I’ve recently investigated malware that we received from a customer. The SHA-256 is: f4d9660502220c22e367e084c7f5647c21ad4821d8c41ce68e1ac89975175051.
This is not particularly complex malware from a technical point of view, but it illustrates some of the most common techniques used by malware authors to complicate dynamic (automated) and static (manual) analysis.
In order to detect the dynamic analysis environment, it creates a vector that contains a list of the following programs:
- “W32DASM”
The malware enumerates all windows on the infected system, and if any of them is found to belong to one of the programs listed above, the malware enters a loop and waits for that program to exit. This is a primitive technique, but it is easy and straightforward to implement in code.
To complicate the static analysis, the malware implements two additional techniques:
1. Any significant strings in the malware are encrypted using a custom encryption scheme. This has the following implications for the malware authors and analysts:
- Command-and-control (C&C) domain(s) can be hard-coded in the malware. There is no need for malware authors to implement domain generation algorithms (DGAs). DGAs can be good candidates for signatures, and in some cases malware authors incur significant “maintenance” costs from constantly changing them.
- Application programming interfaces (APIs) used by the malware are resolved at runtime, and the names of those APIs are decrypted at runtime as well. This means that static analysis becomes meaningful only after the analyst is able to understand the encryption scheme.
2. Communication with the C&C is encrypted using a custom scheme:
- The malware communicates with the C&C using a custom encrypted/obfuscated protocol on top of regular HTTP. This allows malware authors to build a fairly generic module that provides a low-cost way of changing the communication scheme between the infected clients and the C&C. Additionally, real-time network analysis/monitoring can be rendered partially or totally ineffective.
Now let’s take a deeper look at the string encryption scheme. For example, let’s look at the following string: “UHEOtTKwmsDb1J/2f8l/5w==”. This looks like a base64-encoded string, but the encryption scheme is slightly more complicated. As a first step, the malware generates a key from hard-coded data. The key generation steps are shown below:
A hard-coded string is taken: (1)
0386038 74 31 37 2E 30 38 2E 33 31 2E 46 43 30 36 31 37 t17.08.31.FC0617
0386048 2E 35 35 30 36 2E 35 35 30 36 2E 36 38 33 37 00 .5506.5506.6837.
(1) is then base64-encoded: (2)
00386078 64 44 45 33 4C 6A 41 34 4C 6A 4D 78 4C 6B 5A 44 dDE3LjA4LjMxLkZD
00386088 4D 44 59 78 4E 79 34 31 4E 54 41 32 4C 6A 55 31 MDYxNy41NTA2LjU1
00386098 4D 44 59 75 4E 6A 67 7A 4E 77 3D 3D 00 AB AB AB MDYuNjgzNw==
Then the MD5 hash of (2) is calculated: (3)
0012F360 63 35 64 37 30 32 61 31 30 34 30 37 62 61 39 62 c5d702a10407ba9b
0012F370 37 32 62 33 61 35 66 35 30 30 37 37 36 66 38 36 72b3a5f500776f86
Next, the malware calculates an MD5 hash of a hard-coded blob of data stored in the .rdata section (at 0043F2F0): (4)
The MD5 hash is: (5)
00386110 34 61 61 61 65 61 61 39 66 38 31 35 61 30 61 66 4aaaeaa9f815a0af
00386120 34 39 31 37 30 30 33 35 62 64 34 33 31 32 39 66 49170035bd43129f
(3) and (5) are concatenated: (6)
00386160 63 35 64 37 30 32 61 31 30 34 30 37 62 61 39 62 c5d702a10407ba9b
00386170 37 32 62 33 61 35 66 35 30 30 37 37 36 66 38 36 72b3a5f500776f86
00386180 34 61 61 61 65 61 61 39 66 38 31 35 61 30 61 66 4aaaeaa9f815a0af
00386190 34 39 31 37 30 30 33 35 62 64 34 33 31 32 39 66 49170035bd43129f
The MD5 hash of (6) is calculated, and this becomes the key for Tiny Encryption Algorithm (TEA) encryption: (7)
00386078 31 37 62 35 33 30 36 36 31 37 61 39 65 61 63 37 17b5306617a9eac7
00386088 36 61 39 38 66 66 62 38 61 31 37 39 35 66 30 61 6a98ffb8a1795f0a
At this point, preparation is finished and the malware is ready to decrypt strings. The decryption algorithm is as follows:
1. Take the encrypted string — for example, “UHEOtTKwmsDb1J/2f8l/5w==” — and apply a base64-like function to it.
2. Apply TEA decryption to the result of step 1, using the key produced in (7).
3. A simple final loop produces the decrypted string:
.text:0041B9B0 0F BE 14 31 movsx edx, byte ptr [ecx+esi]
.text:0041B9B4 F6 C1 01 test cl, 1
.text:0041B9B7 75 06 jnz short loc_41B9BF
.text:0041B9B9 2B D1 sub edx, ecx
.text:0041B9BB 03 D0 add edx, eax
.text:0041B9BD EB 04 jmp short loc_41B9C3
.text:0041B9BF ; ---------------------------------------------------------------------------
.text:0041B9BF
.text:0041B9BF loc_41B9BF:
.text:0041B9BF 2B D0 sub edx, eax
.text:0041B9C1 03 D1 add edx, ecx
.text:0041B9C3
.text:0041B9C3 loc_41B9C3:
.text:0041B9C3 88 14 31 mov [ecx+esi], dl
.text:0041B9C6 41 inc ecx
.text:0041B9C7 3B C8 cmp ecx, eax
.text:0041B9C9 72 E5 jb short loc_41B9B0
4. The decrypted string is:
00385FB8 57 53 41 53 74 61 72 74 75 70 00 00 00 00 00 00 WSAStartup......
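As an added example (not code from the original write-up), the key derivation of steps (1) to (7) and the final loop of step 3 in Python. The TEA stage is left out because the page does not specify the base64-like variant or how the 32-hex-character value in (7) maps onto TEA's 128-bit key; `derive_tea_key` follows the dumps literally (MD5 over the ASCII text exactly as printed), which is an assumption, so only the base64 step is checkable against the page.

```python
import base64
import hashlib

# Values copied from the write-up: the hard-coded seed (1) and the printed MD5 of the .rdata blob (5).
SEED = b"t17.08.31.FC0617.5506.5506.6837"
BLOB_MD5_HEX = "4aaaeaa9f815a0af49170035bd43129f"


def base64_seed(seed: bytes) -> str:
    """Step (2): plain base64 of the 31-byte seed, which the dump shows ending in '=='."""
    return base64.b64encode(seed).decode()


def derive_tea_key(seed: bytes, blob_md5_hex: str) -> bytes:
    """Steps (3), (6) and (7). Assumption: each MD5 is taken over the ASCII text
    exactly as the memory dumps print it (no terminating NUL, lowercase hex)."""
    seed_md5_hex = hashlib.md5(base64_seed(seed).encode()).hexdigest()  # (3)
    combined = (seed_md5_hex + blob_md5_hex).encode()                   # (6): 64 hex chars
    return hashlib.md5(combined).digest()                                # (7): 16 bytes, one TEA key


def unskew(buf: bytes) -> bytes:
    """Step 3, the loop at .text:0041B9B0 (eax = length, ecx = index, edx = byte):
    even index -> byte - index + length, odd index -> byte - length + index,
    truncated to 8 bits by the 'mov [ecx+esi], dl' store."""
    n = len(buf)
    out = bytearray(buf)
    for i in range(n):
        out[i] = (out[i] - n + i) & 0xFF if i & 1 else (out[i] - i + n) & 0xFF
    return bytes(out)


def skew(buf: bytes) -> bytes:
    """Inverse of unskew(), useful for building test vectors for the decoder."""
    n = len(buf)
    out = bytearray(buf)
    for i in range(n):
        out[i] = (out[i] + n - i) & 0xFF if i & 1 else (out[i] + i - n) & 0xFF
    return bytes(out)


if __name__ == "__main__":
    print(base64_seed(SEED))                        # dDE3LjA4LjMxLkZDMDYxNy41NTA2LjU1MDYuNjgzNw==
    print(derive_tea_key(SEED, BLOB_MD5_HEX).hex())
    print(unskew(skew(b"WSAStartup")))              # b'WSAStartup'
```

The `unskew` routine is the part worth keeping in a string-decryption script: once TEA output is available, it is the only step between the cipher and the API name.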
The payload consists of data gathered about the system, separated by hard-coded strings taken from the “.data” section. This is a fairly standard scheme. The payload generation steps are described below:
The malware creates a pseudorandom string and concatenates it with “&”; for example, on the test system: (8)
debug180:00385ED8 26 44 6D 31 63 4C 3D 00 aDm1cl_0 db '&Dm1cL=',0
Adds the hostname and PID: (9)
debug180:00385F38 26 44 6D 31 63 4C 3D 69+aDm1clIiiii0000000013544 db '&Dm1cL=iiiii-000000001*3544',0
Creates an additional pseudorandom string and concatenates it with hard-coded values: (10)
debug180:00386280 26 63 37 6A 72 4D 71 74+aC7jrmqt712 db '&c7jrMqt7=12',0
(8), (9) and (10) are concatenated: (11)
debug180:00385F38 26 44 6D 31 63 4C 3D 69+aDm1clIiiii0000000013544C7jrmqt712 db '&Dm1cL=iiiii-000000001*3544&c7jrMqt7=12',0
Hard-coded data is added to (11): (12)
debug180:00386248 26 44 6D 31 63 4C 3D 69+aDm1clIiiii0000000013544C7jrmqt712DateFverT17_08 db '&Dm1cL=iiiii-000000001*3544&c7jrMqt7=12&date=fVER: t17.08.31.FC06'
A sub-string of the MD5 hash in (5) is taken (here, the 16 characters starting at offset 8): (13)
debug180:00385B90 66 38 31 35 61 30 61 66+aF815a0af49170035 db 'f815a0af49170035',0
(13) is appended to (12):
00386248 26 44 6D 31 63 4C 3D 69 69 69 69 69 2D 30 30 30 &Dm1cL=iiiii-000
00386258 30 30 30 30 30 31 2A 33 35 34 34 26 63 37 6A 72 000001*3544&c7jr
00386268 4D 71 74 37 3D 31 32 26 64 61 74 65 3D 66 56 45 Mqt7=12&date=fVE
00386278 52 3A 20 74 31 37 2E 30 38 2E 33 31 2E 46 43 30 R: t17.08.31.FC0
00386288 36 31 37 2E 66 38 31 35 61 30 61 66 34 39 31 37 617.f815a0af4917
00386298 30 30 33 35 00 00 00 00 00 00 00 00 00 AB AB AB 0035.
The major and minor operating system version and the build number are added to the payload: (14)
00385ED8 26 44 6D 31 63 4C 3D 69 69 69 69 69 2D 30 30 30 &Dm1cL=iiiii-000
00385EE8 30 30 30 30 30 31 2A 33 35 34 34 26 63 37 6A 72 000001*3544&c7jr
00385EF8 4D 71 74 37 3D 31 32 26 64 61 74 65 3D 66 56 45 Mqt7=12&date=fVE
00385F08 52 3A 20 74 31 37 2E 30 38 2E 33 31 2E 46 43 30 R: t17.08.31.FC0
00385F18 36 31 37 2E 66 38 31 35 61 30 61 66 34 39 31 37 617.f815a0af4917
00385F28 30 30 33 35 09 7C 09 4E 54 3A 20 36 2E 31 2E 37 0035.|.NT: 6.1.7
00385F38 36 30 31 00 00 00 00 00 00 00 00 00 00 AB AB AB 601.
Locale information is added to (14): (15)
00385ED8 26 44 6D 31 63 4C 3D 69 69 69 69 69 2D 30 30 30 &Dm1cL=iiiii-000
00385EE8 30 30 30 30 30 31 2A 33 35 34 34 26 63 37 6A 72 000001*3544&c7jr
00385EF8 4D 71 74 37 3D 31 32 26 64 61 74 65 3D 66 56 45 Mqt7=12&date=fVE
00385F08 52 3A 20 74 31 37 2E 30 38 2E 33 31 2E 46 43 30 R: t17.08.31.FC0
00385F18 36 31 37 2E 66 38 31 35 61 30 61 66 34 39 31 37 617.f815a0af4917
00385F28 30 30 33 35 09 7C 09 4E 54 3A 20 36 2E 31 2E 37 0035.|.NT: 6.1.7
00385F38 36 30 31 09 5B 65 6E 2D 55 53 5D 00 00 AB AB AB 601.[en-US]
Global memory information and system-time information are added to (15): (16)
00386248 26 44 6D 31 63 4C 3D 69 69 69 69 69 2D 30 30 30 &Dm1cL=iiiii-000
00386258 30 30 30 30 30 31 2A 33 35 34 34 26 63 37 6A 72 000001*3544&c7jr
00386268 4D 71 74 37 3D 31 32 26 64 61 74 65 3D 66 56 45 Mqt7=12&date=fVE
00386278 52 3A 20 74 31 37 2E 30 38 2E 33 31 2E 46 43 30 R: t17.08.31.FC0
00386288 36 31 37 2E 66 38 31 35 61 30 61 66 34 39 31 37 617.f815a0af4917
00386298 30 30 33 35 09 7C 09 4E 54 3A 20 36 2E 31 2E 37 0035.|.NT: 6.1.7
003862A8 36 30 31 09 5B 65 6E 2D 55 53 5D 09 7C 09 4D 45 601.[en-US].|.ME
003862B8 4D 3A 20 33 35 38 34 4D 09 7C 09 47 4D 54 28 2D M: 3584M.|.GMT(-
003862C8 38 29 00 00 00 00 00 00 00 00 AB AB AB AB AB AB 8).
The data in (16) is then encoded using the following algorithm, with the randomly generated string “Dm1cL” serving as the XOR key, and the result is escaped (the %XX sequences visible in the dump that follows):
.text:00415DA5 next_character:
.text:00415DA5 8B C3 mov eax, ebx
.text:00415DA7 3B DA cmp ebx, edx
.text:00415DA9 73 1B jnb short loc_415DC6
.text:00415DAB EB 03 jmp short encode_character_loop
.text:00415DAB ; ---------------------------------------------------------------------------
.text:00415DAD 8D 49 00 align 10h
.text:00415DB0
.text:00415DB0 encode_character_loop:
.text:00415DB0
.text:00415DB0 8B 16 mov edx, [esi]
.text:00415DB2 8A 14 02 mov dl, [edx+eax]
.text:00415DB5 8B 7D 0C mov edi, [ebp+object] ; loop through all characters in the randomly
; generated string, xor'ing it with given character
.text:00415DB8 30 14 0F xor [edi+ecx], dl
.text:00415DBB 8B 56 04 mov edx, [esi+4]
.text:00415DBE 40 inc eax
.text:00415DBF 3B C2 cmp eax, edx
.text:00415DC1 72 ED jb short encode_character_loop
.text:00415DC3 8B 7D 10 mov edi, [ebp+size]
.text:00415DC6
.text:00415DC6 loc_415DC6:
.text:00415DC6 41 inc ecx
.text:00415DC7 3B CF cmp ecx, edi
.text:00415DC9 72 DA jb short next_character
The xor’ed and escaped data is: (17)
00386780 44 6D 31 63 4C 3D 25 35 45 25 35 45 25 35 45 25 Dm1cL=%5E%5E%5E%
00386790 35 45 25 35 45 25 31 41 25 30 37 25 30 37 25 30 5E%5E%1A%07%07%0
003867A0 37 25 30 37 25 30 37 25 30 37 25 30 37 25 30 37 7%07%07%07%07%07
003867B0 25 30 36 25 31 44 25 30 34 25 30 32 25 30 33 25 %06%1D%04%02%03%
003867C0 30 33 26 63 37 6A 72 4D 71 74 37 3D 25 30 32 25 03&c7jrMqt7=%02%
003867D0 30 31 26 64 61 74 65 3D 72 42 51 46 2E 34 25 36 01&date=rBQF.4%6
003867E0 30 25 32 35 25 32 33 25 33 41 25 32 34 25 32 43 0%25%23%3A%24%2C
003867F0 25 33 41 25 32 37 25 32 35 25 33 41 52 57 25 32 %3A%27%25%3ARW%2
00386800 34 25 32 32 25 32 35 25 32 33 25 33 41 72 25 32 4%22%25%23%3Ar%2
00386810 43 25 32 35 25 32 31 75 25 32 34 75 72 25 32 30 C%25%21u%24ur%20
00386820 2D 25 32 35 25 32 33 25 32 34 25 32 34 25 32 37 -%25%23%24%24%27
00386830 25 32 31 25 31 44 68 25 31 44 5A 25 34 30 2E 34 %21%1Dh%1DZ%40.4
00386840 25 32 32 25 33 41 25 32 35 25 33 41 25 32 33 25 %22%3A%25%3A%23%
00386850 32 32 25 32 34 25 32 35 25 31 44 4F 71 7A 39 41 22%24%25%1DOqz9A
00386860 47 49 25 31 44 68 25 31 44 59 51 59 2E 34 25 32 GI%1Dh%1DYQY.4%2
00386870 37 25 32 31 25 32 43 25 32 30 59 25 31 44 68 25 7%21%2C%20Y%1Dh%
00386880 31 44 53 59 25 34 30 25 33 43 39 25 32 43 25 33 1DSY%40%3C9%2C%3
00386890 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D
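As an added example (not the author's code), a Python implementation of the encoding loop above together with its inverse. The dump in (17) is consistent with each value being XORed with every byte of its own field name (“Dm1cL”, “c7jrMqt7”, “date”), which collapses to a single-byte XOR per field, followed by %XX escaping of everything except letters, digits, “.” and “-”; both readings are inferences from the sample, and the plaintext fields are transcribed from dumps (9), (10) and (16).

```python
from urllib.parse import unquote_to_bytes

# Plaintext fields reconstructed from dumps (9), (10) and (16) in the write-up.
PAYLOAD_FIELDS = [
    ("Dm1cL", "iiiii-000000001*3544"),
    ("c7jrMqt7", "12"),
    ("date", "fVER: t17.08.31.FC0617.f815a0af49170035\t|\tNT: 6.1.7601"
             "\t[en-US]\t|\tMEM: 3584M\t|\tGMT(-8)"),
]
# The escaped wire data from dump (17), transcribed from the page.
WIRE_FROM_DUMP_17 = (
    "Dm1cL=%5E%5E%5E%5E%5E%1A%07%07%07%07%07%07%07%07%06%1D%04%02%03%03"
    "&c7jrMqt7=%02%01"
    "&date=rBQF.4%60%25%23%3A%24%2C%3A%27%25%3ARW%24%22%25%23%3Ar%2C%25%21u"
    "%24ur%20-%25%23%24%24%27%21%1Dh%1DZ%40.4%22%3A%25%3A%23%22%24%25%1DOqz9A"
    "GI%1Dh%1DYQY.4%27%21%2C%20Y%1Dh%1DSY%40%3C9%2C%3D"
)
# Bytes left unescaped: an assumption inferred from (17), where only letters, digits, '.' and '-' survive.
SAFE = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.-")


def fold(name: str) -> int:
    """The inner loop at .text:00415DB0 XORs one plaintext byte with every byte of the
    key string, so the whole key collapses to a single byte ("Dm1cL" -> 0x37)."""
    k = 0
    for b in name.encode():
        k ^= b
    return k


def escape(data: bytes) -> str:
    return "".join(chr(b) if b in SAFE else "%%%02X" % b for b in data)


def encode_payload(fields) -> str:
    """Each value is XORed with the fold of its own field name, then escaped."""
    parts = []
    for name, value in fields:
        k = fold(name)
        parts.append(name + "=" + escape(bytes(b ^ k for b in value.encode("latin-1"))))
    return "&".join(parts)


def decode_payload(encoded: str) -> list:
    """Reverse: unescape, then XOR each value with the fold of its own name."""
    fields = []
    for part in encoded.split("&"):
        name, _, enc = part.partition("=")
        k = fold(name)
        fields.append((name, bytes(b ^ k for b in unquote_to_bytes(enc)).decode("latin-1")))
    return fields
```

`encode_payload(PAYLOAD_FIELDS)` reproduces dump (17) byte for byte, which confirms the reading of the loop; `decode_payload` is what a detection engineer would run over captured beacons to recover the host fingerprint in plaintext.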
Variations of the same techniques described above can be found in many modern malware families, and they let malware authors hit three targets with one shot. Firstly, it is a pretty simple encryption scheme, and given a decent design on the part of the malware authors, it allows them to change it relatively efficiently. Secondly, it can slightly complicate dynamic and static analysis. Thirdly, it provides an efficient tool for creating new variants of the same malware that are able to bypass antivirus signatures.
A collection with the relevant malware file hash, malicious domains and IP addresses is available on X-Force Exchange here. Additionally, the list of hard-coded C&C domains found in the malware is provided below:
“76TtKl8ZwW6MU29wmPDtT1QNcj5UDbqn/KIVj42N4ZYkZEPTS6ByTw==” / “hxxp[:]//www[.]n-fit-sub.com/ec/index[.]php”