Fizban Posted October 13, 2009 (edited) Hi everyone! I have received a file from a friend asking me if I could maybe help him analyze this file. Since I'm still new to this, I thought of maybe asking you guys before I endanger my PC. I have tried to firstly run this sample in a VM, but it seems to detect the VM. Secondly, I have tried running it with Olly, but it uses some kind of VB protection that is WAY out of my league... Third, since I saw VB (and PEiD also said it's Microsoft Visual Basic 5.0 & 6.0) I tried running it with SmartCheck but ran into a wall of errors saying something about the program using p-code... Anyway, since this file is really out of my league, I thought I would ask the experts here and maybe contribute something interesting to the community. If it is something well known, I would appreciate it if you could let me in on the characteristics and how you came to the conclusion that it is indeed something well known. (Maybe my tools are not enough...) I appreciate the help! **WARNING!!! THIS IS MALWARE!!! PROCEED WITH CAUTION!!!** password: infected sample.zip Edited October 13, 2009 by Fizban
Aguila Posted October 14, 2009 I only briefly looked at the sample because I don't have much time. I hope I can guide you in the right direction, learning by doing. It is compiled in VB6 p-code, so SmartCheck can't display any helpful information, and p-code + malware is quite a pain to analyze. It doesn't have any special protection. You should use a p-code debugger, then it is much easier to go through the code, e.g. WKT Debugger. If you don't use it already: VB Decompiler is extremely useful: vb-decompiler.org The file is detecting VMware, Virtual PC, etc., but it is easy to bypass: you just need to change the string to something different. Well, the strings are all encrypted, but if you use WKT Debugger and step through you can't miss it, because you clearly see e.g. the "*VMWARE*" string (* is a wildcard in VB6). Actually this target is not very interesting because I think it is just some copy&paste source malware. The VM detection is pretty similar to this well known public VB6 source code:

    Option Explicit

    Private Declare Function GetModuleHandleA Lib "kernel32" (ByVal lpModuleName As String) As Long
    Private Declare Function GetTickCount Lib "kernel32" () As Long
    Private Declare Function RegOpenKeyExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
    Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
    Private Declare Function RegQueryValueExA Lib "advapi32.dll" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long
    Private Declare Sub Sleep Lib "kernel32" (ByVal lngMilliseconds As Long)
    Private Declare Sub ExitProcess Lib "kernel32" (ByVal uExitCode As Long)

    Public Sub sAnti()
        Dim aUsers(6) As String
        Dim aComputers(3) As String
        Dim aDlls(1) As String
        Dim aHDDs(3) As String
        Dim aSerials(1) As String
        Dim sUser As String * 255
        Dim sComputer As String * 255
        Dim sWinSerial As String
        Dim bFound As Boolean
        Dim lBefore As Long
        Dim lAfter As Long
        Dim lhKey As Long
        Dim sBuffer As String
        Dim lLen As Long
        Dim i As Long
        Dim oSet As Object
        Dim oObj As Object

        'initialize strings and arrays
        aUsers(0) = "Sndbx"
        aUsers(1) = "tester"
        aUsers(2) = "panda"
        aUsers(3) = "currentuser"
        aUsers(4) = "Schmidti"
        aUsers(5) = "andy"
        aUsers(6) = "Andy"
        aComputers(0) = "AUTO"
        aComputers(1) = "VMLOG"
        aComputers(2) = "NONE-DUSEZ"
        aComputers(3) = "XPSP3"
        aDlls(0) = "SbieDll.dll"
        aDlls(1) = "dbghelp.dll"
        aHDDs(0) = "*VIRTUAL*"
        aHDDs(1) = "*VMWARE*"
        aHDDs(2) = "*VBOX*"
        aHDDs(3) = "*QEMU*"
        aSerials(0) = "55274-339-6006333-22900"
        aSerials(1) = "76487-OEM-0065901-82986"
        sUser = Environ("username")
        sComputer = Environ("computername")

        'Username Detections (case-sensitive prefix match)
        For i = 0 To UBound(aUsers)
            If Left(sUser, Len(aUsers(i))) = aUsers(i) Then bFound = True
        Next i

        'Computername Detections
        For i = 0 To UBound(aComputers)
            If Left(sComputer, Len(aComputers(i))) = aComputers(i) Then bFound = True
        Next i

        'Dll Detections (module already loaded in this process)
        For i = 0 To UBound(aDlls)
            If GetModuleHandleA(aDlls(i)) Then bFound = True
        Next i

        'Emulator Detections, Method by ChainCoder
        'Sleep 510 ms; if the tick counter advanced less than 500 ms the sleep was skipped
        lBefore = GetTickCount
        Sleep 510
        lAfter = GetTickCount
        If (lAfter - lBefore) < 500 Then bFound = True

        'HardDrive Detections, Method by Cobein
        '&H80000002 = HKEY_LOCAL_MACHINE, &H20019 = KEY_READ
        If RegOpenKeyExA(&H80000002, "SYSTEM\ControlSet001\Services\Disk\Enum", 0, &H20019, lhKey) = 0 Then
            sBuffer = Space$(255): lLen = 255
            If RegQueryValueExA(lhKey, "0", 0, 1, ByVal sBuffer, lLen) = 0 Then
                sBuffer = UCase(Left$(sBuffer, lLen - 1))
                For i = 0 To UBound(aHDDs)
                    If sBuffer Like aHDDs(i) Then bFound = True
                Next i
            End If
            Call RegCloseKey(lhKey)
        End If

        'Windows Serial Detections (WMI Win32_OperatingSystem.SerialNumber)
        On Error Resume Next
        Set oSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf(Split("Win32_OperatingSystem,SerialNumber", ",")(0))
        sWinSerial = ""
        For Each oObj In oSet
            sWinSerial = oObj.Properties_(Split("Win32_OperatingSystem,SerialNumber", ",")(1)) 'Property value
            sWinSerial = Trim(sWinSerial)
        Next
        For i = 0 To UBound(aSerials)
            If sWinSerial = aSerials(i) Then bFound = True
        Next i
        'The quoted excerpt ends here; what the routine does with bFound is not shown in the post.
    End Sub
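To see which artifacts of an analysis machine the checks quoted above would flag, the following is an added Python example (not code from this thread or from the quoted VB6 source) that re-implements the same six tests on a dictionary of host artifacts: the case-sensitive prefix match on user and computer name, the loaded-module check, the Sleep/GetTickCount timing delta, the VB `Like` wildcard match on the Disk\Enum registry string, and the exact match on the OS serial. The artifact dictionary layout, the function names and the sample lab values are this example's own; the `collect_windows()` helper assumes that Win32_OperatingSystem.SerialNumber equals the ProductId registry value, which is an assumption rather than something the thread states.

```python
"""Audit which of the quoted anti-analysis checks a lab machine would trip."""
import re
import sys

# Indicator lists copied from the VB6 source quoted in the thread.
USERS = ["Sndbx", "tester", "panda", "currentuser", "Schmidti", "andy", "Andy"]
COMPUTERS = ["AUTO", "VMLOG", "NONE-DUSEZ", "XPSP3"]
DLLS = ["SbieDll.dll", "dbghelp.dll"]
HDDS = ["*VIRTUAL*", "*VMWARE*", "*VBOX*", "*QEMU*"]
SERIALS = ["55274-339-6006333-22900", "76487-OEM-0065901-82986"]
SLEEP_MS, MIN_ELAPSED_MS = 510, 500


def vb_like(text, pattern):
    """Emulate VB6's `Like` operator for the subset * ? # [list] / [!list]."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "#":
            out.append(r"\d")
        elif c == "[" and pattern.find("]", i + 1) != -1:
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j]
            out.append("[" + ("^" + body[1:] if body.startswith("!") else body) + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.fullmatch("".join(out), text, re.DOTALL) is not None


def evaluate_checks(art):
    """Return a list naming every check that would set bFound for these artifacts.

    Keys (hypothetical layout): username, computername, loaded_modules (list),
    elapsed_ms (int), disk_enum_0 (value "0" under Services\\Disk\\Enum),
    os_serial (Win32_OperatingSystem.SerialNumber).
    """
    hits = []
    user, comp = art.get("username", ""), art.get("computername", "")
    # Left(sUser, Len(name)) = name is a case-sensitive prefix comparison.
    hits += [f"username prefix '{u}'" for u in USERS if user.startswith(u)]
    hits += [f"computername prefix '{c}'" for c in COMPUTERS if comp.startswith(c)]
    # GetModuleHandleA matches module names case-insensitively.
    loaded = {m.lower() for m in art.get("loaded_modules", [])}
    hits += [f"module loaded '{d}'" for d in DLLS if d.lower() in loaded]
    # Sleep(510) followed by a tick delta under 500 ms means the sleep was skipped.
    if art.get("elapsed_ms", SLEEP_MS) < MIN_ELAPSED_MS:
        hits.append(f"sleep skipped ({art['elapsed_ms']} ms < {MIN_ELAPSED_MS} ms)")
    # The VB code upper-cases the registry string before the Like comparison.
    disk = art.get("disk_enum_0", "").upper()
    hits += [f"disk enum matches '{p}'" for p in HDDS if vb_like(disk, p)]
    serial = art.get("os_serial", "").strip()
    hits += [f"os serial '{s}'" for s in SERIALS if serial == s]
    return hits


def collect_windows():
    """Gather the same artifacts from a live Windows host (Windows only)."""
    import ctypes, os, time, winreg  # noqa: E401

    def reg(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
                return str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            return ""

    k32 = ctypes.windll.kernel32
    t0 = time.monotonic()
    time.sleep(SLEEP_MS / 1000)
    return {
        "username": os.environ.get("USERNAME", ""),
        "computername": os.environ.get("COMPUTERNAME", ""),
        "loaded_modules": [d for d in DLLS if k32.GetModuleHandleW(d)],
        "elapsed_ms": int((time.monotonic() - t0) * 1000),
        "disk_enum_0": reg(r"SYSTEM\ControlSet001\Services\Disk\Enum", "0"),
        # Assumption: SerialNumber reported by WMI is the ProductId registry value.
        "os_serial": reg(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductId"),
    }


# Constructed sample: a default VMware lab with a generic user name.
CONSTRUCTED_VMWARE_LAB = {
    "username": "tester",
    "computername": "XPSP3-LAB",
    "loaded_modules": ["kernel32.dll", "dbghelp.dll"],
    "elapsed_ms": 512,
    "disk_enum_0": "IDE\\DiskVMware_Virtual_IDE_Hard_Drive___________00000001\\3030303030",
    "os_serial": "12345-OEM-0000000-00000",
}

# Constructed sample: the same lab after renaming the user/host and disk identifiers.
CONSTRUCTED_HARDENED_LAB = {
    "username": "jsmith",
    "computername": "DESKTOP-7K2Q",
    "loaded_modules": ["kernel32.dll", "ntdll.dll"],
    "elapsed_ms": 511,
    "disk_enum_0": "IDE\\DiskWDC_WD5000AAKX-001CA0__________________15.01H15\\5&1a2b3c4d&0",
    "os_serial": "00330-80000-00000-AA111",
}

if __name__ == "__main__":
    target = collect_windows() if sys.platform == "win32" else CONSTRUCTED_VMWARE_LAB
    for hit in evaluate_checks(target) or ["no check triggered"]:
        print(hit)
```

Run on Windows it audits the live host; elsewhere it evaluates the constructed VMware lab, which trips the user-name, computer-name, dbghelp.dll and two Disk\Enum wildcard checks, while the hardened set trips none. The Disk\Enum value is the check Fizban describes patching around below, and renaming that device string in the VM configuration is the durable fix rather than editing the sample.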
Fizban Posted October 22, 2009 Author Hey k11! Sorry for the late reply, had a major exam to study for and had to "suspend" any "hobbies" for a week or so. Thank you so much for the pointer in the right direction, I'm still new to this and so I had no idea what VB tools there are out there... Since I'm starting pretty much from scratch, I'm currently familiar with only regular languages like C++, C, etc., and haven't really got into VB besides the SmartCheck that was in Lena's tutorials. I actually managed to pass the protections it had by placing a BP on ".DllFunctionCall" and slowly getting to the point where it kicked me off. Then I noticed the *VMWARE* string and noticed that its "VM trick" is checking the registry for an IDE VMWARE hard drive... so with some moderate modifications I have passed that check and ran the malware. It is really good to know there are other debuggers/VB decompilers out there (I wasn't really aware of anything other than IDA, Olly, windbg...), would be really helpful in the future when I start working on unpacking VB stuff. Thanks again! Fiz