
05:10
I won't hit ex to see if there's any references to it, and there's
05:14
not not at least ah kind Ida has found.
05:18
So that might be interesting, but it's not important to us right now, so we'll look into it later.
05:25
I'm interested in what this function does.
05:29
What this separate e does was more proper,
05:32
so it looks like it calls three functions.
05:39
It uses some strings like Win 98.
05:42
So perhaps it's testing to see what version of the operating system it's using.
05:48
Now we see this constant here, so that would be something I would google for.
05:54
Perhaps someone else has done some analysis that we can leverage.
05:58
I keep looking down and I see this
06:01
registry coal or see this path.
06:06
We can see this,
06:09
but notice that there's no names to any of these functions.
06:15
That's not uncommon, especially if something statically linked.
06:19
But what is interesting is here it's calling a D word. Usually you call addresses,
06:28
but there's d words here everywhere, so that means it's data.
06:31
So at some point, this is manipulated. So I like to see
06:36
was there. We look at it and we see it's just a reference to some memory address that hasn't been filled in.
06:44
So I want to see what
06:45
references are to this memory address.
06:47
Someone hit X and see that it's reference and three places.
06:54
And
06:56
here we can see on the right hand side, uh, the instructions associated with it and one instruction. This move instruction
07:03
is the only one that rights to it.
07:05
So that's curious. The only places modified and the whole program is right here,
07:12
so I don't click on it and go to it.
07:14
So this is very interesting,
07:15
Ruth.
07:17
These were all function calls,
07:20
and there's this skit Prock address
07:24
function call here,
07:26
and if we scroll up, we can see there's the's, this load library address
07:30
and it's loading
07:31
these
07:33
deals. So it's getting the functions it needs
07:38
from these deals
07:40
rather than have all these deals. Are all these function names populated in the import address table?
07:47
So under imports, we see that's actually just using
07:51
a few of these function calls. You only need to load library and get Prock address to resolve all the other function calls.
08:00
So the library is used to get a handle to a library
08:03
and then get Prock addresses used
08:07
to get the address to that
08:09
function. Call, as you might guess,
08:13
so we can flip back over here
08:15
and we can start looking at this pattern
08:18
So
08:20
little library is called.
08:22
It needs a parameter.
08:24
It's doing the same kind of move
08:28
is doing the same kind of push
08:31
So it looks like E. A axe was being stored in the bar. Eight.
08:35
We can see that the library was called up here as well,
08:39
so
08:41
I'm gonna say
08:43
there is a push
08:46
when I net
08:48
waas
08:50
push on to the stack.
08:52
This move doesn't really affect that and load library was called
09:00
So load library was called and a handle was returned. A handle was put into E. X.
09:07
Because remember, E X is what
09:11
functions return.
09:13
It's the E X holds the value off whatever the function returned.
09:20
So
09:20
there's a Kit Prock address
09:26
and
09:28
it's moving that in the S. I
09:30
because low libraries not using it anymore,
09:33
that's going to push
09:35
two things
09:37
e v x
09:39
and a product name
09:41
and move E X and two of our four.
09:45
So e x was last modified when I called Load Library.
09:50
So we now know that far for
09:52
is the one I knit Deal l
09:56
handle.
09:58
So I'm gonna just say
10:05
and
10:07
get Prock Address will return
10:09
a value in the e x register.
10:13
And if you ah, look at that, it will be
10:16
for
10:18
talk
10:20
and that's a pretty standard return AP Windows A p I return.
10:24
Um, but
10:26
what we really want
10:28
is
10:30
the D words to say,
10:33
Get Prakit
10:33
are the D words to say
10:35
send or whatever else?
10:39
So if we run, get proxy address here and store the result in yaks,
10:46
we can guess
10:48
that's send
10:50
the function
10:52
address
10:54
for send is stored
10:56
there,
10:58
make a little cleaner and say
11:01
function. Send
11:03
still, check that. So get Prock address
11:07
little return.
11:11
I think it returns well. The good thing about this is we can always google in check.
11:39
So retrieves the address of an exported function or variable from the specified dynamic link library or Diello.
11:50
It takes in two parameters H module,
11:54
which is a handle to the library. And
11:58
ah, long pointer to the product Name as a long point or C string
12:05
the return value if it succeeds to return values the address of the exported function.
12:11
So yes.
12:13
And if it's no, then it failed. But there doesn't seem to be any error checking,
12:18
so we can kind of see this pattern.
12:22
All right, get Prock. Address was called
12:26
so we know that Yea axe
12:30
was then
12:31
the send function
12:33
the sea
12:35
get Prock address
12:39
was moves last calls law library.
12:43
So when was this receive? Used
12:48
pushed
12:50
Pushed the each module
12:54
called Get Prock address. Okay, so
12:58
this send
13:00
was a parameter to the next one.
13:03
And this receive
13:05
was actually the perimeter to this Get Prock address.
13:09
That makes sense.
13:11
So this was actually
13:15
receive.
13:16
So what tipped me off to this was a little when I net
13:20
and then
13:22
use this string which is seven receiver pretty common functions used by network Aware software. And they're pretty common in malware as well.
13:33
So we can continue the same type of process
13:35
where
13:37
the X was then inserted here. Send was next one.
13:41
So sand from you
13:45
or functions end
13:46
good to be consistent.
13:52
And we could do all of this
13:54
down the line. If you're really good, you can use I, D. C
14:00
or Python
14:01
to write a small script to do this for you.
14:05
But what are we really after again?
14:09
Well,
14:09
we might like to know, um, you Tex that's created
14:13
so we can see it's pushed.
14:16
It will be the parameters to this.
14:20
So we now know that
14:22
yaks
14:24
as a result of Prague address So we know this
14:30
was creating you text A
14:33
It's like, Do you want to make it bigger? So I'm gonna say ax. What else, uh, uses this?
14:39
Only two functions use this.
14:43
So if we see here called create you text function, eh?
14:48
There's three prowlers that were pushed
14:50
and
14:52
this one being the first I'm willing to bet
14:56
that if we Googled
14:58
cream, you text a
15:00
the final parameter
15:01
the right most parameter
15:03
will be the name of the mu Tex I'm willing to, but this is probably zero.
15:09
So x ory ex G
15:11
or ex or yes, I yes, I So it zeroes out. Yes. I
15:16
compares it to something but reuses the value. Don't hear. So it's calling, creating you text a,
15:22
uh
15:24
00 and then this value.
15:26
So
15:28
let's Google that
15:28
you check say
15:33
a If you see these kinds of functions, like message box message box a mess box w creating you text Kareem, you tax a create new text w a at the end stance for ask e w at the end stance for Unicode.
15:48
I don't know why
15:48
anyways
15:50
so
15:50
Ah, I was right. The last prouder the right most parameter is a long pointer c string
15:58
and it's pointing to the name of the Mu Tex. So this is another indicator of compromise. If this mu tex appears on your computer,
16:07
then you might be compromised with this piece of malware.
16:14
And this is a pretty good knowledge
16:17
to have
16:18
when you're fighting malware because
16:23
I pulled that out
16:25
in a few minutes.
16:26
So if your organization had the capability to search across the entire enterprise for all running you. Tex is
16:33
with some software, like titanium or
16:37
whatever. Agents were listening on your devices.
16:42
You could immediately pass set over to ah, Hunt team or something like that, or the soft team or whoever does that. And you can say, Hey, I'm not done with my analysis. But look for this man attacks,
16:55
and then you can keep going.
17:00
So I'm kind of interested to know what
17:03
what part of the program is checking them. You, Tex?
17:07
To see if there's another infection going on.
17:11
We can see that it was called by Real Main.
17:17
If I'm not mistaken. Real main also called creating you, Tex Here.
17:23
So is this the same string
17:26
we had escaped and we could just go back
17:30
forward, Back, forward, back,
17:33
back. It looks like the same strength. So it's checking in two different places in its code to make sure another instance of infection isn't running.
17:42
I'd like to know this code is
17:45
because
17:47
depending on, uh, what
17:49
the create new text a function returns. It's going to do something else
17:56
because it compares
17:59
eso. It makes another function call and then compares the output of that to this value.
18:03
So
18:06
I'm gonna go find out what this is,
18:07
so it's only written to once.
18:11
Yea, x e x was modified by this call instruction. Forget Prague addressing the options to that get product.
18:18
The parameters of that get Prock address was get last error,
18:22
so that's pretty useful. It's probably called and
18:26
more than one place.
18:27
So following that path of logic again,
18:30
last error was pushed
18:33
as a parameter to Cole
18:36
this
18:37
and which affected e x e a e a e X, which was inserted into here.
18:44
Hello, sir.
18:48
And then it compares that to be
18:52
seven.
18:53
So let's do some more Googling,
18:59
Same windows,
19:00
their codes.
19:10
Let's just say I hope they have hex
19:12
seven
19:15
Drew
19:15
X b seven Perfect
19:18
error already exists, so we know that it's comparing that to error already exists. And if it already exists,
19:26
it does this.
19:30
So this is probably
19:32
exit process or terminate or do something else.
19:37
So another cool trick we could do with Ida
19:41
is we can say, Hey, I know this is that Ah,
19:48
error already exists. You knew, you know,
19:52
So we can actually specify that here.
19:56
Use standards and book constant or the M shortcut.
20:00
It's gonna bring us a list of all the error or all of the
20:06
in new Marais shins that it knows off.
20:08
So here
20:11
it knows that air already exists.
20:12
Matches this value and they can click. Okay,
20:15
so it makes it a little easier to read.
20:18
Get last. Error already exists
20:22
means we'll figure out what this is.
20:26
It's written to here.
20:27
It's written to hear. That's very interesting. Let's check this one out.
20:33
Hope that's the location. We already are at
20:36
that location. So
20:40
creating you text A. It stores a Valium here
20:42
and the result of creating you text a
20:56
search for returns
21:03
For the fun
21:03
that the function succeeds, the return value is a handle to the newly created
21:08
you text object
21:11
function fails. The value is no.
21:15
So
21:15
I'm gonna say
21:18
handle.
21:21
It's a new tax handle,
21:26
so it's a local variable.
21:30
I want to find out what this is. Apparently, it's called a lot.
21:34
We should really label that function,
21:38
so I'm gonna
21:41
figure out with the suits
21:45
the X was modified by get Prock address
21:48
here,
21:48
which had the parameters off close handle
21:57
change his name
21:59
or I guess I should be consistent and say function close handle. But it's okay.
22:03
So I'm gonna name this because I see it quite frequently.
22:08
Um,
22:11
function
22:15
table builder. It's not really a table, um,
22:22
function resolver
22:30
agency who calls it
22:32
real name. That's right.
22:33
Calls it right there as the first thing that calls.
22:37
So we can pick apart this program
22:41
bit by bit and really get into exactly what it's doing. And we can totally
22:47
I understand
22:48
all of its capabilities.
22:51
But
22:52
before diving in, you should really ask yourself, What am I after? A. My after indicators compromise. Um, I am after a network traffic.
23:00
Am I after
23:03
authorship? Sophistication?
23:07
Because it's easy to get lost in the details because you have a very detailed view
23:14
of everything, and you can easily just go down a rabbit holes. You can go off into the weeds. You can,
23:21
you know, take whatever analogy you want. But early on I said, this is very detail oriented,
23:26
and
23:27
every once in a while you need to pop your head up and say, OK, what am I after again?
23:33
Ah,
23:33
because this power was found on the machines. Okay, what's its capabilities? Okay, I can go for that.
23:41
A good way to determine s capabilities. Uh,
23:45
after you've already gotten a look at what it's doing to defend itself
23:52
would be to look at the function calls it makes
23:56
so we can see
23:57
host name. We could do some,
24:00
we can say, OK, it's doing something with the network.
24:03
Um,
24:07
I can delete files that can read files, create files,
24:12
It can modify the registry.
24:18
And we already kind of knew this from our dynamic analysis. We saw that mollify the registry opened a hole in the firewall for itself. We saw that
24:26
it could
24:29
It could take certain commands from the IRC server
24:36
so we can see virtual free virtual Alec. This is important because it could create memory, which he could,
24:41
um,
24:41
insert code into
24:44
and then use the virtual protect
24:47
function to then execute that code
24:51
in such directories.
24:55
It's using some Z W functions. Zw are usually reserved for lower level libraries. That should almost
25:04
yeah, they should never be cold by
25:07
higher level
25:10
user land programs.
25:11
Unless you really know what you're doing. And even then you probably shouldn't do it.
25:15
So this guy is ah,
25:18
using this function,
25:22
and I would be curious to see how he's using that, because it's probably an anti debugging
25:29
method,
25:30
because you can call this function
25:33
and you will get back information about
25:37
your process or your threat or any other process of threat you want.
25:42
And you can determine from the colonel's response
25:48
if that threat process or whatever is being debugged.
25:52
So,
25:53
uh, I'd be willing to look into that if I wanted to debug it,
26:03
say in an open address
26:07
registry stuff
26:10
so
26:11
it can also messed with service is. So If I didn't know any better, I would be like, Okay, it's probably installing be a service. And if I wanted to go
26:22
down that rabbit hole and determine its the service name it's using,
26:26
uh, I could do that with these functions
26:30
very quickly. I could just
26:33
seo Where is this thing being used?
26:37
It's only being used in one function.
26:40
Yeah,
26:41
being used here.
26:42
I can look for any strings around there.
26:48
I see none.
26:48
Um,
26:49
I go for another one.
27:00
Okay,
27:00
but
27:02
if I wanted to
27:03
follow that rabbit hole, I could
27:06
Now here's some Maur. Interesting strings
27:11
is interesting because there's a slash slash and escape slash In there
27:17
this is interesting.
27:18
P
27:19
colon slash slash On what looks to be a file name extension
27:26
and this looks interesting. These look like encrypted shrinks basic off use cation.
27:33
So it looks like it's pushing these
27:37
moving a value
27:40
into the word excess modified by this. So this is delete registry
27:45
handle here.
27:49
Tip rocket dress.
27:51
So it was the last of
27:56
these,
27:57
but it calls this
28:00
after is received the parameters earthy the parameters of,
28:07
uh,
28:07
pointers to these strings.
28:11
And it's called multiple times. And each time there's a
28:15
off you skated string
28:19
and a different location.
28:22
So I'm willing to bet this string is input.
28:26
Dysfunction is decryption or D a few vacation and this is output.
28:33
So let's take a quick look into that.
28:36
I want to say D
28:37
crypt strength
28:48
takes into arguments to pointers is what it looks like.
28:57
Source on the E s. I and then stores
29:02
this one e d. I
29:07
assistant to a l, which is the lower
29:10
ah,
29:11
eight bits of the 32 bit
29:15
e x register.
29:17
I'm not mistaken.
29:18
So this is useful for she just want character.
29:22
So test
29:25
a l
29:26
means it tests to see if this is zero
29:30
to test a LL
29:32
ale says is the string blank
29:37
if it is,
29:38
If
29:40
zero flag
29:41
was ah
29:44
active was ah one bit in there, it will skip to the end.
29:48
So it tests to see
29:51
if there was any characters in that string.
29:55
If they're if that string had a character in it,
29:59
then I would begin executing this loop.
30:03
Where does the push
30:04
increments E s I,
30:07
the source index?
30:10
It calls us function
30:15
that moves
30:15
a l
30:17
into E t I
30:21
and then moves. Yes, I
30:23
increments idea Eddie, I
30:26
pops
30:27
the value
30:29
off the stack into E c X
30:33
and test it to see if it zero.
30:36
If this is
30:37
not zero, the jump is taken. So this is taken.
30:42
That means conversely, if it is zero,
30:47
this falls through so we can hit space and say
30:52
if this is not taken
30:56
okay, if it the value is zero
30:57
then just falls through
31:00
to the next instruction
31:03
which is down here
31:07
so it can see
31:07
dysfunction
31:10
has something to do with these lists decryption.
31:14
So we can peek at it
31:15
really quickly
31:18
and say,
31:18
Okay,
31:22
there's an alphabet there and there's an alphabet there.
31:26
I'm just going to guess just by looking at it.
31:29
It's not really encryption off your vacation. It's really more of an encoding.
31:33
It does. A simple swap
31:36
can
31:37
don't click it
31:37
and dive into it.
31:45
Does the Basic Function prologue make space for its local variables as a push? Push, push?
31:57
This is interesting,
32:01
and it would take a few minutes to figure it out. It wouldn't be too hard.
32:06
We could even write our own version,
32:08
and we could decrypt the strings ourselves.
32:12
However, in the next video, I'm going to show you the easy way of doing that.

Up Next

Intro to Malware Analysis and Reverse Engineering

In this course you will learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries.

Instructed By

Instructor Profile Image
Sean Pierce
Instructor