I would like to share some experiences from malware analysis that might help focus your attention. The key to malware analysis is time and determination: we need to manage our focus in order to make effective progress.
Here are five things to focus on
File System Modification
We need to understand what the malware is trying to achieve with the file system: is any existing file being modified, or is a new file being created in a specific path? We need to keep our eyes on the file-related API calls below in the code


In the sample above we can see that the malware tries to create files in the Windows\system32 and TEMP directories

Registry Modification
We can see the APIs below being used by the malware to persist in the operating system by registering itself under certain keys

Network Traffic Generated
We also need to check which Windows networking APIs are being used
@42ae0f: push esi
@42ae10: push eax
@42ae11: push edx
@42ae12: push ecx
@42ae13: call dword ptr [00471468h] ;InternetReadFile@WININET.DLL
During analysis of the assembly code we find a call to the InternetReadFile Windows API, which reads data from a handle opened by WinINet (typically a downloaded file or an HTTP response body)
BOOLAPI InternetReadFile(
HINTERNET hFile,
LPVOID lpBuffer,
DWORD dwNumberOfBytesToRead,
LPDWORD lpdwNumberOfBytesRead
)


Below is the routine that gives the application the ability to receive connections. Note that it takes two arguments (the address at [esp+18h] and the port at [esp+1Ch]), builds a sockaddr_in on the stack (sin_family = 2, sin_port = htons(port)), calls socket, bind and listen(5), and then calls closesocket on every path, including the success path at 401e74, returning 1 on success and 0 on failure. So this routine only tests whether the port can be bound and listened on; the actual accept loop lives elsewhere.
@401e00: sub esp, 10h
@401e03: push esi
@401e04: push 00000006h
@401e06: push 00000001h
@401e08: push 00000002h
@401e0a: call 00404E04h ;socket@WS2_32.DLL
@401e0f: mov esi, eax
@401e11: cmp esi, FFFFFFFFh
@401e14: jne 00401E1Dh
@401e16: xor eax, eax
@401e18: pop esi
@401e19: add esp, 10h
@401e1c: ret
@401e1d: mov ecx, dword ptr [esp+1Ch]
@401e21: mov eax, dword ptr [esp+18h]
@401e25: push ecx
@401e26: mov word ptr [esp+08h], 0002h
@401e2d: mov dword ptr [esp+0Ch], eax
@401e31: call 00404E0Ah ;htons@WS2_32.DLL
@401e36: lea edx, dword ptr [esp+04h]
@401e3a: push 00000010h
@401e3c: push edx
@401e3d: push esi
@401e3e: mov word ptr [esp+12h], ax
@401e43: call 00404E16h ;bind@WS2_32.DLL
@401e48: cmp eax, FFFFFFFFh
@401e4b: jne 00401E5Ah
@401e4d: push esi
@401e4e: call 00404DECh ;closesocket@WS2_32.DLL
@401e53: xor eax, eax
@401e55: pop esi
@401e56: add esp, 10h
@401e59: ret
@401e5a: push 00000005h
@401e5c: push esi
@401e5d: call 00404E10h ;listen@WS2_32.DLL
@401e62: cmp eax, FFFFFFFFh
@401e65: push esi
@401e66: jne 00401E74h
@401e68: call 00404DECh ;closesocket@WS2_32.DLL
@401e6d: xor eax, eax
@401e6f: pop esi
@401e70: add esp, 10h
@401e73: ret
@401e74: call 00404DECh ;closesocket@WS2_32.DLL
@401e79: mov eax, 00000001h
@401e7e: pop esi
@401e7f: add esp, 10h
@401e82: ret
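To make the behaviour of the routine at 401e00 explicit, here is the same logic rendered in Python. This is an added example, not code from the original post or from the sample: the names try_listen and demo are mine, the dotted-quad string stands in for the raw 32-bit sin_addr value the assembly takes at [esp+18h], and the demo binds its own throw-away listener to show the two outcomes (a free port and a port already in use).

```python
import socket


def try_listen(addr, port):
    """Python rendering of the routine at 401e00 in the listing above.

    Assumed mapping of the two stack arguments, read off the listing:
    [esp+18h] is the 32-bit value stored into sin_addr and [esp+1Ch] is the
    port passed to htons(); here they are a dotted-quad string and an int.
    Returns 1 when bind + listen succeed and 0 otherwise, and in every case
    closes the socket before returning, exactly as the disassembly does.
    """
    # push 6 / push 1 / push 2 ; call socket -> socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    except OSError:
        return 0                    # cmp esi, -1 ; xor eax, eax ; ret
    try:
        # sockaddr_in built in the 16-byte local: sin_family = 2 (AF_INET),
        # sin_port = htons(port), sin_addr = addr; push 10h is the namelen.
        s.bind((addr, port))
    except OSError:
        s.close()                   # closesocket ; xor eax, eax ; ret
        return 0
    try:
        s.listen(5)                 # push 5 ; call listen
    except OSError:
        s.close()
        return 0
    s.close()                       # 401e74: closesocket even on success
    return 1                        # mov eax, 1


def demo():
    """Probe a free port and a port already held by a listener; returns (1, 0)."""
    # Constructed setup: hold a listening socket so the second probe collides.
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
    holder.bind(("0.0.0.0", 0))     # INADDR_ANY, let the OS pick a free port
    holder.listen(5)
    busy_port = holder.getsockname()[1]
    try:
        return try_listen("0.0.0.0", 0), try_listen("0.0.0.0", busy_port)
    finally:
        holder.close()


if __name__ == "__main__":
    print(demo())
```

Seeing the routine this way makes the analytical point clear: a 1 return tells the caller "this port is free for me", which is why you should look for a second routine that creates the real listener and calls accept, rather than treating this one as the backdoor itself.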
How does malware auto-start
We need to check whether the malware changes registry keys in the places below in order to persist and run automatically when the host reboots
1) HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2) HKLM\System\CurrentControlSet\Services (Start value 0 marks boot-start kernel drivers, loaded by the boot loader before the kernel initializes; 1 marks system-start drivers)
3) HKLM\System\CurrentControlSet\Services (Start value 2 is auto-start and 3 is manual/demand start via the SCM)
4) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
6) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
7) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
8) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
9) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
10) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
11) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
12) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
13) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
14) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
15) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
16) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
17) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
18) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
19) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
20) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
21) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
22) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
23) HKLM\Software\Microsoft\Windows NT\CurrentVersion\W
Does it launch any child/other process
We also need to understand the malware's behaviour by analysing its interaction with other applications and the operating system through the execution-related APIs below. Malware will usually spawn and terminate certain processes to hide itself from detection. It will also try to enumerate other processes to check whether anti-malware or a debugger is active, so that it can evade them.
So you need to pay attention to the API calls below while reversing the code


From the artefact above, the malware spawned several child processes, such as supay and cmd executing a .bat file.


Above are the Windows APIs related to process creation that we can look for in the code
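The five focus areas above come down to one static-triage habit: pull every annotated import call out of the disassembly and bucket it by what it touches (file system, registry, network, process). The script below does that for the `@addr: call ... ;Name@DLL` listing format used throughout this post. It is an added example, not code from the original post or from the analysed sample: the prefix table FOCUS_APIS, the function names and the sample listing are mine, and in SAMPLE_LISTING only the socket and InternetReadFile lines are copied from the listings above; the file, registry and process call sites and their addresses are constructed for the demo.

```python
import re
from collections import defaultdict

# One call line in the listing format used throughout this post, e.g.
#   @42ae13: call dword ptr [00471468h] ;InternetReadFile@WININET.DLL
#   @401e0a: call 00404E04h ;socket@WS2_32.DLL
CALL_RE = re.compile(
    r"^@(?P<addr>[0-9a-f]+):\s+call\b[^;]*;\s*(?P<api>\w+)@(?P<dll>[\w.]+)\s*$",
    re.IGNORECASE,
)

# API names for each focus area. Mixed-case names are matched as prefixes so the
# A/W/Ex variants (CreateFileA, RegSetValueExW, ...) are caught; the all-lowercase
# BSD-style Winsock names are matched exactly so that e.g. SendMessage is not
# mistaken for send(). Assumed table, extend it for the sample at hand.
FOCUS_APIS = {
    "file system": ("CreateFile", "WriteFile", "CopyFile", "MoveFile", "DeleteFile",
                    "GetTempPath", "GetSystemDirectory", "FindFirstFile"),
    "registry": ("RegCreateKey", "RegOpenKey", "RegSetValue", "RegDeleteValue",
                 "RegQueryValue"),
    "network": ("WSAStartup", "socket", "bind", "listen", "accept", "connect", "send",
                "sendto", "recv", "recvfrom", "closesocket", "gethostbyname",
                "InternetOpen", "InternetConnect", "InternetReadFile", "HttpOpenRequest",
                "HttpSendRequest", "URLDownloadToFile"),
    "process": ("CreateProcess", "ShellExecute", "WinExec", "OpenProcess",
                "TerminateProcess", "CreateToolhelp32Snapshot", "Process32First",
                "Process32Next", "IsDebuggerPresent", "CreateRemoteThread",
                "WriteProcessMemory"),
}


def extract_calls(listing):
    """Return (address, api, dll) for every annotated call line, in listing order."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append((int(m["addr"], 16), m["api"], m["dll"].upper()))
    return calls


def focus_of(api):
    """Map an imported API name to a focus area, or None if it is not of interest."""
    for area, names in FOCUS_APIS.items():
        for name in names:
            if name.islower():
                if api == name:                          # exact Winsock name
                    return area
            elif api.lower().startswith(name.lower()):   # covers A/W/Ex variants
                return area
    return None


def triage(listing):
    """Group call sites by focus area: {area: {"Api@DLL": [addresses, ...]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for addr, api, dll in extract_calls(listing):
        area = focus_of(api)
        if area:
            report[area][f"{api}@{dll}"].append(addr)
    return {area: dict(apis) for area, apis in report.items()}


# Constructed sample listing: the WS2_32 and WININET lines are from the post,
# the remaining call sites and addresses are made up for this demo.
SAMPLE_LISTING = """\
@401e0a: call 00404E04h ;socket@WS2_32.DLL
@401e43: call 00404E16h ;bind@WS2_32.DLL
@401e5d: call 00404E10h ;listen@WS2_32.DLL
@401e74: call 00404DECh ;closesocket@WS2_32.DLL
@42ae13: call dword ptr [00471468h] ;InternetReadFile@WININET.DLL
@403100: push 00000000h
@403102: call dword ptr [00471400h] ;GetTempPathA@KERNEL32.DLL
@403120: call dword ptr [00471404h] ;CreateFileA@KERNEL32.DLL
@403210: call dword ptr [00471500h] ;RegOpenKeyExA@ADVAPI32.DLL
@403230: call dword ptr [00471504h] ;RegSetValueExA@ADVAPI32.DLL
@403300: call dword ptr [00471410h] ;IsDebuggerPresent@KERNEL32.DLL
@403320: call dword ptr [00471414h] ;CreateProcessA@KERNEL32.DLL
@403340: call dword ptr [00471418h] ;lstrlenA@KERNEL32.DLL
@403360: call 00403000h
"""

if __name__ == "__main__":
    for area, apis in triage(SAMPLE_LISTING).items():
        print(area)
        for name, addrs in apis.items():
            print(f"  {name:<36} {', '.join(f'{a:08x}' for a in addrs)}")
```

The output is a map from focus area to the call sites you should set breakpoints on or cross-reference next; unannotated internal calls (like `call 00403000h`) and uninteresting imports (lstrlenA) are dropped, so the report stays short even on a large listing.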