Basic Static Analysis Part 5

Video Activity

In this module, we'll cover some basic malware tricks and dive deeper into the string obfuscation concept. You'll learn both the easy as well as the hard way for string obfuscation. The hard way includes fully reverse engineering the code, re-implementing it, and then applying the same process to the strings. While the easy way uses the native code...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9
Video Description

In this module, we'll cover some basic malware tricks and dive deeper into the string obfuscation concept. You'll learn both the easy as well as the hard way for string obfuscation. The hard way includes fully reverse engineering the code, re-implementing it, and then applying the same process to the strings. While the easy way uses the native code and executes it. We'll demonstrate a hybrid method, combining both static as well as dynamic analysis for de-obfuscation of strings.

Video Transcription
00:03
>> Welcome to the Cybrary. My name is Sean Pierce.
00:03
I'm the subject matter expert for
00:03
introduction to malware analysis.
00:03
Today we are going to be going over the basics
00:03
of static analysis part 5,
00:03
more on the basic malware tricks.
00:03
Last time we were talking about
00:03
Obfuscated Strings and I said
00:03
I was going to show an easy way to deal with them.
00:03
The hard way is to fully reverse engineer the code,
00:03
really understand what's going on,
00:03
and then re-implement it to write
00:03
your own Python or assembly code to do the same process
00:03
to those strings you want to deobfuscate
00:03
and if you are rewriting
00:03
>> the assembly code just for fun,
00:03
>> and I have done that before,
00:03
you start to feel like you can just copy and
00:03
paste most of it and then you start thinking,
00:03
well, why can't I just run
00:03
the code and you can't and that is the easy way.
00:03
To use the native code and the malware to
00:03
do the deobfuscation because they have to do it right.
00:03
Anyways, it's unlikely that they
00:03
have some super tricky code doing
00:03
something crazy during the
00:03
>> deobfuscation of some string.
00:03
>> We're going to look at this.
00:03
Last time we were here,
00:03
we were looking at
00:03
this decrypt string function that we had named.
00:03
We don't know for sure if it's doing
00:03
that but it looks pretty obvious that
00:03
it is and we started to look at this and we said,
00:03
okay, maybe it's not really encryption.
00:03
Encryption is more like some
00:03
>> encoding but whatever it is,
00:03
>> it's obfuscating these strings
00:03
so that we can't easily see it.
00:03
We could right-click and run our little strings
00:03
command and whatever these
00:03
are going to be won't show
00:03
up so that's why malware authors do it.
00:03
We can jump over to where we last had
00:03
our VM and we can see the bot builder is
00:03
right here but we're interested in
00:03
the spine area and I haven't
00:03
modified the binary in any way
00:03
and I'm just going to right-click here
00:03
and say extract a ladybug 2.0.
00:03
1.1 is still pretty popular.
00:03
2.0 has some improvements but a lot of plugins still
00:03
work with 2.0 or excuse me.
00:03
A lot of plugins still work with 1.1.
00:03
We're just going to start executing.
00:03
Before I execute, I always check
00:03
the network settings to make sure it's not connected,
00:03
it is connected but a host-only network
00:03
can't go anywhere.
00:03
I'm going to drag and drop this sample
00:03
onto Ali and Ali will begin executing it.
00:03
It'll load up the libraries which is
00:03
what that loading was and it
00:03
will analyze them just like it analyzed
00:03
this bit of code and
00:03
I'm going to make this a little more readable.
00:03
Options. The default appearance is terminal 6,
00:03
and code highlighting, Christmas tree.
00:03
I'd like to pay attention to jumps and calls.
00:03
Let's try that out. Didn't really help much.
00:03
Want to make it more readable for people.
00:03
Slow screen resolution.
00:03
Six, change.
00:03
That's easier to read.
00:03
Even if we are a little scrunched up.
00:03
Ali debugger that will
00:03
execute one instruction at a
00:03
time and will by default break
00:03
on the module that you've loaded.
00:03
The module, it's in the PE file
00:03
and that's where it is right now
00:03
and we can see that this memory address here,
00:03
that's the memory where this executable said,
00:03
I prefer to be loaded at this address
00:03
and that's encoded in the PE header,
00:03
the container for the EXE file and IDA also
00:03
looks at that and also tries to
00:03
do its addressing in a similar manner.
00:03
We can use that to our advantage.
00:03
We press Space here and we can get more an older type
00:03
of view where it's just a linear view of
00:03
the code and we can go here
00:03
where we see this perimeter
00:03
of this obfuscated string being
00:03
pushed and we see it's at this address that's in
00:03
the text section and we can flip back over to Ali.
00:03
Where is Ali? Of course.
00:03
I can hit Control G for go and I can say,
00:03
just paste that address and say zero x
00:03
because it's a hex address and jump straight there.
00:03
We want the code to execute and to this location.
00:03
Most of the time, F2 will
00:03
just put a software break-point
00:03
there and I've mentioned them before.
00:03
I've mentioned that it's actually an int three
00:03
or the hex CC where it goes,
00:03
where as soon as I hit F2 hear,
00:03
it went into that address
00:03
and changed out the instruction.
00:03
Some malware will look for this and
00:03
attempt to do something strange
00:03
if it found a break-point there.
00:03
A better way to do it is by using hardware breakpoints.
00:03
We can do that here.
00:03
I can find a
00:03
break-point
00:03
and we can say hardware break-point upon execution.
00:03
Hardware breakpoints are a bit different in
00:03
that there is no changing of the instruction.
00:03
The malware can't see that the code is changed at all
00:03
because it hasn't but instead, this address,
00:03
this 131453A0 address, was put inside
00:03
the CPU and the Ali debug said,
00:03
whenever this address is executed,
00:03
just stop the program right
00:03
there and hand control back over to me.
00:03
The three software break-point
00:03
except we're not actually
00:03
changing the code. It's a bit better.
00:03
The gatches, there's
00:03
only four hardware breakpoints in the CPU.
00:03
It can only hold four addresses.
00:03
There's actually I think eight debug registers
00:03
but I think we can only use four of them at
00:03
a time. I'm going to hit run.
00:03
My program will run to this and it stopped here.
00:03
You may be wondering what's going on down here
00:03
and it says it's analyzing this and that.
00:03
You'll remember it can flip back over to our data here.
00:03
Remember, up here,
00:03
to resolve all the functions down here I had to
00:03
load in several libraries, so blurred.
00:03
I got the address to NTDLO because
00:03
NTDLO has always loaded into every single process.
00:03
I don't think it's possible not to have it in there.
00:03
It alerted and this and
00:03
whatever the dependency DLLs were to those DLLs.
00:03
As soon as they were loaded in,
00:03
Ali started to analyze them
00:03
just in case we want to jump into one of
00:03
those DLL but the end result
00:03
is the break-point triggered
00:03
and it stopped at this location.
00:03
With Ali, we can see that it's going to push,
00:03
push, do a move,
00:03
and then a call and that
00:03
call is with what we named decrypt an IDA.
00:03
>> We see Redkey delete
00:03
that was clean up from the last function.
00:03
See how much easier it is to read it and
00:03
all that which key deletes would be from there.
00:03
I want to do Dynamic Analysis with [inaudible] and then
00:03
stack analysis with IDA.
00:03
We can do a push
00:03
and then over on the lower right-hand side,
00:03
we have this stack window.
00:03
The top of the stack is the top of this Window.
00:03
The lower memory address is up here.
00:03
If that makes any sense.
00:03
If it doesn't quite make sense,
00:03
it's okay, just play with it
00:03
a bit more and get the hang of it.
00:03
But it is important, as we saw
00:03
with the beginning of this executable,
00:03
it manipulated the stack to use
00:03
a return function or a return instruction to jump
00:03
to its real main code as opposed
00:03
to just a jumper or call
00:03
instruction as an effort to fool these assemblers.
00:03
But I didn't catch that pretty fast.
00:03
There's some older malware.
00:03
Anyways, so we saw that
00:03
it's about to push another argument onto the stack.
00:03
If we flip back over to IDA,
00:03
we see that this is
00:03
referenced a few other places
00:03
that is pushed in as a primary here,
00:03
and the address is moved into an EAX here and ESI here,
00:03
and another EAX here and some different functions.
00:03
We could dive into those and try to figure out what
00:03
exactly is going on here or where this thing came from.
00:03
But I'm willing to bet,
00:03
since there's two things going
00:03
into this decryption function,
00:03
and it doesn't look like EAX is messed with,
00:03
or modified, or stored anywhere else.
00:03
I would say this is an input
00:03
and this is actually an output.
00:03
It's handing in an address
00:03
where right now it's filled with
00:03
all zeros and later is
00:03
probably going to be filled with the decrypted address.
00:03
I don't know for sure, but with ALI we can find out.
00:03
I'd like to right-click and say,
00:03
"Follow and Dump" right here.
00:03
I want to say Immediate Constant.
00:03
It looks at the constant in this instruction,
00:03
and so it's okay, that's an address and I
00:03
say just go to that address.
00:03
We could try to figure out where exactly it is,
00:03
either in the text section or the resource section,
00:03
or if it's in the heap or whatever.
00:03
But right now it doesn't really matter to me.
00:03
I just want to see what happens.
00:03
I'm going to say step over,
00:03
it's going to do that move.
00:03
Then now we're on the call instruction.
00:03
I'm just going to say step over again.
00:03
If I want to say step in,
00:03
we could actually go through the decryption process.
00:03
But [LAUGHTER] we see here
00:03
that we just stepped over and boom,
00:03
out pops this string.
00:03
We can even see up here that ALI
00:03
has looked at that reference again and said,
00:03
"This is not change, this is now an ASCII string."
00:03
We now know that this string was a few skated,
00:03
and it was easily just df few skated.
00:03
We don't know the algorithm,
00:03
but we don't really care.
00:03
We have this, which is what we wanted.
00:03
We can take
00:03
that copy
00:03
somewhere.
00:03
It's a little trickier with
00:03
list because sometimes you just want to copy the hex,
00:03
sometimes you just want to copy the memory address,
00:03
sometimes you just want to copy the string.
00:03
I need a copy.
00:03
I'm going to try that.
00:03
Moped, but didn't really work.
00:03
I'm just going to open up IDA.
00:03
We can say this string.
00:03
We can hit "N" to rename the string.
00:03
Falling out of convention when we
00:03
start an ASCII string with A,
00:03
and we're going to say software
00:03
Microsoft Windows
00:03
T/current fashion/on sole/namespace.
00:03
These characters are probably illegal with IDA naming.
00:03
I have to replace the slashes with underscores.
00:03
That's a register key. I'm going to say registry key,
00:03
it's going to complain that it's a bit long and it's
00:03
got to make the columns a bit longer.
00:03
But there's some illegal character.
00:03
The bad character is,
00:03
I don't know. Maybe a space.
00:03
I don't know. We can continue this process.
00:03
We can see that passes on
00:03
another parameter because
00:03
>> it's calling the same function,
00:03
>> it's probably under the same thing and there's
00:03
another registry key that has just come out,
00:03
and we can do the same thing.
00:03
There's another path that looks like
00:03
some file, 0XDEAD.DMP.
00:03
Can do that. Another ASCII string of salt.
00:03
We can see in here,
00:03
in the same memory space,
00:03
memory location that all the strings
00:03
were allocated next to each other.
00:03
This function is not supported by
00:03
Windows 9x. That's interesting.
00:03
If we were fully reversing this malware,
00:03
and we knew we're going to spend a whole day on it,
00:03
I would say record everything,
00:03
take down everything and really document it,
00:03
because documenting is the key
00:03
to really understanding how malware works.
00:03
Even if it's documenting
00:03
something that you don't think is
00:03
very important because you've
00:03
gone through the trouble of finding that out,
00:03
and it couldn't become helpful later.
00:03
Bookmarks are also very useful,
00:03
but I haven't put them here yet.
00:03
This function, or it was 0XDEAD-DMP.
00:03
That's the easy way of going about decrypting strings.
00:03
If you play with IDA a lot,
00:03
and you seem to be doing this a lot,
00:03
then I would suggest a plug-in put out by fire,
00:03
I believe, because they do a lot of
00:03
>> reverse engineering,
00:03
>> and it basically uses
00:03
the debugging component of IDA
00:03
and when you select a function,
00:03
you can just say run
00:03
this function with these parameters,
00:03
and it'll automatically decrypt something for you.
00:03
Of course, this is dangerous if
00:03
you're running real malware system.
00:03
But most decryption functions do just that,
00:03
just encryption because
00:03
a malware author had to make this,
00:03
and he had to make it modular and functional for him
00:03
or her to be keep track
00:03
of logically separating out functionality.
00:03
It's uncommon that a decryption function
00:03
would do anything else but decryption,
00:03
but it is possible.
00:03
I would err on the side of caution and if you want to,
00:03
you can run IDA inside your debugger or inside
00:03
a VM and just be cautious.
00:03
That's it for this video.
00:03
Once again, we were dealing with
00:03
obfuscated strings and instead
00:03
of reverse engineering the code,
00:03
we use a hybrid analysis,
00:03
leveraging both static and dynamic techniques to
00:03
very quickly DFT escaped
00:03
strings and aid in our analysis further.
00:03
If I were you, I would check into where else
00:03
that 0XDEAD.DMP file was being
00:03
referenced and see if that is a mechanism I wish
00:03
and our author used to avoid infecting themselves.
00:03
Sometimes, that is the case.
00:03
Our authors usually keep something in
00:03
their code to keep from infecting themselves.
00:03
Be it a registry key or something else,
00:03
filename, process name, a machine name.
00:03
These are indicators of not compromise, but authorship,
00:03
because malware authors will frequently use
00:03
the same file names over and
00:03
over again across different malware families.
00:03
Thanks for watching. Next class we'll be
00:03
covering more static analysis,
00:03
where we will be going through and enumerating
00:03
the capabilities of the malware.
00:03
>> I hope to see you then.
Up Next