A project done while going through the "Concept And Techniques For Malware Analysis" module at my university.
Performing reverse engineering on a malware sample (.exe).
- The reverse engineering was conducted on Flare, a Windows 10 virtual environment
- IDA Pro
- Resource Hacker
Qns: Provide both raw file offsets of the EXE that contain the two config strings.

Ans: 1B610 and 1B640
Qns: Provide both values of the config strings in raw hex bytes.


Qns: Are you able to find these config strings within IDA (use Hex View and Search->Text)? If not, please provide a brief explanation. (Hint: what does opening the PE file in IDA Pro simulate in the PE file execution process?)

No. The main functions of IDA Pro are debugging and disassembly. Opening a PE file in IDA Pro essentially emulates the disassembly of the binary code, the analysis of the code structure, and the logic flow of the program.
Qns: Please provide a brief description (referencing addresses from IDA), including screenshots, of the encoding algorithm used. Include the keys/values used for the encoding in hex.

The return value of the config string is the parameter for the function at 00402877.

The function encodes the string by adding 'z' (0x7A) to each char (located at 00401AB9) and then XORing the result with 0x19 (located at 00401AC6).
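As an added worked example (not part of the original write-up), the encoding described above re-implemented in Python so that a config string copied out of IDA's hex view can be decoded back to plaintext. The sample plaintext is constructed; the report does not reproduce the real config bytes.

```python
# Added example: re-implementation of the encoding recovered from the IDA
# disassembly. Each byte has 'z' (0x7A) added to it, then the result is
# XORed with 0x19. Arithmetic wraps at 8 bits, as the x86 add does.

ADD_KEY = ord("z")   # 0x7A, the add at 00401AB9
XOR_KEY = 0x19       # the xor at 00401AC6


def encode_config(plain: bytes) -> bytes:
    """Apply the sample's encoding: (c + 'z') ^ 0x19 for each byte."""
    return bytes(((c + ADD_KEY) & 0xFF) ^ XOR_KEY for c in plain)


def decode_config(encoded: bytes) -> bytes:
    """Invert the encoding: undo the XOR first, then subtract 'z' mod 256."""
    return bytes(((c ^ XOR_KEY) - ADD_KEY) & 0xFF for c in encoded)


def decode_hex_dump(hex_text: str) -> str:
    """Decode bytes copied from IDA's hex view, e.g. 'A2 A2 A2 A2 A2 A2'."""
    raw = bytes.fromhex(hex_text.replace(" ", ""))
    return decode_config(raw).decode("latin-1")


if __name__ == "__main__":
    # Constructed sample plaintext (not the sample's real config).
    sample = b"AAAAAA"
    enc = encode_config(sample)
    print(enc.hex(" "))          # a2 a2 a2 a2 a2 a2
    print(decode_config(enc))    # b'AAAAAA'
```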
Qns: There are 2 algorithms to generate service names for persistence. Please provide a brief description (referencing addresses from IDA), including screenshots.

The lpServiceName parameter of the CreateServiceA API is the return value of the function sub_401FE0. Hence it is highly likely that this function contains the algorithm that generates the service name.

Firstly, it checks the registry for whether netsvcs exists, using the handle HKEY_LOCAL_MACHINE under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which may be a potential target for the persistence to hide in plain sight.

The formatted string output is netsvcs_0x%d. It checks whether a service name already exists with the result of the earlier query; if not, it modifies the variable that the format token takes in.

If no such string was created before, it overwrites it with a new netsvcs_0x%d. This may be for indexing purposes.

Within the same subfunction, it first opens the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key and uses the key handle to query the netsvcs value.
The lpData parameter variable that stores the query data is located at ebp+Data (004021BE).

The GetSystemDirectoryA function data is in ebp+Buffer (00402236). Using the query data stored at 004021BE (Figure 10) as the loop condition and variable, it generates the service name by checking for the null char (00402254) within the query data. It opens a key using HKEY_LOCAL_MACHINE, with the subkey being the formatted output from wsprintfA (SYSTEM\CurrentControlSet\Services\%s), located at ebp+Subkey (0040225E).

If the open fails, it closes the key, increments the condition variable, and repeats. If it opens successfully, it gets the file attributes of the DLL under the system directory. If the file does not exist, it creates a service named after the query data in Figure 10 under the path %SystemRoot%\System32\svchost.exe -k netsvcs so that it can be accessed.
Qns: Is it possible to statically extract the dropped DLL from the first sample, server.exe? Please provide a brief description including screenshots.

By looking at the resource editor tab, we can see that there is another exe embedded in the server.exe file.


Resource Hacker is used to extract the file, which is then imported back into IDA for further RE.
Qns: What is the service DLL location that is stated after the service is created? Provide a screenshot of this information. Are you able to find the DLL at this location? If not, please provide an adequate explanation.


Path= %SystemRoot%\System32\svchost.exe -k netsvcs

No. It may be because the mutex created does not exist, which results in the code returning instead of flowing to the other branch that creates the service.
Qns: Previously, the config string was found in part 1. Please elaborate on how this DLL obtains its config string again.


Using the same technique as server.exe, the DLL searches for the file with the AAAAAA ASCII values, which is part of the config string stated in part one. It then creates and reads the file.
Qns: The malware enumerates host system information before sending the information to the C2 server in function sub_10009700. Please state 2 of the multiple data items enumerated from the host.


Socket number and time since the system was started.