Joxean edited this page Nov 22, 2016 · 1 revision

Introduction

Pyew has many useful features for malware analysis, as it was written with that purpose in mind. The following are examples of malware analysis with real samples.

PE Analysis

Take the sample with MD5 b6bd1640dcbd7b81970f8e4606b215e1 and simply open it with Pyew:

$ pyew b6bd1640dcbd7b81970f8e4606b215e1
PE Information

Sections:
   UPX0 0x1000 0x40000 0
   UPX1 0x41000 0x2f000 191488
   .rsrc 0x70000 0x2000 7680

Entry Point at 0x2ede0
Virtual Address is 0x46f9e0
Code Analysis ...

0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 03 00 EB BF 70 4B 00 00 00 00    PE..L.....pK....
0110   00 00 00 00 E0 00 8F 81 0B 01 02 19 00 F0 02 00    ................
0120   00 20 00 00 00 00 04 00 E0 F9 06 00 00 10 04 00    . ..............
0130   00 00 07 00 00 00 40 00 00 10 00 00 00 02 00 00    ......@.........
0140   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
0150   00 20 07 00 00 10 00 00 00 00 00 00 02 00 00 00    . ..............
0160   00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00    .....@..........
0170   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0180   48 1A 07 00 C4 01 00 00 00 00 07 00 48 1A 00 00    H...........H...
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   98 FB 06 00 18 00 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01F0   00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00    ........UPX0....

When a PE file is opened, Pyew runs its code analysis, prints the section table (name, virtual address, virtual size and raw size of each section) and hex-dumps the first block. The section names UPX0/UPX1, together with a first section that occupies 0x40000 virtual bytes but has 0 bytes on disk (the destination the packer decompresses into), already point to UPX. To confirm it we run the "packer" command, which matches PEiD-style signatures against the file:

[0x00000000]> packer
MSLRH V0.31 -> emadicius
UPX -> www.upx.sourceforge.net

Signature matching is never conclusive on its own (note the spurious MSLRH match above), so we also check how many functions Pyew found and disassemble the code at the entry point:

[0x00000000]> print len(pyew.functions)
2
[0x00000000]> s ep
[0x0002ede0:0x0046f9e0]> c
0x0002ede0 ; FUNCTION start
0x0002ede0 (01) 60                   PUSHA 
0x0002ede1 (05) be 00104400          MOV ESI, 0x441000 
0x0002ede6 (06) 8dbe 0000fcff        LEA EDI, [ESI-0x40000] 
0x0002edec (0a) c787 88570500 047424b6 MOV DWORD [EDI+0x55788], 0xb6247404 
0x0002edf6 (01) 57                   PUSH EDI 
0x0002edf7 (03) 83cd ff              OR EBP, -0x1 
0x0002edfa (02) eb 0e                JMP 0x0002ee0a	; 1 
0x0002edfa ----------------------------------------------------------------------
0x0002edfc (01) 90                   NOP 
0x0002edfd (01) 90                   NOP 
0x0002edfe (01) 90                   NOP 
0x0002edff (01) 90                   NOP 

Yes, it is a UPX-packed file: PUSHA followed by MOV ESI, 0x441000 (the start of the compressed UPX1 section) and LEA EDI, [ESI-0x40000] (0x401000, the empty UPX0 section the data is decompressed into) is the standard UPX loader stub, and only two functions were found because everything else is compressed data. Unpack it with the upx tool (upx -d) and open the unpacked sample (MD5 fdbfe5494841163e7e74b0e541584d47):

$ pyew fdbfe5494841163e7e74b0e541584d47 
PE Information

Sections:
   .text 0x1000 0x53740 342016
   .itext 0x55000 0x774 2048
   .data 0x56000 0x1aac 7168
   .bss 0x58000 0x4cd0 0
   .idata 0x5d000 0x24d6 9728
   .tls 0x60000 0x34 0
   .rdata 0x61000 0x18 512
   .reloc 0x62000 0x5890 23040
   .rsrc 0x68000 0x4800 18432

Entry Point at 0x54314
Virtual Address is 0x455714
Code Analysis ...

0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 09 00 EB BF 70 4B 00 00 00 00    PE..L.....pK....
0110   00 00 00 00 E0 00 8F 81 0B 01 02 19 00 40 05 00    .............@..
0120   00 E6 00 00 00 00 00 00 14 57 05 00 00 10 00 00    .........W......
0130   00 60 05 00 00 00 40 00 00 10 00 00 00 02 00 00    .`....@.........
0140   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
0150   00 D0 06 00 00 10 00 00 00 00 00 00 02 00 00 00    ................
0160   00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00    .....@..........
0170   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0180   00 D0 05 00 D6 24 00 00 00 80 06 00 00 48 00 00    .....$.......H..
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   00 10 06 00 18 00 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01F0   00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00    .........text...

This sample looks unpacked (nine normal linker sections, code with raw data on disk), but since malware is often wrapped in more than one packer we run the "packer" command again:

[0x00000000]> packer
Borland Delphi 3.0 (???)
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
BobSoft Mini Delphi -> BoB / BobSoft

All the matches are Delphi runtime signatures (the overlapping version hits are the usual noise of a signature database), so this is a binary compiled with Delphi. Now check how many functions Pyew found:

[0x00000000]> len(pyew.functions)
191

191 functions instead of 2: the file is clearly not packed anymore. Next, check whether any AV engine detects it with the "vt" command, which looks the sample up on VirusTotal by hash:

[0x00000000]> vt
File fdbfe5494841163e7e74b0e541584d47 with MD5 fdbfe5494841163e7e74b0e541584d47
-------------------------------------------------------------------------------

F-Secure                 : Trojan.Crypt.Delf.AH
NOD32                    : Win32/Spy.Banker.SYR
F-Prot                   : W32/Trojan2.MFIB
VIPRE                    : BehavesLike.Win32.Malware.wlk (mx-v)
Sophos                   : Mal/Behav-053
Norman                   : W32/Malware
VBA32                    : Trojan.Win32.Delf.tqg
Avast                    : Win32:Rootkit-gen
nProtect                 : Trojan.Crypt.Delf.AH
GData                    : Trojan.Crypt.Delf.AH
Kaspersky                : Trojan.Win32.Delf.tqg
BitDefender              : Trojan.Crypt.Delf.AH
Jiangmin                 : Trojan/Delf.rqc
Command                  : W32/Trojan2.MFIB
Prevx                    : Medium Risk Malware
Antiy-AVL                : Trojan/Win32.Delf.gen
K7AntiVirus              : Trojan
AVG                      : Generic16.CMPF
Emsisoft                 : Trojan.Win32.Delf.tqg!A2
Avast5                   : Win32:Rootkit-gen
VirusBuster              : Trojan.Delf!/HJlkg0/NKU

Yes, it is detected: most engines name it a Delphi trojan (Delf), and NOD32 classifies it as a banking trojan (Spy.Banker).
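The checks made by eye above (section names, a section with no bytes on disk, where the entry point lands and how the "Entry Point at ..." file offset follows from the virtual address) can be written down. The following is an added example, not Pyew's own code: it parses a PE32 section table with only the standard library, maps the entry-point RVA to a file offset, and applies the two strongest packing heuristics from the text. The two header blobs are constructed here with build_pe from the section tables and entry points Pyew printed for the packed and unpacked samples; they carry no section contents.

```python
"""Added example: parse a PE32 header, map the entry point to a file offset
and flag UPX-style packing. Uses only the standard library."""
import struct


def build_pe(entry_rva, image_base, sections):
    """Constructed minimal PE32 header for testing; only the fields parse_pe
    reads are meaningful. sections = [(name, virtual_size, virtual_address,
    raw_size)]; raw data is laid out contiguously from offset 0x400."""
    e_lfanew = 0x100
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: Machine=i386, NumberOfSections, stamp, symtab, nsyms,
    # SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    # Optional header (PE32): AddressOfEntryPoint at +16, ImageBase at +28
    opt = struct.pack("<HBBIIIIIII", 0x10B, 2, 25, 0, 0, 0,
                      entry_rva, 0x1000, 0, image_base).ljust(0xE0, b"\0")
    table, raw_ptr = b"", 0x400
    for name, vsize, va, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rawsize,
                             raw_ptr if rawsize else 0, 0, 0, 0, 0, 0)
        raw_ptr += rawsize
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Return entry RVA, image base and the section table of a PE32/PE32+ blob."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
        off += 40
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def entry_point(pe):
    """(virtual address, file offset, section name) of the entry point; the
    offset is None when the RVA is not backed by bytes on disk."""
    rva = pe["entry_rva"]
    for s in pe["sections"]:
        if s["rawsize"] and s["va"] <= rva < s["va"] + s["rawsize"]:
            return pe["image_base"] + rva, s["rawptr"] + (rva - s["va"]), s["name"]
    return pe["image_base"] + rva, None, None


def packing_indicators(pe):
    """UPX section names, and a first section with a large virtual size but no
    bytes on disk (the unpack destination). Zero-raw-size sections elsewhere
    are normal (.bss, .tls in the Delphi sample), so only the first one counts."""
    hints = []
    secs = pe["sections"]
    for s in secs:
        if s["name"].upper().startswith("UPX"):
            hints.append("section named " + s["name"])
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] >= 0x10000:
        hints.append("first section %s has 0 raw bytes but %#x virtual bytes"
                     % (secs[0]["name"], secs[0]["vsize"]))
    return hints


# Constructed from the section tables and entry points Pyew printed above.
UPX_SAMPLE = build_pe(0x6F9E0, 0x400000, [
    ("UPX0", 0x40000, 0x1000, 0),
    ("UPX1", 0x2F000, 0x41000, 191488),
    (".rsrc", 0x2000, 0x70000, 7680),
])
UNPACKED_SAMPLE = build_pe(0x55714, 0x400000, [
    (".text", 0x53740, 0x1000, 342016), (".itext", 0x774, 0x55000, 2048),
    (".data", 0x1AAC, 0x56000, 7168), (".bss", 0x4CD0, 0x58000, 0),
    (".idata", 0x24D6, 0x5D000, 9728), (".tls", 0x34, 0x60000, 0),
    (".rdata", 0x18, 0x61000, 512), (".reloc", 0x5890, 0x62000, 23040),
    (".rsrc", 0x4800, 0x68000, 18432),
])

if __name__ == "__main__":
    for label, blob in (("packed", UPX_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        pe = parse_pe(blob)
        va, off, sec = entry_point(pe)
        print("%s: entry VA %#x -> file offset %s in %s; hints: %s"
              % (label, va, None if off is None else hex(off), sec,
                 packing_indicators(pe) or "none"))
```

Running it reproduces the two entry-point lines Pyew printed (0x46f9e0 -> 0x2ede0 in UPX1, 0x455714 -> 0x54314 in .itext) and reports hints only for the packed sample. The entry-point section is deliberately not used as a packing hint: Delphi places the entry in .itext, the second section, so "entry point outside the first section" would misfire on exactly the unpacked sample above.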

Samples and URLs

Open another PE sample (c9854b80847be57b5b3fc8f4d9b48ae2) and check whether it contains any URL with the "url" command:

[0x00000000]> url
ASCII URLs

https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL
http://sitenet2009.sitebr.net/jiban/arq1/contador1.php
http://olenda.110mb.com/ver/ver.dll
http://checkip.dyndns.org/
http://cartaonatal.com.sapo.pt/cartaonatal.com
http://cartao5878.com.sapo.pt/cartao.com
http://fotos01.xm.com/fotinhas.com
http://www.htmlbk.sitebr.net/arquivos/tabela.php
http://img14.imageshack.us/img14/5959/33037478hn9.jpg
http://img14.imageshack.us/img14/7920/15875636te4.jpg
http://img14.imageshack.us/img14/4269/68146837gu5.jpg
http://img14.imageshack.us/img14/4281/80988145iw0.jpg
http://img297.imageshack.us/img297/5940/80974141go7.jpg
http://img297.imageshack.us/img297/143/62456989vu8.jpg
http://img297.imageshack.us/img297/5586/28273530nz7.jpg
http://img297.imageshack.us/img297/228/61178722oj3.jpg
http://img14.imageshack.us/img14/8289/79331362hc1.jpg
http://img50.imageshack.us/img50/9314/85812725jc4.jpg
http://img14.imageshack.us/img14/160/limparkz9.jpg

There are a lot of them. The "chkurl" command checks whether each one is still up by requesting it from the analysis machine. Keep in mind that this contacts the sample's own infrastructure (the ver.dll download and the counter scripts), so run it from a network you do not mind the operator seeing in their logs, or skip it when tipping them off is a concern:

[0x00000000]> chkurl
Checking http://img50.imageshack.us/img50/9314/85812725jc4.jpg ... OK
Checking http://img297.imageshack.us/img297/228/61178722oj3.jpg ... OK
Checking http://www.htmlbk.sitebr.net/arquivos/tabela.php ... OK
Checking https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL ... OK
Checking http://img297.imageshack.us/img297/143/62456989vu8.jpg ... OK
Checking http://img14.imageshack.us/img14/4281/80988145iw0.jpg ... OK
Checking http://img297.imageshack.us/img297/5586/28273530nz7.jpg ... OK
Checking http://cartao5878.com.sapo.pt/cartao.com ... OK
Checking http://img14.imageshack.us/img14/7920/15875636te4.jpg ... OK
Checking http://img297.imageshack.us/img297/5940/80974141go7.jpg ... OK
Checking http://img14.imageshack.us/img14/8289/79331362hc1.jpg ... OK
Checking http://sitenet2009.sitebr.net/jiban/arq1/contador1.php ... OK
Checking http://img14.imageshack.us/img14/5959/33037478hn9.jpg ... OK
Checking http://img14.imageshack.us/img14/4269/68146837gu5.jpg ... OK
Checking http://fotos01.xm.com/fotinhas.com ... OK
Checking http://cartaonatal.com.sapo.pt/cartaonatal.com ... OK
Checking http://olenda.110mb.com/ver/ver.dll ... OK
Checking http://checkip.dyndns.org/ ... OK
Checking http://img14.imageshack.us/img14/160/limparkz9.jpg ... OK

The "chkbad" command additionally checks the URLs found against the malware.com.br blocklist.
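Pyew labels the list above "ASCII URLs"; Windows and Delphi binaries also store strings as UTF-16LE, which a plain ASCII scan misses. As an added example (not Pyew's url command), the following extracts both encodings from a byte buffer and defangs the results so they can be pasted into a report without being clickable. The input buffer and the example.invalid hosts are constructed for the demonstration.

```python
"""Added example: extract ASCII and UTF-16LE URLs from a binary blob and
defang them for reporting."""
import re

# Constructed sample buffer: an ASCII URL, a UTF-16LE (wide) URL, and an
# unrelated string such as the DOS stub message.
SAMPLE = (
    b"\x00\x00http://example.invalid/ver/ver.dll\x00\x00"
    + "https://checkip.example.invalid/".encode("utf-16-le")
    + b"\x00This program must be run under Win32\x00"
)

# Scheme followed by printable ASCII up to the first control byte or NUL.
ASCII_URL = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")
# Same shape with a NUL after every character: UTF-16LE of an ASCII URL.
WIDE_URL = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)
# Characters that commonly trail an embedded URL but are not part of it.
TRAILING = "\"'<>),"


def extract_urls(data):
    """Return {"ascii": [...], "wide": [...]} of URLs found in data."""
    ascii_urls = [m.decode("ascii").rstrip(TRAILING) for m in ASCII_URL.findall(data)]
    wide_urls = [m.decode("utf-16-le").rstrip(TRAILING) for m in WIDE_URL.findall(data)]
    return {"ascii": ascii_urls, "wide": wide_urls}


def defang(url):
    """hxxp:// scheme and [.] in the host, the usual IOC sharing convention."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return "%s://%s%s%s" % (scheme.replace("http", "hxxp"),
                            host.replace(".", "[.]"), slash, path)


if __name__ == "__main__":
    found = extract_urls(SAMPLE)
    for kind in ("ascii", "wide"):
        for url in found[kind]:
            print("%-5s %s" % (kind, defang(url)))
```

The wide pattern only covers URLs whose characters are ASCII, which is the case for every URL a packer or dropper embeds as a wide string in practice; anything containing non-ASCII code points would need a full UTF-16 decode of the string table first.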
