Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Lab 17-1 Solutions
Next: Lab 17-3 Solutions

is an extensive piece of malware. Our goal with this lab is to demonstrate how anti-VM techniques can slow your efforts to analyze malware. We’ll focus our discussion on disabling and understanding the anti-VM aspects of the malware. We leave the task of fully reversing the malware in this sample to you.

Begin by loading the malware into PEview to examine its exports and imports. The malware’s extensive import list suggests that it has a wide range of functionality, including functions for manipulating the registry (RegSetValueEx), manipulating services (ChangeService), screen capturing (BitBlt), process listing (CreateToolhelp32Snapshot), process injection (CreateRemoteThread), and networking functionality (WS2_32.dll). We also see a set of export functions, mostly related to installation or removal of the malware, as shown here:


, there are three cross-references to this function, each of which is located in a different export from the malware. Following the cross-reference to InstallRT, we see the code shown in in the InstallRT export function.

in graph mode, we see two code paths to it, both conditional jumps after the calls to sub_10006119 or sub_10006196. Because the function sub_10006119 is empty, we know that sub_10006196 must contain our anti-VM technique. shows a subset of the instructions from sub_10006196.

is taken from the start of the InstallRT export. The jz instruction at determines if the anti-VM check will be performed.

, InstallRT takes an optional argument. The strlen at checks the string length of the argument. If the string length is 0 (meaning no argument), iexplore.exe is used (shown in bold).



The sub_1000DF22 function appears to contain functionality from both InstallSA and InstallRT. InstallSB also takes an optional argument containing a service name (by default NtmsSvc) that the malware uses to overwrite a service on the local system. In the default case, the malware stops the NtmsSvc service if it is running and overwrites ntmssvc.dll in the Windows system directory with itself. The malware then attempts to start the service again. If the malware cannot start the service, the malware performs DLL injection, as seen with the call at 0x1000E571. (This is similar to how InstallRT works, except InstallSB injects into svchost.exe.) InstallSB also saves the old service binary, so that UninstallSB can restore it if necessary.
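The InstallSB sequence above (stop NtmsSvc, overwrite ntmssvc.dll in the system directory, restart the service, fall back to injecting into svchost.exe) is also a detection opportunity. The script below is an added example, not code from the book or the sample: it correlates constructed host events into that pattern. The event format, field names, the service-to-DLL map and the trusted-writer list are assumptions.

```python
# Added example: correlate host telemetry into the InstallSB install sequence.
SERVICE_DLLS = {"ntmssvc": r"c:\windows\system32\ntmssvc.dll"}  # assumed baseline
TRUSTED_WRITERS = {r"c:\windows\system32\msiexec.exe"}           # assumed allow-list

# Constructed sample events (not real telemetry): "<seq> <kind> key=value ..."
SAMPLE_LOG = """\
1 ServiceStop name=NtmsSvc
2 FileWrite image=C:\\Temp\\loader.exe target=C:\\Windows\\system32\\ntmssvc.dll
3 ServiceStart name=NtmsSvc result=failure
4 RemoteThread source=C:\\Temp\\loader.exe target=C:\\Windows\\system32\\svchost.exe
5 ServiceStop name=Spooler
6 FileWrite image=C:\\Windows\\system32\\msiexec.exe target=C:\\Windows\\system32\\ntmssvc.dll
7 ServiceStart name=Spooler result=success
"""

def parse_events(text):
    """Parse constructed lines into (seq, kind, fields); values are lower-cased."""
    events = []
    for line in text.splitlines():
        seq, kind, *pairs = line.split()
        fields = {k: v.lower() for k, v in (p.split("=", 1) for p in pairs)}
        events.append((int(seq), kind, fields))
    return events

def detect_installsb_pattern(text):
    """Alert on stop -> untrusted overwrite of the service DLL -> start, and on
    a remote thread into svchost.exe by the same writer after a failed start."""
    alerts, pending = [], {}            # pending: service name -> state dict
    for seq, kind, f in parse_events(text):
        if kind == "ServiceStop":
            pending[f["name"]] = {"stop": seq}
        elif kind == "FileWrite" and f["image"] not in TRUSTED_WRITERS:
            for svc, dll in SERVICE_DLLS.items():
                if f["target"] == dll and svc in pending:
                    pending[svc].update(write=seq, writer=f["image"])
        elif kind == "ServiceStart" and "writer" in pending.get(f["name"], {}):
            st = pending[f["name"]]
            alerts.append(f"service DLL of {f['name']} overwritten by {st['writer']} "
                          f"between events {st['stop']} and {seq}")
            if f.get("result") == "failure":
                st["failed"] = True         # keep watching for the injection fallback
            else:
                del pending[f["name"]]
        elif kind == "RemoteThread" and f["target"].endswith("svchost.exe"):
            for svc, st in list(pending.items()):
                if st.get("failed") and st.get("writer") == f["source"]:
                    alerts.append(f"{f['source']} injected into svchost.exe after "
                                  f"failed restart of {svc} (event {seq})")
                    del pending[svc]
    return alerts
```

Running `detect_installsb_pattern(SAMPLE_LOG)` yields two alerts for the NtmsSvc sequence and none for the legitimate Spooler restart.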

We’ll leave the full analysis of this malware to you, since our focus here is on anti-VM techniques. This malware is an extensive backdoor with considerable functionality, including keylogging, capturing audio and video, transferring files, acting as a proxy, retrieving system information, using a reverse command shell, injecting DLLs, and downloading and launching commands.

To fully analyze this malware, analyze its export functions and static configuration options before focusing on the backdoor network communication capability. See if you can write a script to decode network traffic generated by this malware.


© RuTLib.com 2015-2018