romzhke Posted February 1, 2022 (edited)

Hi. In order to advance myself in malware analysis I solve tasks from the widely known malware-traffic-analysis.net. But I'm also trying to dig deeper and fully analyze the malware samples found in the pcaps. The one that puzzles me a lot is from the 2019-06-22 task, particularly the file 2019-06-22-malware-retrieved-from-the-infected-Windows-host.exe.zip (md5: 90c90e8d3fa5ca583e966d2a34565899). https://www.malware-traffic-analysis.net/2019/06/22/index.html

What exactly? It basically doesn't show any red flags during basic static analysis:

- Its import table is pretty "herbivore".
- Strings don't show any obvious indicators.
- The only thing that looks strange is several resource objects with a high entropy. But again, in the import table we will not find the regular functions for working with PE-file resources (FindResource and LoadResource).

On the other hand, during debugging I've set some BPs, among others a breakpoint at the CreateProcessInternalW call, and was able to catch the moment when the process executes cmd.exe with the parameter "ping 127.0.0.1 && del malware_file" right before it terminates. I presume it is because of some checks I do not pass due to virtual machine evasion. And if we look at the memory region where it happens, we will find out that it is the .text of the original file, but filled with an unpacked new PE file (the real malicious payload). And also, if we check the strings referenced by this new code, we will find a lot of interesting indicators.

Sadly I cannot figure out how to catch the moment when the initial file unpacks the injected data. A breakpoint on WriteProcessMemory never hits. So the question I have is: how to catch the moment when the program starts to unpack?

Edited February 1, 2022 by romzhke: spell re-check.
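Two of the observations in the post above (resource objects with high entropy in the file on disk, and a .text region that later holds a freshly unpacked PE image) can both be checked mechanically. The script below is an added example, not code from the original thread or from malware-traffic-analysis.net: it walks the PE section table with nothing but the standard library, reports per-section Shannon entropy, and scans an arbitrary byte buffer (a file or a dumped memory region) for an embedded MZ/PE header whose e_lfanew actually points at a valid "PE\0\0" signature. The sample PE it analyses is constructed inline with a fully uniform byte pattern standing in for a packed resource; the entropy threshold of 7.0 bits per byte is an assumed triage value, not a figure from the post.

```python
"""Entropy triage of PE sections and detection of an embedded PE image.

Added example (not from the original thread). The sample PE is constructed
here and is not loadable; it only carries the headers the parser needs.
"""
import math
import struct

HIGH_ENTROPY_THRESHOLD = 7.0  # assumed triage threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (name, virtual_address, raw_offset, raw_size, raw_bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # 4-byte sig + 20-byte COFF header + optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, rawptr, rawsize, pe[rawptr:rawptr + rawsize]))
    return sections


def high_entropy_sections(pe: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD):
    """Sections whose raw bytes look packed or encrypted: (name, entropy rounded to 2 dp)."""
    out = []
    for name, _, _, _, data in parse_sections(pe):
        h = shannon_entropy(data)
        if h >= threshold:
            out.append((name, round(h, 2)))
    return out


def find_embedded_pe(blob: bytes):
    """Offsets in blob where an MZ header's e_lfanew lands on a valid PE signature.

    Useful on a dumped memory region: a hit inside what used to be .text means
    the original code has been replaced by another PE image.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            # Reject absurd e_lfanew values so random "MZ" bytes do not match.
            if 0x40 <= e_lfanew < 0x1000 and blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def build_sample_pe(text: bytes, rsrc: bytes) -> bytes:
    """Constructed minimal PE with a .text and a .rsrc section (headers only, not runnable)."""
    opt_size, e_lfanew, raw_start = 224, 0x40, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic

    def sec(name, vaddr, ptr, data, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), ptr, 0, 0, 0, 0, flags)

    text_ptr, rsrc_ptr = raw_start, raw_start + len(text)
    table = sec(b".text", 0x1000, text_ptr, text, 0x60000020) + sec(b".rsrc", 0x2000, rsrc_ptr, rsrc, 0x40000040)
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (raw_start - len(image))
    return bytes(image + text + rsrc)


# Constructed sample: a low-entropy .text (16 distinct bytes) and a .rsrc whose
# bytes are uniformly distributed, mimicking a compressed/encrypted payload.
SAMPLE_PE = build_sample_pe(bytes(range(16)) * 32, bytes(range(256)) * 4)
# Constructed "memory dump": the sample image sitting 100 bytes into a region.
SAMPLE_REGION = b"\x90" * 100 + SAMPLE_PE + b"\x00" * 50

if __name__ == "__main__":
    print("high-entropy sections:", high_entropy_sections(SAMPLE_PE))
    print("embedded PE offsets:", find_embedded_pe(SAMPLE_REGION))
```

On a real sample, read the file (or a region dumped from the debugger once the process is suspended) into `bytes` and pass it to the same two functions; a .text region that reports an embedded PE at offset 0 is exactly the state described in the post, and comparing snapshots of that region over time narrows down when the overwrite happened.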
0xNOP Posted February 1, 2022

Use a program like rohitab's API Monitor from http://www.rohitab.com/apimonitor and spy on all the API calls that might be using it. I have known a more obscure way of hiding strings, and it's using Windows atoms. https://docs.microsoft.com/en-us/windows/win32/dataxchg/about-atom-tables#atom-table-queries