
Malware Analysis Examples

Maksim Shudrak edited this page Dec 12, 2017 · 9 revisions

Here are two more examples (in addition to the one shown on the main page) where drltrace helps to reveal important information and significantly reduces the amount of work required for malware analysis.

EmbusteBot

This example is based on this report.

The Brazilian cybercriminal scene is known for its affinity for Delphi-based malcode, and the sample we analyzed is no exception to the popular use of Delphi in Brazilian malware. The malware’s authors in this case employ a scheme where a benign executable is used to load a malicious DLL on the target endpoint to activate the payload. While the sample does not make intensive use of anti-research tricks in general, it encrypts sensitive strings in several important parts of the DLL and performs time-based anti-research checks.

The overall purpose of EmbusteBot is to:

  • Find out which browser window runs on the victim’s machine;
  • Match the window title with a list of banks it targets;
  • Take over the victim’s endpoint, use fake overlays in some cases;
  • Launch fraudulent transactions from the victim’s account.

EmbusteBot’s most likely delivery path lies in malware-laden email spam. The malware’s execution on target endpoints begins with dynamic loading of a malicious DLL to find out what browser the victim uses, and what’s on the active tab.

Let’s start EmbusteBot under drltrace:

drltrace.exe -logdir . -print_ret_addr -- vdeis.exe

The sample stops very early, and in the log file we can clearly see that it requires vdeis2.dll to be in C:\Users\Public\Media\.

PICTURE 1

If we place the DLL in the right directory, the malware starts a search loop in which it scans for specific window class names that represent targeted web browsers, such as Internet Explorer:

PICTURE 2

EmbusteBot checks for the window classes of the three most popular web browsers, Internet Explorer (IEFrame in the figure above), Google Chrome and Mozilla Firefox, looking for any of them in the foreground of the victim’s screen. The overall flow of events is as follows:

  1. Get handle of a foreground window.
  2. Get class name of a foreground window.
  3. Compare class name with decrypted strings:
    • IEFRAME (Internet Explorer),
    • CHROME_WIDGETWIN_1 (Google Chrome),
    • MOZILLAWINDOWCLASS (Mozilla Firefox),
    • SUNAWTFRAME (Java),
    • APPLICATIONFRAMEWINDOW (Windows 10 applications),
    • BUTTONCLASS, MAKROBROWSER (generic bundled Internet browsers).
  4. If the class name contains one of the substrings, jump to step 5. If not, return to step 1 after a short pause.
  5. Get the text title of the foreground window.
  6. Compare the title with an elaborate list of decrypted strings: 50 Brazilian bank names and banking web application names in upper case (the CharUpperBuffW API call is used, see figure below). PICTURE HERE
  7. If the window title contains one of the above substrings and the activation file 171703.reg (its name depends on the current system date) is present in C:\Users\Public\Media (see figure below), the malware starts its malicious activity. If not, it returns to step 1 after a short pause. PICTURE HERE

Once the victim is confirmed to be browsing their bank’s website, i.e. the active window has been matched with a target bank, EmbusteBot collects general information about the infected endpoint’s OS (using the API calls shown in the figure below) and hardware environment in the following format:

MACHINE_NAME;Windows X Service Pack X(version X.X, BUILD XXXX XX-bit Edition)Disabled;XX-XX-XX-XX;Disabled;0.0.4

XX-XX-XX-XX is the MAC address of the victim’s machine.

PICTURE HERE

An interesting fact about UuidCreateSequential is that Microsoft introduced this API call to create UUIDs that embed the MAC address of the machine's Ethernet card. This is why the malware uses it to obtain the MAC address. The MAC can also be used to detect a VM (for example, VMware uses the Organizationally Unique Identifier (OUI) 00:50:56). A second interesting fact: if we try to fool the malware by changing the MAC via the standard Windows interface, it does not work. For some reason (probably because it uses a low-level interface to read the MAC), UuidCreateSequential still returns the real MAC address of the Ethernet card, so the MAC has to be changed through the interface provided by the VM.
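Because UuidCreateSequential returns version-1 UUIDs whose node field is the MAC, an analyst can check what their own sandbox exposes by decoding that field and comparing the OUI. The following is an added example (not code from this page or from drltrace) that does exactly this; the UUID strings are constructed stand-ins for values returned by UuidCreateSequential, and the OUI table beyond 00:50:56 lists well-known hypervisor assignments.

```python
import uuid

# OUIs of common hypervisor virtual NICs. 00:50:56 is the VMware OUI named on this
# page; the other three are well-known assignments (VMware, VirtualBox, Hyper-V).
VM_OUIS = {"00:50:56": "VMware", "00:0c:29": "VMware",
           "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V"}

def node_from_sequential_uuid(u):
    """Extract the 48-bit node field of a version-1 UUID as a MAC string.

    UuidCreateSequential emits version-1 UUIDs whose node field is the Ethernet
    MAC. Returns None for other UUID versions, or when the node's multicast bit
    is set, which RFC 4122 requires for a random node (no real MAC embedded)."""
    u = uuid.UUID(u) if isinstance(u, str) else u
    if u.version != 1 or u.node & (1 << 40):  # bit 40 = multicast bit of first octet
        return None
    return ":".join(f"{(u.node >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))

def vm_vendor_from_uuid(u):
    """Name the hypervisor whose OUI the embedded MAC carries, or None."""
    mac = node_from_sequential_uuid(u)
    return None if mac is None else VM_OUIS.get(mac[:8])

# Constructed UUIDs standing in for UuidCreateSequential results; no real hosts.
SAMPLES = {
    "vmware_guest": "6ba7b810-9dad-11d1-80b4-005056ab12cd",
    "random_node": "6ba7b810-9dad-11d1-80b4-0150561234ab",    # multicast bit set
    "physical_host": "6ba7b810-9dad-11d1-80b4-3c970e1a2b3c",
    "not_sequential": "12345678-1234-4123-8123-005056aabbcc",  # version 4, no MAC
}

def classify_samples():
    """Map each sample name to (embedded MAC or None, hypervisor vendor or None)."""
    return {name: (node_from_sequential_uuid(v), vm_vendor_from_uuid(v))
            for name, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (mac, vendor) in classify_samples().items():
        print(f"{name:15s} mac={mac} vendor={vendor}")
```

If the decoded MAC of a UUID taken on your analysis VM still carries a hypervisor OUI after changing the address in Windows, the change has to be made at the VM level, as the text above notes.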

Then the sample installs a hook procedure that monitors low-level keyboard events, and it also captures the screen.

PICTURE HERE PICTURE HERE

NotPetya

Inspired by the WannaCry ransomware campaign, NotPetya was first discovered in June 2017 and attracted huge media attention. Its authors employed two propagation schemes: the same EternalBlue/EternalRomance TODO:LINK exploits used in WannaCry TODO:LINK, along with an embedded Mimikatz TODO:LINK for stealing user and admin credentials.

Let’s try to get some technical details of this sample using drltrace:

drltrace.exe -logdir . -print_ret_addr -- rundll32.exe perfc.dll,#1

The NotPetya main module is distributed as a DLL, so we can simply execute it using rundll32.exe and apply an external script to select only the API calls that belong to our DLL by specifying its unique module id, listed in the module table at the end of the log file.

python filter_dlls.py drltrace.exe.rundll32.exe.00336.0000.log 45

The first part of the log shows that NotPetya tries to adjust its token privileges (via the AdjustTokenPrivileges API call). The sample needs the Shutdown, Debug and TCB privileges (to be able to use low-level OS features to rewrite the MBR TODO:link).

PICTURE HERE

The next part of the drltrace log lets us easily find the famous kill-switch of NotPetya: the sample stops if PathFileExistsW(C:\Windows\perfc.dll) returns true.

PICTURE HERE

The actual malicious behavior starts a few hundred lines after the kill-switch check. The sample opens PhysicalDrive0 and overwrites the MBR.

PICTURE HERE
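The filtering by module id described above, plus the three findings from the log (privilege adjustment, the perfc.dll kill-switch check and the raw open of PhysicalDrive0), can be automated. The following is an added example, not the project's filter_dlls.py nor real NotPetya output: the log lines are constructed in the shape of a drltrace log taken with -print_ret_addr (the exact format is assumed), and module id 45 stands in for the id drltrace assigned to the traced DLL.

```python
import re
# Constructed lines in the shape of a drltrace log taken with -print_ret_addr (format
# assumed: "~~Dr.L~~ module!api", indented "arg N:" lines, then "and return to module
# id:N, ..."). Not real NotPetya output; id 45 stands in for the traced DLL's module id.
SAMPLE_LOG = r"""
~~Dr.L~~ KERNEL32.dll!GetProcAddress
    arg 1: 0x00c4a1d8 => "LoadLibraryW"
    and return to module id:0, offset:0x2d0a
~~Dr.L~~ ADVAPI32.dll!AdjustTokenPrivileges
    arg 0: 0x000000f4
    and return to module id:45, offset:0x1e3c
~~Dr.L~~ SHLWAPI.dll!PathFileExistsW
    arg 0: 0x0030f7a0 => "C:\Windows\perfc.dll"
    and return to module id:45, offset:0x2104
~~Dr.L~~ KERNEL32.dll!CreateFileW
    arg 0: 0x00c51f20 => "\\.\PhysicalDrive0"
    and return to module id:45, offset:0x3a20
"""
HEADER_RE = re.compile(r"^~~Dr\.L~~ (?P<module>[^!]+)!(?P<api>\S+)")
ARG_RE = re.compile(r'^\s+arg \d+: (?P<raw>\S+)(?: => "(?P<text>.*)")?')
RET_RE = re.compile(r"^\s+and return to module id:(?P<id>\d+), offset:0x[0-9a-f]+")

def parse_drltrace(text):
    """Group each API record with its arguments and the module id it returns to."""
    calls, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"module": m["module"], "api": m["api"], "args": [], "caller_id": None}
            calls.append(cur)
        elif cur is not None and (m := ARG_RE.match(line)):
            cur["args"].append(m["text"] if m["text"] is not None else m["raw"])
        elif cur is not None and (m := RET_RE.match(line)):
            cur["caller_id"] = int(m["id"])
    return calls

def calls_from_module(calls, module_id):  # what filter_dlls.py does for the traced DLL
    return [c for c in calls if c["caller_id"] == module_id]

# Behaviours this page attributes to NotPetya, as (API, predicate on first argument, label).
RULES = [
    ("AdjustTokenPrivileges", lambda a: True, "token privilege adjustment"),
    ("PathFileExistsW", lambda a: a is not None and a.lower().endswith("perfc.dll"), "kill-switch check"),
    ("CreateFileW", lambda a: a is not None and a.startswith(r"\\.\PhysicalDrive"), "raw disk open (MBR)"),
]

def flag_calls(calls, module_id):
    """Return (api, first_arg, label) for calls from the module that match a rule."""
    hits = []
    for c in calls_from_module(calls, module_id):
        first = c["args"][0] if c["args"] else None
        hits += [(api, first, label) for api, pred, label in RULES if c["api"] == api and pred(first)]
    return hits
```

Calls returning into module 0 (rundll32.exe itself) are dropped, so only the DLL's own behaviour is reported.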

Moreover, NotPetya also encrypts all files stored in all subdirectories of all available drives in the OS, starting from `C:\*`. As drltrace shows in the figure below, the sample generates a key using the standard Windows CryptoAPI and enumerates files via `FindFirstFile`/`FindNextFile`.

PICTURES HERE

Then, if the file extension matches a certain pattern, the encryption takes place: the sample opens the file, maps it into memory, encrypts it and writes it back to disk. We can easily find which file extensions our sample wants to encrypt.

PICTURE HERE
