
Reverse Engineering Malware

Keith Cutajar & David Galea

Restricted use

Sli.do

• Download sli.do from the App Store

• #MALWAREMT

Basic rules of the game

• Malware Incident Handling cannot be undertaken effectively without a proper Incident Response Mechanism

• Reverse Engineering shouldn’t be done without a business scope

• The CSIRT team should define the business scope before the analysis begins

• Having an Incident Response toolkit is vital!!

• Always use sandboxed environments or disconnected machines

• OSINT is important - have a live internet connection active on another machine close-by

• One of the primary aims of such an exercise is to gather intelligence on any social engineering mechanism that was used

Sli.do

Is your company’s Incident Response Procedure adequate to handle malware incidents?

Alpha Ransomware

Characteristics

• Ransomware

• Encryption: RSA-2048 is the cited algorithm, but the file encryption itself is symmetric AES-256 in CBC mode (see the Alpha.dll analysis below, where the key is derived from the processor ID)

• Appends .bin as an extension to the encrypted files

• Requests circa 1.5 Bitcoin to decrypt files

• Common distribution type: Social Engineering (e.g. via links or attachments)

• Network propagation mechanisms: detected in some variants of the malware

• File size: circa 150-200 KB

• Typical symptoms for detection: High CPU and RAM usage

Upon Installation

• It will create a randomly named executable in the %AppData% or %LocalAppData% folder

• Upon auto-execution, it will scan all drive letters

• Selective encryption: .docx, .xlsx, .pdf, etc. (see next slide)

• Changes file extensions to .bin

• Once encryption process has been completed, it will create a ‘ReadMe’ file in .txt and .html format

• ‘ReadMe’ file is placed in the Startup folder, so the contents are displayed upon user login

• This file will include step-by-step instructions of how to access the payment site and carry out the ransom payment

• Once encryption is complete, it deletes all Volume Shadow Copies on the affected computer, removing the easiest local recovery path
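The installation sequence above gives a responder four host-side indicators to check: an executable dropped into the AppData roots, ReadMe notes in the Startup folder, the spread of .bin files across fixed drives, and whether shadow copies survived. The following C# triage check is an added example written for this page, not code from the slides or from the Alpha sample. It reads host state only. It assumes .NET 6 or later (for EnumerationOptions), that the dropped executable sits directly in the %AppData% or %LocalAppData% root rather than a subfolder, and that `vssadmin list shadows` prints one "Shadow Copy ID:" line per surviving copy; run it from an elevated prompt, because the shadow-copy query needs administrator rights.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;

// Added triage example for this page, not code from the slides or the sample.
// Reads host state only; never modifies anything. Assumes .NET 6+ (EnumerationOptions).
static class AlphaTriage
{
    static readonly EnumerationOptions Recursive = new EnumerationOptions
    {
        RecurseSubdirectories = true,
        IgnoreInaccessible = true,      // skip ACL-protected folders instead of aborting
    };

    // Indicator 1: an .exe sitting directly in %AppData% or %LocalAppData%.
    // (Assumption: the randomly named dropper lands in the root, not a subfolder.)
    public static string[] FindDroppedExecutables()
    {
        var roots = new[]
        {
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        };
        return roots.Where(Directory.Exists)
                    .SelectMany(root => Directory.EnumerateFiles(root, "*.exe"))
                    .ToArray();
    }

    // Indicator 2: ReadMe.txt / ReadMe.html in the per-user Startup folder.
    public static string[] FindStartupRansomNotes()
    {
        string startup = Environment.GetFolderPath(Environment.SpecialFolder.Startup);
        if (!Directory.Exists(startup)) return Array.Empty<string>();
        return Directory.EnumerateFiles(startup)
            .Where(f => Path.GetFileNameWithoutExtension(f)
                            .Equals("ReadMe", StringComparison.OrdinalIgnoreCase))
            .Where(f => f.EndsWith(".txt", StringComparison.OrdinalIgnoreCase)
                     || f.EndsWith(".html", StringComparison.OrdinalIgnoreCase))
            .ToArray();
    }

    // Indicator 3: ".bin" files across fixed drives, as a blast-radius estimate.
    // Legitimate .bin files (firmware images, game data) inflate this count,
    // so treat a sudden jump, not the absolute number, as the signal.
    public static int CountEncryptedFiles()
    {
        return DriveInfo.GetDrives()
            .Where(d => d.DriveType == DriveType.Fixed && d.IsReady)
            .Sum(d => Directory.EnumerateFiles(d.RootDirectory.FullName, "*.bin", Recursive).Count());
    }

    // Indicator 4: shadow copies gone. Needs an elevated prompt. Assumption about
    // vssadmin's output: one "Shadow Copy ID:" line per surviving copy.
    public static bool ShadowCopiesPresent()
    {
        var psi = new ProcessStartInfo("vssadmin", "list shadows")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        using Process p = Process.Start(psi)!;
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return output.Contains("Shadow Copy ID", StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        foreach (string exe in FindDroppedExecutables()) Console.WriteLine($"dropped exe?  {exe}");
        foreach (string note in FindStartupRansomNotes()) Console.WriteLine($"ransom note:  {note}");
        Console.WriteLine($".bin files on fixed drives: {CountEncryptedFiles()}");
        Console.WriteLine($"shadow copies present:      {ShadowCopiesPresent()}");
    }
}
```

The full-drive enumeration can take minutes on a large volume; if you only need a yes/no, stop after the first hit in a user profile. None of these checks confirms the family on its own, but a fresh .exe in an AppData root together with ReadMe notes in Startup and missing shadow copies is the combination the slides describe, and it is cheap to capture before the host is powered down for imaging.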

File types it targets

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12,

.qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl,

.hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp,

.sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor,

.psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge,

.kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4,

.sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js,

.css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d,

.rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw,

.3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf,

.dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc,

.odb, .odc, .odm, .odp, .ods, .odt

Sli.do

Have you ever been hit or affected by a Ransomware attack?

Tools which can be used – Process Analysers

November 18

Process Explorer

A powerful task manager and system monitor for Microsoft Windows. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system.

Source: http://technet.microsoft.com/en-US/sysinternals/bb896653

Process Monitor

A tool from the Windows Sysinternals suite. It monitors and displays in real time all file system, registry and process activity on a Microsoft Windows system. It combines two older tools, FileMon and RegMon, and is used in system administration, computer forensics and application debugging.

Source: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Regshot

An open-source tool that quickly takes a snapshot of the registry and file system and compares it with a second snapshot. Used to detect changes to the registry and file system (insertions, deletions, modifications) made while a sample runs.

Source: http://sourceforge.net/projects/regshot/

Tools which can be used – Network Analysis

Tcpdump

A popular command-line network traffic sniffer and analyser. It can write captured traffic to a file in PCAP format.

Source: http://www.tcpdump.org/

Wireshark

A popular network traffic analyser, very similar to Tcpdump but with additional graphic user interface and integrated sorting, filtering and statistical options.

Source: https://www.wireshark.org/

Tools which can be used – Malware Analysis (Static/Dynamic)

IDA Pro

The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It also can be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost.

Source: https://www.hex-rays.com/products/ida/

Sli.do

Have you ever used any of these tools for malware-related incident handling purposes?

Into the Dive - Architecture


[Architecture diagram: Enko.exe holds an encrypted resource blob; it unpacks to Bullworker.dll, which in turn unpacks Alpha.dll]

Into the Dive - Enko.exe

• Enko.exe

• INVOKES:: Decrypts Bullworker.dll from its resources and loads it straight from memory with Load(), so the DLL is never written to disk as a file

Into the Dive - Bullworker

• Bullworker.dll

• ANTIS:: Checks for analysis environments (virtual machines, sandboxes, Wireshark and similar tools) before going further

• ACCOUNT ELEVATION:: Attempts to elevate its privileges to Administrator

• Decrypts Alpha.dll from resources in memory

Into the Dive - Antis

Into the Dive - Account Elevation

Into the Dive - Alpha

• Alpha.dll

• KEY FOR ENCRYPTING FILES:: Reads the processor ID and derives the file-encryption key from it with MD5. Because that value is deterministic and available on the victim machine, the key can be regenerated locally without any attacker-held secret

• STEALTH AND PERSISTENCE:: Runs disguised as the Windows service host process “svchost.exe”

• KILLS TASK MANAGER:: Terminates any running Task Manager and uses a timer to keep checking for new instances

Into the Dive - Encryption Key (processor ID)

Into the Dive - Encryption Key (md5)

Into the Dive - Stealth and Persistence

Into the Dive - Task Manager

Into the Dive - Alpha(1)

• Alpha.dll continues..

• FILES AND FOLDERS:: Enumerates all files and folders and resets Read-Only attributes to Normal so that every target can be overwritten

• FILE TYPES:: Over 200, including .docx, .xls and .sql (see the list above)

• SYMMETRIC ENCRYPTION:: .NET CryptoStream

• SETS BACKGROUND:: Replaces the desktop background

• APOLOGISING:: The note reads “sorry for the inconvenience caused”

Into the Dive - Files Encryption
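The two Alpha.dll slides above (key derived from the processor ID via MD5; files pushed through a symmetric CryptoStream and renamed to .bin) describe a scheme a responder can reverse on the victim host. The C# below is an added worked example written for this page, not code taken from the sample. The slides do not say how the 16-byte MD5 digest becomes a 256-bit AES key or where the IV comes from, so the code assumes the 32-character lowercase hex digest is the key and the first 16 raw digest bytes are the IV; the processor ID value in Main is constructed, and reading it from WMI Win32_Processor.ProcessorId is an assumption about where Alpha obtains it. What the example demonstrates is the consequence of that design: anyone with access to the machine can recompute the key and decrypt.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example for this page, not Alpha's own code.
// Reconstructs the described scheme: processor ID -> MD5 -> symmetric key -> CryptoStream.
// ASSUMED (not on the slides): key = ASCII of the 32-char lowercase hex digest (256 bits),
// IV = first 16 raw digest bytes. Confirm both in the decompiled Alpha.dll before use.
static class AlphaKeyRecovery
{
    public static (byte[] Key, byte[] IV) DeriveKeyMaterial(string processorId)
    {
        using var md5 = MD5.Create();
        byte[] digest = md5.ComputeHash(Encoding.ASCII.GetBytes(processorId));
        string hex = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        byte[] key = Encoding.ASCII.GetBytes(hex);   // 32 bytes -> AES-256 (assumption)
        byte[] iv = new byte[16];
        Array.Copy(digest, iv, 16);                  // IV (assumption)
        return (key, iv);
    }

    // Push a buffer through a CryptoStream, the primitive the slides name.
    static byte[] Transform(byte[] input, ICryptoTransform transform)
    {
        using var output = new MemoryStream();
        using (var cs = new CryptoStream(output, transform, CryptoStreamMode.Write))
        {
            cs.Write(input, 0, input.Length);
            cs.FlushFinalBlock();
        }
        return output.ToArray();
    }

    static Aes NewCipher(string processorId)
    {
        var (key, iv) = DeriveKeyMaterial(processorId);
        Aes aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        aes.IV = iv;
        return aes;
    }

    public static byte[] Encrypt(byte[] plaintext, string processorId)
    {
        using Aes aes = NewCipher(processorId);
        using ICryptoTransform enc = aes.CreateEncryptor();
        return Transform(plaintext, enc);
    }

    public static byte[] Decrypt(byte[] ciphertext, string processorId)
    {
        using Aes aes = NewCipher(processorId);
        using ICryptoTransform dec = aes.CreateDecryptor();
        return Transform(ciphertext, dec);
    }

    // Recovery step for one encrypted file: decrypt and drop the appended ".bin".
    public static string RecoverFile(string binPath, string processorId)
    {
        byte[] plain = Decrypt(File.ReadAllBytes(binPath), processorId);
        string originalPath = Path.ChangeExtension(binPath, null); // "x.docx.bin" -> "x.docx"
        File.WriteAllBytes(originalPath, plain);
        return originalPath;
    }

    static void Main()
    {
        // Constructed sample value. On a victim host read the real one from
        // WMI Win32_Processor.ProcessorId (assumed to be the source Alpha uses).
        const string processorId = "BFEBFBFF000906EA";
        byte[] document = Encoding.UTF8.GetBytes("Q3 figures: confidential");

        byte[] encrypted = Encrypt(document, processorId);
        byte[] recovered = Decrypt(encrypted, processorId);
        Console.WriteLine(Encoding.UTF8.GetString(recovered));

        // A wrong processor ID almost always fails PKCS7 padding validation
        // instead of yielding plaintext, so a bad guess is detected rather than silently applied.
        try { Decrypt(encrypted, "0000000000000000"); }
        catch (CryptographicException) { Console.WriteLine("wrong key rejected"); }
    }
}
```

Before running RecoverFile against real .bin files, read the exact key construction (raw digest or hex string, which text encoding, where the IV comes from) off the decompiled Alpha.dll with a .NET decompiler and correct the two assumptions in DeriveKeyMaterial; work on copies of the encrypted files. The contrast with the RSA-2048 the note cites is the whole point: in a genuine hybrid scheme the per-file symmetric key would be wrapped with a public key whose private half only the attacker holds, and this recovery would be impossible.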

Conclusion

• Automated (updated and maintained) anti-malware solutions are the best method of defence against malware

• Malware reverse engineering is one of the most technical fields within Digital Forensics

• Always have good contacts whom you can reach for a reverse engineering exercise

Recommended