Welcome to Cybrary. My name is Sean Pierce, and I'm the subject matter expert for Introduction to Malware Analysis. Today we're going to be covering malware static analysis, particularly part six, where we're going to enumerate the capabilities of the Illusion Bot that we were looking at in the last few videos.
When we were doing this capability enumeration earlier, we were kind of looking at only the dynamic analysis and saying, OK, well, we see it modifying the registry and opening up firewall rules, so we know it has that capability. We know it's going to the IRC, we know it can take commands from there. We opened up the Illusion Bot builder, we saw some other capabilities there, but none of that means it actually does what it says.
It might sound a little silly, but I've dealt with plenty of builders and controllers where there's unimplemented functionality, either in the sample or in the builder or the controller, where it may say it can communicate over HTTP, or may say it can tunnel traffic over DNS, but it can't actually. Maybe the malware author forgot to put it in, or he wanted to say it had that capability but it actually didn't, so he could sell it at a higher price. Whatever the deal is, you really can't trust what an interface says, or what it might even look like it's doing. I've seen samples out there that will try to communicate over HTTP or some other method, and the controller can't actually understand it, so it looks like it can do it, but you can't take its word; you can't count on that actually being there. And as malware analysts, we think,
well, we're not often going to get the controller. We're not often going to get the source code or, you know, the builder. So that's kind of a moot point. And it's not, because we do have the sample. And earlier we were looking at what functions it was calling to guess at the functionality.
But we can actually dig down into the code and see what the malware author has actually put in there. And we can say OK, definitely, for sure, it makes a POST request, and it doesn't do anything with the response it gets back, it just moves on, so we know it can't actually receive information from a GET request. We can say that for sure.
It can be a little tricky sometimes, especially with a sophisticated actor; it can be very tricky. It can be hard to read, with a lot of junk code in there, because some malware authors will fill their malware with useless assembly that won't do anything, and it gets a little confusing to look at. They can hide some clever instructions strung together that will dynamically call something that doesn't look like code and do something you may not expect.
For instance, there was a piece of malware that would download a web page, like in a standard HTTP GET request, and it would look for certain strings on the web page and go on about its business. But a lot of malware analysts missed the fact that it would go and find an image later on that web page, I think in the Temporary Internet Files, and decrypt a hidden configuration inside the image. They were using a form of steganography, which means that they hide information inside an image, as opposed to cryptography, which scrambles the information. And inside this configuration, inside this image, there was more information that a lot of analysts were missing.
It can be tricky unless you have, like, a whole and complete understanding of the code, which you really can't have all the time. There's even more functionality that may be hidden in, say, a downloadable component. So we will look at this malware and we will find that there is a download-and-execute command.
You go to your superior, or your superior comes to you and says, hey, I know you analyzed this piece of malware, can it do something like wipe the master boot record? Having analyzed it, you can say no, it doesn't have that capability, and then turn around, you know, a few days later, your boss comes back and says, hey, you know that malware infected one of our machines and the master boot record got wiped. There's a download-and-execute in this piece of malware; like most other pieces of malware, there's the ability to download and execute. Well, you can't say OK, it doesn't have that capability. Someone else can easily add more capability by downloading. And even if it's not in there, just download and execute this wiper, which you can easily download from all over the Internet.
There are malware families out there that are more sophisticated; they're really malware platforms. So I've done proof-of-concept stuff where it's basically just a platform for going to a command and control server and downloading an encrypted module, which has a persistence mechanism, or downloads another module after that which has the command and control functionality, or downloads another component, and that's the FTP server functionality, or so on. So if a malware analyst were to ever find my executable on disk, they would just find this kind of platform. They would just find only a small amount of code, which would just go out to an IP address and download some things and decrypt them, and so they would need my command and control server to be up in order to get those components. And with a lot of
a lot of this malware tends to be more targeted, and the command and control servers are quickly taken down if the malware author thinks that their operation was burned. And this is not uncommon, especially with malware that has been infecting a particular company.
Like if a malware author wants to just do POS infections, where the point-of-sale systems are only going to be within a certain IP address range, and he restricts it to that, too; he restricts downloads of his malware or componentry to that range. And then as soon as he sees another IP address trying to get those components, he thinks, oh, well, they've put my malware in a sandbox, I'm bringing down the whole operation and moving to another command and control server, et cetera, et cetera. And that actually does happen. And if you ever do any botnet tracking, where you get a piece of spam and you say, oh, I wonder what this is, and you pop it into a malware analysis machine, you'll notice that the command and control server is already dead, especially if you get the piece of spam a few days late, or even a few hours late sometimes, because malware authors don't want to burn their command and control infrastructure.
So, static and dynamic analysis to enumerate capabilities. But you really shouldn't say this malware only has these capabilities. And if you do, you should say, hey, it can download and execute things, it's a common function. A high-sophistication actor could be using this lower-sophistication tool as an initial beachhead and then download and execute something else that's much more dangerous, much more capable. So determining, you know, intent is important, and the people behind this. But when you're doing your malware analysis, it's easy to say, oh, look, this code definitely won't do this, or it definitely does do this.
Having said that, let's jump right in to where we left off last time, which was we were decrypting these strings. So I'm going to pause this VM right when it was decrypting the strings, I'm going to put it away, and jump back to my IDA here.
As I said in my previous slide, document everything. And if I was being a good reverse engineer and I had all day to work on this, and I wasn't just making a video, I would say this would be my next step: to go through these and label them and properly document them.
And one method to determine the capabilities of a piece of malware is to follow each of these functions and see where they're called and classify all of the function calls. And you could burn through each of these subroutine calls and you could say OK, this is this, this is this, this is maybe this, I'll come back to this if I have time, et cetera, et cetera. A better way to do that, a better way to determine capability, is by going to where the command processing happens, where the configuration processing happens. So the malware author wants to control a machine with this piece of malware, or steal data, or whatever his goal is, and you usually will be able to determine that after analyzing the malware. He'll be able to command this bot, usually.
So I'm going to go over here to Open subviews and then Strings, and I'm going to look for "help". I figure that this malware author has built in some kind of help menu, and they will be controlling it from the IRC so they can just give it some commands. And that hasn't turned up anything.
So I'm just going to look for... go back, Open subviews. So I'm going to go through, I'm going to say, OK, they don't have a help menu, or maybe it's encrypted or whatever. But I do know that it has some capabilities, like they can open up something called a DCC shell, I can download and execute, download something, download and execute something. And that's probably a command that a malware author would want to remotely execute. So I'm going to double-click and jump to where the string is.
I can see that it is referenced. By pressing X, I can see that the string is referenced at this location and only this location. So it looks like in this subroutine, in this function, there's the option to download and execute something. Looks like "KB" is showing you a meter of how fast it's downloading and executing something. And we could dig into that and see exactly what's going on.
I'm going to name this "download"... say "display download exec", mine. So I know this has to be called from somewhere. That's probably... because this probably isn't the command processing subroutine or the configuration processing subroutine, I'm going to say, OK, it's probably called from that, or something is calling it that will call this eventually.
So I'm going to climb on up this ladder and say, OK, this is calling a few things. I could scroll over. It's another function I haven't resolved yet, but I could, in fact... looks like it's called a lot. So I'm just going to go ahead and help myself and say, press X, and say OK, this one, I'll just go ahead and figure this out.
So I moved into it. EDX... EDX is last modified by GetProcAddress, and the parameter to GetProcAddress was "wsprintf". Going back to that logic: "wsprintf" was pushed onto the stack, then GetProcAddress is called and modifies EDX. So this is... we don't know... this is another... this is a good way to document.
You see where this is called from, and being able to... so over in the lower left-hand side, there's a lot of code here. We can even hit our Control key and scroll wheel, and we can zoom out. We can get a much larger picture of what's going on here. So we can see that there's a lot of stuff going on here. We can zoom in and see a lot of error messages about SOCKS proxies, FTP, all this other stuff. So that's cool, that's useful. And if we wanted to see, you know, "usage: udp flood", we can just click where this code came from, where this control flow came from. We could just double-click the arrow and it'll jump straight to where that line was leading, where that jump was coming from.
But I'm interested in the capabilities of this malware, if you'll remember, and I want to quickly be able to say OK, it can do this, this, this, this. So I want to look at the commands that the malware author could give it, or the botnet herder or the controller.
From this, I take this kind of broad sort of view. I can see that there's an interesting set of instructions, or an interesting control flow, happening here, where if it's not one thing, then it'll do another little thing, and all these jumps will jump off into their own respective columns. So I'm willing to bet that each one of these little boxes is simply just testing it, and you can see here by hovering over it, each of these little columns is testing to see if a certain string is in a certain memory location, probably. You know, it gets a string in from the IRC program. This is probably a while(true)... "kill yourself" command. It is constantly checking to see which command it received on the command line.
I can quickly zoom in and see if that's the case. You can see "beep", it's like, OK, that might sound like a command. Jump over here and see "ftp stop". That does sound like a command. Jump over here, "ftpd". That sounds like a command. "stop all", that definitely sounds like a command. And do another jump, "socks5 stop". Yeah, this seems like the command tree. So if I were a betting man, I would say OK, this is probably a switch statement, but then again, I know IDA usually catches switch statements pretty easily. So it's probably an else-if, else-if, else kind of situation. It doesn't really matter; we have a list of functions here.
We're documenting everything. Keep, like, a notepad open. I'm following these functions down to the end. OK, so I'm going to hit escape and go back to where it was, so I can see here: "webadmin", just above it is "ircadmin", just above that is "ircadmin" again, "webadmin". So that seems to be all of the commands, at least right here. So I'll open up Notepad, and I just start copying and pasting.
Another thing I would do: I'll see where this string is kept. All the other command strings were there, so I can easily just copy and paste. Looks like a lot of them were there. I can't guarantee that they're going to be in the proper order. That sounds interesting.
"config", that sounds interesting, in case we got onto the IRC channel where the bot is hiding; maybe we can reconfigure the bots. I think technically that would be illegal, because you are still running instructions on a machine which you have not been authorized to use. But some security researchers do it anyway, and some people, like from Microsoft, go, and when they take down a botnet, they will get law enforcement on their side and walk into a data center and say, hey, this is used for criminal purposes, we're going to help shut it down. I am not one of those people, and so I do not suggest, even if you have good intentions, I would not suggest going onto a channel and trying to, like, take down the botnet. Even if you have the best intentions in mind, and you're seeing bad stuff happen all the time, there could be security researchers or law enforcement also doing what you're doing, but they're listening on the channel to see if they can get to the author or the botnet herder or whatever else, because they will do that as well.
I can do this for a while. It looks like this bot supports a lot of commands. I could tell someone, or do it myself, for verification purposes. I could tell someone to run these commands and make sure they actually do what you would think they do. This "ftp", "ftpd" might start an FTP server, but it might only do it on Linux. The "d" is usually daemon. Maybe it runs better on Linux. You might think, OK, what? It's a PE, it's a PE file, an .exe file; what makes you think you would be running an FTP server on Linux? And it's like, you know, with the source code, you can recompile a piece of malware like any other program, and maybe the author made it so that you could just easily recompile for Linux. That functionality doesn't exist; some of it does, because it may just call the command line equivalent to start an FTP server, which may not exist on your version of Windows.
So, like I said, we can do this for a while, and it would be a much better indicator of capabilities than just looking at the functions and guessing. We could pass these things over to someone and say, hey, while I'm doing this, fire up the bot, make a fake IRC channel, connect it to it, and just start running these commands and see what happens.
This is pretty common malware functionality, and I might dig into it, like this "version" function, and I would say, OK, so this function gets called immediately after it. What happens there? Is there anything important? Does it just set some flags? Does it check to see if there's some information, or does it just return the version? And what happens... jump if not zero, loop; if it doesn't take that, looks like it just prints something. So it's like, OK, so probably this condition will print the version number out to the string, out to the screen. And if it takes this path, it tries to see if it's... which I'm going to just name right here as "input". Filter out the quotes later. "shutdown", that's interesting. Nowhere to go, I'm just naming this "command". Whether that shuts down the bot or if it shuts down the computer, I don't know.
I see "icmp flood stop", and we can see where we are. We can see that we're probably right about there, so there's probably a number of other commands; we're probably right about here. There's probably, I want to say, 10 or 15 other commands that we could enumerate. But the important part is... yeah, so we've got quite a ways to go. The important part is, furthermore, we can verify that the code actually exists to implement that functionality; the implemented code is there to fulfill that capability.
And if you're looking at this, if you're reading this all day, it's a very detailed view, and it's easy to get lost and forget things. So IDA provides a pretty cool tool. Let's take this column, for instance. It tests the input command against the string "kill", and it'll call this function, which looks very simple, so we can dive into it for just a second. And it seems to test two arguments that are passed into it in ECX and EDX. It's probably testing for validity, probably testing to make sure they're not just empty strings. And it seems like it's called all over the place. It was probably important that we get it out of the way in this analysis anyway. So it takes in two strings, which were ECX, EDX, the input command. So I'm going to call this "string compare".
So if we look at string compare, if we Google that, I'm willing to bet that if it returns zero, it's... it compares characters until the first null byte. I just happen to know that's true because I've done this before. And the output is put in EAX. So the test instruction tests to see if EAX is zero, by saying "test eax, eax", pop, and jumps if it's not zero, so it continues on its path of checking against other commands if it is not zero. So if it is zero, it is that command. So this logic makes a bit more sense here.
And the functionality I was telling you about, that IDA does, that's really cool: we know that this code will have some kind of kill functionality built into it, or process-killing functionality built into it. We can see here "unable to kill process with process id", "process has been killed". We can see that there's a positive and a negative to this outcome. And so we know what this code does, fairly surely. So
something cool that we can do to get it out of the way, while we're still reversing these other things, is we hold down Control and we can select these nodes, and we can right-click and say Group nodes. We can label it "kill process". So here it has grouped all these... and let's include this here. Name it the same name, "kill". So that looks pretty clean.
And we can continue the same effort here. We can look at this command above it, "kill all", and we can keep going down that path. And obviously we're not catching all the related blocks, because if you look down here there are some error conditions, like, oh, you didn't pass in the parameter, so this is the usage for that thing, or oh, unable to do it, or oh, it worked. We could group these in as well. And we can continue on this path until we have all of these trees, these columns of command functionality, accounted for. And if we find something that's out of the ordinary, or something that doesn't make a whole lot of sense, we can investigate that further. But we can effectively group things, and we don't have such a detailed view of what every little instruction is doing. And that's really the rabbit hole that you'll get into when you're doing reverse engineering, since you have such a detailed view and you can say, oh yeah, I can jump into this function, I can completely figure out what it's supposed to be doing, and it's really important because it's called by all these other things, and, oh look, I can go and resolve it again and see exactly what's going on. And yeah, that's great, but for now, determining capability, and capability only. Capability will lead to risk to your organization, will lead to impact, and maybe if you're good it'll lead to attribution, to intent, and it will lead to you being, you know, very valuable to your team.
If you have an incident, unless your IR guy is really clever, the malware guy is the person that really understands what's going on behind the scenes. And there is a trend that a lot of bad guys are trying to avoid malware. Because of this, they try to do what's called living off the land, and only doing things that don't leave any forensic evidence. Like, you know, they drop a piece of malware that just launches a reverse command shell, so then they can execute commands without anyone seeing that. But, you know, most hackers still use malware. In all of the breaches, you know, 97% of the time, I believe the Verizon breach report said malware was present. So malware analysts definitely have a... and they're definitely needed.
So, finding the command processing subroutines and/or the configuration processing subroutines, because that's where you're going to find a lot of... how you can enumerate a lot of the capabilities of a piece of malware. While reversing, just document everything. Use good variable names, just as if you're writing software, because you could almost argue you're taking it apart, you're discovering it. And to fully enumerate capabilities, I would say test the software afterwards. As I mentioned, there are plenty of times where malware has had bugs or compatibility issues, or they simply just do not implement the functionality they say they do. And special note: there's no undo in IDA. Oh, I'm sorry. And keep in mind, when you're enumerating functionality, malware can extend its own functionality by downloading and executing new code, or having some hidden feature in it that you might miss, and in all those function calls, hundreds or thousands of function calls, there could be just some instruction in there that jumps into what appears to be data but is actually shellcode. Even strings can be shellcode; they can be executable x86 machine code. I know a guy who published a Black Hat paper where his program would write English-language shellcode, so that a string that looked like a normal English string could be executed as x86 shellcode. So you can enumerate functionality in malware a lot of times, but keep in mind that it can extend its functionality, and it's not a for-sure thing.
And keep in mind there's no undo in IDA. You might be flabbergasted by that, but seriously, if I tell IDA to analyze something as data instead of code, it would break a lot of things. On the newer versions of IDA you can kind of do a snapshot of your current IDA database, and that might save you from something catastrophic, but you might have to redo a lot of analysis. I have messed up my analysis pretty good; sometimes I just had to start over, because it would have been too much of a pain to try to fix the damage I had done.
So, as a recap, for static reverse engineering in general: I showed this before, but I highly suggest The IDA Pro Book. That's the unofficial version, because the developers of IDA are good and brilliant and will respond to emails very quickly, because, you know, they only sell IDA, that's all they do. They'll email you right back, they're really nice and good. They never wrote a book about how to use it, and someone did, and it is actually a really good introduction to not just IDA but reverse engineering in general, because IDA is an extremely powerful tool, and we've barely scratched the surface of what it's capable of. If you get the official... if you get the... I want to say professional version, but it's actually the pay-for version, because IDA Pro is free by default. You can't save your analysis unless you use an older version, like IDA 5-point-something; there you can actually save your analysis, your IDB file. In the newer version you can't unless you pay for it. Or, in the newer version, you cannot save your analysis unless you pay for it. That's like 600, 700 dollars or something. Don't try to crack it or torrent it. You will be put on a blacklist and they will never sell you software again, or, I think, when you work for... I don't remember the rules on that, but it's a big no-no. Don't do that, and don't download or use cracked copies, because the IDB files are actually signed, plus encrypted, I think. So if you get a cracked version of IDA and you save your analysis, your disassembly of a file, no one else with IDA can even open that, because that cracked version will be blacklisted and no other version of IDA can open it. There are ways around it, but I wouldn't suggest it.
Another really good book for reverse engineering is Reversing: Secrets of Reverse Engineering. It's a bit old, but it's really good; I like it a lot. And there's plenty of tutorials online out there for reverse engineering, a lot of them mainly built around crackmes, which are little programs written by reverse engineering enthusiasts to kind of stump each other. And those are pretty good. And I also would suggest going to past CTF websites, capture-the-flag websites. Usually they're hacker competitions, Jeopardy-style, where they choose a category and a level and they go and try to solve the problem. There's usually reverse engineering challenges in there where you're trying to get a program to do something, or find a vulnerability, or decrypt a string, or whatever the case is, and those can be excellent, excellent learning experiences.
Corkami, or "quirky me", is fantastic for explaining, like, PE headers, because he really takes them apart and goes through the binary. If you really want to understand how the code is organized when you're looking at it, I would definitely suggest that, but honestly it's not very necessary until you get into some of the more tricky stuff.
I would also suggest OpenSecurityTraining.info, from MITRE. They have an intro to x86. They also dive into other architectures like ARM and x64, which, if you get the pay-for version of IDA, well, actually, it will not just do x86 but it'll do tons of architectures, the main one, the most popular one, being x64, and ARM, because a lot of reverse engineers don't just reverse engineer Windows executables; they also reverse engineer firmware from routers, from toys, from cell phones, switches, lots of computers that most people don't think of as computers. And also, just to say, you know, it's good to read the Wikipedia entries for the x86 assembly language and the x86 calling conventions. They're very approachable, they're very easy to read, and have lots of examples. And if you really want to get into writing assembly language, I would suggest The Art of Assembly Language.
And other than that, that's plenty of information for you to get started. I hope you watch the next video. Again, my name is Sean, and catch you later.
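Added example, not code from the video and not Illusion Bot's own code: a C sketch of what the command-processing routine described in the walkthrough looks like in source form, so the disassembly pattern it describes (call a string compare, "test eax, eax", "jnz" to the next column) maps back to an else-if chain over command strings, with a two-argument non-empty check in front of the compare and a kill handler that has a usage path, a failure path and a success path. The command names, the IRC line and the process table are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical command set, modelled on strings seen in the transcript. */
typedef enum {
    CMD_UNKNOWN = 0, CMD_KILL, CMD_KILLALL, CMD_FTPD,
    CMD_FTP_STOP, CMD_VERSION, CMD_SHUTDOWN, CMD_DOWNLOAD
} cmd_id;

/* One table row per "column" in the graph view: a literal and its handler id. */
static const struct { const char *name; cmd_id id; } cmd_table[] = {
    { "kill",     CMD_KILL },     { "killall",  CMD_KILLALL },
    { "ftpd",     CMD_FTPD },     { "ftp.stop", CMD_FTP_STOP },
    { "version",  CMD_VERSION },  { "shutdown", CMD_SHUTDOWN },
    { "download", CMD_DOWNLOAD },
};

/* The small helper called "all over the place": two pointers in, rejects
 * NULL or empty strings before any real comparison happens. */
static int both_nonempty(const char *a, const char *b)
{
    return a != NULL && b != NULL && a[0] != '\0' && b[0] != '\0';
}

/* The else-if chain. strcmp() returns 0 on a match, which is why the
 * disassembly tests EAX for zero and jumps to the next column on non-zero. */
cmd_id dispatch(const char *token)
{
    size_t i;
    for (i = 0; i < sizeof cmd_table / sizeof cmd_table[0]; i++)
        if (both_nonempty(token, cmd_table[i].name) &&
            strcmp(token, cmd_table[i].name) == 0)
            return cmd_table[i].id;
    return CMD_UNKNOWN;
}

/* The three outcomes seen next to the kill column: usage text, the
 * "unable to kill process" error, and "process has been killed". */
typedef enum { KILL_USAGE = 0, KILL_FAILED, KILL_OK } kill_result;

/* Constructed stand-in for the process list so the example runs offline. */
static const unsigned long live_pids[] = { 1000, 1337, 4242 };

kill_result cmd_kill(const char *arg)
{
    char *end;
    unsigned long pid;
    size_t i;
    if (arg == NULL || *arg == '\0')
        return KILL_USAGE;               /* no parameter given */
    pid = strtoul(arg, &end, 10);
    if (*end != '\0')
        return KILL_USAGE;               /* parameter is not a number */
    for (i = 0; i < sizeof live_pids / sizeof live_pids[0]; i++)
        if (live_pids[i] == pid)
            return KILL_OK;
    return KILL_FAILED;
}

/* Pulls the command token and its argument out of a constructed IRC PRIVMSG
 * line such as ":op!u@h PRIVMSG #bots :.kill 1337\r\n". The leading '.' is
 * an assumed command prefix. Returns the dispatched id; argbuf gets the
 * argument or "". */
cmd_id handle_irc_line(const char *line, char *argbuf, size_t argsz)
{
    const char *p = strstr(line, " :");
    char tok[64];
    size_t n = 0;
    argbuf[0] = '\0';
    if (p == NULL)
        return CMD_UNKNOWN;
    p += 2;
    if (*p == '.')
        p++;
    while (*p && *p != ' ' && *p != '\r' && *p != '\n' && n < sizeof tok - 1)
        tok[n++] = *p++;
    tok[n] = '\0';
    while (*p == ' ')
        p++;
    n = 0;
    while (*p && *p != '\r' && *p != '\n' && n < argsz - 1)
        argbuf[n++] = *p++;
    argbuf[n] = '\0';
    return dispatch(tok);
}

/* End to end: kill_result for a kill line, or -1 if the line is not a kill. */
int kill_via_irc(const char *line)
{
    char arg[64];
    if (handle_irc_line(line, arg, sizeof arg) != CMD_KILL)
        return -1;
    return (int)cmd_kill(arg);
}

int main(void)
{
    printf("kill 1337 -> %d\n", kill_via_irc(":op!u@h PRIVMSG #bots :.kill 1337\r\n"));
    printf("kill 99   -> %d\n", kill_via_irc(":op!u@h PRIVMSG #bots :.kill 99\r\n"));
    return 0;
}
```

Reading it side by side with the graph: each table row is one of the "columns", the loop is the while(true) that keeps checking the received line, and the three return values of the kill handler are exactly the positive and negative outcome strings the video groups together into the "kill process" node.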