Date post: 13-Apr-2020
Page 1: Reverse Engineering Malware · • This file will include step-by-step instructions of how to access the payment site and carry out the ransom payment • Once infection is done,

Reverse Engineering Malware

Keith Cutajar & David Galea

Restricted use

Page 2

Sli.do

• Download sli.do from the App Store

• #MALWAREMT

Page 3

Basic rules of the game

• Malware Incident Handling cannot be undertaken effectively without a proper Incident Response Mechanism

• Reverse Engineering shouldn’t be done without a business scope

• The CSIRT team should identify the business scope and then proceed with the analysis

• Having an Incident Response toolkit is vital!!

• Always use sandboxed environments or disconnected machines

• OSINT is important - have a live internet connection active on another machine close-by

• One of the primary aims of such an exercise is to gather intelligence on any Social Engineering mechanism used

Page 4

Sli.do

Is your company’s Incident Response Procedure adequate to handle malware incidents?

Page 5

Alpha Ransomware

Page 6

Characteristics

• Ransomware

• Encrypts using RSA-2048 (AES CBC 256-bit encryption algorithm)

• Appends .bin as an extension to the encrypted files

• Requests circa 1.5 Bitcoin to decrypt files

• Common distribution type: Social Engineering (e.g. via links or attachments)

• Network propagation mechanisms: detected in some variants of the malware

• File size: circa 150-200kb

• Typical symptoms for detection: High CPU and RAM usage

Page 7

Upon Installation

• It will create a randomly named executable in the %AppData% or %LocalAppData% folder

• Upon auto-execution, it will scan all drive letters

• Selective encryption: .docx, .xlsx, .pdf, etc. (see next slide)

• Changes file extensions to .bin

• Once the encryption process has completed, it will create a ‘ReadMe’ file in .txt and .html format

• ‘ReadMe’ file is placed in the Startup folder, so the contents are displayed upon user login

• This file will include step-by-step instructions on how to access the payment site and carry out the ransom payment

• Once infection is done, it will delete all Shadow Volume Copies that are on the affected computer

Page 8

File types it targets

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Page 9

Sli.do

Have you ever been hit or affected by a Ransomware attack?

Page 10

Tools which can be used – Process Analysers

November 18

Page 11

Process Explorer

A powerful task manager and system monitor for Microsoft Windows. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system.

Source: http://technet.microsoft.com/en-US/sysinternals/bb896653

Page 12

Process Monitor

A tool from the Windows Sysinternals suite. It monitors and displays in real time all file system, registry and process activity on a Microsoft Windows operating system. It combines two older tools, FileMon and RegMon, and is used in system administration, computer forensics, and application debugging.

Source: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Page 13

Regshot

An open-source tool that quickly takes a snapshot of the registry and file system and compares it with a second snapshot taken later. It is used to detect changes to the system registry and file system (insertions, deletions, modifications), for example before and after a sample is run in the sandbox.

Source: http://sourceforge.net/projects/regshot/
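The snapshot-and-compare workflow Regshot performs, reproduced for the file-system half in Python as an added example (this is not Regshot's code). It takes a "before" snapshot, a constructed "after" state standing in for a sandbox run (no real encryption happens), reports Regshot's three change classes, and adds a read-out for the behaviour described on the ransomware slides: originals that vanish and reappear with `.bin` appended (both `name.docx.bin` and `name.bin` forms, since the deck describes both) and a dropped ReadMe note. The directory layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (relative path, '/' separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap

def compare(before, after):
    """Regshot's three change classes: insertions, deletions, modifications."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def ransomware_readout(diff, ext=".bin"):
    """Pair deleted originals with added name.ext.bin / name.bin copies; flag ReadMe notes."""
    added = set(diff["added"])
    encrypted = [p for p in diff["deleted"]
                 if p + ext in added or os.path.splitext(p)[0] + ext in added]
    notes = [p for p in diff["added"] if os.path.basename(p).lower().startswith("readme")]
    return {"encrypted": encrypted, "ransom_notes": notes}

def demo():
    """Constructed before/after tree standing in for a sandbox detonation."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name, data in [("report.docx", b"q1"), ("sheet.xlsx", b"n"), ("notes.txt", b"todo")]:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    before = snapshot(root)
    # Simulated aftermath: two originals replaced by .bin files, one file edited, a note dropped.
    os.rename(os.path.join(docs, "report.docx"), os.path.join(docs, "report.docx.bin"))
    os.rename(os.path.join(docs, "sheet.xlsx"), os.path.join(docs, "sheet.bin"))
    with open(os.path.join(docs, "notes.txt"), "ab") as fh:
        fh.write(b" edited")
    with open(os.path.join(docs, "ReadMe.txt"), "wb") as fh:
        fh.write(b"constructed placeholder for the ransom note")
    diff = compare(before, snapshot(root))
    return diff, ransomware_readout(diff)
```

Against a real detonation you would call `snapshot()` on the paths of interest before and after running the sample and feed both results to `compare()`; the registry half of Regshot is not reproduced here.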

Page 14

Tools which can be used – Network Analysis

Page 15

Tcpdump

A popular command-line network traffic sniffer and analyser. It can capture network traffic to a file in PCAP format.

Source: http://www.tcpdump.org/

Page 16

Wireshark

A popular network traffic analyser, very similar to Tcpdump but with a graphical user interface and integrated sorting, filtering and statistical options.

Source: https://www.wireshark.org/

Page 17

Tools which can be used – Malware Analysis (Static/Dynamic)

Page 18

IDA Pro

The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost.

Source: https://www.hex-rays.com/products/ida/

Page 19

Sli.do

Have you ever used any of these tools for malware-related incident handling purposes?

Page 20

Into the Dive - Architecture

[Architecture diagram: Enko.exe, Bullworker.dll, Alpha.dll]

Page 21

Into the Dive - Enko.exe

• Enko.exe

• INVOKES:: Decrypts Bullworker from its resources and loads it into memory with Load()

Page 22

Into the Dive - Bullworker

• Bullworker.dll

• ANTIS:: Checks for analysis environments (virtual machines, sandboxes, Wireshark and other tools)

• ACCOUNT ELEVATION:: Attempts to elevate its permissions to Administrator

• Decrypts Alpha.dll from resources in memory

Page 23

Into the Dive - Antis

Page 24

Into the Dive - Account Elevation

Page 25

Into the Dive - Alpha

• Alpha.dll

• KEY FOR ENCRYPTING FILES:: Reads the processor's ID and derives the key from it using MD5

• STEALTH AND PERSISTENCE:: Runs under the hood as a Microsoft service “svchost.exe.”

• KILLS TASK MANAGER:: Kills any running Task Manager and uses a timer to continuously check for new instances

Page 26

Into the Dive - Encryption Key (process id)

Page 27

Into the Dive - Encryption Key (md5)

Page 28

Into the Dive - Stealth and Persistence

Page 29

Into the Dive - Task Manager

Page 30

Into the Dive - Alpha(1)

• Alpha.dll continues..

• FILES AND FOLDERS:: Enumerates all files and folders and resets Read Only attributes to normal

• FILE TYPES:: Over 200, including .docx, .xls and .sql

• SYMMETRIC ENCRYPTION:: CryptoStream

• SETS BACKGROUND :: :)

• APOLOGISING:: “sorry for the inconvenience caused”
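The behaviours listed on the "Upon Installation" and "Alpha" slides translate directly into triage rules for a Process Monitor capture. The script below is an added example (not the authors' code) that runs such rules over constructed Procmon-style events: an executable written under AppData, a burst of renames to `.bin`, a ReadMe dropped into the Startup folder, shadow-copy deletion, a `svchost.exe` started from outside System32 (the slide says the sample runs as svchost.exe; the location test is this example's assumption), and repeated Task Manager terminations. The CSV columns are a reduced form of Procmon's export and the process names, paths and thresholds are constructed for the demo.

```python
import csv
import io
import re

# Constructed Procmon-style events; a real CSV export carries more columns.
SAMPLE_CSV = r"""Process Name,PID,Operation,Path,Detail
kx7q.exe,4120,CreateFile,C:\Users\bob\AppData\Roaming\kx7q.exe,Desired Access: Generic Write
kx7q.exe,4120,SetRenameInformationFile,C:\Users\bob\Documents\a.docx,FileName: C:\Users\bob\Documents\a.docx.bin
kx7q.exe,4120,SetRenameInformationFile,C:\Users\bob\Documents\b.xlsx,FileName: C:\Users\bob\Documents\b.xlsx.bin
kx7q.exe,4120,SetRenameInformationFile,C:\Users\bob\Documents\c.pdf,FileName: C:\Users\bob\Documents\c.pdf.bin
kx7q.exe,4120,CreateFile,C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReadMe.html,Desired Access: Generic Write
kx7q.exe,4120,Process Create,C:\Windows\System32\vssadmin.exe,"PID: 4188, Command line: vssadmin delete shadows /all /quiet"
kx7q.exe,4120,Process Create,C:\Users\bob\AppData\Local\svchost.exe,"PID: 4200, Command line: C:\Users\bob\AppData\Local\svchost.exe"
Taskmgr.exe,5012,Process Exit,C:\Windows\System32\Taskmgr.exe,Exit Status: 1
Taskmgr.exe,5120,Process Exit,C:\Windows\System32\Taskmgr.exe,Exit Status: 1
explorer.exe,1300,CreateFile,C:\Users\bob\Documents\notes.txt,Desired Access: Generic Read
"""

APPDATA_EXE = re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\.exe$", re.I)
STARTUP_NOTE = re.compile(r"\\Start Menu\\Programs\\Startup\\readme\.(txt|html)$", re.I)

def triage(csv_text, rename_threshold=3):
    """Return (rule name, evidence) findings for the deck's ransomware behaviours."""
    findings, bin_renames, taskmgr_exits = [], 0, 0
    for e in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = e["Operation"], e["Path"], e["Detail"]
        if op == "CreateFile" and "Write" in detail and APPDATA_EXE.search(path):
            findings.append(("executable written under AppData", path))
        elif op == "CreateFile" and STARTUP_NOTE.search(path):
            findings.append(("ransom note placed in Startup folder", path))
        elif op == "SetRenameInformationFile" and detail.lower().endswith(".bin"):
            bin_renames += 1  # counted, reported once the threshold is reached
        elif op == "Process Create":
            cmd = detail.split("Command line: ", 1)[-1].lower()
            if all(w in cmd for w in ("vssadmin", "delete", "shadows")):
                findings.append(("shadow copy deletion", cmd))
            if path.lower().endswith("\\svchost.exe") and "\\windows\\system32\\" not in path.lower():
                findings.append(("svchost.exe running outside System32", path))
        elif op == "Process Exit" and e["Process Name"].lower() == "taskmgr.exe":
            taskmgr_exits += 1  # the timer-driven kill shows up as repeated exits
    if bin_renames >= rename_threshold:
        findings.append(("mass rename to .bin", f"{bin_renames} files"))
    if taskmgr_exits >= 2:
        findings.append(("Task Manager repeatedly terminated", f"{taskmgr_exits} exits"))
    return findings
```

The explorer.exe read at the end of the sample produces no finding, which is the negative case these rules should stay quiet on.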

Page 31

Into the Dive - Files Encryption

Page 32

Conclusion

• Automated (UPDATED & MAINTAINED) anti-malware solutions are the best method of defence against malware

• Malware reverse engineering is one of the most technical fields within Digital Forensics

• Always have good contacts whom you can reach out to for a reverse engineering exercise

Page 33
