Due to popular demands I’ll continue this reverse engineering course on radare2 by focusing a little bit more on Malware analysis as it is a huge field where reverse engineering skills play a huge role. We will start with the very basics and move up from there. And we will use the many tools of The FLARE-VM by MANDIANT along with radare2 on Windows 10. We will start by using mostly open source tools that focus on retrieving general information on the malwares and IoCs then move to radare2 to do the heavy reverse engineering. So don’t worry if we don’t use r2 a lot during the first two or three parts, things will get harder later on.
Let’s start by refreshing a couple of general ideas: We’ll talk about static and dynamic analyses. The static one relates to analyzing the program without having to actually execute it freely. In this kind of analysis we’ll focus on disasembling the program, trying to figure out its algorithm(s), the actions it performs and detecting relevant signatures. Generally we’ll look at:
- Its capabilities (what can it do?)
- Any files it may drop/download
- Any files it may create
- Command and control mechanisms
- Of course, it’s algorithm(s)
- And any relevant IoC we can gather
We’ll use that information to perform risk assesment and try to articulate a response/defense.
On the other hand dynamic analysis we’ll focus on letting the program run and examining the actions it performs on the machine, such as the network traffic it emmits, the files and reg keys it creates and actions such as that.
Intro to static analysis
Today we’ll focus on the static analysis part. We will be analysing the The following program (password=infected) which is a very simple data stealer for Windows written in C#.
As the malware we are going to analyse today is written in C# we can use the DNSPY tool, included inside the FLARE-VM Windows box. So firstly, right click on the executable information (or use rabin2 -i) to discover that our malware is x32, then we drag it into dnspy(x86) to start analysing it:
We move to ziraat_limpi (program info) and we see the following basic info:
“MiniTool Power Data Recovery”. So by now we can kinda know that the program tries to mask as a helpdesk/data recovery tool. We can now jump into “GonnyCam.Main”, the entry function.
So the program starts hard, a keylogger! It basically starts a keylogger by using keyhoooks. If we scroll down a little bit, we’ll see the program’s “main”:
So in Main() we clearly identify a set of parallel threats the program starts. Because of this structure, we may think that the authors used some kind of template to write their app. Overall I would pay attention to several threads in here: RecordKeys, ClipboardLogging, ScreenLogging, DownloadAndExecute, ExecuteBindedFiles and especially PasswordRecovery.
We can also look at the left side of dnspy and look at the program’s functions. We’ll notice something interesting:
As we see, there is a particular function, that has been obfuscated to difficult the analysis, so let’s note it as it will be interesting later on. We can also detect a couple of interesting resources attached to the program:
If we try to dig inside them, we’ll see they look like they are encrypted:
Let’s note that and go back to the main loop. We’ll see that most of the threads on the main loop are empty, confirming our hypothesis that the program has been created from some kind of template:
The KeyLogger functionality
If we move to GetCurrentWindow, we’ll see that the keylogger comes into play:
Basically it detects if there is an active window and starts tracking its data that is, window title, the time and the keystrokes for that window. Probably to track passwords and private data knowing if the victim is browsing a bank, a social network or whatever app of interest. We also see a KeyStrogLog in there. Let’s dive into it, by finding where it is referenced;
By following it on the program, we see that it gets send to SendLog(). What is it? Let us see:
Command and control server
It starts with a webclient, references a “Link” and builds what it looks like a post request. So we see it is basically the program module for doing the communication with the command and control server (C2).
We also see it may perform different calls to the server depending if the request is related to sending a password, the clipboard, keystrokes among others.
And where does it send it?
By following “P_link” on the code, we quickly identify the “ziraat-helpdesk” website. That is the command and control URL.
Moving forward past the KeyLogger threat, we can identify other interesting threads such as the ClipboardLogging. That basically detects whether the clipboard is empty or not and if it is, then uses SendLog to deliver its contents:
Password extraction
And the most interesting thread in my opinion, the PasswordRecovery thread:
At this point we can easily guess that it tries to extract login data from services such as Outlook, ThunderBird and the like. Also passwords from most popular browsers such as Chrome or Firefox and downloa dapps like Filezilla or JDownloader and social networks such as PalTalk (popular in turkey).
Following the actions performed by the mail recovery call, we get to the ReadMail() function, very subtile.
If we dig into it we’ll see something like a key being retrieved along with a weird function call and GetExecutingAssembly, a function that can be used to run a program for memory. So At this point we may kinda guess that the program may decrypt some chunk of data being shellcode or a secondary malware and then running it. We also see “RecoverMail” so no mistery.
As we see the code at this point is obfuscated, we can de-obfuscate it by using de4dot.exe that deobfuscates most of the C# code.
Obfuscation and embedded binaries
Going back to it in the clean version we see RSMDecrypt. So we have new evidence for our hypothesis.
By analysing RSMDecrypt we quickly see that it basically AES decrypts the chunk and returns it into a byte array. At this point we can place a breakpoint in there to see what it actually decrypts, so maybe we can dump it into the disk and analyse it on r2.
So placing a breakpoint and executing it we see something that looks like a Windows PE (notice the 0x4D, 0x5A the magic MZ bytes). We can inspect the memory dump by right clicking it and clicking show memory region.
And voilà, it is. We can now select the whole memory region and save it into a file:
And we can now open that exe in radare2 to, for example, inspect the strings. To quickly discover references to mail/password services:
Quickly, references to “NirSoft” start to appear:
Only to be confirmed by rabin2:
At this point we can go reverse engineer this exe, but we can just go enter nirsoft’s website to see that this is a password/mail recovery tool that has been embedded inside this malware to be called for retrieving that data and send it to the C2 server along with the keystrokes and the clipboard info.
If we proceed, we’ll discover that the same thing is done with the “passwordrecover” call, it dumps another nirsoft program and calls it. Other calls retrieve personal info in a similar but most direct way by copying disk files / reading reg keys.
Conclusions
The program we will call “ziraat_stealer” starts by setting up a keylogger by hooking thestrokes that information is send to a command and control server identified at “ziraat_helpdesk” along with the information of the window where the keystrokes are written by the user. It also monitors the clipboard for content and sends it to the C2 server. The malware tries to access the stored mail and password data on popular services such as ThunderBird, Outlook, Chrome, Firefox or Internet explorer and Safari among others. It does that by using password and mail recovery tools from the NirSoft company which are encrypted and embedded inside the executble and decrypted and executed on memory once it starts, to avoid detection. The malware also tries to recover data from popular download apps and social networks.
By noting that it tries to recover data from “PalTalk” being an app very popular in Turkey as well as impersonating the traffic from “Ziraat bank” (an agricultural bank of Turkey) we can believe that this malware may be (may have been) used in campaigns in Turkey.
Reverse engineering x64 binaries with Radare2 - Defeating stack canaries
Reverse engineering x64 binaries with Radare2 - Dealing with ASLR
